Case 5:20-cv-02155-LHK Document 168 Filed 03/11/21 Page 1 of 41
`
`
`
`
`
`
`
`UNITED STATES DISTRICT COURT
`
`NORTHERN DISTRICT OF CALIFORNIA
`
`SAN JOSE DIVISION
`
`IN RE: ZOOM VIDEO
`
`COMMUNICATIONS INC. PRIVACY
`
`LITIGATION
`
`Case No. 20-CV-02155-LHK
`
`ORDER GRANTING IN PART AND
`DENYING IN PART ZOOM’S MOTION
`TO DISMISS
`Re: Dkt. No. 134
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`Plaintiffs, on behalf of themselves and two putative nationwide classes, allege that
`
`Defendant Zoom Video Communications, Inc. (“Zoom”) violated nine provisions of California
`
`law. Plaintiffs specifically claim that Zoom violated California law by (1) sharing Plaintiffs’
`
`personally identifiable information with third parties; (2) misstating Zoom’s security capabilities;
`
`and (3) failing to prevent security breaches known as “Zoombombing.” Before the Court is
`
`Zoom’s motion to dismiss Plaintiffs’ first amended complaint. ECF No. 134. Having considered
`
`the parties’ submissions; the relevant law; and the record in this case, the Court GRANTS IN
`
`PART and DENIES IN PART Zoom’s motion to dismiss.
`
`Case No. 20-CV-02155-LHK
`ORDER GRANTING IN PART AND DENYING IN PART ZOOM’S MOTION TO DISMISS
`
`1
`
`1
`
`2
`
`3
`
`4
`
`5
`
`6
`
`7
`
`8
`
`9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`27
`
`28
`
`Northern District of California
`United States District Court
`
`

`

`Case 5:20-cv-02155-LHK Document 168 Filed 03/11/21 Page 2 of 41
`
`
`
`I.
`
`BACKGROUND
`A. Factual Background
`Zoom provides an eponymous video conference service that is available on computers,
`
`tablets, smartphones, and telephones. FAC ¶¶ 69–70. Since early 2020, the use of Zoom
`
`conferences (a.k.a. “Zoom meetings”) has increased significantly in response to the COVID-19
`
`pandemic. Today, Zoom has more than 200 million daily users. Id. ¶ 4.
`
`Plaintiffs are Zoom users who allege—on behalf of themselves and two putative
`
`nationwide classes—that Zoom has made harmful misrepresentations and failed to secure Zoom
`
`meetings. Plaintiffs make three overarching allegations. See Opp’n at 1–3.
`
`First, Plaintiffs allege that Zoom shared Plaintiffs’ personally identifiable information
`
`(“PII”) with third parties—such as Facebook, Google, and LinkedIn—without Plaintiffs’
`
`permission. This PII includes Plaintiffs’ “device carrier, iOS Advertiser ID, iOS Device CPU
`
`Cores, iOS Device Display Dimension, iOS Device Model, iOS Language, iOS Time zone, iOS
`
`Version, even if the user did not have a Facebook account.” Opp’n at 1 (citing FAC ¶¶ 5, 13, 78).
`
`This PII, “when combined with information regarding other apps used on the same device,”
`
`allegedly allows third parties “to identify users and track their behavior across multiple digital
`
`services.” FAC ¶¶ 88–89. Specifically, Plaintiffs allege this PII allows third parties to know when
`
`a particular device “open[s] or close[s]” Zoom. FAC ¶ 94. Third parties add this information about
`
`a particular device’s Zoom usage to their fine-grained profiles on particular devices and people.
`
`FAC ¶ 95.
`
`Second, Plaintiffs allege that “Zoom misstated the security capabilities and offerings of its
`
`services where Zoom failed to provide end-to-end encryption.” Opp’n at 2 (citing FAC ¶¶ 7, 163–
`
`66). Specifically, Plaintiffs allege that Zoom misrepresents its encryption protocol—transport
`
`encryption—as end-to-end encryption. FAC ¶ 168. Transport encryption provides that “the
`
`encryption keys for each meeting are generated by Zoom’s servers, not by the client devices.” Id.
`
`Thus, Zoom can still access the video and audio content of Zoom meetings. Id. By contrast, end-
`
`to-end encryption provides that “the encryption keys are generated by the client (customer)
`
`Case No. 20-CV-02155-LHK
`ORDER GRANTING IN PART AND DENYING IN PART ZOOM’S MOTION TO DISMISS
`
`2
`
`1
`
`2
`
`3
`
`4
`
`5
`
`6
`
`7
`
`8
`
`9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`27
`
`28
`
`Northern District of California
`United States District Court
`
`

