
Zoom privacy policy: A guide for businesses, educational institutions, and healthcare providers

Zoom has become deeply embedded in modern business communication. Companies use it for daily meetings, client presentations, webinars, training sessions, and industry conferences. Educational institutions use it for remote learning, and healthcare providers use it to deliver telehealth services.

Each of these uses involves sharing personal data with the platform. This data may belong to employees, clients, webinar attendees, students, patients — anyone that joins a Zoom call. And your business could be responsible for protecting it.

Zoom’s privacy policy applies only to personal data it collects from individual users. Any personal data shared by a business is covered by Zoom’s Data Processing Addendum (DPA) and US State Law Privacy Addendum.

In this guide, we look at what personal data Zoom collects from business use, how this data may be used, and what obligations organizations may face under global data protection laws.

  • Zoom’s role in business data: Zoom serves as a data processor for organizations, handling personal data from employees, clients, students, and patients during meetings, webinars, and telehealth services.
  • Data Processing Addendum (DPA): For business use, Zoom’s data handling is primarily governed by its Data Processing Addendum (DPA) and US State Law Privacy Addendum, which outline contractual obligations.
  • Categories of data collected: Zoom collects various personal data, including account data, meeting participant details, device information, support data, and address book or calendar data.
  • Zoom as data controller: Zoom acts as a data controller for its own business purposes, such as billing, legal obligations, abuse detection, and service improvement, without using customer data for third-party advertising.
  • Third-party data sharing: Zoom shares data with third-party subprocessors for cloud services, AI features, content delivery, security, and other operational functions, which are all bound by DPA obligations.
  • International data transfers: Personal data may be transferred internationally, with Zoom relying on adequacy agreements or other legal mechanisms like Standard Contractual Clauses (SCCs).
  • Industry-specific considerations and protections: Educational institutions require a Children’s Educational Privacy Statement, and healthcare providers handling PHI need a Business Associate Agreement (BAA) with a “Zoom for Healthcare” plan to meet HIPAA requirements.
  • Organizational obligations: Businesses must ensure compliance by obtaining consent where required, developing acceptable use policies, complying with BAA terms for HIPAA, and maintaining transparent privacy policies.

What personal data does Zoom collect?

When your organization uses Zoom, the platform collects several categories of personal data related to your account and the activities conducted on it. This data is gathered from account holders, meeting participants, and the devices used to access Zoom’s services. 

  • Account data: Including names, email addresses, user IDs, profile pictures, and any other information a user adds to their profile 
  • Meeting and webinar participant data: Names, contact details, registration data, participant roles, tracking fields (such as “department”), and details about meeting times and topics
  • Device and diagnostic data: Information about the devices used to connect to Zoom, such as IP addresses, device types, operating systems, network information, and the specifications of connected hardware like microphones and cameras
  • Support data: Descriptions of technical problems, user contact information, feedback, and uploaded attachments
  • Address book and calendar data: Contact lists and calendar entries from integrations with tools like Outlook or Google Calendar

Beyond these categories, Zoom also processes the content generated during meetings and webinars. This includes video, audio, chat messages, whiteboards, captions, transcriptions, presentations, polls, surveys, and Q&A sessions. 

Depending on the nature of the discussion and the information shared by participants, this content could contain personal data.

How Zoom uses personal data

Zoom handles personal data in two ways. In most situations, it acts as a data processor, managing data on behalf of your organization. In some cases, it acts as a data controller, using certain information for its own purposes.

Zoom’s personal data use when acting as processor

Under its DPA, Zoom primarily acts as a data processor, while your organization acts as data controller. This means Zoom is contractually obligated to handle personal data in line with your instructions in order to:

  • Provide and update services
  • Secure and monitor services
  • Resolve technical issues
  • Provide customer support

Zoom’s DPA does not specifically address its AI Companion features or the third-party AI models that power them. However, Zoom’s documentation clarifies that customer content, such as audio, video, chat, screen sharing, attachments, poll results, whiteboards, and reactions, is not used to train Zoom’s own or third-party AI models.

According to the documentation, data generated through AI Companion interactions may still be accessed and processed. Zoom claims it uses this data to maintain service functionality, troubleshoot errors, and support users. 

Zoom’s personal data use when acting as controller

Zoom may act as a data controller when using personal data for its own legitimate business purposes. These purposes include: 

  • Billing and account management
  • Meeting legal obligations
  • Detecting abuse
  • Using pseudonymized data for analytics, reporting, and improving services

This means Zoom can determine how certain data is processed when it relates to running and maintaining its business operations.

The DPA explicitly states that Zoom does not process customer personal data for third-party advertising, direct marketing, profiling, research, or analytics purposes. Exceptions apply when the processing:

  • is required by customer instructions
  • falls under the listed legitimate business purposes
  • occurs within free, early access, or beta programs

Who does Zoom share personal data with?

The DPA permits Zoom to use third-party subprocessors to process customer personal data on its behalf.

