Looking at the Zoom story: privacy missteps in the CCPA era

August 1, 2021

As millions of people found themselves quarantined at home to curb the spread of the coronavirus, the video conferencing software Zoom surged in popularity as a way to stay connected, with daily users increasing to 200 million in March 2020 from 10 million in 2019. But with more success came more scrutiny — particularly around the company’s privacy policies and security standards.

On July 31, 2021, Zoom agreed to pay $85 million to settle a class action suit alleging that Zoom violated users’ privacy rights by sharing personal info without permission, and falsely claiming the platform was end-to-end encrypted. The trajectory of Zoom over the past two years serves as an object lesson in the disastrous effects of not designing for privacy.

What started as an investigation into the passing of analytics data to Facebook in the Zoom iOS app has snowballed into a cautionary tale for those that thought they could fly under the radar as regulatory pressure and consumer awareness around privacy mounts in the US. High-profile data breaches, like the breach at Marriott, along with regulatory mandates like the GDPR in Europe and CCPA in the US, have increased demand for products that support improved personal privacy protections. 

In the span of just one month in 2020, Zoom found itself the subject of four class-action lawsuits alleging violation of CCPA by not obtaining proper consent from users about the transfer of their Zoom data to Facebook, among other misrepresented security measures. Private citizens quickly availed themselves of the right to action under CCPA without waiting for further guidance from the California Attorney General on the regulation. Consumers are becoming more savvy and aware of the trade-offs between convenience and privacy — and the value their data has for companies like Zoom. 

Consumers aren’t the only ones with their eyes on companies like Zoom. When enforcement actions under CCPA delayed due too the pandemic, many brands took a wait-and-see approach, but the deadline extension didn’t prevented attorneys general in Connecticut, New York and Florida from looking into Zoom’s privacy practices. The New York attorney general’s office in particular issued a letter expressing concern “that Zoom’s existing security practices might not be sufficient to adapt to the recent and sudden surge in both the volume and sensitivity of data being passed through its network. While Zoom has remediated specific reported security vulnerabilities, we would like to understand whether Zoom has undertaken a broader review of its security practices.”

The impact for Zoom has not been insignificant. In addition to a string of bad press, Zoom’s shares fell seven percent and alternatives (Microsoft’s Teams, Cisco’s Webex and Google’s Hangouts) gained substantial market share. And it’s not too late for Zoom to correct the course. With the formation of a new security council and appointment of former Facebook Chief Security Officer Alex Stamos as an advisor, Zoom’s CEO has publicly committed to “transforming our business to a privacy-and-security-first mentality.” 

We believe that companies that take this approach are going to win in the long run, both in developing consumer trust and creating sustainable business models. As technology evolves, there will continue to be tradeoffs between personal privacy and access, however, the aim should be for humans ultimately, not technology, to make that choice. 

In sensitive times such as these, it’s more important than ever for companies to safeguard relationships with consumers and their data, not just because the law mandates it in some cases but because it’s what audiences want. We are seeing audiences raise their hand in the form of these private actions to demand more accountability from brands and their privacy measures. And it is only the beginning. Organizations must rethink ways in which they can offer better and more secure digital experiences for their users and invest in methods that allow privacy and usability to work in harmony, not conflict.

Latest Blog Posts

Bicameral, bipartisan discussion draft of federal privacy bill announced

April 15, 2024

If passed, the American Privacy Rights Act, a comprehensive...

CPPA issues an enforcement advisory on data minimization

April 9, 2024

Their first "enforcement advisory", reminds companies of their data...

Kentucky sends comprehensive privacy bill to governor

April 1, 2024

Kentucky's privacy bill mirrors Virginia's, is set for 2026....

Latest White Papers

Benchmark Report: US Privacy Compliance

August 19, 2022

The current state of publisher compliance with CCPA, and...

Ebook: A Publisher’s Guide to Vendor List Curation

December 16, 2021

How to review your vendor list to mitigate compliance...

Keep in touch

Sign up for our newsletter to keep up with privacy news for adtech and martech,
plus occasional company news.

Let's explore what we can do together.

We'll be in touch within 48 hours

[contact-form-7 id="593" title="Schedule a Demo"]