In re Zoom Video Commc'ns Inc. Privacy Litig.

ORDER GRANTING IN PART AND DENYING IN PART ZOOM'S MOTION TO DISMISS

Re: Dkt. No. 134

LUCY H. KOH, United States District Judge

Plaintiffs, on behalf of themselves and two putative nationwide classes, allege that Defendant Zoom Video Communications, Inc. ("Zoom") violated nine provisions of California law. Plaintiffs specifically claim that Zoom violated California law by (1) sharing Plaintiffs’ personally identifiable information with third parties; (2) misstating Zoom's security capabilities; and (3) failing to prevent security breaches known as "Zoombombing." Before the Court is Zoom's motion to dismiss Plaintiffs’ first amended complaint. ECF No. 134. Having considered the parties’ submissions; the relevant law; and the record in this case, the Court GRANTS IN PART and DENIES IN PART Zoom's motion to dismiss.

I. BACKGROUND
A. Factual Background

Zoom provides an eponymous video conference service that is available on computers, tablets, smartphones, and telephones. FAC ¶¶ 69–70. Since early 2020, the use of Zoom conferences (a.k.a. "Zoom meetings") has increased significantly in response to the COVID-19 pandemic. Today, Zoom has more than 200 million daily users. Id. ¶ 4.

Plaintiffs are Zoom users who allege—on behalf of themselves and two putative nationwide classes—that Zoom has made harmful misrepresentations and failed to secure Zoom meetings. Plaintiffs make three overarching allegations. See Opp'n at 1–3.

First, Plaintiffs allege that Zoom shared Plaintiffs’ personally identifiable information ("PII") with third parties—such as Facebook, Google, and LinkedIn—without Plaintiffs’ permission. This PII includes Plaintiffs’ "device carrier, iOS Advertiser ID, iOS Device CPU Cores, iOS Device Display Dimension, iOS Device Model, iOS Language, iOS Time zone, iOS Version, even if the user did not have a Facebook account." Opp'n at 1 (citing FAC ¶¶ 5, 13, 78). This PII, "when combined with information regarding other apps used on the same device," allegedly allows third parties "to identify users and track their behavior across multiple digital services." FAC ¶¶ 88–89. Specifically, Plaintiffs allege this PII allows third parties to know when a particular device "open[s] or close[s]" Zoom. FAC ¶ 94. Third parties add this information about a particular device's Zoom usage to their fine-grained profiles on particular devices and people. FAC ¶ 95.

Second, Plaintiffs allege that "Zoom misstated the security capabilities and offerings of its services where Zoom failed to provide end-to-end encryption." Opp'n at 2 (citing FAC ¶¶ 7, 163–66). Specifically, Plaintiffs allege that Zoom misrepresents its encryption protocol—transport encryption—as end-to-end encryption. FAC ¶ 168. Transport encryption provides that "the encryption keys for each meeting are generated by Zoom's servers, not by the client devices." Id. Thus, Zoom can still access the video and audio content of Zoom meetings. Id. By contrast, end-to-end encryption provides that "the encryption keys are generated by the client (customer) devices, and only the participants in the meeting have the ability to decrypt it." Id.

Plaintiffs’ last overarching allegation is that Zoom has failed to prevent—and warn users about—security breaches known as "Zoombombing." A Zoom meeting is Zoombombed when bad actors join a meeting without authorization and "display[ ] pornography, scream[ ] racial epitaphs [sic], or engag[e] in similarly despicable conduct." FAC ¶ 9.

