Zoom Class Actions Illustrate Pitfalls of Failing to Accurately Disclose Data Practices

The recent scrutiny and class action litigation accompanying Zoom’s rapid transformation to the cultural mainstream stands as a powerful reminder of the importance of proactively understanding and disclosing how a business collects, uses, and shares its customers’ personal information. In a cruel twist to the adage “the coverup is worse than the crime,” it is not Zoom’s data practices that have put it in the legal spotlight, but rather its failure to adequately provide consumers notice of those data practices, a problem that businesses can easily address with an appropriate privacy policy.

In two separate class action lawsuits filed in the Northern District of California, consumers allege that Zoom improperly failed to disclose that it was sharing certain consumer data with Facebook for the purpose of delivering ads. The suits followed news coverage that documented how Zoom sent data about its users to Facebook, including information about the device, the mobile carrier, and the unique advertising identifier associated with the user’s device. Zoom provided this information to Facebook regardless of whether the Zoom user was an actual Facebook subscriber.

While this type of consumer data sharing is commonplace, these class action lawsuits are premised on the allegation that Zoom failed to appropriately disclose how it is using and sharing consumers’ data – a deficiency that could have easily been cured through an accurate and complete online privacy policy. Zoom’s failure to provide point-of-collection disclosures, plaintiffs allege, are in violation of both the California Consumer Protection Act (“CCPA”), as well as constitute an unfair and deceptive practice in violation of state consumer protection laws (“UDAP”).

With respect to UDAP concerns, Zoom’s troubles illustrate the importance of providing a fulsome and accurate description of the collection, use, and sharing of consumer information within a consumer-facing privacy policy. Even where a privacy policy is not required by law (e.g., pursuant to the CCPA or California and Delaware Online Privacy Protection Acts), publishing an online privacy policy can expose a business to potential legal claims if the policy is misleading , incomplete, or inaccurate. Businesses that describe their privacy practices with specificity, as opposed to catch-all and non-exhaustive lists, are best positioned to argue that they have provided adequate notice in defense of such UDAP or CCPA claims.

Unlike general UDAP principles, the CCPA specifically requires covered businesses to provide point-of-collection disclosures regarding the collection, use, sharing, and selling of the personal information of California consumers. Any data privacy practices not included in the disclosure are considered unauthorized and prohibited by the CCPA.

The Zoom lawsuits are also significant, as they present a novel question about the scope of the CCPA’s private right of action. The CPPA expressly provides a private right of action only for violations of the Act’s data breach provisions. All other alleged violations of the Act (for example, failing to comply with restrictions on the use, collection, and sharing of personal information) can only be brought by the California Attorney General.

In an effort to bypass the CCPA’s limited private right of action, the Zoom plaintiffs argue that Zoom’s disclosure of personal information to Facebook constitutes a data breach because failing to disclose a data-sharing practice is tantamount to an unauthorized disclosure of personal information (rather than an apparent failure to disclose). While this argument appears to be a reach beyond the plain language of the CCPA, if the Zoom plaintiffs are successful with this argument, businesses may face private class action litigation for a wide scope of alleged CCPA violations.