Section 230 (Mostly) Protects Zoom from Liability for Zoombombing

This is a privacy class action against Zoom. The opinion has several points of interest for privacy practitioners. I’m going to focus only on the court’s discussion of Zoom’s liability for Zoombombing, the COVID-era problem where malefactors crash a Zoom room uninvited and engage in disruptive and anti-social behavior. Zoom defended on Section 230(c)(1) grounds. Everyone agrees that the Zoombombers are third parties, so that element of the Section 230 defense is met. The plaintiffs contested the other two elements.

Is Zoom an ICS?

The court says the definition of “ICS” is “expansive.” Zoom qualifies as an “access software provider” because its software “transmits and displays video, audio, and written content.” This conforms with the 9th Circuit’s ruling that Kaspersky qualified as an access software provider, and I think it’s well-accepted that apps get full Section 230(c)(1) protection. Still, this is a relatively rare ruling on what constitutes an access software provider, especially in the Section 230(c)(1) context.

The court says Zoom also qualifies as an ICS provider because it enables multiple users to access computer servers. This means “Zoom is the video equivalent of an online messaging board. Users converse in real-time—and may use Zoom’s built-in chat feature too.” The fact that some Zoom rooms may be restricted to invited participants doesn’t affect this conclusion. “Factually, many Zoom meetings are open to the public. Legally, the public/private nature of a meeting is immaterial to whether Zoom is an ‘interactive computer service.’…the case law does not recognize a public/private distinction.” (Cite to Fields v. Twitter). The court summarizes:

it is irrelevant whether a message is directed at one recipient (like in Direct Messaging); a small group (like in an AOL chat room); or the public (like in messaging boards). The relevant question is whether an “interactive computer service” transmitted that message. The statutory text and case law show that Zoom is an interactive computer service.

Do the Claims Treat Zoom as a Publisher/Speaker?

Having concluded that the Zoombombing claims are based on third-party content, and Zoom qualifies as an ICS provider, the remaining Section 230(c)(1) question is whether the Zoombombing claims are “publisher/speaker” claims. The court summarizes: “Section 230(c)(1) largely bars Plaintiffs’ claims. For instance, Plaintiffs cannot hold Zoom liable for injuries stemming from the heinousness of third-party content…However, § 230(c)(1) otherwise allows Plaintiffs’ claims. For instance, Plaintiffs may claim that Zoom breached contractual duties because these duties are independent of Zoom’s role as ‘publisher or speaker.'”

To distinguish between preempted claims over third-party content and unpreempted claims over security breaches, the court starts with the proposition that Section 230(c)(1) protects content moderation decisions. Section 230’s “caption underscores that § 230(c) immunizes affirmative, good-faith acts,” and per Section 230(c)(1), “an interactive computer service can moderate third-party content without fear that it will be treated as the ‘publisher or speaker of’ that content.” Furthermore, “Section 230(b) declares the policy of the United States is to encourage content moderation—not to provide immunity so broad that content moderation becomes disincentivized.”

This statutory analysis shows that Congress did not provide “any intention to immunize conduct unrelated to content moderation, such a failure to protect users from a security breach.” Thus, a publisher/speaker claim occurs when:

First, these claims challenge the harmfulness of “content provided by another.” Second, these claims allege violations of a duty that does not “derive[] from the defendant’s status or conduct as a ‘publisher or speaker.’” Thus, § 230(c)(1) allows two types of claims: claims that either (1) are content-neutral; or (2) do not derive from defendant’s status or conduct as a publisher or speaker

The court explains these two categories:

Content-Neutral Claims. “It is irrelevant to these [content-neutral] claims whether third-party content on defendant’s platform is good or bad, displayed or hidden. Rather, liability stems from a content-neutral rule.” The court cites three examples of Ninth Circuit cases involving content-neutral claims:

  • HomeAway v. Santa Monica because banning rental bookings did not impose liability for the listings’ content. While the court correctly recounted the holding, I still disagree with it. I believe the 9th Circuit’s distinction is 100% illusory, because any listings that lead to illegal or unbookable bookings are bait-and-switch false advertising.
  • Nunes v. Twitter (note: the Nunes here is not Devin) because the TCPA bans unsolicited texts, regardless of the text’s content. In my blog coverage of the Nunes ruling, I described it as “bizarre because it gets the analysis precisely backwards.”
  • Doe v. Internet Brands because “failure to warn” claims are based on the service’s alleged omissions.

Claims Not Deriving from Publisher/Speaker Status. The court says contract claims are one such example, citing Barnes and Green v. AOL. Yet, this discussion doesn’t engage with the many cases where, in fact, Section 230(c)(1) has applied to contract claims that try to work around the Section 230 immunity–including Judge Koh’s own ruling in FAN v. Facebook and the recent and carefully drafted opinion in Murphy v. Twitter. So this part of the opinion leaves open some key questions about the interplay between contract claims and Section 230.

Section 230(c)(1) Mostly Protects Zoom from Zoombombing Claims

The court concludes: “The bulk of Plaintiffs’ Zoombombing claims lie against the “Zoombombers” who shared heinous content, not Zoom itself. Zoom merely ‘provid[ed] neutral tools for navigating’ its service” (cite to That means the following claims survive the Section 230 analysis:

The Court denies Zoom’s motion to dismiss Plaintiffs’ contract claims. These claims do not derive from Zoom’s status or conduct as a “publisher” or “speaker.” The Court also denies Zoom’s motion to dismiss Plaintiffs’ claims to the extent they are content-neutral

The plaintiffs can amend their complaint to fit their claims into these standards.

Case citation: In re Zoom Video Cmmunications Inc. Privacy Litigation, 2021 WL 930623 (N.D. Cal. March 11, 2021). The complaint.