`

`Case 5:20-cv-02155-LHK Document 168 Filed 03/11/21 Page 3 of 41
`
`
`
`1
`
`2
`
`3
`
`4
`
`5
`
`6
`
`7
`
`8
`
`9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`27
`
`28
`
`devices, and only the participants in the meeting have the ability to decrypt it.” Id.
`
`Plaintiffs’ last overarching allegation is that Zoom has failed to prevent—and warn users
`
`about—security breaches known as “Zoombombing.” A Zoom meeting is Zoombombed when bad
`
`actors join a meeting without authorization and “display[] pornography, scream[] racial epitaphs
`
`[sic], or engag[e] in similarly despicable conduct.” FAC ¶ 9.
`
`These three overarching allegations give rise to nine claims on behalf of all Plaintiffs and
`
`both putative classes: (1) invasion of privacy in violation of California common law and the
`
`California Constitution, Art. I, § 1; (2) negligence; (3) breach of implied contract; (4) breach of
`
`implied covenant of good faith and fair dealing; (5) unjust enrichment/quasi-contract; (6) violation
`
`of the California Unfair Competition Law, Cal. Bus. Prof. Code § 17200, et seq.; (7) violation of
`
`the California Consumer Legal Remedies Act, Cal. Civ. Code § 1750, et seq.; (8) violation of the
`
`Comprehensive Data Access and Fraud Act (“CDAFA”), Cal. Penal Code § 502; and (9) deceit by
`
`concealment under Cal. Civ. Code § 1710(3). Plaintiffs’ two putative classes are:
`Nationwide Class: All persons in the United States who used Zoom.
`Under 13 Sub-Class: All persons under the age of 13 in the United States who used
`Zoom.
`
`FAC ¶¶ 191–92.1
`
`Plaintiffs are 11 individuals and two churches who have used Zoom. All Plaintiffs (except
`
`Saint Paulus Lutheran Church) allege that they relied on Zoom’s promises that “(a) Zoom does not
`
`sell users’ data; (b) Zoom takes privacy seriously and adequately protects users’ personal
`
`information; and (c) Zoom’s videoconferences are secured with end-to-end encryption and are
`
`protected by passwords and other security measures.” E.g., FAC ¶¶ 18, 22, 26, 40, 57. In addition,
`
`six Plaintiffs, including the two churches, allege that they suffered Zoombombing in the following
`
`ways:
`
`
`1 “Specifically excluded from the Classes are Defendant and any entities in which Defendant has a
`controlling interest, Defendant’s agents and employees, the judge to whom this action is assigned,
`members of the judge’s staff, and the judge’s immediate family.” FAC ¶ 193.
`3
`
`Case No. 20-CV-02155-LHK
`ORDER GRANTING IN PART AND DENYING IN PART ZOOM’S MOTION TO DISMISS
`
`Northern District of California
`United States District Court
`
`

