A March 2023 terms of service change disclosed that Zoom reserves the right to scrape customer accounts, including potentially confidential meeting videos and file uploads, for AI data collection. A customer uproar has the company backpedaling to some degree, but it may still be in violation of European Union (EU) terms requiring consent to process personal data.
Zoom AI data collection quietly initiated in March, many users unaware of change
The issue started with a Zoom terms of service (TOS) update in March, which largely slid under the radar (as policy updates often do). The change didn’t begin to attract scrutiny until Zoom announced in May that it was partnering with AI firm Anthropic to bring its “Claude” virtual assistant to the platform, and with OpenAI to create a tool called “Zoom IQ” meant to create summaries of meetings.
Zoom’s plan for AI data collection is apparently to scrape it from internal customer activity. The March TOS update changed the platform terms to announce that Zoom reserved the right to use platform video, audio and chat content to train AI models. This change specifically enumerated files, documents, content and pretty much anything else that users send through the platform as being fair game (Zoom refers to this material collectively as “Customer Input” and “Customer Content”).
The wording of the TOS update appears to go beyond simple internal AI training, however. Zoom reserves a laundry list of rights involving Customer Content, including (but not limited to) publishing, sharing, redistributing, displaying and creating derivative works. Zoom also grants itself a “perpetual, worldwide, non-exclusive, royalty-free” license to make use of Customer Content in seemingly whatever way it sees fit.
After mounting customer complaints and negative media coverage over the past week, Zoom made some small changes to the TOS. It now says that it will not use “audio, video, or chat Customer Content” as part of its AI data collection without user consent. It issued a further update on its blog to include elements such as sticky notes, whiteboards, comments and calendars. However, elsewhere in the TOS Zoom grants itself similar unfettered access to what it calls “Service Generated Data.” Along with telemetry and diagnostic information, this data category includes “product usage data” and “similar content or data” that could still very well apply to user uploads.
And even if an opt-in system worked entirely as advertised, it appears that the opting in could be done on behalf of every participant by the administrator of a meeting. Individuals would not have the ability to opt themselves or their own contributions out of a collaboration that an administrator has already greenlit.
Zoom could be looking at trouble from EU privacy rules, under both the terms of the General Data Protection Regulation (GDPR) and the ePrivacy Directive. The regulatory approach would vary a little for each law. At a glance, Zoom appears to be falling short of the GDPR’s requirement that individuals provide opt-in consent for this level of personal data processing. An administrator providing “consent” for a meeting all users are obligated to attend would almost certainly not cut the mustard if an investigation is opened. The ePrivacy Directive could potentially be invoked by any individual EU nation on the basis of wiretapping, since the end user must consent to the manner of third-party data interception employed by the company’s AI data collection.
AI data collection highlights ongoing trust issues
The crux of the issue is that Zoom may well have no plans to help itself to the extent of user data that its TOS allows, but the company has also given its clients little reason to trust it since it rocketed to the top of the office collaboration charts during the Covid-19 pandemic.
The company has already been dinged repeatedly for data privacy and rights overreach issues, all in the space of under three years. Zoom first told users that it offered end-to-end encryption when it did not, and then engaged in subterfuge on Apple devices that made it unnecessarily difficult to remove the program, both of which prompted a 20-year consent order from the FTC. It also settled a class action suit for $85 million in 2021 after it was found to be sharing user data with LinkedIn, Facebook and Google without authorization or notification, and one of the legal terms it will be laboring under is the requirement that it not misrepresent its data collection practices.
Allen Drennan, Co-Founder & Principal of Cordoniq, notes that Zoom’s AI data collection pickle is one that numerous platforms will be dealing with as they struggle to balance competitiveness in the AI race with preserving customer trust: “When private organizations are uploading internal confidential information and IP into a meeting, they are not considering the ramifications of providing their data to a third-party provider that is managed in a cloud they do not control. The issue is not just limited to shared screens or multi-page confidential shared documents. It is also extended to recordings of the meetings and the audio and video used within the meeting. When implementing these types of online meeting services, you really must have control over both security and privacy, but also the entire deployment, including the backend, and your organization should be in a legal position to provide your own terms of service and license agreement to your consumers.”
“As major companies are rushing to add AI relevance to their product portfolio and thereby boost their overall value in the marketplace, businesses whose primary source of information is customer derived are going to be caught in a struggle between doing what is right in protecting their own customers’ privacy and the demand from shareholders to aggressively attack emerging AI opportunities. We are going to see more of these issues over the next year that pit user content and content creators against big tech,” noted Drennan.
In terms of potential GDPR action on Zoom’s AI data collection, no wheels are in motion as of yet and there is some general confusion as to exactly how that would proceed. Zoom maintains an EU office in the Netherlands, but the Dutch data protection authority says that it is not registered as its lead regulator. If the company does not have an EU office that meets the standard for a data controller, it could potentially be investigated (and penalized) by any country in the bloc.