525 F.Supp.3d 1017
N.D. Cal.2021Background:
- Zoom Video Communications provides widely used video-conferencing software; use surged during COVID‑19 and the FAC alleges (a) unwanted sharing of user PII with third parties (e.g., Facebook, Google, LinkedIn); (b) misrepresentations that Zoom offered end‑to‑end encryption when it used server‑side (transport) encryption; and (c) failures to prevent and warn about "Zoombombing" intrusions (pornographic, racist, or otherwise offensive disruptions).
- Plaintiffs are 11 individuals and two churches suing on behalf of a nationwide class and a subclass of users under 13; some plaintiffs allege Zoombombing harms, others allege only data‑sharing and encryption misrepresentations.
- The FAC pleads nine claims under California law (invasion of privacy; negligence; implied contract; implied covenant of good faith; unjust enrichment; UCL; CLRA; CDAFA; deceit by concealment). Zoom moved to dismiss the FAC in full.
- Key factual gaps identified by the court: most plaintiffs fail to plead that Zoom actually disclosed their specific PII to third parties (only one former plaintiff plausibly alleged pre‑March 27 iOS/Facebook SDK sharing, but she later dismissed claims), and many allegations lack dates/app-specific details.
- Court disposition: GRANTS IN PART and DENIES IN PART Zoom’s motion to dismiss; allows leave to amend for dismissed claims and dismisses certain claims based on §230 immunity, pleading failures, and the economic loss rule.
Issues:
| Issue | Plaintiff's Argument | Defendant's Argument | Held |
|---|---|---|---|
| §230(c)(1) immunity for Zoombombing claims | Zoom should be accountable for failure to provide promised security and warnings | §230 immunizes interactive computer services against liability for third‑party content/publisher functions | §230 largely bars claims that challenge the harmfulness of third‑party content or treat Zoom as publisher; but does not bar content‑neutral claims or contract claims independent of publisher status (partial immunity; leave to amend) |
| Invasion of privacy (data sharing) | Zoom shared device‑fingerprinting and PII (via Facebook SDK, Android behavior, LinkedIn Sales Navigator) without consent | Plaintiffs fail to allege that Zoom actually disclosed each plaintiff’s data to third parties or allege necessary device/app/version specifics | Dismissed for failure to plead actual disclosure of plaintiffs’ data; leave to amend |
| Negligence (Count 2) | Zoom negligently failed to secure meetings and misrepresented security features causing emotional and economic harm | Economic loss rule precludes tort recovery for purely economic losses; no special relationship or intentional misconduct pleaded | Dismissed under economic loss rule; leave to amend |
| Implied contract / Terms of Service interplay (Counts 3 & 4) | Plaintiffs allege implied contract obligations to secure user data separate from TOS; some data allegedly shared before TOS acceptance | Zoom argues TOS and privacy policy are the controlling express contract; plaintiffs accepted TOS | Court finds Zoom has not shown on 12(b)(6) record that plaintiffs agreed to TOS; implied contract and implied covenant survive |
| CDAFA (Cal. Penal Code §502) (Count 8) | Zoom unlawfully accessed/used/provided access to users’ data; plaintiffs suffered damage/loss | Plaintiffs failed to plead damage or loss because no showing that Zoom disclosed plaintiffs’ data or profited from it | Dismissed for failure to plead requisite "damage or loss"; leave to amend |
| Fraud‑based claims: UCL (fraudulent prong), CLRA, deceit by concealment | Plaintiffs allege misrepresentations/omissions about encryption, privacy, and data sales | Zoom argues Rule 9(b) requires particularized pleading; many plaintiffs did not allege when/where they saw statements or the specific reliance details; also CLRA standing/notice issues | Fraud‑based claims dismissed for failure to meet Rule 9(b); leave to amend. UCL unlawful and unfair prongs survive (tethered to implied contract and alleged statutory/public‑policy violations) |
| UCL unlawful/unfair prongs & unjust enrichment (Counts 5 & 6) | UCL remedies and restitution/wrongs flow from contract, statutory violations, and unfair practices | Zoom contends predicates fail so UCL/unjust enrichment fail too | UCL unlawful and unfair prongs survive (tethering to statutory/public policy including COPPA/HIPAA alleged). Unjust enrichment survives as derivative of surviving claims |
Key Cases Cited
- Bell Atl. Corp. v. Twombly, 550 U.S. 544 (2007) (pleading must state a claim plausible on its face)
- Ashcroft v. Iqbal, 556 U.S. 662 (2009) (court need not accept legal conclusions as true)
- Barnes v. Yahoo!, Inc., 570 F.3d 1096 (9th Cir. 2009) (§230 does not bar contract claims that create duties independent of publisher status)
- Fair Hous. Council v. Roommates.Com, LLC, 521 F.3d 1157 (9th Cir. 2008) (en banc) (§230 protects traditional editorial functions and content moderation)
- Doe v. Internet Brands, Inc., 824 F.3d 846 (9th Cir. 2016) (§230 immunity does not bar claims that do not require treating defendant as publisher of third‑party content)
- HomeAway.com, Inc. v. City of Santa Monica, 918 F.3d 676 (9th Cir. 2019) (content‑neutral regulation not precluded by §230)
- In re Facebook, Inc. Internet Tracking Litig., 956 F.3d 589 (9th Cir. 2020) (recognizing harm from undisputed third‑party tracking and use of user data)
- Nguyen v. Barnes & Noble Inc., 763 F.3d 1171 (9th Cir. 2014) (inquiry notice standard for online terms of service)