By: Brenna Ryder
A California federal judge granted preliminary approval to an $85 million deal resolving Zoom Video Communications, Inc. (“Zoom”) users’ privacy and data security claims against the video conferencing provider. U.S. District Judge Lucy H. Koh (“Koh”) granted this initial approval, ruling that “the terms of the settlement agreement do not improperly grant preferential treatment to any individual or segment of the settlement class.”
Zoom provides a videoconference service that is available on computers, tablets, smartphones, and telephones. Zoom has more than 200 million daily users, a number that has rapidly increased since early 2020 in response to the COVID-19 pandemic. This ruling is part of In re Zoom Video Commc’ns Priv. Litig. (N.D. Cal. Mar. 11, 2021).
The original claims were brought by eleven individuals and two churches (“Users”) on behalf of themselves and two putative nationwide classes, alleging that Zoom has made harmful misrepresentations and failed to secure Zoom meetings. First, Users alleged that Zoom shared plaintiffs’ personally identifiable information (“PII”) with third parties, such as Facebook and LinkedIn, without plaintiffs’ permission. This PII included plaintiffs’ device carrier, iOS Advertiser ID, iOS Device CPU Cores, iOS Device Model, iOS Language, iOS Time zone, iOS Version, and other key data points, even if the user did not have accounts with the third parties. This PII, when combined with information about other apps used on the same device, allegedly allowed third parties to identify users and track their behavior. Plaintiffs specifically alleged that this PII allowed third parties to know when a particular device opens or closes Zoom.
Second, Users alleged that Zoom misstated the security capabilities and offerings of its services, including failing to provide end-to-end encryption. Users alleged that Zoom misrepresented transport encryption, its encryption protocol, as end-to-end encryption. Under transport encryption, the encryption keys for each meeting are generated by Zoom’s servers, not by the client devices. This allows Zoom to still access the video and audio content of Zoom meetings. In contrast, under end-to-end encryption, the encryption keys are generated by the customer devices, and only the participants in the meeting have the ability to decrypt its content. In April 2020, Zoom apologized for the confusion the company had caused by incorrectly suggesting that Zoom meetings were capable of using end-to-end encryption when Zoom’s encryption did not meet the commonly accepted definition of end-to-end encryption. In October 2020, Zoom announced availability of a “technical preview” of its first real end-to-end encryption offering.
Lastly, Users alleged that Zoom has failed to prevent, and warn users about, security breaches called Zoombombings. A Zoombombing occurs when bad actors join a Zoom meeting without authorization and display pornography, scream racial slurs, or engage in similarly inappropriate conduct. Many accounts of these security breaches were reported to Zoom, but Zoom largely did not take responsibility for these occurrences. After several well-known companies brought these security breaches into the limelight, Zoom released a statement noting that password protections are on by default and recommending that Users keep those protections on, limit screen sharing to certain participants, and make events invitation-only. This seems like a weak response, particularly for businesses that increase and diversify their consumer bases by hosting public online events.
As part of her ruling, Koh wrote an in-depth analysis of Zoom’s assertion that Section 230 of the Communications Decency Act, 47 U.S.C. § 230, barred plaintiffs’ Zoombombing claims. Section 230 “grants a broad liability shield to tech companies for content posted on their platforms by users and other third parties.” The Ninth Circuit has set forth a three-element test for a defendant to receive § 230(c)(1) immunity, and the parties here disputed whether Zoom meets the first two elements of this test. Zoom does meet the first two elements of this test because: (1) Zoom is an interactive computer service, and (2) some of Users’ claims seek to treat Zoom as a publisher or speaker of third-party content. After Koh largely agreed that the statute immunizes interactive service providers, like Zoom, from such allegations, Users submitted a fresh complaint bolstering their claims.
According to the deal, Zoom Users who paid for an account will be eligible to receive fifteen percent of the money paid for their subscription during the class period or $25, whichever is greater. The deal also states that class members not eligible to submit a paid subscription claim can make a claim for $15. The number of claims made may cause those claim amounts to go up or down. Any money left over will be given to two nonprofits: the Electronic Frontier Foundation and the Electronic Privacy Information Center. These damages do not do enough to compensate Users who suffered emotional distress as a result of being subjected to racial slurs and child pornography during Zoombombings. These damages also do not appropriately compensate for lost profits or customers as a result of Zoombombings during online public events.
In addition to payment, Zoom agreed to several major changes to its practices, designed to improve meeting security, boost privacy disclosures, and safeguard consumer data. One of these changes is that Zoom will now provide in-meeting notifications in an effort to make it easier for users to understand who can see, save, and share their information and content. Users will be alerted when a meeting host or another participant uses a third-party application during a meeting. Additionally, Zoom will develop and maintain: (1) a user-support ticket system for tracking reports of meeting disruptions; (2) a documented process for communicating with law enforcement about meeting disruptions involving illegal content; and (3) security features like waiting rooms for attendees, a suspend-meeting button, and the ability to block users from specific countries. Though these are steps in the right direction, Zoom needs to do more to protect users from Zoombombings, especially as remote alternatives continue to be embraced in response to the COVID-19 pandemic.
This case provides an in-depth look at interactive service providers’ responsibilities to customers at a time when users’ reliance on these platforms has grown dramatically. Unfortunately, though users’ reliance has increased, interactive service providers remain subject to very little responsibility when it comes to protecting users from malicious third-party actors. A final approval hearing for the settlement is set for April 7, 2022.
Student Bio: Brenna Ryder is a third-year evening student at Suffolk University Law School. She is a staff writer on the Journal of High Technology Law. Brenna received a Bachelor of Science Degree in Business Administration and Management, with concentrations in Management Information Systems and Business Law, from Boston University’s Questrom School of Business.
Disclaimer: The views expressed in this blog are the views of the author alone and do not represent the views of JHTL or Suffolk University Law School.