These subprocessors must follow the same obligations as Zoom under the DPA. That includes processing data only under your instructions as the controller, restricting access to trained and contractually bound personnel, reporting security breaches right away, and cooperating with Zoom in responding to requests from customers, data subjects, or regulators.

Zoom engages these subprocessors for a variety of operational functions, such as:

  • Cloud services: Hosting and storing data in external environments, including call recordings and transcripts
  • AI features: Supporting functions that process data to provide artificial intelligence tools within Zoom
  • Content delivery networks (CDNs): Distributing meeting or webinar content across global servers, which may involve routing personal data through multiple locations
  • Security services: Monitoring and protecting against threats to privacy or safety
  • Cookie and preference management: Collecting user consent signals and preference data
  • Feedback, reviews, and surveys: Gathering responses that often contain personal identifiers or opinions belonging to users
  • Notification services: Delivering emails, reminders, or system alerts that require access to participant contact details

Zoom may also share personal data with third-party applications that organizations choose to integrate, such as apps approved by schools for student accounts. In these cases, the organization decides whether to grant access, but the data still leaves Zoom’s systems and goes to the external app.

International data transfers

Zoom may transfer customer personal data to, and process it in, the United States and other countries where its affiliates, professional advisors, or authorized subprocessors are located.

Data transfers may also occur when an end user connects to Zoom services from a different location, such as during international travel. In each case, personal data moves across borders and becomes subject to different legal systems and regulations, which may not provide the same protections as the user’s country of origin.

Zoom states in its privacy statement that it will carry out all such transfers in compliance with applicable data protection laws and the terms of its DPA.

Organizations based in the European Union, the European Economic Area, Switzerland, or the United Kingdom have specific compliance requirements. If personal data is sent to a country without an adequacy decision from the European Commission, the Swiss Federal Data Protection and Information Commissioner, or the UK Information Commissioner’s Office, Zoom relies on Standard Contractual Clauses (SCCs) for transferring the data lawfully.

This legal mechanism provides the necessary safeguards for the data as required by the respective data protection authorities in those regions.

Using Zoom in industries with sensitive personal data

Educational institutions and healthcare providers that use Zoom face specific challenges related to sensitive personal data. Many global and regional data privacy laws provide special protections for this data, which your business must adhere to if it falls under either of these categories. 

Because of the added risks, Zoom includes specific provisions for how its platform can be used in education and healthcare settings.


Educational use

When schools or other organizations use Zoom to provide educational services to students under the age of 18, Zoom’s Children’s Educational Privacy Statement supplements the main DPA. 

This statement adds to the terms in the DPA by describing how Zoom collects, uses, and discloses personal data from students.

While the personal data collected from students is largely the same as that of other users — including names, email addresses, meeting recordings, and chats — there are some types of personal data that are unique to an educational environment.

These may include contact lists that the educational service adds or allows students to access on their account, such as the names and email addresses of other students. It may also include calendar information, such as a class schedule or upcoming school events.

Zoom may use this data to:

  • Deliver educational services: Such as providing schools with access to the platform, customizing products for classroom needs, and supplying customer support
  • Develop new features for schools: Including conducting product research and making improvements designed for educational environments
  • Authenticate and secure accounts: Verifying student logins, preventing unauthorized access, and addressing potential safety risks
  • Meet legal obligations: Such as responding to official requests and complying with applicable education or privacy regulations

Control over how this data is used ultimately belongs to the school or educational organization. Institutions may also approve third-party applications that gain access to personal data from student accounts, extending data sharing beyond Zoom itself.

In the US, specific federal laws apply to data belonging to minors. Under the Children’s Online Privacy Protection Act (COPPA), schools are responsible for obtaining verifiable parental consent before installing any third-party app that will be used by children under age 13 and that collects their data. Zoom’s terms explicitly place this obligation on the educational institution.

Under the Family Educational Rights and Privacy Act (FERPA), Zoom is considered a “school official” when providing services. This means it holds and manages student data solely on the school’s behalf and may use that information only as directed by the institution or as otherwise permitted by law.


Health information and HIPAA

The Health Insurance Portability and Accountability Act (HIPAA) is a US federal law that sets strict rules for how healthcare providers and other covered entities handle protected health information (PHI). These rules cover the collection, use, and protection of PHI.

For organizations subject to HIPAA, Zoom’s standard DPA alone is not sufficient. HIPAA requires a specific contract known as a Business Associate Agreement (BAA) for vendors that handle PHI. Healthcare entities must also subscribe to a Zoom for Healthcare plan and execute a separate BAA with Zoom.

Zoom’s HIPAA compliance guide highlights safeguards for PHI, such as enhanced security controls, access restrictions, data encryption, and authentication measures. 

Zoom also provides account administrators with specific tools and features designed to help them configure the platform in line with their security and HIPAA compliance objectives. 

These measures support HIPAA compliance, but the healthcare organization is still responsible for configuring and monitoring them.

Health-related personal data is considered a special category of data under the EU’s General Data Protection Regulation (GDPR) and receives additional protections. Importantly, processing of health data is prohibited under Art. 9 GDPR unless one of its conditions is met, for example that the data subject has given explicit consent, that the processing is necessary for the provision of healthcare, or that it serves the public interest in the area of public health.

