*Source: Privacy FAQs dated March 25, 2020 and provided by Zoom to the UW on March 29, 2020. Republished, in whole or in part, with Zoom’s permission and in collaboration with UW Privacy Office.
A general note on enterprise Software as a Service
When negotiating enterprise software contracts, UW-IT typically partners with the UW Attorney General’s Office, the Office of the CISO, and the UW Privacy Office to craft terms and conditions that are very different than those intended for consumers or companies. The goal is to protect the privacy of those who use the software, to mitigate a host of institutional risks, to ensure regulatory compliance (e.g., HIPAA, FERPA), and to maintain ownership of UW data and intellectual property. Please know that this care and diligence is part of every contract negotiation for enterprise Software as a Service.
You can read a message from Zoom’s CEO to users issued on April 1, 2020 here.
- Zoom only collects user data to the extent necessary to provide technical and operational support, and to improve its services.
- Zoom must collect technical information like users’ IP address, OS details and device details in order for its service to function properly.
- When user data is used for service improvement, it is completely anonymized and aggregated immediately upon collection in order to protect users’ identities and privacy.
Does Zoom sell user data to third-party companies?*
- No – Zoom does not sell user data of any kind to anyone. Zoom stands by its commitment to protect the privacy of its customers’ data.
Does Zoom share data with Facebook or have access to a user’s Facebook content?*
- Zoom does not share user data with Facebook, and Facebook cannot access any personal data Zoom collects by the use of its products and services.
- Zoom does not have access to any user’s Facebook content.
Does Zoom share any user data with third parties that could qualify as “selling”? What about selling or providing user data to Google?*
- If you do not want to receive targeted ads about Zoom, simply click the “Cookie Preferences” link at the bottom of any page on the zoom.us site and adjust the slider to “Required Cookies.”
Is it true person-to-person in meeting chat messages could be later sent to someone else after a call is recorded to the cloud?*
- No. Private chats are not made available to the meeting host. (Note: Chats to Everyone may be stored by the meeting host.)
Is Zoom compliant with privacy laws in other jurisdictions like the GDPR?*
- Zoom complies with all applicable privacy laws, rules, and regulations in the jurisdictions within which it operates, including the GDPR. See Zoom’s Official Statement: EU GDPR Compliance.
Can users request information about what data are collected on them?*
Does Zoom have the ability to “break in” or monitor conversations, whether in real time or record a copy? Or, if a customer is recording, keep a copy? Or, in transit to storage?*
- Zoom does not break-in or monitor conversations in real time and places the highest priority in the operations of its suite of products and services. By default, Zoom employs in-transit and at-rest encryption for in-meeting and in-webinar presentation content. Customers can also enable end-to-end encryption for chat. If customers employ local storage of meeting recordings, Zoom does not have access to or store these local meeting recordings. Only customers can access their local meeting recordings. Zoom is legally required to work with law enforcement when there is a violation of Zoom’s online Terms of Service.
- Zoom provides customers with a robust set of security features. Customers can learn more at https://zoom.us/security.
The attention tracking feature was permanently removed on 4/1/2020.
Does Zoom have different privacy policies when Zoom is utilized for educational purposes? If so, what are they?*
- Zoom is committed to protecting the privacy of education users. Zoom’s education use is designed to reflect Zoom’s compliance with the requirements of the Children’s Online Privacy Protection Act (“COPPA”), the California Consumer Privacy Act (“CCPA”), the Federal Education Rights and Privacy Act (“FERPA”), and other applicable law.
Do universities have any say in how the data Zoom collects is used?*
- Yes. Zoom is a Service Provider/Data Processor and Zoom only process data as instructed by its customers. Zoom also offers customers the ability to enter into custom Agreements to tailor the contract with Zoom to fit their unique needs. The UW has an agreement with Zoom for use of its service. The agreement recognizes Zoom as a School Official (as the term is used and defined in FERPA) and a Business Associate (as the term is used and defined in HIPAA).
Is Zoom in compliance with FERPA?*
- Yes, Zoom is compliant with FERPA . For more information, please Zoom’s FERPA Guide.
Is it true Zoom’s person-to-person chat messages could be later sent to someone else after a call is recorded to the cloud?*
- No. Private chats are not made available to the meeting host.
Does Zoom advertise to education users/students?*
- Zoom does not advertise to education users/students on its in-product pages.
Does Zoom monitor the audio or video of meetings involving education users/students?*
- Zoom enables customers to use its cloud recordings feature; however, those recordings are not accessed by Zoom except pursuant to a given customer’s request to respond to technical issues.
Does Zoom provide encryption on meetings or chats involving education users/students?*
- Zoom encrypts in-meeting and in-webinar presentation content at the application layer using TLS 1.2 with Advanced Encryption Standard (AES) 256-bit algorithm.
- For further information on Zoom encryption, please read The Facts Around Zoom and Encryption for Meetings/Webinars.