We’ve Surveyed Video Conferencing Models to See Who Fits the CCPA Bill: Here’s What We Found

Jul 29, 2020 Published Article

Worldwide closures as a result of COVID-19 have resulted in an extreme surge in video conferencing use. This spike in use has also resulted in increased concern about the privacy of these video conferencing applications, including a class action lawsuit against one of the applications: Zoom.  Because of this, we took a deeper look into the privacy policies of six prominent video conferencing applications and created a chart showing each video conferencing application's compliance with the California Consumer Privacy Act. Reviewing these materials will provide an awareness of the deficiencies within the Privacy Policies, which can help you become more well-informed about your own rights, and more knowledgeable about any deficiencies in your own business' privacy policy. If these widely-used and widely-known companies can have deficiencies, it is an important way to re-examine and fix these issues in your own.

To determine this, we reviewed the CCPA’s twenty requirements for compliance, including: (1) the existence of a privacy policy, (2) required disclosures of information regarding the existence of rights under the CCPA, (3) instructions on how to exercise rights, and (4) providing contact information.

Here are the top 5 discoveries from our review:

1) No videoconferencing applications address authorized agents. This makes sense, as the treatment of authorized agents were just laid out in the recently finalized regulations. This is a reminder to businesses to utilize these regulations when setting up compliance measures to ensure there is no risk in missing out on requirements like this, which will still be required and enforced by the Attorney General.

2) Three platforms (WebEx, Skype, and Teams) have separate tabs and pages detailing privacy policies, and don't necessarily have a single unified and simple policy. Because of the accessibility requirements, this means that the privacy policy may not be readily accessible on the business's website, and may open companies to arguments that the entirety of their policy is non-compliant if key portions are hidden or otherwise inaccessible. Therefore to eliminate this concern, keep your policy unified, simple and in one location for ease of viewing.

3) None of the platforms address information relating to minors under the age of 16, which is notable as some of these platforms have been used for online education. The final regulations outline different treatment for minors from ages 13 to 16, and for minors under the age of 13. As a result, privacy policies focused on compliance with the Children's Online Privacy Protection Act (COPPA) may be insufficient as it only applies to those under 13 years old.

4) While all of the platforms state that no sale of information occurs, two platforms (Zoom and GoToMeeting) go above and beyond to explain the right to opt-out of sales. This is especially great as the CCPA permits that no notice needs to be given if no sale occurs. By taking this extra step, Zoom and GoToMeeting explain to their users that they have additional rights, which may be necessary as these platforms are also used by other entities, which may collect or otherwise use information collected from a videoconference meeting.

5) Only one platform (Wire) does not give instructions on how to delete information. The CCPA regulations still require that information regarding instructions on how to delete information be given. The lack of instructions does not relieve Wire from its obligations, and similarly situated businesses may find themselves in a position where they will have to comply with a consumer request, in any form, as the regulations require that a business either comply, or list the proper instructions on how to make the request.

Download the Full Breakdown

To learn more about our findings and how the video conferencing companies stacked up against the CCPA, visit: https://www.newmeyerdillion.com/ccpa-privacy-policy-compliance-videoconferencing-platforms/. We hope this serves as a reminder to everyone to read the privacy platforms for the services you use and update your company’s privacy policies to comply with the most recent regulations, as none of these services are currently in complete compliance, and it is only a matter of time before enforcement begins.