Data broker lawsuit involving ZoomInfo could provide CCPA enforcement insight

Bombora, a New York-based data marketing company, alleges in a May 19 lawsuit filed in California Superior Court that ZoomInfo of Vancouver, Washington—a former business partner—is violating the CCPA by how it collects, stores, and sells customer data. Bombora alleges that ZoomInfo’s CCPA violations also puts it in violation of the California Unfair Competition Law.

“The CCPA is the law, breaking it is unlawful, and the unfair action is unfair competition in the state of California,” says Havona Madama, Bombora’s general counsel and chief data privacy officer.

In a statement, ZoomInfo called the claims “meritless” and “an attempt at retaliation against ZoomInfo for ending a vendor relationship with Bombora.”

“ZoomInfo fully complies with the CCPA and the regulations issued by the California Attorney General. ZoomInfo intends to vigorously defend the suit and will respond on the timeline set by the court,” the company said. The company has until July 10 to file a response with the court.

Both Bombora and ZoomInfo are data brokers. Their business model is selling data collected from their customers to marketers. The companies say the information they collect can predict the types of products and services that customers in their database are interested in purchasing, which they call “intent data.” Marketers use intent data to develop targeted sales pitches to those customers on behalf of their clients.

ZoomInfo may take several avenues to defend itself. While the CCPA contains a private right of action for an aggrieved consumer to sue a company that mishandles its data, it does not provide a similar right of action for one company to sue another.

ZoomInfo, which announced an $887 million Initial Public Offering earlier this month, had been in a vendor relationship with Bombora for nearly five years before abruptly ending it in March, Madama says. ZoomInfo used Bombora’s methods and strategies to launch its own product, ZoomInfo Intent, to directly compete with Bombora’s product, Company Surge.

“Bombora has been harmed by, among other things, ZoomInfo’s unfair competition and has suffered injury in fact from lost customers and revenue that would have been derived therefrom,” the lawsuit stated.

According to the lawsuit, ZoomInfo collects data through its “Community Edition” tool that is installed on a customer’s e-mail. In exchange for using Community Edition, a customer gets access to some of ZoomInfo’s databases and information.

“In exchange for the ‘free’ product and access to some limited services, ZoomInfo accesses and/or collects all of the information stored in the user’s contact list and email files, including metadata. ZoomInfo then takes the personal information that it collects, combines it with other information from other sources and creates its own form of intent data,” the lawsuit said.

The sharing of personal information via Community Edition without an opt-out notification is a violation of the CCPA, Bombora claims.

In addition to collecting personal information about users of Community Edition, the tool also collects information about third parties whose names, contact information, and other personal information is stored in the Community Edition consumers’ files, the lawsuit said. Those unknowing third-party users are never informed their data was collected and sold by ZoomInfo, which constitutes another CCPA violation, the lawsuit alleged.

ZoomInfo’s user agreement says even if a Community Edition user unsubscribes from the service, ZoomInfo can keep the data it collected, including data collected on unknowing third parties.

“There is literally no way to get it back from ZoomInfo and, more importantly, ZoomInfo can also keep using and selling all of your data, including third party data, indefinitely,” the lawsuit said.

The CCPA “grants California consumers robust data privacy rights and control over their personal information, including the right to know, the right to delete, and the right to opt-out of the sale of personal information that businesses collect, as well as additional protections for minors,” according to a description of the law on the Attorney General’s Website.

Although enforcement of the CCPA by the California Attorney General’s office will not begin until July 1, the law took effect Jan. 1. The law contains a look-back provision on rules for collecting data that stretches back to Jan. 1, 2019. That means companies will be responsible for their data collection conduct from that date.

Three other prominent companies have been recently hit with CCPA-related lawsuits coming from consumers, not competitors. Lawsuits against Zoom and Houseparty were lodged by consumers alleging the companies mishandled their personal information. A CCPA-related lawsuit against TikTok, filed on behalf of a minor, alleged the Chinese company mishandled the data of the minor.

While it bears repeating that the CCPA only applies to California residents, companies complying with the CCPA could apply CCPA-related protections to data gathered from consumers in other states.

ZoomInfo may take several avenues to defend itself in its case. While the CCPA contains a private right of action for an aggrieved consumer to sue a company that mishandles its data, it does not provide a similar right of action for one company to sue another.

Second, ZoomInfo has registered with the California Attorney General’s office as a data broker. Under the CCPA, a data broker does not have to provide consumers with a notice of how to opt out when it obtains the information; instead, a data broker has to establish an online privacy policy, as well as an online portal where opt-out requests can be made.