Nixon Peabody LLP

  • People
  • Capabilities
  • Insights
  • About

Trending Topics

    • People
    • Capabilities
    • Insights
    • About
    • Locations
    • Events
    • Careers
    • Alumni

    Practices

    View All

    • Affordable Housing
    • Community Development Finance
    • Corporate & Finance
    • Cybersecurity & Privacy
    • Environmental
    • Franchising & Distribution
    • Government Investigations & White Collar Defense
    • Healthcare
    • Intellectual Property
    • International Services
    • Labor & Employment
    • Litigation
    • Private Wealth & Advisory
    • Project Finance
    • Public Finance
    • Real Estate
    • Regulatory & Government Relations

    Industries

    View All

    • Cannabis
    • Consumer
    • Energy
    • Entertainment
    • Financial Services
    • Healthcare
    • Higher Education
    • Infrastructure
    • Manufacturing
    • Non Profit
    • Real Estate
    • Technology

    Value-Added Services

    View All

    • Alternative Fee Arrangements

      Developing innovative pricing structures and alternative fee agreement models that deliver additional value for our clients.

    • Continuing Education

      Advancing professional knowledge and offering credits for attorneys, staff and other professionals.

    • Crisis Advisory

      Helping clients respond correctly when a crisis occurs.

    • DEI Strategic Services

      Providing our clients with legal, strategic, and practical advice to make transformational changes in their organizations.

    • eDiscovery

      Leveraging law and technology to deliver sound solutions.

    • Global Services

      Delivering seamless service through partnerships across the globe.

    • Innovation

      Leveraging leading-edge technology to guide change and create seamless, collaborative experiences for clients and attorneys.

    • IPED

      Industry-leading conferences focused on affordable housing, tax credits, and more.

    • Legal Project Management

      Providing actionable information to support strategic decision-making.

    • Legally Green

      Teaming with clients to advance sustainable projects, mitigate the effects of climate change, and protect our planet.

    • Nixon Peabody Trust Company

      Offering a range of investment management and fiduciary services.

    • NP Capital Connector

      Bringing together companies and investors for tomorrow’s new deals.

    • NP Second Opinion

      Offering fresh insights on cases that are delayed, over budget, or off-target from the desired resolution.

    • NP Trial

      Courtroom-ready lawyers who can resolve disputes early on clients’ terms or prevail at trial before a judge or jury.

    • Social Impact

      Creating positive impact in our communities through increasing equity, access, and opportunity.

    1. Home
    2. Insights
    3. Alerts
    4. Recent privacy class actions against Zoom raise questions about work-from-home technologies as well as CCPA applicabilityAlerts

    Alert / Data Privacy and Class Action Alert

    Recent privacy class actions against Zoom raise questions about work-from-home technologies as well as CCPA applicability

    April 6, 2020

    Share

    Recent class action lawsuits filed against the popular video conferencing service in California federal court for alleged privacy violations highlight concerns for employers and their remote workforce as well as raises questions about the applicability of the new CCPA.

    DOWNLOADS

    Across the country, millions of people are confined to their homes due to the coronavirus pandemic. In the new work-from-home environment, novel and challenging privacy concerns are coming to the forefront. With the use of video conferences exploding, recent class action lawsuits filed against Zoom (one of the most popular video conferencing services) in California federal court for alleged privacy violations highlight these issues. Companies should properly assess services’ data privacy and security measures before requiring employees to use such services. Employers could potentially be held liable for a communication services’ mishandling of users’ personal information.

    Zoom class actions

    The class actions allege that Zoom failed to properly safeguard the personal information of users of its software application and video conferencing platform. Among other things, the suits allege that Zoom collected and disclosed, without adequate notice or authorization, personal information of its users to third parties, including Facebook.

    Zoom allegedly disclosed personal information including the model of a user’s device, the time zone and city where a user is connecting from, the phone carrier being used, and a unique identifier for targeted advertisements. The collection and disclosure of this information purportedly was not addressed in Zoom’s privacy policy. The class action complaints allege that millions of users were harmed by these failures, as well as Zoom’s failure to implement and maintain reasonable security protections and protocols. These purported failures are cited in support of the complaints’ causes of action under the California Consumer Privacy Act (CCPA), California Unfair Competition Law, Consumers Legal Remedies Act, negligence, invasion of privacy, and unjust enrichment.

