Zoom's $85 million privacy settlement eases risk with cash payout

Zoom has agreed to pay $85 million to settle privacy litigation over Zoombombings that disrupted meetings with pornography, foul language or other disturbing content. The deal eases litigation risk for Zoom, which failed in its effort to gain protection under the controversial US legal shield that protects websites from liability for third-party content.

If the deal is approved by a US federal judge, Zoom subscribers will be eligible for 15 percent refunds on their core subscriptions or $25, whichever is larger, while others could receive up to $15.

The cash payments are unusual in privacy class actions. Class members in such cases rarely receive direct payments as part of a settlement, except in cases involving the Illinois Biometric Information Privacy Act, which provides for damages of $1,000 to $5,000 per violation.

Without the costly damages prescribed by BIPA, most privacy lawsuits against tech companies such as Facebook and Google are settled with so-called cy-pres payments that go to various privacy groups and universities, instead of individual class members.

Zoom users haven’t asserted any BIPA violations. Plaintiffs began suing the videoconferencing platform for invasion of privacy, negligence and breach of contract in March 2020, soon after the Covid pandemic reached the US. The Zoom users described a litany of abuse, including racist postings and other offensive conduct that interrupted public meetings.

They also allege that Zoom shared their personal information with third-party services such as Facebook, Google and LinkedIn, and falsely told users that its service provided end-to-end encryption.

Zoom managed to escaped most of the claims in March through Section 230 of the Communications Decency Act. Zoom can’t be held liable for injuries stemming from the “heinousness” of content posted by third parties under Section 230, even the offensive, sometimes racist Zoombombings that interrupted public meetings, US District Judge Lucy Koh in San Jose said.

But Section 230 doesn't protect Zoom from users’ claims that the Zoombombings violated its contract with users, she said, because those allegations don't hinge on the harmfulness of that content.

Section 230 immunizes companies from legal claims regarding screening out offensive material, Koh said, “not failures to secure software from intrusion.”

Therefore, the plaintiffs could pursue claims that Zoom’s security failures breached its contract with users, Koh said.

Two months later, Zoom notified the court that the parties were negotiating a settlement. They filed a motion for preliminary approval on Saturday.

Zoom also agreed to make changes to its business practices under the deal, a much more common feature of privacy settlements. For example, Disney, Viacom, Twitter and more than a dozen app developers settled litigation recently accusing the companies of baking covert tracking technology into their software, agreeing to wide-ranging changes in their business practices. The deal won final approval in April.

Zoom agreed to implement additional security measures, including alerting users when meeting hosts or other participants use third-party apps in meetings, and to provide specialized training to employees on privacy and data handling.

Zoom will make sure that its privacy statements disclose that users can share data with third parties, but it also agreed not to reintegrate Facebook's trackers for iOS into Zoom meetings for a year.

Zoom will also implement a “documented process for communication with law enforcement about meeting disruptions involving illegal content,” along with a devoted team to oversee this process.

“The privacy and security of our users are top priorities for Zoom, and we take seriously the trust our users place in us,” Zoom said in a statement. “We are proud of the advancements we have made to our platform, and look forward to continuing to innovate with privacy and security at the forefront.”

A hearing before Koh on the preliminary settlement motion is slated for Oct. 21.