` A Popular Web-Conference Platform Finds Itself in Hot Waters Over Privacy Practices, but Can It Be Sued under the CCPA? - Clarip Privacy Blog
ENTERPRISE    |    CONSUMER PRIVACY TIPS    |    DATA BREACHES & ALERTS    |    WHITEPAPERS

A Popular Web-Conference Platform Finds Itself in Hot Waters Over Privacy Practices, but Can It Be Sued under the CCPA?

Web-Conference Platform

Since the beginning of the novel coronavirus pandemic, a web-conferencing platform Zoom has been a popular go-to resource for online meetings, conferences, and virtual classrooms.  As its popularity soared, the platform has been criticized extensively over its privacy policies and practices and has now found itself on the receiving of at least two lawsuits, by the company’s investors and a consumer class action under the California Consumer Privacy Act.

The reported privacy and data security issues effecting Zoom have included the Zoom iOS app sharing usage data with Facebook, even for users who do not have Facebook account, users who sign up from the same email domain being automatically added to each other’s contact lists, lack of end-to-end encryption for audio and video content,  vulnerability to “Zoom-bombing,” when internet trolls join and disrupt Zoom meetings with inappropriate content, and routing of user data to other countries.

In a March 30, 2020 letter to the company, the New York Attorney General Letitia James expressed concern that the “company has been slow to address security flaws ‘that could enable malicious third parties to, among other things, gain surreptitious access to consumer webcams.’”  On April 5, 2020, the New York City’s Department of Education has barred teachers and administrators from using Zoom for remote learning purposes over concerns about security breaches, such as “Zoom-bombing.”

In a class-action lawsuit filed on March 30, 2020 in the Northern District of California, plaintiff alleges that Zoom was sending nonencrypted and nonredacted personal information to Facebook in violation of Section 1798.150(a) of the CCPA.  According to the Complaint, the information disclosed by Zoom to Facebook included users’ mobile OS type and version, the device time zone, the device model and the device’s unique advertising identifier.

Although the Complaint gathered a lot of attention in the press, its CCPA claim might be difficult for plaintiffs to sustain.  Section 1798 provides that a business might be sued by the consumers for an authorized access, exfiltration, theft or disclosure of personal information as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices.

Even though the CCPA defines “personal information” very broadly for purposes of regulatory compliance, the definition of “personal information” subject to Section 1798.150 is limited to “individual’s first name or first initial and the individual’s last name in combination with any one or more of the following data elements . . . (i) Social security number; (ii) Driver’s license number [or other government-issued identification number], (iii) Account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account; (iv) Medical information; (v) Health insurance information; and (vi) Unique biometric data . . .”  Cal. Civ. § 1798.81.5.  It appears that data purportedly disclosed by Zoom to Facebook does not fall within the limited scope of “personal information” subject to a private right of action under the CCPA.

Regardless of whether plaintiff can sustain a direct claim under the CCPA, however, the Complaint alleges a number of other claims, including for unlawful and unfair business practices, which might serve as vehicles for indirect claims under the CCPA.

The fallout of the disclosure of privacy issues surrounding Zoom is another reminder for companies to take their privacy and data security obligations seriously and diligently.  Organizations that fail to do so might find themselves not only in hot legal waters but also on the short end of the consumer and investor confidence.

Ask Clarip today how we can solve your biggest compliance pain points, Call Clarip at 1-888-252-5653

The pixel
Show Buttons
Hide Buttons