The new California Consumer Privacy Act (CCPA) shows promising signs in supporting consumer rights in consumer privacy and protection cases, as early cases apply the new statute, according to plaintiffs’ attorney Jason Hartley of Hartley LLP.
In Kondrat et al v. Zoom, one of many suits filed against the teleconferencing provider, the plaintiffs asserted the CCPA to redress consumer violations. In the case, the plaintiffs and class members paid for access to Zoom. They argue that they did not get what they paid for because of privacy and security issues unknown to subscribers of Zoom. For example, Zoom allegedly shared personally identifying information to Facebook and other third parties; told users that the platform was encrypted from end-to-end when it was not; and users may have experienced “zoombombing,” when a bad actor was able to join a supposedly private meeting and disrupt the call.
Discussing this case and its relation to the CCPA, Hartley, who represents the plaintiffs, said “this [litigation] could be a test case of sorts for the new California Consumer Privacy Act. This is the kind of conduct, frankly, that that law was passed to address…and, at least in California, we’re taking measures to protect our consumers and, in this respect, it may become a leader for a lot of other states and I hope that it does.”
The CCPA adds another layer of consumer protection because it provides for statutory damages, which other statutes that would normally be used in this kind of lawsuit do not yet provide. Speaking broadly about the CCPA, Hartley stated that the statute went into effect in January and as a result, “the jury is still out, literally and figuratively, as to what kind of teeth that statute really is going to have. It changes the law a little bit in that it’s relatively broad in the kind of data that it encompasses, and also provides for statutory damages. So, if Zoom or any other corporation that might be violating the law doesn’t act quickly, it’s on the hook statutorily, and that’s a big difference from the normal data breach cases because the fact remains that it’s very difficult to prove actual damages because your data is getting out there through any number of ways, so it’s hard to trace it…if it was because of a breach of your account with Home Depot or your Zoom account or any other entity…so actual damages are always very difficult to prove in a case. The California statute says ‘well in addition to that, proving actual damages, you’ve got statutory damages. I think that’s a big stick for corporations to be as responsible as they should already have been with your personal information.”
Consumers have filed suits against other corporations, such as Salesforce and Hanna Andersson, claiming that they violated the CCPA. For example, in the Salesforce and Hanna Andersson suit, the plaintiffs argue that the data breach resulted in the dissemination of consumers’ data on the dark web. Meanwhile, companies, such as Avast tout that they are CCPA compliant and advertisers have asked California to delay enforcing the statute arguing that the resources that would normally be used to ensure CCPA compliance have instead been used to deal with the COVID-19 pandemic. These examples highlight the potential strength and importance of the statute.
In March and April, Zoom made public statements about the incidents and its overall privacy and security practices, which it has worked to quickly resolve. Hartley pointed out Zoom’s quick action and compared it to other companies, who have lagged when resolving breaches, believing this action has most likely helped Zoom. He added that the “new California Consumer Privacy Act, which incentivizes companies…at least in California, to take quick action to address these kinds of failures and unwanted disclosure of personal information” could have been one of the factors that motivated Zoom to act quickly, ultimately helping consumers because of its quick response and action.
The statute could also benefit consumers through its statutory damages clause. Hartley said the CCPA “helped us in drafting the complaint because there aren’t many statutes, frankly, that you can sue under in a data breach or privacy case that provides for actual remunerations for the victims…so, having a statutory damage is very powerful in protecting consumer rights.” He added that “the statutory damages in there can be significant because it provides for up to $100 per person and $750 per consumer per incident, so that can add up when you’ve got as many as millions of [users harmed at the]…fault of Zoom, it’s a big deal for a company like that.”
When asked about what consumers can legally and reasonably expect companies to protect, Hartley responded that “the massive data breach cases that myself and my colleagues have pursued have done a good job of keeping corporate America on notice that consumers aren’t going to tolerate irresponsible disclosure of their personal data…First of all, there are some data that in all fairness most companies really take dramatic efforts to protect and those are because they come with statutory damages for disclosure. For example, your personal medical history, your social security number; so, there are teeth in the legislation regarding breaches of those laws and I hope that the California statute… advances that rationale to your simple personal information.”
Hartley concluded that “the bottom line is that I represent real people who have real damages and if Zoom is going to do right by them and give them their money back and fix the problems that they acknowledged that we alleged in the complaint, that’s fantastic… [and if they provide as a result,] a secure platform to use moving forward, I think that’s a win-win.”