`

`Case 5:20-cv-02155-LHK Document 168 Filed 03/11/21 Page 4 of 41
`
`
`
`• Saint Paulus Lutheran Church (“Saint Paulus”) is an Evangelical Lutheran church located
`in San Francisco, California. FAC ¶ 32. Saint Paulus accesses Zoom video conferencing on
`an Apple laptop. Id. ¶ 31.
`• Heddi N. Cundle is the administrator of Saint Paulus. Cundle uses Zoom both for Saint
`Paulus and herself. FAC ¶ 33. Cundle accesses Zoom video conferencing on her iPhone
`and Windows laptop. Cundle alleges that on May 6, 2020, she set up a password-protected
`Zoom meeting to hold a Bible study for Saint Paulus. Id. ¶ 37. Despite that password, an
`intruder hijacked the Zoom meeting and displayed child pornography. Id. Cundle then
`reported the Zoombombing incident to Zoom. Id. Zoom allegedly admitted that the
`intruder was “a known serial offender” who had “been reported multiple times to the
`authorities.” Id. ¶ 37. Even so, Zoom allegedly did not ban the intruder from joining future
`meetings using the same Zoom software until Cundle reported the May 6, 2020 incident.
`Id.
`• Oak Life Church (“Oak Life”) is a non-denominational Christian church located in
`Oakland, California. FAC ¶ 39. Oak Life accesses Zoom video conferencing on an iPhone
`and Apple laptop on a paid Zoom Pro account. Id. On April 19, 2020, Oak Life set up a
`Sunday church service on Zoom with three security features: “a waiting room, mute on
`entry, and no ability for [non-host] users to share their screens.” Id. ¶ 41. Despite these
`security features, an intruder hijacked the Zoom meeting and displayed child pornography.
`Id. The incident traumatized the meeting’s participants and required Oak Life to hire
`trauma counsellors. Id.
`• Stacey Simins is an operator of a burlesque dance studio and uses her Zoom Pro account
`for teaching classes. FAC ¶ 45. Simins accesses Zoom video conferencing on her iPhone,
`Apple laptop, or Apple desktop. Id. ¶ 43. Simins alleges that on “multiple occasions,”
`uninvited men showed up to dance classes taught by her studio. Id. ¶ 45. The intrusion of
`these uninvited men has led to Simins losing 10 to 15 full-time members of her dance
`studio. Id.
`
`• Caitlin Brice uses Zoom for speech therapy and to attend events. FAC ¶¶ 48–49. Brice
`accesses Zoom video conferencing on her Android phone, tablet, and Windows laptop. Id.
`¶ 46. In April or May 2020, Brice alleges that she “attended a Zoom event during which
`the participants were subjected to intentional pornographic material when unknown men
`dropped into the meeting with the intention of disrupting it.” Id. ¶ 49.
`• Peter Hirshberg uses his Zoom Pro account to attend Zoom events. FAC ¶ 55. Hirschberg
`accesses Zoom video conferencing on his iPhone, iPads, and Apple computer. Id. ¶ 53. On
`May 30, 2020, Hirschberg alleges that he “attended a Zoom event during which the
`participants were subjected to intentional anti-semetic [sic] material when uninvited
`intruders dropped into the meeting with the intention of disrupting it.” Id. ¶ 55.
`
`Case No. 20-CV-02155-LHK
`ORDER GRANTING IN PART AND DENYING IN PART ZOOM’S MOTION TO DISMISS
`
`4
`
`1
`
`2
`
`3
`
`4
`
`5
`
`6
`
`7
`
`8
`
`9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`27
`
`28
`
`Northern District of California
`United States District Court
`
`

`

`Case 5:20-cv-02155-LHK Document 168 Filed 03/11/21 Page 5 of 41
`
`
`
`Seven Plaintiffs do not allege Zoombombing. Rather, these Plaintiffs allege that Zoom
`
`shared their PII and misrepresented Zoom’s encryption protocol. These seven Plaintiffs are the
`
`following individuals:
`
`• Kristen Hartmann purchased a “Zoom Pro” account for her own personal use and accessed
`Zoom’s video conferencing services on her iPhone. FAC ¶ 17. “After comparing Zoom
`against GoToMeeting and Webex, Ms. Hartmann selected Zoom over other options largely
`due to Zoom’s representations of its end-to-end encryption. Further, periodically during
`Zoom meetings calls, Ms. Hartmann would ‘check’ to ensure the calls were end-to-end
`encrypted by hovering her cursor over the green lock icon in the application. . . . Had Ms.
`Hartmann known that Zoom meetings were not actually end-to-end encrypted, she would
`not have paid for a Zoom Pro subscription, or she would have paid less for it.” FAC ¶¶ 18–
`19.
`
`•
`
`Isabelle Gmerek has registered an account with Zoom and accesses Zoom’s video
`conferencing services on her Android phone and iPad. FAC ¶ 21. “In late February or early
`March of 2020, Ms. Gmerek began using Zoom for meetings with her psychologist in
`reliance on representations by Zoom that it was a secure method of videoconferencing, that
`it was in full compliance with the Health Insurance Portability and Accountability Act
`(‘HIPAA’), and that it had not misrepresented the security features available to users.” FAC
`¶ 23.
`• Lisa T. Johnston has registered an account with Zoom and uses Zoom videoconferencing
`on her Apple laptop and iPhone. FAC ¶ 25. Johnston generally alleges, as all Plaintiffs but
`Saint Paulus do, that she relied on Zoom’s promises that “(a) Zoom does not sell users’
`data; (b) Zoom takes privacy seriously and adequately protects users’ personal information;
`and (c) Zoom’s videoconferences are secured with end-to-end encryption and are protected
`by passwords and other security measures.” Id. ¶ 26.
`• M.F. is a minor who was under the age of 13 at all relevant times. Id. ¶ 27. M.F. accesses
`Zoom video conferencing on an iPad, Windows laptop, and Android phone. Id. ¶ 28. Like
`Johnston and other Plaintiffs, M.F. makes general allegations about reliance. Id.
`• Therese Jimenez is the mother and guardian of M.F. FAC ¶ 29. Jimenez accesses Zoom
`video conferencing on her iPad, Windows laptop, and Android phone. Id. Like M.F. and
`other Plaintiffs, Jimenez makes general allegations about reliance. Id. ¶ 30.
`• Sharon Garcia purchased a Zoom Pro account for her personal use. FAC ¶ 56. She
`accesses Zoom video conferencing on her iPhone, Windows laptop, and tablet. Id. Like
`Jimenez and other Plaintiffs, Garcia makes general allegations about reliance. Id. ¶ 57.
`• Angela Doyle makes the same allegations as Garcia, except that Doyle alleges accessing
`Zoom on slightly different devices: an iPhone and Windows computer. FAC ¶ 58.
`5
`
`Case No. 20-CV-02155-LHK
`ORDER GRANTING IN PART AND DENYING IN PART ZOOM’S MOTION TO DISMISS
`
`1
`
`2
`
`3
`
`4
`
`5
`
`6
`
`7
`
`8
`
`9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`27
`
`28
`
`Northern District of California
`United States District Court
`
`

