The use of videoconferencing platforms has spiked significantly due to COVID-19 closures. With this spike, some users have become increasingly concerned about the privacy of these platforms, due to exposure of information from security breaches. We examined the privacy policies of six prominent videoconferencing applications to determine their compliance with the California Consumer Privacy Act (CCPA). This should serve as a reminder to all organizations about the importance of following CCPA guidelines.
Evaluation Process
To evaluate these videoconferencing platforms’ compliance with the California Consumer Privacy Act, we examined the finalized CCPA regulations under Title 11, Division 1, Chapter 20, specifically sections 999.308, 999.317 (g)(1), and 999.332. These regulations were approved by the Office of Administrative Law on August 14, 2020. These regulations generally require a disclosure of rights, instructions on how to enforce rights, and transparency regarding the collection, disclosure, and sale of information. We reduced the requirements into a chart and reviewed the privacy policies (as of August 26, 2020) for each platform.
CCPA Regulations | Zoom | Webex | Go To Meeting (LogmeIn) | Skype (Microsoft) | Teams (Microsoft) | Wire |
Dated Privacy Policy | Yes | Cisco Privacy Policy: Yes Data Sheet: No | Yes | Yes | Yes | Yes |
Explanation about a right to know the personal information it collects, uses, discloses, and sells and right to delete | Yes, under Data Subject Rights | Yes, but part of different documents | Yes | Yes | Yes | Yes |
Provides agent instructions | No | No | No | No | No | No |
Instructions for requests to know information/deletion | Yes, but deletions are restricted to profile information. | Yes, though verification is not given | Yes, though verification is not given | Yes, | Yes | Yes, though verification is not given and deletions are restricted to profile information. |
Identifies the categories of personal information Collected. | Yes, but not as laid out in statute | Yes, but not as laid out in statute | Yes, but not as laid out in statute | Yes | Yes | Yes |
Identifies where personal information is obtained. | Yes | Unclear | Yes, but slightly unclear. | Yes | Yes | Yes, but minimal details were provided. |
Explain that the consumer has a right to opt-out of the sale of their personal information by a business. | Yes | N/A; No sale occurs | Yes | N/A; No sale occurs | N/A; No sale occurs | N/A; No sale occurs |
State whether or not the business sells personal information. | No Sales | No Sales (without consent) | No Sales | No Sales | No Sales | No Sales |
Identifies the business or commercial purpose for collecting personal information. | Yes | Yes | Yes | Yes | Yes | Yes |
Identifies the categories of personal information, disclosed to third parties | No, but instances listed | Yes | No, unclear | Yes | Yes | Yes. |
Listing the categories of third parties to whom the information was disclosed or sold. | No | Yes | Claims it is exempt under the “Shine the Light” law | No | No | No |
Provide contact information for privacy issues | Yes | Yes | Yes | Yes | Yes | Yes |