
Could your privacy policy cope with explosive growth?

Six months ago, Zoom was a buttoned-down, business-focused video-chat tool with 10 million daily users — but by March, its user-base had surged to over 200 million as the coronavirus pandemic drove countless organizations to move online. Almost overnight, Zoom became not just a household name but a generation-defining cultural touchstone, and its stock price more than tripled.

Great news, right? Well, sure — except that Zoom’s explosive growth also exposed serious weaknesses in its privacy policy. First, it emerged that Zoom’s app was leaking user data to Facebook; later, cybercriminals began trading exploits, meetings were crashed by foul-mouthed “Zoom-bombers,” and it became apparent that Zoom’s vaunted end-to-end encryption didn’t actually exist.

The upshot: serious damage to Zoom’s brand, with corporations banning employees from the service, irate users filing lawsuits, and regulators launching a flurry of investigations. “We have fallen short of the community’s — and our own — privacy and security expectations,” admitted CEO Eric Yuan. “We did not design the product with the foresight that, in a matter of weeks, every person in the world would suddenly be working, studying, and socializing from home.”

Zoom’s growth might have been unanticipated, but its privacy failure was a self-inflicted injury. By following a few simple guidelines, Zoom could have implemented far more effective policies, and spared itself a litany of headaches. So where did Zoom go wrong — and how can you ensure your own company’s privacy policy is ready for whatever the future brings?

1. Compliance is just the beginning

Many companies see the privacy policy primarily as a necessary but annoying document required by law — begrudgingly admitting that such policies are increasingly important given the rise of complex new frameworks such as the GDPR and the CCPA. But don’t take a bare-minimum approach and assume your privacy policy is ready for primetime just because you’ve ticked a few regulatory boxes. Your policy should aim higher, and be transparent, truthful, and forthcoming. Don’t just promise to play by the rules. Go further, and explain in positive terms exactly how you’ll collect, use, and protect your customers’ data.

2. Keep it simple

Your privacy policy doesn’t have to be a fusty legal document: turn it into a living, breathing opportunity to build and strengthen relationships with visitors who have shown an interest in what you do. The key is to thread the needle between using legally precise language, and expressing your company’s approach to privacy in terms that are simple enough for users to understand. It’s a fine line to walk: ambiguities could leave you legally liable, while dense legalese will make customers’ eyes glaze over. Imagine your grandma is reading your privacy policy — if she gets confused, or can’t make it through without taking a nap, then it needs more work. And remember it’s not illegal for the policy to have a little personality.

3. Make your policy a no-spin zone

Treating your privacy policy as a communication tool doesn’t mean putting your PR team in charge and calling it a day. As Zoom learned when it claimed to have E2E encryption, buzzwords and impressive-sounding jargon can come back to haunt you if they don’t reflect how your product actually works. You can’t spin your way to a successful privacy policy, so don’t tell people what you think they want to hear. Just tell them in plain English what you’re actually doing. And if you include specific technical claims, make sure they’re true.

4. Sweat the small stuff

When it comes to your privacy policy, the devil is in the details. The snippet of Zoom’s code that leaked data to Facebook probably seemed inconsequential when it was first written, but when the world started paying attention, Zoom wound up with egg on its face. When thinking about privacy, don’t focus solely on the processes that are central to your business. Ultimately, trivial-sounding cut corners, workarounds, and hand-waved details can harm your brand.

5. Think of the children

Part of the reason Zoom slipped up was that its product, designed for enterprise users, was suddenly adopted by 90,000 schools for online teaching. Zoom got an unscheduled stress-test as children began mucking about with features and settings, and its privacy policies were swiftly put under the microscope by worried parents. The key lesson? Make your privacy policy robust enough to cater to sensitive or specially regulated users — and if kids might use your product, consider having a separate privacy policy to explain how you’ll handle their data.

6. Put your money where your mouth is

Whenever a product gets popular, hackers start sniffing around. Zoom tripped up by failing to anticipate that, and leaving it to its own business partners to root out vulnerabilities in its platform. A better approach: spend some money early on, and pay “white hat” hackers to dig up problems that need patching. There’s little point crafting a transparent, effective privacy policy if you don’t also do your utmost to keep your users’ data safe from cyberattacks and other predictable threats.

Make privacy a priority

It’s easy to sympathize with Zoom. After all, how many startup CEOs can say, hand on heart, that they could handle a twentyfold growth surge without a few growing pains? Ultimately, though, Zoom’s privacy problems were an unforced error. Digital startups are built for rapid growth, so there’s no excuse for having privacy policies that aren’t future-proofed.

The real takeaway is that whatever business you’re in, the days of neglecting privacy are long gone. You never know when your user numbers will skyrocket, and you’ll never get a second chance to make a first impression, so you can’t afford to treat your privacy policy as an afterthought.

Fortunately, the solution is simple: instead of viewing privacy as merely another box to check, bring your whole team into the process, from top-level leaders to legal, technical, and communication experts. Establish privacy as a genuine priority, then use your privacy policy to communicate that commitment and make it a key differentiator for your brand.

Despite Zoom’s missteps, implementing an effective and resilient privacy policy isn’t rocket science. If you take your customers’ privacy seriously, and craft a policy that clearly and honestly explains your values, you’ll be well-placed to succeed — no matter what the future holds.

Privacy Tech
June 8, 2020
