18th Annual Workplace Class Action Report - 2022 Edition

672 Annual Workplace Class Action Litigation Report: 2022 Edition (“BIPA”). The parties ultimately settled the matter on a class-wide basis, and the Court granted preliminary settlement approval. The settlement provided $92 million in monetary relief and broad injunctive relief, including: (i) Defendants agreed to refrain from using the App to collect or store a domestic user’s biometric data, geolocation information, or “clipboard” content; (ii) from storing or transmitting a domestic user’s data outside of the United States; and (iii) from pre-uploading domestic user-generated content, unless expressly disclosed in Defendant’s privacy policy and in compliance with all applicable laws. Id . at *17. Defendants also agreed to delete all pre-uploaded user-generated content collected from domestic users who did not save or post the content, and would require a newly designed annual training program for their employees and contractors on compliance with data privacy laws. Id . The Court found that the settlement class met all the requirements of Rule 23. The Court also held that the settlement was fair and reasonable, and reached through hard-fought, arms’ length negotiations, and mediated by a reputable former federal judge. The Court further reasoned that the settlement capitalized on urgent and extraordinary political pressure upon Defendants to shed TikTok’s existing liabilities, and the agreement was vetted again by the entire Plaintiffs’ counsel. Id . at *39. The Court noted that it was likely future litigation would be risky, complex, and expensive. Id . Proceeding to trial would also take years and entail extensive fact and expert discovery and motion practice. For these reasons, the Court granted the parties’ motion for preliminary settlement approval. In Re Zoom Video Communications Inc. Privacy Litigation, 2021 U.S. Dist. LEXIS 47085 (N.D. Cal. March 11, 2021). Plaintiffs, a group of Zoom video conference users, filed a class action alleging that Defendant improperly shared Plaintiffs’ personally identifiable information (“PII”) with third-parties, misstated its security measures, and failed to prevent breaches known as “Zoombombing.” Id. at *8-9. Zoombombing would occur when an unknown party joined an online meeting without permission and engaged in despicable conduct such as sharing pornography, screaming, or using racial slurs. Id. at *11. Plaintiffs’ complaint set forth nine causes of action under California law, including: (i) invasion of privacy; (ii) negligence; (iii) breach of implied contract; (iv) breach of implied covenant of good faith and fair dealing; (v) unjust enrichment; (vi) violation of the California Unfair Competition Law (“UCL”); (vii) violation of the California Consumer Legal Remedies Act (“CLRA”); (viii) violation of the Comprehensive Data Access and Fraud Act (“CDAFA”); and (ix) deceit by concealment. Id. Defendant filed a motion to dismiss, which the Court granted in part and denied in part. Initially, Defendant argued that § 230 of the Communications Decency Act barred Plaintiffs’ claims that were based on Zoombombing. Section 230 generally “‘immunizes providers of interactive computer services against liability arising from content created by third-parties.’” Id. at *22. The Court noted that Defendant constituted an interactive computer service and that § 230 protected content moderation, not failures to secure software from intrusion. According to the Court, § 230 thus only allows claims that are either content-neutral, or do not originate from an entity’s status as a publisher. Here, the Court reasoned that most of Plaintiffs’ Zoombombing claims were directed at the content provided by third-party hackers, so the Court granted Defendant’s motion to the extent Plaintiffs’ claims (i) challenged “the harmfulness of ‘content provided by another;” and (ii) derived from Defendant’s status or conduct as a “publisher or speaker of that content.” Id. at *39. As to Plaintiff’s individual causes of action, the Court held that Plaintiffs’ invasion of privacy claim failed because they did not sufficiently allege that Defendant actually provided their PII to a third-party. Given this determination, the Court also dismissed Plaintiffs’ CDAFA claim, which required a showing of actual harm with respect to Defendant’s alleged release of Plaintiffs’ PII. Additionally, the Court dismissed Plaintiffs’ negligence claim on the basis of the economic loss rule, which “‘prevents the law of contract and the law of tort from dissolving one into the other.’” Id. at *48-49. In terms of Plaintiffs’ implied contract claims, though, the Court rejected Defendant’s argument (offered in a declaration) that Plaintiffs could not proceed with such claims because they were bound to an express written agreement, i.e. , Defendant’s terms of service. Specifically, the Court noted that it could not consider Defendant’s declaration at the motion to dismiss stage, and that even if it could, the one-paragraph declaration lacked sufficiently detailed facts and supporting evidence. Defendant also challenged Plaintiffs’ UCL, CLRA, and fraudulent concealment claims on the grounds that these counts failed under the Rule 9(b) heightened pleading standard for fraud claims. The Court agreed that most of Plaintiffs’ fraud-based claims were insufficiently plead, and pointed to the fact that such allegations required alleging details surrounding Defendant’s specific misrepresentations. However, the Court allowed Plaintiffs’ UCL claim to proceed under the “unlawful” and “unfair” prongs since this claim related to Plaintiffs’ adequately alleged implied contract claims. Id. at *70-71. Finally, because Plaintiffs’ unjust enrichment claim was derivative of the UCL claim, the Court refused