What Zoom’s $85m class action lawsuit means for data privacy
Popular video conferencing platform Zoom is under fire for allegedly sharing users’ private information without their consent and lying about their software being end-to-end encrypted. Now it has promised to pay $85m in claims to users and vows to improve its privacy practices. The case evidences a larger privacy movement playing out in both the public and private sectors.
Zoom is paying claims to users for sharing their data with third parties without consent
People who used Zoom between March 30 2016 and July 30 2021 may have received an email late last month explaining that they could receive cash payment from the video conferencing platform as part of a class action lawsuit.
Zoom on July 31 agreed to pay $85m to settle a class action suit alleging that the company violated users’ privacy rights by falsely claiming that its platform is end-to-end encrypted and sharing users’ personal information with the likes of Facebook, Google and other third parties without adequate permission. The lawsuit alleges that the company also failed to appropriately mitigate ‘Zoombombings,’ the phenomenon in which hackers barge into users’ meetings.
Though the settlement was initially filed in July, it wasn’t until late November that many former and current Zoom users learned about the debacle. This came in the form of an email from a case administrator detailing the agreement and outlining who may be eligible for compensation and how to file a claim.
The suit serves as a high-profile reminder of the increasingly heated data privacy debates playing out within the walls of big tech companies and in the halls of Congress.
‘A cautionary tale’
The Zoom case is not the first of its kind and, in general, privacy-related class action suits are gaining traction in both the US and Europe. “The success of these class actions is just one of many indicators that courts, policymakers, regulators and individuals are scrutinizing companies’ handling of data and in many instances finding it lacking,” says Caitlin Fennessy, chief knowledge officer and vice-president at the International Association of Privacy Professionals (IAPP), a nonprofit interest group. “This settlement is yet another example that data and dollars – profit and risk – will be inextricably linked for years to come.”
And the pricey result of the suit has spooked other companies. “[It’s] a cautionary tale for the digital ecosystem, and it’s forced some companies to take a hard look at their own data protection policies and security measures,” says Elena Morin, marketing director at privacy software company Sourcepoint. “The digital ecosystem is in the midst of a reckoning with privacy UX: what is the best way to tell users where their data is going and why? Yet, underlying this, there is still a massive transparency gap – both between brands and their tech partners, and between brands and consumers.”
Zoom aims to clean up its act
While other companies are reading the writing on the wall, Zoom is dealing with the consequences of its shortcomings. Experts predict that the company’s reputation is sure to take a hit – but it won’t be anything from which the platform won’t be able to bounce back.
“The class action lawsuit won’t permanently damage Zoom’s reputation, but it will bruise it,” says Steffen Schebesta, chief executive officer and vice-president of corporate development at marketing SaaS company Sendinblue. “Zoom has become synonymous with the ‘work from home’ model triggered by the pandemic. The demand for Zoom and video conference software is not going to disappear – the demand will only increase as companies determine how or if employees will return to an office.”
In fact, today Zoom has about 300 million daily meeting participants – up from just 10 million two years ago. And while the case may lead some consumers to ditch Zoom in favor of competitors such as Microsoft Teams or Google Meet, Zoom isn’t likely to suffer a death blow from a privacy scandal like this one. Nonetheless, the company knows its reputation is on the line, and with demand for privacy-centric solutions steadily increasing, it’s already made efforts to win back consumer trust.
After it was revealed that the platform’s core products, outside of its ‘Connector’ offering, are not end-to-end encrypted – though they were advertised as such – the company acquired key directory and encryption software Keybase last year in an effort to develop its cryptography and bolster security. In a blog post announcing the decision, Zoom’s chief executive Eric Yuan wrote: “This acquisition marks a key step for Zoom as we attempt to accomplish the creation of a truly private video communications platform ... Our goal is to provide the most privacy possible for every use case, while also balancing the needs of our users and our commitment to preventing harmful behavior on our platform.”
And although Zoom’s popularity is likely to help shield it from too much reputational damage, experts including Karen Freberg, associate professor of strategic communication at the University of Louisville and an expert in crisis communications, believe that regaining users’ full trust won’t happen overnight. “Zoom needs to make sure they ... [address issues] raised in the class action lawsuit, be transparent on what the brand is doing by having regular and consistent communication with consumers [and] outline specifics on what they are doing to make sure they do not violate the trust of consumers again.”
As an example, Freberg proposes that perhaps the company could help establish a data protection code of ethics in collaboration with other players such as Google and Microsoft in order to pave the way in setting standardized principles and best practices for the industry.
Zooming out to witness a broader phenomenon
Zoom isn’t the only tech player to face backlash recently for purportedly failing to enforce the privacy standards it preaches. Just last week, Apple came under fire for taking a lax approach in enforcing its anti-tracking rules for big tech companies including Meta and Snap. In an increasingly privacy-obsessed world, internet users, lawmakers and privacy advocates are forcing companies to practice greater transparency and offer users more freedom to choose how their personal information is collected and shared.
“Sadly, we often come across companies [that] have only taken basic measures to address compliance and have treated their internal data privacy practices as a ‘one and done,’” says Michael Storan, co-founder and chief executive officer of privacy compliance software firm Dataships. “This means the majority of companies out there, particularly smaller and mid-market companies, are not too dissimilar to Zoom in this regard.”
But it’s not just private corporations that are feeling the heat – mounting pressure has also led to a data protection policy renaissance around the globe; US states and countries everywhere are increasingly proposing and passing comprehensive GDPR-like data privacy laws. China and Saudi Arabia are two of the most recent. Unfortunately, more stringent regulations and mounting pressure in the private sector often results in companies overpromising and under-delivering on privacy promises.
To ensure that they deliver on their promises while maintaining consumer trust, companies need to ‘walk the walk.’ “There absolutely needs to be consistency when it comes to data tracking and protection,” says Freberg. “[Cases like Zoom and Apple failing to enforce privacy promises] sends mixed messages ... that some brands and companies are above the rules and regulations set for everyone else. Actions speak louder than words, and if you are saying to consumers you are not tracking their data or actions on apps or other forms of technology, then you should follow through. Otherwise, this is where a disconnect happens, and where people get confused or even upset since it is a violation of expectations on behalf of the brand in question. If people feel brands are saying and doing different things, their level of trust will be impacted.”
Ultimately, Zoom’s settlement is just one manifestation of an increasingly complex privacy landscape, according to Matt Voda, chief executive officer at ad measurement platform OptiMine. “The entire industry is riding a huge privacy wave that it helped generate, and there will be many more of these discoveries [of data-related misuse or deceit] over time,” he says. “Tech players will be forced to adjust, either as a result of public sentiment and mistrust or through more draconian regulatory actions. We’re in for a rollercoaster of a ride with consumer data privacy over the next several years, and it will create a lot of disruption in the marketing and measurement industry, but will be great for consumers.”