Court Partially Grants Zoom’s Motion to Dismiss Privacy Suit

On Thursday, Judge Lucy H. Koh of the Northern District of California issued an order partially granting and partially denying Zoom Video Communication Inc.’s motion to dismiss the first amended complaint in the consolidated privacy lawsuit against it.

The opinion noted that the plaintiffs, on behalf of themselves and putative classes of Zoom users, alleged that Zoom violated nine provisions of California law by “(1) sharing Plaintiffs’ personally identifiable information with third parties; (2) misstating Zoom’s security capabilities; and (3) failing to prevent security breaches known as‘Zoombombing.’”

Zoom moved to dismiss all of the claims with prejudice, making two primary arguments. In particular, Zoom contended that Section 230 (c)(1) of the Communications Decency Act “bars Plaintiff(s)’ claims to the extent the claims are based on ‘Zoombombing’” and the court noted that Zoom grouped these claims arguing that the “Plaintiffs categorically fail to allege harm under any claim.”

The court analyzed Zoom’s Section 230(c)(1) immunity argument, for which Zoom asserted that Section 230 bars the plaintiffs’ claims based on “Zoombombing.” The court stated that it agrees with Zoom in part, finding that since the plaintiffs “do not treat Zoom as a ‘publisher or speaker’ with respect to all claims” it is partially immune from the plaintiffs’ Zoombombing claims. 

Specifically, the court noted that Zoom is an interactive computer service and agreed with Zoom that the plaintiffs’ “public-private distinction is factually and legally flawed” because, for example, “some Zoom meetings are open to the public” and the related case law “does not recognize a public/private distinction.” The court also agreed that Section 230 “largely bars Plaintiffs’ claims,” for example, that the plaintiffs “cannot hold Zoom liable for injuries stemming from the heinousness of third-party content.”

The court ruled that Section 230 otherwise allows the plaintiffs’ claims regarding breach of contractual duties “because these duties are independent of Zoom’s role as ‘publisher or speaker.’” Thus, the court found that Section 230 (c)(1) mostly immunizes Zoom from the plaintiffs’ Zoombombing claims. The court granted the motion to dismiss the plaintiffs’ claims to the extent that they “(1) challenge the harmfulness of ‘content provided by another’; and (2) derive[] from the defendant’s status or conduct as a ‘publisher or speaker’ of that content.” However, the court allowed the plaintiffs to amend their claims. 

Regarding the invasion of privacy claim, the court agreed with Zoom that the plaintiffs failed to allege that their data was shared with a third party, so the court dismissed the plaintiffs’ Count 1 invasion of privacy claim. The court found that the economic loss rule bars the second claim of negligence. The court stated that, in count 3, the plaintiffs sufficiently pleaded an implied contract violation because Zoom did not show that the plaintiffs agreed to its terms of service. The court also ruled that the plaintiffs adequately alleged Cout 4, breach of the implied covenant of good faith and fair dealing, and Count 5, unjust enrichment/quasi-contract, but insufficiently alleged Count 8, violation of the Comprehensive Data Access and Fraud Act . Meanwhile, the court found that the plaintiffs inadequately alleged Counts 6, 7, and 9, relating to California’s Unfair Competition Law, California Consumer Legal Remedies Act, and fraudulent concealment.

As a result, the court granted in part and denied in part Zoom’s motion to dismiss the plaintiffs’ First Amended Complaint and allowed the plaintiffs 30 days to amend their claims.

Zoom is represented by Cooley LLP. The plaintiffs are represented by Ahdoot & Wolfson PC; Cotchett, Pitre & McCarthy LLP; Wolf Haldenstein Adler Freeman & Herz LLP; Bottini & Bottini Inc.; and Gibbs Law Group LLP.