`

`Case 5:20-cv-02155-LHK Document 168 Filed 03/11/21 Page 6 of 41
`
`
`
`Lastly, one former Plaintiff, Cynthia Gormezano, alleged using Zoom on her iPhone in March
`
`2020—earlier than other Plaintiffs. FAC ¶¶ 50–52. However, on February 18, 2021, Gormezano
`
`voluntarily dismissed her claims against Zoom. ECF No. 158.
`B. Procedural History
`On March 30, 2020, a plaintiff named Robert Cullen (who is not a Plaintiff in the operative
`
`complaint) filed a class action complaint against Zoom. ECF No. 30. Cullen’s lawsuit was
`
`assigned the instant case number, 20-CV-02155. On May 28, 2020, the Court consolidated 13
`
`other lawsuits under 20-CV-02155. ECF No. 62. On July 30, 2020, Plaintiffs filed a consolidated
`
`class action complaint. ECF No. 114. Zoom moved to dismiss that complaint, but before the Court
`
`could rule, the parties stipulated to Plaintiffs’ filing of the operative First Amended Consolidated
`
`Class Action Complaint (“FAC”). ECF No. 115.
`
`Plaintiffs filed the FAC on October 28, 2020. ECF No. 126. Zoom filed the instant motion
`
`to dismiss the FAC on December 2, 2020. ECF No. 134 (“Mot.”). Plaintiffs filed their opposition
`
`to Zoom’s instant motion on December 30, 2020. ECF No. 141 (“Opp’n”). Zoom filed its reply on
`
`January 21, 2021. ECF No. 147 (“Reply”).2
`
`
`2 Zoom requests judicial notice of six exhibits. ECF No. 134-1. Exhibit 1 is Zoom’s Terms of
`Service. Id. at 3. Exhibits 2 to 6 are versions of Zoom’s Privacy Statement, with effective dates
`ranging from the present to February 23, 2020. Id. Zoom’s request is unopposed as to Exhibits 3,
`4, and 6. ECF No. 141-1. The Court may take judicial notice of matters that are either “generally
`known within the trial court’s territorial jurisdiction” or “can be accurately and readily determined
`from sources whose accuracy cannot reasonably be questioned.” Fed. R. Evid. 201(b). Moreover,
`courts may consider materials referenced in the complaint under the incorporation by reference
`doctrine, even if a plaintiff failed to attach those materials to the complaint. Knievel v. ESPN, 393
`F.3d 1068, 1076 (9th Cir. 2005). Public terms of service and privacy policies are proper subjects
`of judicial notice. See, e.g., Coffee v. Google, LLC, No. 20-CV-03901-BLF, 2021 WL 493387, at
`*3 (N.D. Cal. Feb. 10, 2021) (noticing Google’s terms of service). Accordingly, the Court
`GRANTS Zoom’s request for judicial notice, ECF No. 134-1. However, the Court only takes
`“judicial notice of the fact that these documents exist, ‘not whether, for example, the documents
`are valid or binding contracts.’” Opperman v. Path, Inc., 84 F. Supp. 3d 962, 975 (N.D. Cal. 2015)
`(quoting Datel Holdings Ltd. v. Microsoft Corp., 712 F. Supp. 2d 974, 984 (N.D. Cal. 2010)).
`6
`
`Case No. 20-CV-02155-LHK
`ORDER GRANTING IN PART AND DENYING IN PART ZOOM’S MOTION TO DISMISS
`
`1
`
`2
`
`3
`
`4
`
`5
`
`6
`
`7
`
`8
`
`9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`27
`
`28
`
`Northern District of California
`United States District Court
`
`

