In California’s Northern District, Judge Lucy Koh recently dismissed several claims in a class action against Zoom Video Communications Inc. alleging user privacy violations. The dismissed claims alleged invasion of privacy, negligence, and violations of California’s consumer and anti-hacking laws. A few contract-based claims are allowed to proceed.
The Claims Against Zoom
The lawsuit, In re: Zoom Video Communications Inc Privacy Litigation, encompasses three main issues, resulting in a total of nine claims. First, the plaintiffs claim that Zoom improperly shared their personally identifiable information (PII) with third parties like Facebook, Google, and LinkedIn without the plaintiffs’ permission. The shared information allegedly allows these third parties “to identify users and track their behavior across multiple digital services” and to know when a party’s device uses Zoom.
Second, the plaintiffs allege that “Zoom misstates the security capabilities and offerings of its services where Zoom failed to provide end-to-end encryption.” Specifically, the plaintiffs claim that Zoom falsely claimed its encryption protocol as end-to-end encryption when in fact, Zoom used transport encryption in those situations. In end-to-end encryption, user devices generate the encryption and decryption keys, preventing parties that don’t use those devices from accessing the content. In transport encryption, however, the service (here, Zoom) generates those keys, meaning the service has access to the content that is encrypted.
Third, the plaintiffs claim that Zoom failed to prevent or warn users about a security breach popularly known as “Zoombombing.” Zoombombing occurs when people join a Zoom meeting in order to disrupt it in some way. These users typically join without authorization, and their actions may range from talking or yelling over other participants, to posting pornography. In the lawsuit, the plaintiffs allege that Zoom’s failure to prevent Zoombombing constitutes negligence and violations of various California state laws.
From these three issues, the plaintiffs alleged nine different claims against Zoom, including invasion of privacy, negligence, breach of implied contract, breach of implied covenant of good faith and fair dealing, unjust enrichment or quasi-contract, and violations of four different California statutes.
Zoom’s Motion to Dismiss
In response, Zoom sought dismissal of all nine of the plaintiffs’ claims, with prejudice. In support of its motion to dismiss, Zoom made two main arguments. First, Zoom argued that the Zoombombing-related claims are barred by Section 230 of the Communications Decency Act. Section 230 protects online platforms from liability stemming from user content hosted on the platform. Since Zoombombing involves users creating content on the platform, Zoom argued, Zoom itself is protected from liability for failing to bar or moderate the Zoombombing activities under the Act.
Judge Koh agreed, noting that “Appalling as this content is, Zoom’s failure to edit or block user-generated content is the very activity Congress sought to immunize.” Insofar as any of the plaintiffs’ claims treated Zoom as the “publisher” of user-generated content, those claims were barred by Section 230.
Zoom also argued that all nine claims should be dismissed because the plaintiffs had failed to allege harm under any of them. Judge Koh agreed as to the PII sharing claims, noting that while the plaintiffs had indicated Zoom shared user info with other platforms, none of them had sufficiently shown that their specific PII was among that shared information.
Judge Koh allowed the claims sounding in breach of contract, breach of implied contract and quasi-contract to proceed, noting that Zoom had not shown that plaintiffs agreed to Zoom’s terms of service. The judge also allowed Zoombombing claims to proceed “to the extent that they do not either (1) challenge the harmfulness of content provided by another; or (2) derive from Zoom’s status or conduct as a publisher or speaker of that content.”
Next Steps in the Zoom Class Action
Zoom initially sought dismissal of all nine claims with prejudice. Judge Koh, however, allowed the plaintiffs the opportunity to replead any of the dismissed claims. Most of the remaining claims focus on the contractual relationship between Zoom and its users. As part of the order denying in part Zoom’s motion to dismiss, Judge Koh noted that Zoom had failed to show that the plaintiffs had accepted the platform’s terms of service. Such a showing is likely to become a point of contention as the parties proceed.
Judge Koh also allowed Zoombombing-related claims to proceed, as long as they did not address the content Zoombombers created or focus on Zoom’s status as a “publisher or speaker” of this content. The plaintiffs are likely to reorganize their approach based on these restrictions.
Zoom’s ease of use allowed it to surge ahead of other videoconference platforms in the early months of the COVID-19 pandemic. While the company has worked to address some security concerns, public scrutiny of Zoom’s privacy policies continues. In addition to addressing this California lawsuit, Zoom may need to address software issues or public image concerns regarding security and privacy moving forward.