These three overarching allegations give rise to nine claims on behalf of all Plaintiffs and both putative classes: (1) invasion of privacy in violation of California common law and the California Constitution, Art. I, § 1; (2) negligence; (3) breach of implied contract; (4) breach of implied covenant of good faith and fair dealing; (5) unjust enrichment/quasi-contract; (6) violation of the California Unfair Competition Law, Cal. Bus. Prof. Code § 17200, et seq.; (7) violation of the California Consumer Legal Remedies Act, Cal. Civ. Code § 1750, et seq.; (8) violation of the Comprehensive Data Access and Fraud Act ("CDAFA"), Cal. Penal Code § 502; and (9) deceit by concealment under Cal. Civ. Code § 1710(3). Plaintiffs’ two putative classes are:

Nationwide Class: All persons in the United States who used Zoom.
Under 13 Sub-Class: All persons under the age of 13 in the United States who used Zoom.

FAC ¶¶ 191–92.

Plaintiffs are 11 individuals and two churches who have used Zoom. All Plaintiffs (except Saint Paulus Lutheran Church) allege that they relied on Zoom's promises that "(a) Zoom does not sell users’ data; (b) Zoom takes privacy seriously and adequately protects users’ personal information; and (c) Zoom's videoconferences are secured with end-to-end encryption and are protected by passwords and other security measures." E.g., FAC ¶¶ 18, 22, 26, 40, 57. In addition, six Plaintiffs, including the two churches, allege that they suffered Zoombombing in the following ways:

Saint Paulus Lutheran Church ("Saint Paulus") is an Evangelical Lutheran church located in San Francisco, California. FAC ¶ 32. Saint Paulus accesses Zoom video conferencing on an Apple laptop. Id. ¶ 31.
Heddi N. Cundle is the administrator of Saint Paulus. Cundle uses Zoom both for Saint Paulus and herself. FAC ¶ 33. Cundle accesses Zoom video conferencing on her iPhone and Windows laptop. Cundle alleges that on May 6, 2020, she set up a password-protected Zoom meeting to hold a Bible study for Saint Paulus. Id. ¶ 37. Despite that password, an intruder hijacked the Zoom meeting and displayed child pornography. Id. Cundle then reported the Zoombombing incident to Zoom. Id. Zoom allegedly admitted that the intruder was "a known serial offender" who had "been reported multiple times to the authorities." Id. ¶ 37. Even so, Zoom allegedly did not ban the intruder from joining future meetings using the same Zoom software until Cundle reported the May 6, 2020 incident. Id.
Oak Life Church ("Oak Life") is a non-denominational Christian church located in Oakland, California. FAC ¶ 39. Oak Life accesses Zoom video conferencing on an iPhone and Apple laptop on a paid Zoom Pro account. Id. On April 19, 2020, Oak Life set up a Sunday church service on Zoom with three security features: "a waiting room, mute on entry, and no ability for [non-host] users to share their screens." Id. ¶ 41. Despite these security features, an intruder hijacked the Zoom meeting and displayed child pornography. Id. The incident traumatized the meeting's participants and required Oak Life to hire trauma counsellors. Id.
Stacey Simins is an operator of a burlesque dance studio and uses her Zoom Pro account for teaching classes. FAC ¶ 45. Simins accesses Zoom video conferencing on her iPhone, Apple laptop, or Apple desktop. Id. ¶ 43. Simins alleges that on "multiple occasions," uninvited men showed up to dance classes taught by her studio. Id. ¶ 45. The intrusion of these uninvited men has led to Simins losing 10 to 15 full-time members of her dance studio. Id.
Caitlin Brice uses Zoom for speech therapy and to attend events. FAC ¶¶ 48–49. Brice accesses Zoom video conferencing on her Android phone, tablet, and Windows laptop. Id. ¶ 46. In April or May 2020, Brice alleges that she "attended a Zoom event during which the participants were subjected to intentional pornographic material when unknown men dropped into the meeting with the intention of disrupting it." Id. ¶ 49.
Peter Hirschberg uses his Zoom Pro account to attend Zoom events. FAC ¶ 55. Hirschberg accesses Zoom video conferencing on his iPhone, iPads, and Apple computer. Id. ¶ 53. On May 30, 2020, Hirschberg alleges that he "attended a Zoom event during which the participants were subjected to intentional anti-semetic [sic] material when uninvited intruders dropped into the meeting with the intention of disrupting it." Id. ¶ 55.