`

`Case 5:20-cv-02155-LHK Document 168 Filed 03/11/21 Page 7 of 41
`
`
`
`II.
`
`LEGAL STANDARD
`A. Motion to Dismiss Under Rule 12(b)(6)
`Rule 8(a)(2) of the Federal Rules of Civil Procedure requires a complaint to include “a
`
`short and plain statement of the claim showing that the pleader is entitled to relief.” A complaint
`
`that fails to meet this standard may be dismissed pursuant to Federal Rule of Civil Procedure
`
`12(b)(6). The United States Supreme Court has held that Rule 8(a) requires a plaintiff to plead
`
`“enough facts to state a claim to relief that is plausible on its face.” Bell Atlantic Corp. v. Twombly,
`
`550 U.S. 544, 570 (2007). “A claim has facial plausibility when the plaintiff pleads factual content
`
`that allows the court to draw the reasonable inference that the defendant is liable for the
`
`misconduct alleged.” Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009). “The plausibility standard is not
`
`akin to a probability requirement, but it asks for more than a sheer possibility that a defendant has
`
`acted unlawfully.” Id. (internal quotation marks omitted). For purposes of ruling on a Rule
`
`12(b)(6) motion, the Court “accept[s] factual allegations in the complaint as true and construe[s]
`
`the pleadings in the light most favorable to the nonmoving party.” Manzarek v. St. Paul Fire &
`
`Marine Ins. Co., 519 F.3d 1025, 1031 (9th Cir. 2008). The Court, however, need not “assume the
`
`truth of legal conclusions merely because they are cast in the form of factual allegations.” Fayer v.
`
`Vaughn, 649 F.3d 1061, 1064 (9th Cir. 2011) (per curiam) (internal quotation marks omitted).
`
`Additionally, mere “conclusory allegations of law and unwarranted inferences are insufficient to
`
`defeat a motion to dismiss.” Adams v. Johnson, 355 F.3d 1179, 1183 (9th Cir. 2004).
`B. Leave to Amend
`If a court determines that a complaint should be dismissed, it must then decide whether to
`
`grant leave to amend. Under Rule 15(a) of the Federal Rules of Civil Procedure, leave to amend
`
`“shall be freely given when justice so requires,” bearing in mind “the underlying purpose of Rule
`
`15 to facilitate decisions on the merits, rather than on the pleadings or technicalities.” Lopez v.
`
`Smith, 203 F.3d 1122, 1127 (9th Cir. 2000) (en banc) (alterations and internal quotation marks
`
`omitted). When dismissing a complaint for failure to state a claim, “a district court should grant
`
`leave to amend even if no request to amend the pleading was made, unless it determines that the
`
`Case No. 20-CV-02155-LHK
`ORDER GRANTING IN PART AND DENYING IN PART ZOOM’S MOTION TO DISMISS
`
`7
`
`1
`
`2
`
`3
`
`4
`
`5
`
`6
`
`7
`
`8
`
`9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`27
`
`28
`
`Northern District of California
`United States District Court
`
`

