Looking at the Zoom story: privacy missteps in the CCPA era
August 1, 2021
As millions of people found themselves quarantined at home to curb the spread of the coronavirus, the video conferencing software Zoom surged in popularity as a way to stay connected, with daily users increasing to 200 million in March 2020 from 10 million in 2019. But with more success came more scrutiny — particularly around the company’s privacy policies and security standards.
On July 31, 2021, Zoom agreed to pay $85 million to settle a class action suit alleging that Zoom violated users’ privacy rights by sharing personal info without permission, and falsely claiming the platform was end-to-end encrypted. The trajectory of Zoom over the past two years serves as an object lesson in the disastrous effects of not designing for privacy.
What started as an investigation into the passing of analytics data to Facebook in the Zoom iOS app has snowballed into a cautionary tale for those that thought they could fly under the radar as regulatory pressure and consumer awareness around privacy mounts in the US. High-profile data breaches, like the breach at Marriott, along with regulatory mandates like the GDPR in Europe and CCPA in the US, have increased demand for products that support improved personal privacy protections.
In the span of just one month in 2020, Zoom found itself the subject of four class-action lawsuits alleging violation of CCPA by not obtaining proper consent from users about the transfer of their Zoom data to Facebook, among other misrepresented security measures. Private citizens quickly availed themselves of the right to action under CCPA without waiting for further guidance from the California Attorney General on the regulation. Consumers are becoming more savvy and aware of the trade-offs between convenience and privacy — and the value their data has for companies like Zoom.
Consumers aren’t the only ones with their eyes on companies like Zoom. When enforcement actions under CCPA delayed due too the pandemic, many brands took a wait-and-see approach, but the deadline extension didn’t prevented attorneys general in Connecticut, New York and Florida from looking into Zoom’s privacy practices. The New York attorney general’s office in particular issued a letter expressing concern “that Zoom’s existing security practices might not be sufficient to adapt to the recent and sudden surge in both the volume and sensitivity of data being passed through its network. While Zoom has remediated specific reported security vulnerabilities, we would like to understand whether Zoom has undertaken a broader review of its security practices.”
The impact for Zoom has not been insignificant. In addition to a string of bad press, Zoom’s shares fell seven percent and alternatives (Microsoft’s Teams, Cisco’s Webex and Google’s Hangouts) gained substantial market share. And it’s not too late for Zoom to correct the course. With the formation of a new security council and appointment of former Facebook Chief Security Officer Alex Stamos as an advisor, Zoom’s CEO has publicly committed to “transforming our business to a privacy-and-security-first mentality.”
We believe that companies that take this approach are going to win in the long run, both in developing consumer trust and creating sustainable business models. As technology evolves, there will continue to be tradeoffs between personal privacy and access, however, the aim should be for humans ultimately, not technology, to make that choice.
In sensitive times such as these, it’s more important than ever for companies to safeguard relationships with consumers and their data, not just because the law mandates it in some cases but because it’s what audiences want. We are seeing audiences raise their hand in the form of these private actions to demand more accountability from brands and their privacy measures. And it is only the beginning. Organizations must rethink ways in which they can offer better and more secure digital experiences for their users and invest in methods that allow privacy and usability to work in harmony, not conflict.
Latest Blog Posts
The requirement to honor global privacy control is already...
Application of this California law is much broader than...
In response to IAB Europe's appeal of a February...
Latest White Papers
The current state of publisher compliance with CCPA, and...
How to review your vendor list to mitigate compliance...
Keep in touch
Sign up for our newsletter to keep up with privacy news for adtech and martech,
plus occasional company news.