Privacy Suits Against Zoom and Houseparty Test the CCPA’s Private Right of Action
Over the past month, many have discovered video chat and conferencing apps such as Zoom and Houseparty, using them for both business and to keep connected to friends and family during this period of global social distancing. Increased usage of these apps has also resulted in close scrutiny of their privacy practices by the public and government authorities. Indeed, Zoom has been hit with eight class actions that were recently consolidated, while separate plaintiffs sued the owners of Houseparty. A core allegation among those suits is that, without notice or consent, these apps provided user data to third parties (e.g., Facebook). Both the Houseparty complaint and a majority of the Zoom complaints allege violations of the California Consumer Privacy Act (CCPA), making these cases among the first with the potential to test the contours of the nascent but expansive privacy law. If the CCPA claims in these suits survive, it could signal the beginning of a substantial increase in class actions claiming CCPA violations.
As previously discussed on this blog, the CCPA provides a private right of action to California consumers, meaning the law allows individual consumers to sue companies under certain circumstances. The scope of that private cause of action, however, appears limited to claims arising from data breaches: the language of the CCPA grants a private right of action only to consumers whose personal information “is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices.” Cal. Civ. Code § 1798.150(a)(1). The law also applies a narrow definition of “personal information” for purposes of a private CCPA claim, including only information typically covered by data breach statutes (e.g., social security numbers, financial or credit card numbers and passcodes, and medical or health information). In contrast, the definition of “personal information” applicable to the rest of the CCPA is much more expansive, id. § 1798.140. In addition, the law adds that the private right of action “shall not be based on violations of any other section” of the CCPA, id. § 1798.150 (c); those violations are within the exclusive jurisdiction of the California Attorney General, id. §1798.155(b).
The suits against Zoom and Houseparty are likely to test the limits of the CCPA’s private right of action, in large part because all of them stem from situations involving alleged voluntary transfers of consumer data to a third-party, a situation that does not fit squarely into the CCPA’s statutory framework for private claims. Instead, the Houseparty complaint alleges violations of one of the statute’s core privacy provisions, which requires notice of disclosure of personal information and the right to opt-out of such disclosures. The initial Zoom complaint, on the other hand, claims direct standing pursuant to the CCPA’s private right of action, alleging that Zoom’s alleged unauthorized disclosure of information to third parties satisfies the requirements of such a claim. Both sets of plaintiffs seek to apply the definition of “personal information” provided by the CCPA’s core provisions, rather than the more limited carveout for private claims. Notably, plaintiffs in these two cases also say little of the CCPA’s requirement that private claims based on “unauthorized access and exfiltration, theft, or disclosure” result from a defendant’s “violation of the duty to implement and maintain reasonable security procedures and practices.” Id. § 1798.150(a)(1). If the alleged CCPA claims in either case survive a legal challenge, the landscape for private litigation under the CCPA may begin to tilt towards a much broader swath of individual claims, including class actions, than the statute’s language suggests.
One more statutory nuance emerges in the initial complaint against Zoom. The CCPA provides that, prior to bringing a private lawsuit, a consumer must give a would-be defendant written notice of alleged violations and allow 30 days for the business to “cure” those violations. Id. § 1798.150(b). If the business “actually cures the noticed violation,” no action for “class-wide statutory damages may be initiated against the business.” Id. Neither the CCPA nor its regulations define what it means to “cure” a CCPA violation. The Zoom complaint seems to recognize this requirement, alleging that plaintiffs served notice of the alleged CCPA violations prior to bringing suit and that, on March 27, “Zoom released a new version of the Zoom App which purports to no longer send unauthorized personal information of its users to Facebook.” The complaint further alleges that harm to the class has already been realized and is ongoing. Nonetheless, the legal effect of a “purported” cure (on the face of the complaint) remains to be seen, as do the contours of a standard for determining the legal sufficiency of a “cure” under the statute itself. It is unclear what constitutes a “cure” under the statute, and the legal effect of a cure (as alleged in the complaint) in private litigation remains to be seen.
We will continue to monitor these issues and other litigation under the CCPA as it develops.