`

`Case 5:20-cv-02155-LHK Document 168 Filed 03/11/21 Page 8 of 41
`
`
`
`1
`
`2
`
`3
`
`4
`
`5
`
`6
`
`7
`
`8
`
`9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`27
`
`28
`
`pleading could not possibly be cured by the allegation of other facts.” Id. at 1130 (internal
`
`quotation marks omitted).
`
`Accordingly, leave to amend generally shall be denied only if allowing amendment would
`
`unduly prejudice the opposing party, cause undue delay, or be futile, or if the moving party has
`
`acted in bad faith. Leadsinger, Inc. v. BMG Music Publ’g, 512 F.3d 522, 532 (9th Cir. 2008). At the
`
`same time, a court is justified in denying leave to amend when a plaintiff “repeated[ly] fail[s] to
`
`cure deficiencies by amendments previously allowed.” See Carvalho v. Equifax Info. Servs., LLC,
`
`629 F.3d 876, 892 (9th Cir. 2010). Indeed, a “district court’s discretion to deny leave to amend is
`
`particularly broad where plaintiff has previously amended the complaint.” Cafasso, U.S. ex rel. v.
`
`Gen. Dynamics C4 Sys., Inc., 637 F.3d 1047, 1058 (9th Cir. 2011) (quotation marks omitted).
`III. DISCUSSION
`The FAC pleads nine claims on behalf of all Plaintiffs and two putative nationwide classes:
`
`(1) invasion of privacy in violation of California common law and the California Constitution,
`
`Article I, § 1; (2) negligence; (3) breach of implied contract; (4) breach of implied covenant of
`
`good faith and fair dealing; (5) unjust enrichment/quasi-contract; (6) violation of the California
`
`Unfair Competition Law (“UCL”), Cal. Bus. Prof. Code § 17200, et seq.; (7) violation of the
`
`California Consumer Legal Remedies Act (“CLRA”), Cal. Civ. Code § 1750, et seq.; (8) violation
`
`of the Comprehensive Data Access and Fraud Act (“CDAFA”), Cal. Penal Code § 502; and
`
`(9) deceit by concealment under Cal. Civ. Code § 1710(3).
`
`Zoom moves to dismiss all claims with prejudice. Mot. at 25. To support its motion, Zoom
`
`first makes two overarching arguments. First, Zoom argues that § 230(c)(1) of the
`
`Communications Decency Act bars Plaintiff’ claims to the extent the claims are based on
`
`“Zoombombing.” Mot. at 4–6. Second, Zoom groups the claims together and argues that Plaintiffs
`
`categorically fail to allege harm under any claim. Zoom then specifically challenges each claim.
`
`Zoom analyzes the three “fraud-based” claims—the UCL, CLRA, and fraudulent concealment
`
`claims—together. Mot. at ii.
`
`The Court first addresses Zoom’s § 230(c)(1) immunity argument. Then, the Court
`8
`
`Case No. 20-CV-02155-LHK
`ORDER GRANTING IN PART AND DENYING IN PART ZOOM’S MOTION TO DISMISS
`
`Northern District of California
`United States District Court
`
`

`

`Case 5:20-cv-02155-LHK Document 168 Filed 03/11/21 Page 9 of 41
`
`
`
`1
`
`2
`
`3
`
`4
`
`5
`
`6
`
`7
`
`8
`
`9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`27
`
`28
`
`analyzes the claims in the same order as the parties: invasion of privacy (Count 1); negligence
`
`(Count 2); breach of implied contract (Count 3); breach of implied covenant of good faith and fair
`
`dealing (Count 4); violation of the CDAFA (Count 8); fraud-based claims (Counts 6, 7, and 9); and
`
`unjust enrichment/quasi-contract (Count 5). Whether Plaintiffs have adequately alleged harm is
`
`analyzed as to each claim.
`A. Section 230(c)(1) of the Communications Decency Act partially bars Plaintiffs’
`claims to the extent they are based on Zoombombing.
`Zoom’s first overarching argument is that § 230(c)(1) of the Communications Decency
`
`Act, 47 U.S.C. § 230, bars Plaintiffs’ claims to the extent they are based on third parties disrupting
`
`Plaintiffs’ Zoom meetings (“Zoombombing”). Mot. at. 4–8. The Court agrees with Zoom in part.
`
`As a general matter, § 230 “immunizes providers of interactive computer services against
`
`liability arising from content created by third parties.” Fair Hous. Council of San Fernando Valley
`
`v. Roommates.Com, LLC, 521 F.3d 1157, 1162 (9th Cir. 2008) (en banc). The text of § 230(c)(1)
`
`specifically provides that “[n]o provider or user of an interactive computer service shall be treated
`
`as the publisher or speaker of any information provided by another information content provider.”
`
`47 U.S.C. § 230(c)(1). Pursuant to this statutory text, the Ninth Circuit has set forth a three-
`
`element test for a defendant to receive § 230(c)(1) immunity. Section 230(c)(1) “only protects
`
`from liability (1) a provider or user of an interactive computer service (2) whom a plaintiff seeks
`
`to treat . . . as a publisher or speaker (3) of information provided by another information content
`
`provider.” Barnes v. Yahoo!, Inc., 570 F.3d 1096, 1100–01 (9th Cir. 2009), as amended (Sept. 28,
`
`2009).
`
`Here, “Plaintiffs do not dispute that the allegedly harmful content at issue was posted by
`
`third parties and that Zoom played no role in authoring it.” Reply at 2. The parties instead dispute
`
`whether Zoom meets the first two elements of § 230(c)(1)’s test. See Mot. at 4–8; Opp’n at 3–4.
`
`The Court concludes that Zoom meets the first element of § 230(c)(1). However, as to the second
`
`element, Plaintiffs do not treat Zoom as a “publisher or speaker” with respect to all claims. Thus,
`
`as explained below, Zoom is partially immune Plaintiffs’ Zoombombing claims.
`
`Case No. 20-CV-02155-LHK
`ORDER GRANTING IN PART AND DENYING IN PART ZOOM’S MOTION TO DISMISS
`
`9
`
`Northern District of California
`United States District Court
`
`

