In California’s Northern District, Judge Lucy Koh recently dismissed several claims in a class action against Zoom Video Communications Inc. alleging user privacy violations. The dismissed claims alleged invasion of privacy, negligence, and violations of California’s consumer and anti-hacking laws. A few contract-based claims are allowed to proceed.
The Claims Against Zoom
The Zoom lawsuit, In re: Zoom Video Communications Inc Privacy Litigation, encompasses three main issues, resulting in nine claims. First, the plaintiffs claim Zoom improperly shared their personally identifiable information (PII) with third parties like Facebook, Google, and LinkedIn without the plaintiffs’ permission. The shared information allegedly allows these third parties “to identify users and track their behavior across multiple digital services.” The information also allows third parties to know when a party’s device uses Zoom.
Second, the plaintiffs allege that “Zoom misstates the security capabilities and offerings of its services where Zoom failed to provide end-to-end encryption.” Specifically, the plaintiffs claim that Zoom falsely claimed its encryption protocol as end-to-end encryption when in fact, Zoom used transport encryption in those situations. In end-to-end encryption, user devices generate the encryption and decryption keys. This prevents parties that don’t use those devices from accessing the content. In transport encryption, however, the service (here, Zoom) generates those keys. This means the service has access to the encrypted content.
Third, the plaintiffs claim that Zoom failed to prevent or warn users about a security breach popularly known as “Zoombombing.” Zoombombing occurs when people join a Zoom meeting in order to disrupt it in some way. These users typically join without authorization. Their actions may range from talking or yelling over other participants, to posting pornography. In the Zoom lawsuit, the plaintiffs allege the company’s failure to prevent Zoombombing constitutes negligence and violations of various California state laws.
From these three issues, the plaintiffs alleged nine different claims against Zoom. The claims include invasion of privacy, negligence, and breach of implied contract. Moreover, additional claims consist of breach of implied covenant of good faith and fair dealing, unjust enrichment or quasi-contract, and violations of four different California statutes.
Zoom’s Motion to Dismiss
In response, Zoom sought dismissal of all nine of the plaintiffs’ claims, with prejudice. In support of its motion to dismiss, Zoom made two main arguments. First, Zoom argued that Section 230 of the Communications Decency Act barred Zoombombing-related claims. Section 230 protects online platforms from liability stemming from user content hosted on the platform. Zoombombing involves users creating content on the platform. Thus, Zoom argued, it is protected from liability for failing to bar or moderate the Zoombombing activities under the Act.
Judge Koh agreed, noting that “appalling as this content is, Zoom’s failure to edit or block user-generated content is the very activity Congress sought to immunize.” Section 230 barred the plaintiffs’ claims that treated Zoom as the “publisher” of user-generated content.
Also, Zoom argued all nine claims should be dismissed because the plaintiffs failed to allege harm under any of them. Judge Koh agreed as to the PII sharing claims. Judge Koh noted that the plaintiffs had indicated Zoom shared user info with other platforms. However, none of them had sufficiently shown that their specific PII was among that shared information.
Judge Koh allowed the claims sounding in breach of contract, breach of implied contract, and quasi-contract to proceed. Furthermore, the judge noted that Zoom had not shown that the plaintiffs agreed to Zoom’s terms of service. The judge also allowed Zoombombing claims to proceed “to the extent that they do not either (1) challenge the harmfulness of content provided by another or (2) derive from Zoom’s status or conduct as a publisher or speaker of that content.”
Next Steps in the Zoom Lawsuit
Zoom initially sought the dismissal of all nine claims with prejudice. Judge Koh, however, allowed the plaintiffs the opportunity to replead any of the dismissed claims. Most of the remaining claims focus on the contractual relationship between Zoom and its users. As part of the order denying in part Zoom’s motion to dismiss, Judge Koh noted that Zoom had failed to show that the plaintiffs had accepted the platform’s terms of service. Such a showing is likely to become a point of contention as the parties proceed.
Judge Koh also allowed Zoombombing-related claims to proceed, as long as they did not address the content Zoombombers created or focus on Zoom’s status as a “publisher or speaker” of this content. The plaintiffs are likely to reorganize their approach based on these restrictions.
Zoom’s ease of use allowed it to surge ahead of other videoconference platforms in the early months of COVID-19. While the company has worked to address some security concerns, public scrutiny of Zoom’s privacy policies continues. Zoom may need to address software issues or public image concerns regarding security and privacy moving forward.