Zoom is sued over privacy failures company says it has fixed

Zoom, the teleconferencing app that has exploded in popularity over the past few weeks, is now subject to a federal privacy lawsuit alleging the tech company shared private information to other third-party platforms such as Facebook without informing users. The company said it has halted the practice.

The lawsuit, which cites California’s new Consumer Privacy Act as one of several causes of action, said users’ information such as time zone, location, device model and phone carrier were shared with other parties each time they interfaced with the app, according to a suit filed by Wexler Wallace LLP in the Northern District of California on Monday. Whether the user had Facebook or not, the information was then used for targeted advertising, the suit alleged.

“Zoom’s failure to implement adequate security protocols and failure to provide accurate disclosures to its users violated those users’ privacy and falls well short of Zoom’s promises,” according to the lawsuit.

The lawsuit, which argues unjust enrichment, comes as the San Jose-based company’s stock price has risen by over 115% since January.

Prior to the suit’s filing on Monday, the company said it “was collecting device information unnecessary for us to provide our services” and halted the practice, in response to a report from Vice that the identifier allowed companies to target users with advertisements. Cullen v. Zoo Video Communications Inc., 5:20-cv-02155-SVK (N.D. Cal., filed March 30, 2020).

“We sincerely apologize for the concern this has caused, and remain firmly committed to the protection of our users’ privacy. We are reviewing our process and protocols for implementing these features in the future to ensure this does not happen again,” the company wrote on its website, recommending users download the newest version of the app.

Zoom said the information collected did not include information and activities related to attendees, names or notes related to meetings.

Despite the changes, the lawsuit contended the damage has been done. It said the company did not go far enough in barring old versions of Zoom from still being accessed and argued past user injury must be remedied.

The company did not comment on those allegations.

Mark J. Tamblyn, of counsel at Wexler Wallace who filed the lawsuit on behalf of plaintiff Robert Cullen, did not respond to a request for comment.

The class, consisting of all individuals and businesses in the U.S. whose private information was collected by Zoom and given to a third party, cites seven causes of action. It seeks injunctive relief under the California Consumer Privacy Act, which says companies must allow for an “opt out” function to protect users from having personal information released without notice and consent. The act was further violated as a result of Zoom not preventing non-encrypted personal information from being disclosed, the lawsuit alleges.

The company is also accused of unlawful and unfair business practices for allegedly not informing users of its private information sharing.

“Had Zoom informed its users that it would use inadequate security measures and permit unauthorized third-party tracking of their personal information, users — like plaintiff and class members — would not have been willing to use the Zoom app,” states the lawsuit.

Under the California Consumers Legal Remedies Act, the lawsuit said Zoom represented it was preventing unauthorized access and disclosure of personal information when it did not.

Other causes of action are alleged negligence, unjust enrichment, and invasion of privacy and violation of the California Constitution.