UPDATE: February 3, 2021, at 6:00 PM EST. Zoom contacted us to provide this statement:
“The FTC today confirmed that the settlement we reached last year is now final. The advancements we have made to our platform are well-documented, and we are continuously improving our privacy and security programs to enhance our product. We remain committed to fulfilling the expectations of the millions of people who trust and rely on our platform.”
Earlier this week the Federal Trade Commission (FTC) announced its final settlement with Zoom Video Communications, Inc. (“Zoom”) over allegedly misleading consumers about the security of, among other things, Zoom meetings. The positions taken by former Commissioners Chopra (Biden's pick to run the CFPB) and Slaughter (now Acting FTC Chair) provide a window into the policy direction we are likely to see in the coming years.
As in other FTC data security and privacy enforcement actions, the FTC’s order prohibited Zoom from making privacy and data security promises to consumers it could not or would not keep so that users would be fully aware of the extent to which Zoom can or cannot protect information from unauthorized access. The final order also has a remedial program that will span 60 months and requires Zoom to develop, document, and implement a comprehensive ten-point data security compliance management system, including engaging Zoom’s highest governing body in the process, conducting a risk assessment, retaining a qualified privacy or data security coordinator, and evolving a breach notification and remediation program.
In addition, before rolling out new products or services, Zoom must dedicate qualified security personnel to evaluating these proposed new offerings. Again, there is no monetary fine or penalty, and the FTC settlement includes mandates for Zoom to get independent program assessments performed by a qualified third party on a regular basis and to notify the FTC of any significant “covered incidents.”
Although this Zoom enforcement action is similar to other recent FTC privacy and data security enforcement actions, what is notable is that the Commission voted 3-2 to finalize the settlement. Separate dissenting statements were filed by Commissioners Rohit Chopra and Rebecca Kelly Slaughter. These statements offer insight into what regulatory approaches we should expect as they move into leadership roles at the Consumer Financial Protection Bureau (“CFPB”) and FTC, respectively, assuming their nominations are confirmed.
In his dissenting statement, then-Commissioner Chopra explained that he voted against the “weak” settlement due to the “alarm from the public” when the proposed settlement was released for comment. Commissioner Chopra disclosed that “unbeknownst to the public during the comment period, Zoom’s business practices and access controls allowed … the People’s Republic of China … to get access to user data.” Interestingly, Commissioner Chopra criticizes the “paperwork requirements in the FTC’s settlement” and writes that the FTC undermined its own credibility by approving this approach on the eve of a change of administration. Clearly, Commissioner Chopra expresses disappointment in the FTC as, in his words, “an enforcer and as a government agency that listens to the public.” What Commissioner Chopra had hoped for instead was “real accountability relying on a thorough investigation.”
Meanwhile, then-Commissioner Rebecca Kelly Slaughter harshly criticized the FTC’s enforcement approach for a video conferencing vendor so ubiquitous in people’s work and business lives. She was disappointed that the FTC’s order “did not address Zoom’s privacy failings and did not require Zoom to provide any recourse to affected users.” In her dissent, Commissioner Slaughter noted that the Department of Justice recently charged a Zoom employee with “allegedly participating in a scheme to surveil, disclose, and censor political and religious speech of individuals located in the United States and around the world at the behest of the People’s Republic of China.” Reporting transparency was an FTC requirement Commissioner Slaughter felt was warranted instead of simply having a third-party assessor review Zoom’s privacy and data security program. Focused on “how vulnerable consumers feel using Zoom,” Commissioner Slaughter articulated a preference for companies like Zoom to adopt a strong privacy program.
These former FTC Commissioners appear well aligned with one another in their approaches to consumer protection enforcement. Principles we may distill from these dissents for future FTC and CFPB enforcement include these: first, if and when companies make privacy promises they cannot and do not keep, if consumers are harmed or feel vulnerable, companies’ plans for resolution must be scaled to include some form of transparent demonstration to the public that they are coming into compliance; second, companies that fail consumers should provide recourse to affected consumers; and, third, governmental agencies designed to protect consumers should “listen to the public.”