An Analysis of the Privacy Policies of Video Conferencing Applications

Written by Adwait Kolwalkar

Third Year, BBA. LLB. NMIMS School of Law

Disclaimer: Please note that the views expressed below represent the opinions of the article's author. The following does not necessarily represent the views of Law & Order.

Introduction

At a time of a worldwide lockdown and ‘social distancing’, video conferencing has become the new norm for conducting meetings. Video Conferencing Apps (VCA) such as Zoom, Cisco WebEx, Google Meet, Skype, etc. have gained several thousand users overnight. But there has been a strict concern with regards to the privacy of such applications.

Video Conferencing Applications or VCAs refer to those applications which allow meeting on a virtual platform. A lot of these official meetings contain information that is important and the leaking of such information can have a major impact on the organization. Hence the privacy of these meetings is a matter of concern.

The economy of California is one of the largest in the world due to Silicon Valley. All of the world’s biggest corporations have their headquarters in California hence it becomes vital to look at the state statute on Data Protection.

GDPR on the other hand is of vital importance due to it setting a new standard for data collection, storage, and usage among Europe. It is also important to note that GDPR needs clear consent: this is, data held on subjects must only be used for the purpose agreed. The definition of that data is very broad and can include not just names, addresses, emails, and telephone numbers, but also social media updates, pictures, and IP addresses.[1]

This article mentions two important legislations that have come around relating to Data privacy laws i.e. California Consumer Privacy Act (CCPA) and General Data Protection Regulations (GDPR). Further, this article looks into the privacy policies of two major VCAs i.e. Zoom and Cisco WebEx, and analyses whether these Privacy Policies are in compliance with these laws.

Online Privacy Laws

California Consumer Privacy Act (CCPA) 2018

The CCPA is a statute for privacy and data protection for the residents of California. The reason why a state statute is important is due to the Economy of California. California is home to Silicon Valley where the largest Corporations of the world exist. The scope of CCPA is any business which does not work for profit in California that either has an Annual Gross Revenue over USD 25 million or annually buys sells, receives or shares for a commercial purpose the information of more than 50,000 consumers, household or devices or derives 50% or more of its annual revenues from selling consumer’s Personal Information (PI).[2]

CCPA defines PI as any information that identifies, relates to, describes, is capable of being associated with, or may reasonably be linked, directly or indirectly, with a particular consumer or household.[3]

CCPA provides a range of Rights to the consumers such as a right to data access, to know what data and to whom it has been sold, delete, opt-out, and protection to Children’s Data. In terms of the Right to Know what data and to whom it has been sold, CCPA prohibits third parties from selling a consumer’s PI which has been sold to the third party by a business unless the consumer has received explicit notice and an opportunity to opt-out.

CCPA also has provided obligations to such businesses such as to provide notice to consumers at or before the data collection, to respond to requests from consumers within a particular time-frame, to verify the identity of the consumers who make requests and to disclose the financial incentives offered in exchange of retention or sale of consumer PI and how the value of PI was calculated. One of the most important obligations is to create procedures to respond to consumers’ requests to know, opt-out, and delete. To opt-out, it has been obligated to have an option of ‘do not sell my info’.

General Data Protection Regulation (GDPR)

General Data Protection Regulation or GDPR is a regulation in the European Union (EU) and European Economic Area (EEA) relating to privacy and Data Protection. It protects Personal Data which is defined as any information relating to an identified or identifiable natural person (‘data subject’)[4].

GDPR also provides certain rights to its data subjects, namely the Right to Transparent information, communication and modalities, Access, Rectify, Erasure, Restriction of Processing, data portability, and object. GDPR also provides the right to data subjects with respect to access to their personal data including receiving a copy and knowing the data’s controller’s processing.

GDPR imposes a penalty upon the data controllers or data processors by data subjects a private action caused due to a breach in GDPR regulations.

Privacy Policy

Privacy Policy is a legal document that provides for the way in which a party gathers, uses, processes, and manages a client’s data. Privacy Policies are mentioned on every website. It was made mandatory by a California Online Privacy Protection Act of 2003 for companies to have Privacy Policies on their website.[5]

Two types of Privacy Policies are taken for consideration with reference to this article. However, while there are and can be breached relating to all types of applications, this article only takes into consideration two video conferencing applications that have had sudden growth starting the lockdown.

1. Zoom

Zoom is one of the apps which has had a sudden increase in its users. Zoom is an American technology company headquartered in California.

