November 10, 2020

Zoom settles alleged privacy and data security misrepresentations with the FTC

On November 9, 2020, the FTC announced that it reached a settlement with Zoom Video Communications, Inc. to resolve allegations that Zoom misrepresented the strength of its videoconferencing platform’s privacy and data security measures.  

The FTC alleged that, since at least 2016, Zoom misled users about its ability to offer end-to-end encryption, represented that it offered 256-bit end-to-end encryption when it only offered less secure 124-bit encryption, and represented that recorded meetings were immediately encrypted at the end of meetings, when some meetings were actually stored on Zoom servers unencrypted for up to 60 days. According to the FTC, Zoom’s user base “skyrocketed” amidst the COVID-19 pandemic from 10 million in December 2019 to 300 million in April 2020, a period during which these misrepresentations increased the risk that third parties would surveil or intercept consumers’ videoconferences. The FTC further alleged that, between July 2018 and July 2019, Zoom secretly installed web server software on end users’ computers without adequate notice or user consent.

Under the settlement and proposed consent order, Zoom must establish a comprehensive security program, implement specific security measures such as multi-factor authentication, cease further privacy and security misrepresentations, conduct biennial independent assessments for twenty years, and provide periodic certifications and assessments to the FTC.

The FTC voted 3-2 to accept the settlement with Zoom, with Commissioners Rohit Chopra and Rebecca Kelly Slaughter issuing dissenting statements.  Commissioner Chopra criticized the settlement’s failure to notify consumers of Zoom’s misrepresentations, the lack of monetary relief despite the FTC’s authority to seek it for dishonest conduct, and its failure to require that Zoom admit liability.  Commissioner Slaughter focused on the settlement’s failure to address data security and privacy concerns.  In a majority statement, the FTC defended the settlement, asserting that it provided critical and timely relief to consumers who needed a safe and secure videoconference meeting platform during the pandemic, explaining that the relief requested by dissenting colleagues was speculative and would require extensive litigation to obtain.

The FTC will publish a description of the proposed consent order containing the terms of the Zoom settlement in the Federal Register for 30 days of public comment, after which the FTC will decide whether to finalize that consent order.

FTC Press Release | Agreement Containing Consent Order | Analysis of Proposed Consent Order to Aid Public Comment | Chopra Dissenting Statement | Slaughter Dissenting Statement | FTC Majority Statement