Zoom Privacy Guidance for BYU

Several concerns have been expressed regarding the privacy and security of using Zoom for campus meetings and online classroom instruction. This statement has been prepared to address these concerns. The major privacy questions expressed include:

1. Does Zoom sell or share our data?
2. Does Zoom meet our privacy and security standards?
3. Does Zoom protect personal information and recordings?
4. Should we be concerned with Zoom-bombing?

Findings and Recommendations

Does Zoom sell or share our data?

Zoom updated its privacy policy on March 29, 2020, to counteract recent data protection complaints. Zoom confirms it does not share or sell any personal information, or any data regarding user activity, including video, audio, and chat contents.
The updated privacy policy contains all of the necessary elements found in a sound, compliant privacy policy. It is common for organizations to share customer data with law enforcement or courts that produce an authorized subpoena or court order. It is also appropriate for Zoom to mine data and use analytics to better understand and provide services to its customers, as long as personal data is not shared or sold.

Does Zoom meet our privacy and security standards?

Zoom appears to meet BYU privacy standards, including FERPA and GDPR requirements:

FERPA: It is acceptable for students to see other students and share their personal information in a Zoom meeting. Students do not need to provide consent if the meeting is recorded, as long as the recording is not shared outside the classroom environment. If recordings are shared outside the classroom environment, faculty need to obtain student consent, as these recordings are considered education records and the FERPA rules for disclosure apply.

GDPR: Zoom features an explicit consent mechanism for EU users. Existing or new users coming from IP addresses detected from the EU will be presented with a one-time privacy policy update.

Although Zoom displays a notification when a meeting is recorded, the meeting host should also inform the participants when the meeting begins. Zoom recordings for classroom instruction should be retained for one year after the end of the semester, if needed, to document class participation when participation contributes to the grade, or if needed by the student to complete an incomplete grade.

Does Zoom protect personal information and recordings?

Privacy requires that personal information is adequately protected against unauthorized access or use. Zoom meets BYU security standards for the protection of personal information, including the encryption of Zoom meetings during transmission and requiring two-factor authentication, using Duo, to obtain access to the system.
Zoom is actively addressing security issues and vulnerabilities, and the CES SOC will continue to closely monitor this work.

Should we be concerned with Zoom-bombing?

Zoom-bombing can be controlled with appropriate Zoom meeting settings. It is recommended that the current BYU default settings be applied to Zoom meetings to protect their privacy and security. To prevent Zoom-bombing, hosts should avoid sharing the meeting link or password publicly or recording meetings where sensitive information may be discussed. The host should also apply the following configuration settings:
1. Require a meeting password.
2. Use the automatically generated Meeting ID. Do not use your Personal Meeting ID.
3. Use the waiting room option, when appropriate, to monitor and admit users to the meeting.

Specific instructions on how to safeguard Zoom meetings can be read in our article Protect Your Zoom Meeting from Zoom-Bombings.