Zoom has distinguished its users in three terms, namely-

1. Customer: This refers to any person or company that signs up for and has an account on the Zoom app.

2. Host: It is someone who can host a meeting on a Zoom account.

3. User: Anyone who uses Zoom.

The Privacy policy of Zoom is an exhaustive document containing the various categories of data and how the app uses the same. Zoom divides the PI of the users into two i.e. data that the consumers give to Zoom and the data which Zoom takes from the users.

Data that is given to Zoom includes phone number, address, billing method, username, phone number, and when a user accesses the Zoom app. It also contains other types of information such as Zoom cloud meetings, chats, and voice mails. Further, Zoom also collects data such as a person’s IP address, MAC address, other device ID (UDID), device type, operating system type and version, client version, type of camera, microphone or speakers, connection type, etc. including information such as approximate location and metadata.

Zoom also has marketing websites such as zoom.us and zoom.com where they advertise their products and prices. These websites obtain cookies[6] and similar analytical tools to be able to provide consumers with a tailor-made preference. The app provides for the consumers to opt-out of these or gives a Cookie preference to ensure compliance with CCPA.

With reference to the sale of data to third parties. Zoom mentions that it indeed sends the data of the cookies to the tool providers such as Google when the consumer has consented to it. However, it states that since the word ‘sale’ has a broad definition under the CCPA. Due to its broad definition, a ‘Do not sell my information’ link is provided at the bottom of every marketing page which then divides the cookies into three parts i.e. Required Cookies (these are required for site functionality such as secure login and how far one is through an order), Functional Cookies (these are needed to increase the performance of the websites and analyze site usage such as remembering log-in details and making sure that the website looks consistent) and Advertising cookies (these cookies are used by advertising companies to serve ads relevant to a consumer’s interest). A user can choose what they choose to provide in terms of the cookies.

Data Subject Rights refer to the rights which are given to the data subjects using zoom defined as the ‘users’. Zoom in its data subject rights is in compliance with laws of CCPA and GDPR with reference to access, rectification, objection, portability, erasure, withdrawal of consent, etc.

Therefore, Zoom is mostly in compliance with the regulations of CCPA and GDPR except in the case of “Does Zoom sell your data”. Zoom states that since the word ‘sale’ has a very broad definition under CCPA. The definition of Sale under CCPA is exchanged on PI of the users for money or other valuable consideration which in itself is explained in a broader term in order to inculcate all those transactions made with regards to a ‘sale’. Zoom in its previous Privacy Policy had generally vague terms for selling of data.[7] There were also allegations of Zoom selling PIs to Facebook.[8]

Stating that the definition of Sale under CCPA is broadly defined means that Zoom on asking whether it sells consumer data, says, “depends on what sale means to you” which creates a lot of confusion as it lacks clarity. The language used to define Sale under Zoom’s Privacy Policy is not clear and transparent. Further, the allegations of whether Zoom indeed sells the data have not yet been proven in a court of law.

2. Cisco WebEx

Cisco Systems, Inc. is a company based in Silicon Valley, California. The main organization is into developing, manufacturing, and selling network hardware, software, telecommunications equipment, etc.

One of its subsidiaries is WebEx. It provides services for meetings, training centres, support centres, web office, etc.

Cisco in its Privacy Statement defines Personal Information as anything which is able to identify an individual such as name, email address, IP address, phone number, etc. Further, it states that “If we link other data with your personal information, we will treat that linked data as personal information”. However, it does not clearly define what the ambit of ‘other data’ is and hence it is not very clear and transparent.

Further, the Privacy Statement states the purpose for which Cisco takes the personal data and the uses of such. It is very particular about the uses of personal data and mentions reasons such as Personalisation, administrating online education, providing customer service, etc. It also mentions that it engages with third parties to improve accuracy and tailor their interactions with the users.

The Privacy Statement also mentions selecting communication preferences. Cisco gives three types of options to control preferences. First, follow the instructions in the promotions email to unsubscribe. Second, to submit a form mentioned on their website or mailing to the communication address. Third, for short message services, to reply ‘STOP’, ‘END’, and ‘QUIT’.

It further states the sharing of personal information. Cisco shares personal information for the purpose of business, sending, delivering, securing, sending information relating to business with users' consent. Some of the ways described are:

1. Within Cisco and its subsidiaries for purposes such as data processing like marketing, security, business operations etc.

2. With Cisco partners and vendors so that they may share information with the users regarding their products.

3. With business partners, vendors authorized third party agents to provide for a particular service, solution or transaction.

