Privacy Lessons Learned from Litigation: The unfair and deceptive practices lawsuit against Zoom

Richard Horton
Associate Editor
Loyola University Chicago School of Law, LLM 2021

Yet another privacy and data security lawsuit has been filed against Zoom Video Communications, Inc. (“Zoom Inc.”). Zoom Inc. has been the subject of several complaints related to its video-conferencing service since its meteoric rise in popularity during the Coronavirus pandemic and the related quarantine measures that began in March 2020. In this particular case, there are compliance lessons to be learned from the unfair and deceptive practices claims alleged against Zoom Inc. in the plaintiff’s D.C. Superior Court filing.

What’s the issue?

Zoom Inc. is the company that owns and operates the eponymous Zoom internet video-conferencing service. Zoom Inc. was founded in 2011 and went public in 2019. The plaintiff alleges that Zoom Inc. was worth $16 billion at its IPO and, during the global pandemic, now enjoys a valuation of over $70 billion. Zoom Inc. has not only been sued specifically for its privacy and data security failings, but has also been the subject of a shareholder derivative suit alleging that those shortcomings caused the stock price to drop, resulting in a loss to investors.

This time, Zoom Inc. is being hauled into court not by one of its users, business subscribers, or shareholders, but by a consumer protection non-profit, Consumer Watchdog, suing on behalf of the general public and consumers in the District of Columbia. Consumer Watchdog is an advocacy group that has pushed for wide-ranging reforms in energy, healthcare, insurance, and privacy. Established in 1985, the public interest group has its roots in California and in nuclear power reform. In its August 10th filing, Consumer Watchdog alleges that the increase in Zoom users, and the resulting increase in the stock market valuation of Zoom Inc., were due at least in material part to Zoom Inc.’s misrepresentations about the privacy and security of the service.

What are unfair, deceptive, or abusive acts or practices (UDAAP)?

Generally, consumer protection laws at the state and federal levels prohibit unfair, deceptive, and abusive acts and practices. These include the Federal Trade Commission Act, the Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank Act), and the law applicable in this case, the D.C. Consumer Protection Procedures Act (CPPA). Laws with similar language have been adopted in all 50 states. Courts have consistently treated a company’s material misrepresentations as unfair and deceptive acts.

Consumer Watchdog has alleged that Zoom Inc. falsely represented that communications on the platform were protected by “end-to-end encryption.” The term has a precise meaning: content is encrypted under keys held only by the participants’ own devices, so that no intermediary, the service operator included, can decrypt it. Consumer Watchdog appears to acknowledge that communications were encrypted in some form, but the dispute hinges on Zoom Inc.’s ability to intercept and access all communications on its platform notwithstanding the encryption in place. Encryption that terminates at the operator’s servers protects traffic in transit, but it leaves the operator holding the keys, which is exactly the capability the complaint points to. Consumer Watchdog argues that because Zoom Inc. retained this ability, its encryption did not meet the standard of “end-to-end encryption.” The advocacy group has not alleged that Zoom Inc. actually accessed any communications, only that it could have.
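To make the distinction concrete, here is an added illustration written for this page; it is not code from the complaint, from Zoom Inc., or from Consumer Watchdog, and it does not describe Zoom’s actual design. It models the generic case in which every client shares a transport key with the operator, which decrypts each hop to route the traffic, and contrasts it with an extra end-to-end layer under a meeting key the operator never holds. The names `RelayService`, `run_session` and `claim_is_accurate` are hypothetical; the meeting key is assumed to have been agreed between the clients by a means the operator cannot observe; and the cipher is a toy built from HMAC-SHA256 so the script needs only the standard library.

```python
"""Added illustration (not from the complaint or from Zoom): why "encrypted"
and "end-to-end encrypted" are different claims. The deciding question is
key custody: can the operator that relays the traffic recover the content?

The cipher below is a TOY (HMAC-SHA256 keystream plus an HMAC tag) so the
script runs on the standard library alone. Do not reuse it in real systems."""
import hashlib
import hmac
import os
from typing import Dict, List, Optional

NONCE_LEN, TAG_LEN = 16, 32


def _subkey(key: bytes, label: bytes) -> bytes:
    # Separate encryption and MAC keys derived from one 32-byte secret.
    return hashlib.sha256(key + label).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = bytearray(), 0
    while len(out) < length:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(_subkey(key, b"enc"), block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || tag."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> Optional[bytes]:
    """Return the plaintext, or None if the tag does not verify under this key."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        return None
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


class RelayService:
    """Hypothetical operator: every client shares a transport key with it
    (in practice negotiated over TLS) and it decrypts each hop to route traffic."""

    def __init__(self) -> None:
        self.client_keys: Dict[str, bytes] = {}
        self.observed: List[bytes] = []  # what the operator sees after its hop

    def register(self, client_id: str) -> bytes:
        self.client_keys[client_id] = os.urandom(32)
        return self.client_keys[client_id]

    def relay(self, sender: str, recipient: str, blob: bytes) -> bytes:
        inner = decrypt(self.client_keys[sender], blob)
        assert inner is not None, "transport tag failed"
        self.observed.append(inner)
        return encrypt(self.client_keys[recipient], inner)


def run_session(end_to_end: bool) -> dict:
    """Alice sends Bob one message through the relay, with or without an extra
    end-to-end layer. The meeting key (assumption) was agreed between the
    clients by a means the operator cannot observe."""
    service = RelayService()
    alice_key, bob_key = service.register("alice"), service.register("bob")
    message = b"Q3 numbers: revenue down 12%, board eyes only"  # constructed sample
    meeting_key = os.urandom(32) if end_to_end else None

    payload = encrypt(meeting_key, message) if end_to_end else message
    on_wire = encrypt(alice_key, payload)
    delivered = service.relay("alice", "bob", on_wire)

    received = decrypt(bob_key, delivered)
    if end_to_end:
        received = decrypt(meeting_key, received)

    return {
        "message": message,
        "received": received,
        "on_wire": on_wire,
        "operator_view": service.observed[0],
        "operator_can_read": service.observed[0] == message,
    }


def claim_is_accurate(claim: str, session: dict) -> bool:
    """The check a reviewing engineer applies to a marketing phrase: each claim
    maps to a property of the system as built; unknown claims fail closed."""
    checks = {
        "encrypted in transit": lambda s: s["message"] not in s["on_wire"],
        "end-to-end encryption": lambda s: not s["operator_can_read"],
    }
    check = checks.get(claim.lower())
    return bool(check and check(session))


if __name__ == "__main__":
    for e2e in (False, True):
        s = run_session(end_to_end=e2e)
        print(f"end_to_end={e2e}: delivered={s['received'] == s['message']}, "
              f"operator_can_read={s['operator_can_read']}, "
              f"E2EE claim accurate={claim_is_accurate('end-to-end encryption', s)}")
```

In both runs Bob receives the message intact and the bytes on the wire are encrypted, so “encrypted in transit” is true of both designs. Only the second design keeps the content out of the operator’s `observed` log, and only that design passes the “end-to-end encryption” check; an accurate review turns on who holds the keys, not on whether a cipher is used somewhere.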

What’s the compliance risk?

The complaint alleges that Zoom Inc. made the false representations to “establish itself as a safe, secure, and reliable video conferencing platform.” Whatever the motive, tech companies can take affirmative measures to prevent their marketing teams from issuing similar claims, whether knowingly, negligently, recklessly, or otherwise.

Ostensibly, Zoom Inc.’s product marketers used security-related technical terms that have exacting and precise definitions (such as “end-to-end encryption”) in marketing materials, definitions that those same marketers may not have fully appreciated. Moreover, a typical legal review of the same materials, performed by general counsel or marketing-focused attorneys, is unlikely to catch these oversights for the very same reason: a lack of deep subject matter expertise.

The compliance risk illustrated by this case is that a product marketing team may elect to use technical terms related to the privacy and data security of its product when those terms do not adequately or precisely reflect the actual capabilities of the platform. This problem arises more often in product marketing-driven organizations, where the technical term originates with the product marketing team (e.g. to define market position) rather than with the teams that have technical competence, particularly engineering. This lawsuit is evidence that an inconsistency between a product promise and the technical standard it invokes, even one a non-specialist would regard as slight, can form the basis for costly litigation.

How do you control it?

Tech companies must recognize the increasing importance of privacy and data security features. Consumer Watchdog explained in its complaint that “consumers are making data security a crucial consideration when choosing which companies to do business with and which products to buy.” UDAAP laws typically require that a representation be material before it can be deceptive; once consumers weigh privacy and data security when choosing a product, statements about them meet that threshold, and tech companies should treat such statements as actionable.

Tech companies must respond with a risk mitigation approach by developing a formal review and approval process for marketing materials that includes consultation with privacy and data security engineers, particularly when technical terms and security-related claims are used. The review process should be mandatory when triggered, and risk & compliance personnel should adopt a written policy and related procedures to ensure that it is followed. The policy and its enforcement should be owned and maintained by the risk & compliance team. For ideas on what these types of controls generally look like, review this sample policy template published by the Health Care Compliance Association (HCCA).

As part of the recommended review process, the privacy and data security engineer should verify, on behalf of risk & compliance, that every privacy and data security claim in the marketing materials is accurate and not misleading when compared against the technical specifications of the system currently in production. For an encryption claim, that means checking where encryption terminates and who holds the keys, not merely whether a cipher is used. The verification may require research into the relevant technical standards and consultation with legal counsel that specializes in privacy and data security matters, and it must be repeated whenever the production architecture changes, since a claim that was accurate at launch can become false after a redesign.

It may be argued that an approval process with too many stakeholders hinders the speed and agility of the organization. That effect can be minimized by soliciting engineering’s input earlier in the development of the marketing team’s materials. Marketing will typically begin by developing a messaging framework that then guides the development of specific marketing assets. Consulting engineering during the review and approval of the messaging framework is less cumbersome and time-consuming than repeating the process for each individual marketing asset.

Further, technical specifications are collaboration and communication tools. Engineering teams should seriously consider developing technical specification documents that detail the architectural and design solutions they have chosen (guided by product requirements), so that marketing can reference them when developing its materials and formulating related claims. Any privacy or security-related update to the marketing materials that is not reasonably based on content expressly stated in the messaging framework or technical specification should trigger an additional review for approval.