`

`Case 5:20-cv-02155-LHK Document 168 Filed 03/11/21 Page 10 of 41
`
`
`
`1. Zoom is an interactive computer service.
`Plaintiffs argue that Zoom is not an interactive computer service. Opp’n at 4. Plaintiffs
`
`reason that Zoom is not a public platform. Id. at 3. “Rather, Zoom calls are intended to involve
`
`only the invited participants for a finite duration.” Id. at 4.
`
`Zoom responds with two arguments. First, Zoom argues that it clearly meets the statutory
`
`definition of “interactive computer service.” Mot. at 5–6. Second, Zoom argues that Plaintiffs’
`
`public-private distinction is factually and legally flawed. Factually, some Zoom meetings are open
`
`to the public. Reply at 2 n.2. As for the law, Zoom argues that the case law supports granting
`
`§ 230(c)(1) immunity even to Zoom’s transmission of nonpublic messages in meetings limited to
`
`invited participants. Id. at 2. The Court agrees with Zoom and addresses each argument in turn.
`
`First, Zoom meets the definition of “interactive computer service.” In general, courts
`
`“interpret the term ‘interactive computer service’ expansively.” Dyroff v. Ultimate Software Grp.,
`
`Inc., 934 F.3d 1093, 1097 (9th Cir. 2019) (quoting Kimzey v. Yelp! Inc., 836 F.3d 1263, 1268 (9th
`
`Cir. 2016)), cert. denied, 140 S. Ct. 2761 (2020). Courts’ expansive interpretations track the
`
`expansive statutory text. Specifically, § 230(f)(2) provides that an “interactive computer service”
`
`is “any [1] information service, system, or access software provider that [2] provides or enables
`
`computer access by multiple users to a computer server.” 47 U.S.C. § 230(f)(2) (emphasis added).
`
`The undisputed facts show that Zoom meets both parts of the statutory definition. To start,
`
`Zoom is an “access software provider.” Id. “Access software provider[s]” include “provider[s] of
`
`software” that “transmit, receive, display, [or] forward . . . content.” Id. § 230(f)(4). Zoom
`
`provides software that undisputedly transmits and displays video, audio, and written content. See,
`
`e.g., FAC ¶¶ 64–65 (describing Zoom as a communications platform for video, audio, and
`
`messaging).
`
`Zoom also “provides or enables computer access by multiple users to a computer server.”
`
`47 U.S.C. § 230(f)(2). It is undisputed that Zoom enables multiple users to access a computer
`
`server. The FAC specifically alleges that “Zoom is a supplier of video conferencing services” that
`
`hosts a connection “between [1] the Zoom app running on a user’s computer or phone and
`
`Case No. 20-CV-02155-LHK
`ORDER GRANTING IN PART AND DENYING IN PART ZOOM’S MOTION TO DISMISS
`
`10
`
`1
`
`2
`
`3
`
`4
`
`5
`
`6
`
`7
`
`8
`
`9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`27
`
`28
`
`Northern District of California
`United States District Court
`
`

