April 06, 2020
Data Privacy and Class Action Alert
Recent class action lawsuits filed against the popular video conferencing service in California federal court for alleged privacy violations highlight concerns for employers and their remote workforce as well as raises questions about the applicability of the new CCPA.
Across the country, millions of people are confined to their homes due to the coronavirus pandemic. In the new work-from-home environment, novel and challenging privacy concerns are coming to the forefront. With the use of video conferences exploding, recent class action lawsuits filed against Zoom (one of the most popular video conferencing services) in California federal court for alleged privacy violations highlight these issues. Companies should properly assess services’ data privacy and security measures before requiring employees to use such services. Employers could potentially be held liable for a communication services’ mishandling of users’ personal information.
The class actions allege that Zoom failed to properly safeguard the personal information of users of its software application and video conferencing platform. Among other things, the suits allege that Zoom collected and disclosed, without adequate notice or authorization, personal information of its users to third parties, including Facebook.
The claims under the CCPA raise novel threshold questions, particularly given that the statute only went into effect on January 1, 2020. As is well known, the CCPA provides California residents with significant privacy rights, including access to their personal information retained or shared by a business, as well as notices from certain businesses regarding their collection, use, and disclosure of personal information. Thus far, it has been generally understood that a business’s violation of these provisions is only enforceable by the California Attorney General (and such enforcement will not begin until July 1, 2020). The CCPA’s very limited private right of action provides California residents recourse when their “nonencrypted and nonredacted personal information” is “subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures.” Cal. Civ. Code § 1798.150(a). It is generally understood, in other words, that this limited private right of action only applies when there has been a data breach (i.e., unauthorized access) which compromises user data.
However, the complaints against Zoom do not allege a data breach; rather they attempt to interpret the CCPA’s private right of action (likely in an effort to recover the CCPA’s statutory damages) to apply to the “unauthorized disclosure” of personal information (i.e., sharing personal information with a known business partner)—rather than the CCPA’s requirement of “unauthorized access and . . . disclosure.”/
Additionally, the CCPA’s private right of action provisions do not include the CCPA’s otherwise broad definition of “personal information.” Instead, those provisions apply only when sensitive personal information—defined under the state’s breach notification law (e.g., social security number, payment card information, health information)—is accessed and disclosed. The complaints against Zoom do not focus on this type of sensitive information.
Therefore, Zoom likely has many arguments supporting dismissal of the CCPA claim early in the litigation. The court’s handling of these threshold CCPA questions will be interesting and instructive for future CCPA plaintiffs and defendants.
The complaints against Zoom also assert additional claims, including unfair business practices and negligence, apparently based on the alleged underlying failure to comply with the CCPA. However, the CCPA appears on its face to preclude individuals from using it as a basis for other causes of action: “Nothing in this title shall be interpreted to serve as the basis for a private right of action under any other law.” Cal. Civ. Code § 1798.150(c). The plaintiffs appear to be testing this language, and the court’s interpretation of this CCPA provision will similarly prove instructive in future CCPA litigation.
While not yet an issue in the current Zoom litigation, an obvious question for employers is whether they can, or should, mandate that at-home employees use certain technologies as part of their day-to-day business operations. It does not seem far-fetched to envision a scenario where an employee sues an employer, claiming he or she has been harmed by substandard privacy and security practices of third-party services that the employer required the employee to use.
Plaintiffs firms may be working from home—but they’re still working! It is important for businesses to remain vigilant and aware of potential concerns surrounding their new remote workforce. In light of the novel challenges business face with employees working from home, here are some things employers can do to limit their liability and protect their employees:
The foregoing has been prepared for the general information of clients and friends of the firm. It is not meant to provide legal advice with respect to any specific matter and should not be acted upon without professional counsel. If you have any questions or require any further information regarding these or other related matters, please contact your regular Nixon Peabody LLP representative. This material may be considered advertising under certain rules of professional conduct.
Webinar recording | 06.02.20
Litigation Alert | 04.28.20
Webinar Recording | 04.22.20
Class Action Alert | 04.13.20
Data Privacy & Cybersecurity Alert | 03.23.20