As Zoom’s popularity has soared in recent weeks, the company has begun facing increasing scrutiny from both government regulators and consumer advocates. Much of this scrutiny has focused on privacy and security concerns, including the following:
- “Zoombombing” incidents in which unauthorized individuals have allegedly hijacked Zoom meetings, often with racist or pornographic imagery;
- Zoom’s allegedly unauthorized disclosure of user data to third parties; and
- Zoom’s alleged use of transport encryption, rather than end-to-end encryption, which allegedly allows Zoom to access user video and audio content.
Government regulators at both the state and federal level have expressed concerns regarding these perceived privacy and security deficiencies. Multiple state attorneys general, including those in New York, Florida, and Connecticut, have sought information on Zoom’s privacy practices. Further, the Boston office of the FBI issued a warning and related guidance regarding Zoom’s privacy settings in response to reported “zoombombing” incidents.
Other constituencies have called on the Federal Trade Commission (FTC) to open an investigation. The Electronic Privacy Information Center (EPIC) sent a letter to the FTC on April 6, 2020, urging the FTC to investigate Zoom’s security practices. EPIC’s letter referenced a July 2019 FTC complaint that EPIC had filed against Zoom, noting that “the problems have only become worse” in the interim. Three days earlier, on April 3, 2020, Senator Sherrod Brown (D-OH), the ranking member on the Senate Committee on Banking, Housing and Urban Affairs, requested that the FTC “immediately open an investigation into what appears to be Zoom’s deceptive representations about the security and privacy it provides to its users.” Senator Brown’s request focused on Zoom’s alleged misrepresentations regarding its use of end-to-end encryption. Senator Brown also sent a letter directly to Zoom requesting information on its encryption practices. Senator Richard Blumenthal (D-Conn.) also requested information from Zoom regarding its data collection, privacy, and security practices.
In addition to the aforementioned governmental scrutiny, Zoom is facing three consumer privacy class action lawsuits recently filed in the Central and Northern Districts of California.
Cullen v. Zoom Video Communications, Inc., No. Case 5:20-cv-02155-LHK (N.D. Cal.), filed on March 30, 2020, challenges Zoom’s alleged disclosure of user information to third parties without user consent. The putative class comprises “[a]ll persons and businesses in the United States whose personal or private information was collected and/or disclosed by Zoom to a third party upon installation or opening of the Zoom video conferencing application.” Taylor v. Zoom Video Communications, Inc., No. 5:20-cv-02170-SVK (N.D. Cal.), filed on March 31, 2020, similarly challenges Zoom’s alleged unauthorized disclosure of user information to third parties, though the plaintiff seeks to represent only those “persons who used the Zoom app for iOS during the applicable limitations period.”
Ohlweiler v. Zoom Video Communications, Inc., No. 2:20-cv-03165-SVW-JEM (C.D. Cal.), filed on April 3, 2020, is slightly broader than the Cullen and Taylor actions. In addition to challenging Zoom’s alleged unauthorized disclosure of user information to third parties, Ohlweiler challenges Zoom’s allegedly false advertising of its end-to-end encryption capabilities. The plaintiff seeks to represent a putative class of all individuals who used Zoom, and/or purchased the application for personal use, in the US and/or California in the past four years.
All three lawsuits (the Zoom lawsuits) assert statutory claims under California’s Unfair Competition Law, Consumer Legal Remedies Act, and the newly-enacted California Consumer Privacy Act (CCPA), as well as common law claims for negligence and unjust enrichment. In addition, certain of the Zoom lawsuits assert claims for violation of California’s constitutional right to privacy (Cullen and Ohlweiler); breach of implied contract (Taylor); unjust enrichment (Taylor and Ohlweiler); public disclosure of private facts (Taylor); violation of California’s False Advertising Law (Ohlweiler); and breach of express warranty (Ohlweiler).
The CCPA claims asserted in the Zoom lawsuits are particularly interesting, given that the statute took effect less than four months ago, and no court has yet interpreted its provisions. Significantly, while the CCPA’s private right of action has commonly been understood to apply only to data breach incidents involving the involuntary disclosure of user data due to inadequate security protocols, the Zoom lawsuits seek relief under the CCPA for Zoom’s allegedly voluntary-yet-unauthorized disclosure of user data to third parties. These lawsuits may therefore present one of the first opportunities for the courts to articulate the boundaries of the CCPA’s private right of action. Additionally, should any of the Zoom lawsuits fail to allege access or disclosure of “personal information,” as that term is narrowly defined for purposes of the private right of action, the CCPA claims will likely fail.
And on April 7, 2020, Zoom was hit with a shareholder lawsuit asserting violations of the Securities Exchange Act based on Zoom’s allegedly materially false and misleading statements regarding its data privacy and security procedures. See Drieu v. Zoom Video Communications, Inc., No. 5:20-cv-02353-JD (N.D. Cal.).
Zoom has implemented a number of countermeasures to address the security and privacy concerns discussed above, including the issuance of a 90-day Plan to Bolster Key Privacy and Security Initiatives. Only time will tell whether these countermeasures will mollify the various constituencies that have been raising alarm bells following the broad adoption of Zoom’s virtual conferencing capabilities during these unusual times.