    The California Consumer Privacy Act claim

    The claims under the CCPA raise novel threshold questions, particularly given that the statute only went into effect on January 1, 2020. As is well known, the CCPA provides California residents with significant privacy rights, including access to their personal information retained or shared by a business, as well as notices from certain businesses regarding their collection, use, and disclosure of personal information. Thus far, it has been generally understood that a business’s violation of these provisions is only enforceable by the California Attorney General (and such enforcement will not begin until July 1, 2020). The CCPA’s very limited private right of action provides California residents recourse when their “nonencrypted and nonredacted personal information” is “subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures.” Cal. Civ. Code § 1798.150(a). It is generally understood, in other words, that this limited private right of action only applies when there has been a data breach (i.e., unauthorized access) which compromises user data.

    However, the complaints against Zoom do not allege a data breach; rather they attempt to interpret the CCPA’s private right of action (likely in an effort to recover the CCPA’s statutory damages) to apply to the “unauthorized disclosure” of personal information (i.e., sharing personal information with a known business partner)—rather than the CCPA’s requirement of “unauthorized access and . . . disclosure.”/

    Additionally, the CCPA’s private right of action provisions do not include the CCPA’s otherwise broad definition of “personal information.” Instead, those provisions apply only when sensitive personal information—defined under the state’s breach notification law (e.g., social security number, payment card information, health information)—is accessed and disclosed. The complaints against Zoom do not focus on this type of sensitive information.

    Therefore, Zoom likely has many arguments supporting dismissal of the CCPA claim early in the litigation. The court’s handling of these threshold CCPA questions will be interesting and instructive for future CCPA plaintiffs and defendants.

    The remaining claims

    The complaints against Zoom also assert additional claims, including unfair business practices and negligence, apparently based on the alleged underlying failure to comply with the CCPA. However, the CCPA appears on its face to preclude individuals from using it as a basis for other causes of action: “Nothing in this title shall be interpreted to serve as the basis for a private right of action under any other law.” Cal. Civ. Code § 1798.150(c). The plaintiffs appear to be testing this language, and the court’s interpretation of this CCPA provision will similarly prove instructive in future CCPA litigation.

    Potential employer liability? What this means for your business:

    While not yet an issue in the current Zoom litigation, an obvious question for employers is whether they can, or should, mandate that at-home employees use certain technologies as part of their day-to-day business operations. It does not seem far-fetched to envision a scenario where an employee sues an employer, claiming he or she has been harmed by substandard privacy and security practices of third-party services that the employer required the employee to use.

    Plaintiffs firms may be working from home—but they’re still working! It is important for businesses to remain vigilant and aware of potential concerns surrounding their new remote workforce. In light of the novel challenges business face with employees working from home, here are some things employers can do to limit their liability and protect their employees:

    • Do not require or recommend employees use a communication service that has not been adequately vetted by the employer or its attorneys. If, for example, a service’s privacy policy does not appear on its face to comply with notice and transparency requirements (or if an employer has reason to know affirmative statements in a privacy policy are false), an employer may be liable under negligence or other theories;
    • Carefully scrutinize privacy and security measures before recommending any “free” version of a communication service or technology for employees’ remote work. Business- or professional-versions, while coming with a cost, often come with additional protections and, at a minimum, are subject to bilateral contract negotiation where representations and warranties likely can be secured;
    • Review and follow best practices for using communication services and other technologies to minimize privacy and security concerns. For a list of best practices and other advice, please see our alert, “How to protect your remote workforce from cyberattacks: Tips to consider as working from home becomes the norm.”
    Privacy

    Practices

    Cybersecurity & PrivacyCongressional InvestigationsLitigationClass Actions & Aggregate Litigation

    Insights And Happenings

    • Alert

      U.S. Securities and Exchange Commission issues requests to companies related to the SolarWinds cyberattack

      June 23, 2021
    • Alert

      More changes in the California Consumer Privacy Act (CCPA) landscape: What you need to know about the new regulations

      March 23, 2021
    • Article

      Telephone Consumer Protection Act (TCPA) Compliance: Uncertainty in Uncertain Times

      June 2, 2020

    Subscribe to stay informed of the latest legal news, alerts, and business trends.Subscribe

    • People
    • Capabilities
    • Insights
    • About
    • Locations
    • Events
    • Careers
    • Alumni
    • © 2023 Nixon Peabody. All rights reserved
    • Privacy Policy
    • Terms of Use
    • Statement of Client Rights
    • Supplier Diversity Program
    • Nixon Peabody International LLC
    • PAL