A lawsuit brought under the CCPA may drastically alter the data privacy landscape.
The word “Zoom” has dominated the lexicon of the American people in recent weeks, thanks in large part to the tragic spread of the novel coronavirus and the necessary shift to more virtual forms of human interaction. The rise of social distancing practices globally has resulted in an explosion of videoconferencing services, perhaps none more prevalent than Zoom—which has recently dominated the market.
But the company’s blissful honeymoon with consumers may well be over.
Four days after a March 2020 investigative report detailed alleged privacy violations by Zoom, Robert Cullen filed a class action lawsuit in a California federal court on behalf of himself and millions of Zoom users. Cullen alleges that Zoom violated the California Consumer Privacy Act of 2018 (CCPA), a data privacy law that became effective this year, when the company’s “wholly inadequate program design and security measures” failed to prevent the unauthorized disclosure of users’ personal information to third parties like Facebook. The CCPA is an expansive piece of legislation that, among other things, outlines protections regarding access to and use of consumer data.
The CCPA’s reach extends far beyond California, as entities from tiny startups to tech giants like Facebook and Google have major operation centers in the state. To avoid liability, national and international companies often adopt the highest standards among the legal jurisdictions in which they operate, meaning that tech-responsive California often sets the standard. Moreover, the United States lacks a comprehensive federal data protection law, which means that the far-reaching CCPA could become the preeminent legislation on data protection nationally.
It also means that challenges under the CCPA can have seismic effects on data privacy laws.
The controversy began when an investigative report revealed that Zoom’s iOS app, like many apps, apparently uses Facebook’s “software development kits” to implement the popular “Login with Facebook” feature that many app users enjoy due to its streamlining of account creation across social media platforms.
The issue appears to be that Zoom’s posted privacy policy at the time did not explicitly mention that Zoom allegedly shared user data with Facebook—even for users without Facebook accounts. The data shared reportedly included information such as when Zoom users opened the app, the time zone and city in which they connected, their device’s model information, and a device-specific “advertiser identifier” which companies use to place targeted advertisements.
Cullen argues that Zoom made false representations about the collection and sharing of their data to its userbase, which comprises individuals and businesses.
The CCPA requires that a business collecting a consumer’s personal information “inform consumers as to the categories of personal information to be collected” and their uses. Additional categories of personal information shall not be collected or used “without providing the consumer with notice.” Relatedly, if data are improperly used or shared, consumers must give businesses at least 30 days’ written notice to take steps to correct the potential CCPA violation.
Cullen acknowledges that Zoom updated its app to correct the data sharing issue before he filed the complaint. Zoom also updated its privacy policy to reiterate its commitment to protecting user data. But Cullen argues that the harm is ongoing because Zoom has not deactivated the previous versions of its app and because affected users must now more actively monitor their personal information due to Zoom’s negligence.
Notably, Cullen’s complaint does not specify when exactly Zoom was served notice of its CCPA violation, a fact perhaps made more salient given how quickly the action was filed after the investigative report. If the noticed violation is actually “cured” within 30 days and consumers are alerted, the CCPA bars suit.
Although Zoom has not yet filed a response to Cullen’s legal complaint, the company has stated recently that it “takes its users’ privacy extremely seriously.” The company has also subsequently announced further measures it has taken to address concerns about data privacy.
If Cullen’s case should yield a judicial ruling on whether Zoom’s remedial actions and clarifying statements were adequate under the CCPA’s “notice and cure” framework, a court decision could provide useful clarity on what measures companies must take when accused of violating users’ data privacy rights. In addition to explaining which actions are sufficiently remedial, the court could also outline, for example, how extensive the notice to consumers of the corrective action must be. Cullen seeks “corrective advertising” to consumers of Zoom’s alleged misrepresentation.
Perhaps more important than a possible judicial clarification of “notice and cure” would be clarification of a fundamental definitional issue. Observers note that the CCPA does not define the term “disclosure” when it prohibits “unauthorized disclosure” of user information. Nor does the law direct readers to any other statutory definition of disclosure, an omission that further suggests courts must provide guidance on the term’s meaning.
It also remains unclear if the CCPA’s definition of “personal information” covers all of the categories of disclosed information on which Cullen bases his lawsuit. If the court narrows what information is considered “personal”—that is, what types of disclosures violate the CCPA—its ruling would send a strong message about which types of digital harms rise to the level of legal harm. For example, even though the CCPA lists “geolocation” data as personal information, courts have grappled for several years with the exact definition of such data in the legal context. Because the use of geolocation data can implicate constitutionally protected privacy rights, a federal court decision in this area could broaden or narrow privacy protections for millions of Americans.
Under the CCPA, the California Attorney General can solicit public input on further defining the categories of personal information and other matters to “address changes in technology, data collection practices, obstacles to implementation, and privacy concerns.” The comment period in which the Attorney General solicits public input on the current text of the law ends on July 1, 2020, at which point the Attorney General may begin to bring enforcement actions against CCPA violators. This broad grant of power helps ensure that the CCPA will be flexible enough to accommodate changes in the dynamic technology space.
Still, given the high volume of technology-centered lawsuits in California, other courts and the federal government are likely to monitor the outcome of this early CCPA case. Even if Cullen loses at the trial court level, if the case is not settled out of court then the judge’s legal decision—and any definitions or clarity it may supply—could result in massive changes to the landscape of U.S. privacy law.