Zoom does not have an equivalent to the HIPAA-mandated BAA when it comes to health data belonging to persons located in the EU/EEA, to whom the GDPR applies.

As a healthcare provider in the EU/EEA, you may be permitted to use Zoom for clinical consultations, but you must follow the GDPR’s rules for special category data. This includes identifying and documenting a valid Art. 6 GDPR legal basis and an Art. 9 condition before processing health data.

According to Zoom, the platform supports GDPR compliance by providing technical and organizational safeguards, such as encryption, data minimization, and transparency tools.

These include:

  • Enabling businesses to implement end-to-end encryption for meetings so that no provider or system may access the communications, including Zoom
  • Implementing safeguards to prevent unauthorized persons from accessing a meeting
  • Providing role-based user security 
  • Enabling admins to choose the storage location for some of the data for their account, including cloud recordings, meeting transcripts, chat transcripts, and files

It is strongly advised to obtain legal advice before using Zoom for providing healthcare services in the EU/EEA.

How to align your business with privacy laws and Zoom’s privacy requirements

Organizations that use Zoom are responsible for handling personal data in a way that meets the standards set by global privacy laws in relevant jurisdictions and Zoom’s terms. Here are some steps your business can take.

Obtain consent where required

Your organization must obtain explicit consent where required by law before processing personal data through Zoom. This obligation applies in several situations.

Under laws such as the GDPR and Brazil’s Lei Geral de Proteção de Dados (LGPD), you must have a lawful basis for processing personal data. Explicit consent is one of the accepted legal bases. Explicit consent may also be necessary for processing special category data like health information.


In the US, state-level data privacy laws generally operate on an opt-out model, with some exceptions. However, these laws typically require prior opt-in consent when the data is classified as sensitive or if it belongs to a known minor. Federal laws like COPPA impose consent obligations on schools using Zoom with students. Under state privacy laws such as the California Consumer Privacy Act (CCPA), you must give individuals a clear method to opt out of the sale or sharing of their personal information, even when it is not classified as sensitive. Where sensitive data is involved, you must also provide a way to limit how it is used and disclosed.


Consider an acceptable use policy document for your business

An acceptable use policy (AUP) can set the rules for how employees — and students, if your organization is an educational institution — are permitted to use Zoom, including its AI features. 

This document may include, among other things:

  • What types of information can be discussed in meetings and how sensitive topics must be handled
  • Which security and privacy settings must be enabled before hosting or joining calls
  • Clear contact details for the IT or security team so users know where to turn with questions or to report issues

A well-defined AUP helps prevent users from inadvertently sharing sensitive data through insecure configurations or using AI features that haven’t been approved.

In addition to the AUP, you could also consider creating a Zoom privacy and security policy document with tips or checklists to help users use the platform securely.

Your business should work with privacy or security experts to draft a version tailored to your organization’s specific needs and legal obligations.

Zoom’s Business Associate Agreement for HIPAA

If your business is subject to HIPAA or handles protected health information covered by HIPAA, you likely need a Business Associate Agreement with Zoom. Without a BAA, any use of Zoom for PHI could fall outside HIPAA’s requirements and expose your organization to liability.

After signing the BAA, you must also configure account and meeting settings in line with HIPAA safeguards. This includes enabling end-to-end encryption so patient data cannot be intercepted, and setting role-based permissions so only authorized users can view, download, or delete meeting content.

Be transparent with users

If your business uses Zoom, your privacy policy must clearly explain how this affects employees, clients, patients, students, or anyone who attends a call or webinar your business hosts.


Below is a non-exhaustive checklist of what to include in a Zoom privacy policy.

  • Describe how your business collects, uses, and shares personal data with Zoom and for what purposes. Explain that Zoom may use collected data according to the DPA.
  • Disclose that personal data processed in Zoom may be shared with third parties, including Zoom’s subprocessors or connected apps.
  • Explain users’ rights under relevant privacy laws, such as the right to erasure (deletion) under the GDPR and the right to opt out under the CCPA/CPRA. Provide clear instructions on how users can exercise these rights.
  • If you use personal data for behavioral targeting, provide a “Do Not Sell Or Share My Personal Information” link for California users, as required by state law.
  • Provide a clear point of contact for any questions or concerns about your data practices. If your organization has a Data Protection Officer (DPO) or a designated privacy contact, include their information.

Your privacy policy must be written in clear, simple language that is easy for a general audience to understand. It should also be easy to find, such as through a persistent link in your website’s footer or within your application’s settings menu. 

Keep it updated to reflect any changes in your organization’s data practices, Zoom’s terms, or relevant privacy laws. If you host webinars, link to your privacy policy in the registration form and include it in confirmation emails.

Usercentrics does not provide legal advice, and information is provided for educational purposes only. We always recommend engaging qualified legal counsel or privacy specialists regarding data privacy and protection issues and operations.