If you've used Zoom at all in the past five years, or even just signed up with the video-conferencing service, then you may have some money coming to you.
On Saturday (July 31), Zoom reached an $85 million agreement with two California law firms that had sued the company in federal court claiming that Zoom misled users about its encryption and security, had inadequate security that led to "Zoom bombings" and shared user data with Facebook, with Google and with LinkedIn without user consent or even user notification.
- Zoom's security issues: Here's everything that's gone wrong
- How to use Zoom on iPhone, Android, Windows or Mac
- Plus: I'm testing YouTube TV to cut the cord — the pros and cons
Any consumer who paid for a Zoom subscription between March 30, 2016 through July 30, 2021 will be entitled to a reimbursement of 15% of their subscription costs, or $25, whichever is greater. The plaintiffs estimate the average reimbursement may about $35, but that eventually depends on how many people file claims.
Even consumers who had free Zoom accounts are entitled to claim $15 from the settlement fund. The presiding judge has yet to approve the settlement, but a hearing is set for Oct. 21. This lawsuit does not affect or concern enterprise or government clients of Zoom, who are not part of the plaintiff class.
Update: Zoom reached out to us after publication of this story and provided this statement, in full.
"The privacy and security of our users are top priorities for Zoom, and we take seriously the trust our users place in us. We are proud of the advancements we have made to our platform, and look forward to continuing to innovate with privacy and security at the forefront. "
How you can file a settlement claim against Zoom
Under the terms of the agreement, Zoom will provide the settlement administrators a list of eligible registered users, and the administrators will notify those users via email or regular post of their eligibility to file a claim.
Those so notified "need only provide their names, mailing address, email and claim number," according to the settlement motion.
If you don't get a notification but feel you're entitled to file a claim, then you need to provide "either an email associated with a Zoom account, a Zoom account number, or failing that, documentation and an attestation demonstrating that [you] are a Class Member."
Class members include any Zoom personal account holder who "registered, used, opened, or downloaded the Zoom Meetings Application" from March 30, 2016 until this past Saturday.
A settlement website is to be set up at http://www.zoommeetingsclassaction.com/. (It's not live yet, but the domain has been registered.) There will also be a settlement mailing address, email address and phone number that claim filers can contact.
Ambulance chasing, but with merit
The class-action suit is a merging of 14 different lawsuits filed against Zoom in March and April of 2020, soon after the COVID-19 pandemic lockdown began in Europe and North America and use of Zoom by private clients skyrocketed. The 14 lawsuits were consolidated into one by a judge in May 2020.
A flurry of lawsuits being filed against a suddenly hot company seems opportunistic, and it is, but the plaintiffs' claims do have merit.
Zoom did in fact mislead customers about the nature and security of what it claimed was "end-to-end encryption" but really wasn't, leading Zoom to settle a claim with the Federal Trade Commission in November 2020.
Zoom did in fact incorporate Facebook code into its iOS app that sent Facebook information about each user's iPhone model, location, carrier and app usage, whether or not the user had a Facebook account. Zoom users were not notified of this.
Zoom did in fact give users who paid for a special LinkedIn service a snapshot of the LinkedIn pages of other Zoom users, without telling those users that their LinkedIn pages were being shared over Zoom. The New York Times found that even if you signed into Zoom meetings under fake names, your real LinkedIn page would pop up.
Zoom also sent mobile-app usage data to Google's Firebase analytics service, which is less outrageous but is nonetheless the basis of separate lawsuits against Google.
The plaintiffs originally sought to hold Zoom liable for the actions of Zoom "bombers" who invaded Zoom meetings with content that was often shocking or rude.
The court rejected those claims, ruling that Zoom was not responsible for the actions of third-party users per Section 230 of the federal law code. But the court retained the plaintiffs' complaint that Zoom did not provide a "secure videoconferencing service."
Actions Zoom has to take
From now on, Zoom has to notify users during meetings about which other meeting participants can see who's on the call, which participants can save meeting data and which participants are using third-party apps that can interact with the Zoom software. (Some of these features are already in place.)
Zoom also agrees to:
- Notify users when their personal is data being shared with third parties such as Facebook, Google or LinkedIn
- Create staff positions dedicated to reporting incidents of Zoom bombing to law enforcement
- Create waiting rooms for attendees (already implemented)
- Create a "suspend meeting activities" button
- Enable "blocking of users from specific countries for a minimum of three years"
- Provide a centralized hub of privacy and security information for parents of kids who use Zoom for school
The lawyers for the plaintiffs are asking the judge to set aside 25% of the settlement, or $21.25 million, to pay their legal fees. That sounds like a lot, but it's less than the 33% that plaintiff's attorneys normally get.
If any of the $85 million is left over after all claims have been settled, the extra money will go to the Electronic Frontier Foundation and the Electronic Privacy Information Center, two non-profit digital-rights groups.