Seven Plaintiffs do not allege Zoombombing. Rather, these Plaintiffs allege that Zoom shared their PII and misrepresented Zoom's encryption protocol. These seven Plaintiffs are the following individuals:

Kristen Hartmann purchased a "Zoom Pro" account for her own personal use and accessed Zoom's video conferencing services on her iPhone. FAC ¶ 17. "After comparing Zoom against GoToMeeting and Webex, Ms. Hartmann selected Zoom over other options largely due to Zoom's representations of its end-to-end encryption. Further, periodically during Zoom meetings calls, Ms. Hartmann would ‘check’ to ensure the calls were end-to-end encrypted by hovering her cursor over the green lock icon in the application.... Had Ms. Hartmann known that Zoom meetings were not actually end-to-end encrypted, she would not have paid for a Zoom Pro subscription, or she would have paid less for it." FAC ¶¶ 18–19.
Isabelle Gmerek has registered an account with Zoom and accesses Zoom's video conferencing services on her Android phone and iPad. FAC ¶ 21. "In late February or early March of 2020, Ms. Gmerek began using Zoom for meetings with her psychologist in reliance on representations by Zoom that it was a secure method of videoconferencing, that it was in full compliance with the Health Insurance Portability and Accountability Act (HIPAA), and that it had not misrepresented the security features available to users." FAC ¶ 23.
Lisa T. Johnston has registered an account with Zoom and uses Zoom videoconferencing on her Apple laptop and iPhone. FAC ¶ 25. Johnston generally alleges, as all Plaintiffs but Saint Paulus do, that she relied on Zoom's promises that "(a) Zoom does not sell users’ data; (b) Zoom takes privacy seriously and adequately protects users’ personal information; and (c) Zoom's videoconferences are secured with end-to-end encryption and are protected by passwords and other security measures." Id. ¶ 26.
M.F. is a
...
5 cases
Document | California Court of Appeals – 2024
Wozniak v. Youtube
"...failures. Plaintiffs rely solely on a recent case from the northern district of California—In re Zoom Video Communications Inc. Privacy Litigation (N.D. Cal. 2021) 525 F.Supp.3d 1017 (In re Zoom). In that case, the plaintiffs were Zoom users who alleged that Zoom had made harmful misreprese..."
Document | U.S. District Court — Northern District of California – 2023
Doe v. Meta Platforms, Inc.
"...of the plaintiffs allege that they saw and relied on those alleged misrepresentations. See, e.g., In re Zoom Video Commc'ns Inc. Priv. Litig., 525 F. Supp. 3d 1017, 1046 (N.D. Cal. 2021) (dismissing CLRA claims where "[n]o Plaintiff alleges reading those allegedly misleading statements, let..."
Document | U.S. District Court — Northern District of California – 2021
King v. Facebook, Inc.
"...subsection 230(c)(1) of the [CDA] does not preclude her cause of action." Id. at 1109 ; see also In re Zoom Video Comms. Priv. Litig. , 525 F.Supp.3d 1017, 1034–35 (N.D. Cal. 2021) (finding CDA immunity with respect to most of plaintiffs’ "Zoombombing" claims – i.e., that " ‘failures of Zoo..."
Document | California Court of Appeals – 2023
Garrabrants v. Erhart
"...purposes of a private right of action under Penal Code section 502. One case on which he relies is In re Zoom Video Communs. Privacy Litig. (N.D. Cal. 2021) 525 F.Supp.3d 1017 (In re Zoom). In re Zoom, however, is inapposite. There, the district court merely decided on a motion to dismiss t..."
Document | U.S. District Court — Northern District of California – 2022
Calise v. Meta Platforms, Inc.
"... ... speaker. In re Zoom Video Commc'ns Inc. Priv ... Litig., 525 F.Supp.3d ... "
