What are practical lessons learned from the $85 million Zoom settlement?

  • You can have big ticket enforcement dollars even without GDPR or CCPA.
  • When you integrate a third party feature – including via a Software Development Kit (SDK) that shares information with a third party and especially when that third party can use the information for marketing, advertising or other purposes – you need to, at minimum, disclose  clearly it. (It is also important to disclose what the third party does with the data and the implications to the consumer. We saw this with  Commission Nationale de l’Informatique et des Libertés (CNIL) enforcements and now we see it in the US too.)
  • Be careful about unequivocal statements about your security measures (“We use end-to-end encryption”) or privacy (“We take your privacy seriously”). These types of statements have been enforced by the Federal Trade Commission as deceptive/misleading statements.
  • It is important to have strong information security measures in practice.
  • For large companies, it is also very important to have policies and procedures that allow the information security measures to happen. (Think of alignment with ISO 27001, NIST CSF, CIS Top 20.)

A copy of the complaint may be read here.

A copy of the settlement may be read here.