Here, there is an exhaustive list of reasons for the use of personal data.

Cisco with regards to letting children ‘knowingly’ use their website is correct in their approach by stating that they do not do this knowingly and yet if someone under the laws of their particular country does end up seeing a child, then they are told to mail in accordance with ‘Contact Us’.

However, Cisco has not complied with certain compliance with GDPR and CCPA. These include-

1. The Privacy statement does not provide for a ‘Do not sell my information’ option although it states that it does not sell data. It is mandatory for a business to provide this option according to the CCPA.

2. It fails to provide a classification of personal information. In its definition, the privacy statement provides what is personal information and how do they use it but they fail to provide for classification of this personal information.

Therefore, the privacy statement of Cisco, even though it is very exhaustive, lacks some of these compliances. The Privacy Statement has done a good job to describe its compliances for an international transfer to its worldwide subsidiaries.

Conclusion

“Privacy is dead” are the words of Pete Cashmore, CEO of Mashable.[9] It is correct when he said so because the monetary value of ‘data’ has increased over the years. With Privacy now becoming an inalienable right, it is important to care about those businesses which use the same data to control its users.

A Privacy Statement/Policy is important to understand what is being done with the data that you provide in good concern to business. In an era where most of the world is highly dependent on virtual teleconferencing applications, it becomes important to care about privacy too.

With regards to Zoom, their Privacy Policy is mostly compliant with the laws of CCPA and GDPR. However, their policy states the definition of Sale under CCPA has a broad definition, and hence they have put an option of ‘Do not sell my info’ which is mandated under the Act. It is difficult to know for certain whether Zoom sells the data as their answer is not transparent.

On the other hand with regards to Cisco, their privacy policies are mostly in compliance with the different laws that are mentioned. However, there are certain places where they haven’t been clear and therefore it is important that they change these to provide transparency.

[1] iCaaS, Why is GDPR important?, (June 7, 2019), https://myicaas.com/gdpr/why-is-gdpr-important/ [2] 1798.140 (c) California Consumer Privacy Act, 2018. [3] 1798.140 (o) California Consumer Privacy Act, 2018. [4] Article 4, General Data Protection Regulation (GDPR), 2016. [5] 22575, Chapter 22, California Online Privacy Protection Act, 2003. [6] Cookies refer to a small amount of data generated by a website and saved by a web browser for retaining information about the user. [7] Maya Shwayder, Is Zoom’s new privacy policy worth a damn? Proceed with caution, experts say, Digital Trends, (March 31, 2020), https://www.digitaltrends.com/news/zoom-privacy-policy-changed-analysis/ [8] Khristopher J. Brooks, Zoom sued for allegedly sharing users' personal data with Facebook, CBS News, (April 1, 2020, 10:25 AM), https://www.cbsnews.com/news/zoom-app-personal-data-selling-facebook-lawsuit-alleges/ [9] Pete Cashmore, Privacy is dead, and social media hold smoking gun, CNN News, (October 28, 2009, 1:22 PM), https://edition.cnn.com/2009/OPINION/10/28/cashmore.online.privacy/ BIBLIOGRAPHY

1. Privacy Policy, Zoom, (March 29, 2020), Available at: https://zoom.us/privacy.

2. Cisco Online Privacy Statement, Cisco, (May 1, 2020), Available at: https://www.cisco.com/c/en/us/about/legal/privacy-full.html

3. Khristopher J. Brooks, Zoom sued for allegedly sharing users' personal data with Facebook, CBS News, (April 1, 2020, 10:25 AM), https://www.cbsnews.com/news/zoom-app-personal-data-selling-facebook-lawsuit-alleges/

4. Maya Shwayder, Is Zoom’s new privacy policy worth a damn? Proceed with caution, experts say, Digital Trends, (March 31, 2020), https://www.digitaltrends.com/news/zoom-privacy-policy-changed-analysis/

5. 22575, Chapter 22, California Online Privacy Protection Act, 2003.

6. iCaaS, Why is GDPR important?, (June 7, 2019), https://myicaas.com/gdpr/why-is-gdpr-important/

7. Article 4, General Data Protection Regulation (GDPR), 2016.

8. California Consumer Privacy Act, 2018.

9. Pete Cashmore, Privacy is dead, and social media hold smoking gun, CNN News, (October 28, 2009, 1:22 PM), https://edition.cnn.com/2009/OPINION/10/28/cashmore.online.privacy/