Privacy & Information Security Law Blog

On July 31, 2021, Zoom Video Communications, Inc. (“Zoom” or the “Company”) agreed to pay $85 million to settle a class action suit that alleged the Company violated users’ privacy rights by misleading consumers about encryption security, sharing data through third-party integrations without adequate notice or consent, and failing to protect private meetings from being disturbed by “zoombombings.” Class members would be eligible to receive payment, regardless of whether they paid for a Zoom account.

As part of the settlement, Zoom also agreed to a number of changes to its privacy and security practices. For example, the Company agreed to implement security features, such as waiting rooms for attendees, a “suspend meeting activities” button, blocking users from specific countries and alerting users when third-party apps are used in a Zoom meeting. Zoom also would be required to develop and maintain a documented process for communicating with law enforcement about meeting disruptions involving illegal content, including dedicated personnel to report serial meeting disrupters to law enforcement. In addition, Zoom agreed to implement a user-support ticket system for the internal tracking of and communication with users about reports of meeting disruptions.

The proposed settlement also focuses on consumer education. Specifically, Zoom agreed to: (1) better educate users about the security features available in the app to protect meeting security and privacy; (2) ensure its privacy statement discloses Zoom users’ ability to share user data with third parties via third-party integration software and to otherwise record and/or transcribe meetings; and (3) maintain on its website centralized information and links for parents whose children use school-provisioned K-12 accounts.

With respect to third-party integrations and applications, Zoom agreed to develop and maintain a documented process to be used for admitting third-party applications to Zoom’s “Marketplace.” The Company further agreed that it would not reintegrate certain third-party software development kits (“SDKs”) for a one-year period and that it would, in fact, request certain third parties to delete U.S. user data obtained through certain SDKs.

According to the settlement request, these changes are “designed to improve meeting security, bolster privacy disclosures, and safeguard consumer data.” The proposed settlement must now be approved by U.S. District Judge Lucy Koh.