Zoom TOS Update: Gaps In Translation or Privacy Violation?

In response to Zoom's TOS updates, how should you decide what steps to take?

The recent updates to Zoom's TOS have come under fire because they apparently permit training of AI models on customer data without the ability to opt out.

Many observers have been quick to call this an abuse of users and a violation of their privacy. Zoom responded to these concerns in a blog post, but it created more confusion because portions of it seemed to differ from their TOS.

So was this merely a gap in translation or a purposeful violation of user privacy?

What Does TOS Say

  • Customer data to train the model: The plain language of the TOS originally did suggest that Zoom can use customer data to train its AI models. This data includes customers' audio, video and chat content, as well as the service-generated data related to telemetry, diagnostics and product usage.
  • Customer content requires consent: An update to the TOS posted on Aug 7 clarified that customers' audio, video and chat content will not be used to train the models without customer consent.

What Does Blog Post Add

  • Service-generated data is in aggregate: The blog post further clarified that the service-generated data which may be used to train the AI pertains to how customers in the aggregate use the product, as opposed to their individual use.
  • Admin controls use of AI features: The blog post stated that customers' audio, video and chat content can be used to train the AI models when the customer enables the use of advanced AI features. It indicated that the default setting for advanced AI features is "OFF" and an admin needs to explicitly toggle it to "ON" to enable them. After choosing to enable them, the admin is given the opportunity to consent to the data sharing. Even after enabling the features, the admin can turn the setting back to "OFF". The blog post also stated that meeting participants will receive a notification when this feature is turned on, and can decide whether they wish to join that meeting.

What Are Your Options

As a company that uses Zoom for communication, your strategy would depend on how you view the gap between TOS and the blog post.

  • Business as usual: If you view the gap as merely one of translation, and accept their explanation in the blog post, it should not be a cause of concern. This is because the service-generated data is shared only in aggregate, and any sharing of customer content for training the AI models happens only if your company decides to leverage the advanced AI features, which you can choose not to do.
  • Suspend its use: If you view the gap as intentional, and impute nefarious motives to it, you can follow in the footsteps of those who stopped or suspended using the service. However, they may have acted before Zoom had a chance to provide the clarifications in the blog post, which does address the trust issues raised by those who quit.

How To Manage the Risk

If you are still undecided, or even if you choose to continue to use it, you should assess the risk of using Zoom with or without enabling the advanced AI features.

  • Perform risk evaluation: It's always a reasonable option to perform a risk assessment on your vendors when you onboard them and when there is any material change to their service. Your goal may be to decide whether you should continue to use it with or without the advanced AI features, or discontinue its use. The important steps in this process are to review Zoom's Privacy Policy, to review Zoom's DPA and its obligations with respect to its role as a Controller and Processor, and to perform an internal DPIA to highlight any high-risk processing and associated mitigations.
  • Contractual obligations: The decision to continue the use of Zoom with or without advanced AI features may also have implications for certain regulated entities. For example, healthcare entities may need to review or update their BAAs to ensure that the contractual obligations are aligned with the continued use of the service.
