Zoom Video Communications has agreed to a preliminary class-action settlement with terms that would require the video-conferencing platform to establish an $85 million fund and improve its data privacy and security practices, according to court documents.

Zoom, which exploded in popularity as stay-at-home orders took hold amid the COVID-19 pandemic, was the subject of more than a dozen class-action complaints alleging violations of security and privacy. In May 2020, the U.S. District Court for the Northern District of California consolidated these complaints into a single class-action lawsuit.

The consolidated lawsuit alleges Zoom “improperly shared its users’ data without notice or consent” using third-party software integrations from companies including Facebook, Google, and LinkedIn. Also addressed in the lawsuit is harm caused by “Zoombombing,” in which unauthorized users crash a video chat and post hateful, racist, or pornographic content.

Under the terms of the preliminary settlement, filed Saturday but still awaiting approval from U.S. District Judge Lucy Koh, class members who are paid Zoom subscribers will be eligible to receive a 15 percent refund or $25, whichever is greater. Class members who are nonpaying Zoom customers may submit a claim to receive $15.

Compliance obligations

Zoom did not admit wrongdoing as part of the settlement. However, the company has agreed to “over a dozen major changes to its practices, designed to improve meeting security, bolster privacy disclosures, and safeguard consumer data.” Enhancements include:

User notification features. Under the settlement terms, Zoom has agreed to provide in-meeting notifications “to make it easier for users to understand who can see, save, and share Zoom users’ information and content by alerting users when a meeting host or another participant uses a third-party application during a meeting.”

Revised privacy statement. Zoom must disclose users’ ability to share data with third parties through third-party data-sharing apps or otherwise, to record meetings, and/or to transcribe meetings.

Facebook obligations. Zoom must not reintegrate the Facebook software development kit (SDK) for iOS into Zoom meetings for a year and must request Facebook delete any U.S. user data obtained from the SDK.

New documented protocols and procedures. Zoom must develop and maintain, for a minimum of three years, documented protocols and procedures for admitting third-party applications for dissemination to users through the Zoom App Marketplace; a user-support ticket system for internal tracking of, and communication with users about, reports of meeting disruptions; a documented process for communication with law enforcement about meeting disruptions involving illegal content, including dedicated personnel to report serial meeting disrupters to law enforcement; and security features, such as waiting rooms for attendees, the suspend-meeting activities button, and blocking of users from specific countries.

User education features. Zoom must “better educate users about the security features available to protect meeting security and privacy, through dedicated space on the Zoom website and banner-type notifications.” Additionally, the company’s website must have “centralized information and links for parents whose children are using school-provisioned K-12 accounts.”