In two separate class action lawsuits filed in the Northern District of California, consumers allege that Zoom improperly failed to disclose that it was sharing certain consumer data with Facebook for the purpose of delivering ads. The suits followed news coverage that documented how Zoom sent data about its users to Facebook, including information about the device, the mobile carrier, and the unique advertising identifier associated with the user’s device. Zoom provided this information to Facebook regardless of whether the Zoom user was an actual Facebook subscriber.
Unlike general UDAP principles, the CCPA specifically requires covered businesses to provide point-of-collection disclosures regarding the collection, use, sharing, and selling of the personal information of California consumers. Any data privacy practices not included in the disclosure are considered unauthorized and prohibited by the CCPA.
The Zoom lawsuits are also significant, as they present a novel question about the scope of the CCPA’s private right of action. The CPPA expressly provides a private right of action only for violations of the Act’s data breach provisions. All other alleged violations of the Act (for example, failing to comply with restrictions on the use, collection, and sharing of personal information) can only be brought by the California Attorney General.
In an effort to bypass the CCPA’s limited private right of action, the Zoom plaintiffs argue that Zoom’s disclosure of personal information to Facebook constitutes a data breach because failing to disclose a data-sharing practice is tantamount to an unauthorized disclosure of personal information (rather than an apparent failure to disclose). While this argument appears to be a reach beyond the plain language of the CCPA, if the Zoom plaintiffs are successful with this argument, businesses may face private class action litigation for a wide scope of alleged CCPA violations.