`

`Case 5:20-cv-02155-LHK Document 168 Filed 03/11/21 Page 11 of 41
`
`
`
`[2] Zoom’s server.” FAC ¶¶ 2, 168. Thus, Zoom plainly meets the statutory definition of
`
`“interactive computer service.”
`
`Second, case law confirms that Zoom is an interactive computer service. As both the Ninth
`
`and Tenth Circuits have explained, the “prototypical service qualifying for [§ 230] immunity is an
`
`online messaging board” on which users “post comments and respond to comments posted by
`
`others.” Kimzey, 836 F.3d at 1266 (quoting FTC v. Accusearch Inc., 570 F.3d 1187, 1195 (10th Cir.
`
`2009)). Zoom is the video equivalent of an online messaging board. Users converse in real-time—
`
`and may use Zoom’s built-in chat feature too. See, e.g., FAC ¶¶ 151–52 (discussing video
`
`conferences and chats). Accordingly, the Court finds that Zoom is an interactive computer service.
`
`Plaintiffs’ response is that “Zoom calls are intended to involve only the invited
`
`participants.” Opp’n at 4. This response is factually overbroad and legally imprecise. Factually,
`
`many Zoom meetings are open to the public. Legally, the public/private nature of a meeting is
`
`immaterial to whether Zoom is an “interactive computer service.” Section 230 requires merely that
`
`Zoom “provides or enables computer access by multiple users to a computer server.” 47 U.S.C.
`
`§ 230(f)(2). Likewise, the case law does not recognize a public/private distinction. Section 230
`
`immunity can also “bar claims predicated on a defendant’s transmission of nonpublic messages.”
`
`Fields v. Twitter, Inc., 217 F. Supp. 3d 1116, 1128 (N.D. Cal. 2016) (emphasis added), aff’d, 881
`
`F.3d 739 (9th Cir. 2018). For instance, the Fields Court dismissed claims that sought to hold
`
`Twitter liable for private messages sent using Twitter’s “Direct Messaging” feature. Id. Following
`
`at least three other courts, the Fields Court held that “the private nature” of messaging was
`
`immaterial. Id. (collecting cases).
`
`In sum, it is irrelevant whether a message is directed at one recipient (like in Direct
`
`Messaging); a small group (like in an AOL chat room); or the public (like in messaging boards).
`
`The relevant question is whether an “interactive computer service” transmitted that message. The
`
`statutory text and case law show that Zoom is an interactive computer service.
`
`Case No. 20-CV-02155-LHK
`ORDER GRANTING IN PART AND DENYING IN PART ZOOM’S MOTION TO DISMISS
`
`11
`
`1
`
`2
`
`3
`
`4
`
`5
`
`6
`
`7
`
`8
`
`9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`27
`
`28
`
`Northern District of California
`United States District Court
`
`

`

`Case 5:20-cv-02155-LHK Document 168 Filed 03/11/21 Page 12 of 41
`
`
`
`2. Some of Plaintiffs’ claims seek to treat Zoom as a publisher or speaker of
`third-party content.
`The other challenged element of § 230(c)(1) immunity is whether Plaintiffs’ Zoombombing
`
`claims seek to treat Zoom as a “publisher or speaker.” Barnes, 570 F.3d at 1101. Plaintiffs argue
`
`that they “seek to hold Zoom accountable for its failure to provide promised security and privacy
`
`during Zoom calls, not for Zoom’s actions as a content provider, publisher, or speaker.” Opp’n at 4
`
`(citing FAC ¶¶ 177, 180–82). Zoom responds that “[c]ourts routinely reject such attempts to skirt
`
`Section 230.” Reply at 3.
`
`The Court agrees with Zoom in part. As explained below, Section 230(c)(1) largely bars
`
`Plaintiffs’ claims. For instance, Plaintiffs cannot hold Zoom liable for injuries stemming from the
`
`heinousness of third-party content. See, e.g., FAC ¶ 179 (challenging “disturbing display” of
`
`images). These claims (1) challenge the harmfulness of “content provided by another”; and (2)
`
`“derive[] from the defendant's status or conduct as a ‘publisher or speaker’” of that content.
`
`Barnes, 570 F.3d at 1102. However, § 230(c)(1) otherwise allows Plaintiffs’ claims. For instance,
`
`Plaintiffs may claim that Zoom breached contractual duties because these duties are independent
`
`of Zoom’s role as “publisher or speaker.” See FAC ¶¶ 224–43 (implied contract and implied
`
`covenant claims). Supporting this conclusion are § 230’s text, legislative history, and case law. The
`
`Court analyzes each authority in turn.
`a. Section 230(c)’s text encourages and immunizes content moderation, not
`security failures.
`
`To start, the text of § 230(c) immunizes the “blocking and screening of offensive material,”
`
`not failures to secure software from intrusion. The “blocking and screening of offensive material”
`
`is also known as “content moderation.” For example, the Ninth Circuit, like many commentators,
`
`has called the blocking and screening of offensive material “content moderation.” Prager Univ. v.
`
`Google LLC, 951 F.3d 991, 996 (9th Cir. 2020); see also, e.g., U.S. Dep’t of Justice, Section
`
`230—Nurturing Innovation or Fostering Unaccountability? at 4 (June 2020) (stating that § 230(c)
`
`immunizes “content moderation”).
`
`Three parts of the text highlight the distinction between content moderation and security
`
`Case No. 20-CV-02155-LHK
`ORDER GRANTING IN PART AND DENYING IN PART ZOOM’S MOTION TO DISMISS
`
`12
`
`1
`
`2
`
`3
`
`4
`
`5
`
`6