Privacy Considerations When Using Zoom

Guidance on Protecting Privacy and Data when using Zoom to conduct remote meetings while COVID-19 Modifications are in effect.  This guidance applies to administrative meetings; guidelines for use of Zoom for instruction can be viewed here.

A. Purpose and Principles

Zoom is one of the primary approved software tools for conducting remote/virtual meetings. This document provides basic guidance on how to protect your privacy and the privacy of others when using Zoom

Click on the hyperlinks throughout this document for quick access to important use instructions.

Note: For more general information on best practices for working remotely, please consult the Information Security Office’s Best Practices for Telecommuting Page.  For privacy guidance related to working remotely consult the Campus Privacy Office Homepage.

UC Berkeley’s Privacy Values:  Privacy is a basis for an ethical and respectful workplace; and privacy, together with information security, underpins the University’s ability to be a good steward of the information entrusted to it by its students and employees.  The University protects the privacy of faculty, students and staff while working or participating in educational programs and other university business. Use of remote delivery software and technologies heightens the criticality of privacy and the need to use the least invasive means of engaging in these alternative methods of conducting our activities. Existing law and policy that address privacy remain in effect when we work remotely.

Remember that UC Berkeley Security Policies and Standards do apply to any computer you use for your Zoom session. For more specific information regarding UC Berkeley’s Security Policies and Standards, consult the Information Security Office’s Policy Home Page.

All University staff, faculty and students should follow these principles when using Zoom to conduct remote meetings:

B. Technical Tips and Privacy Protections for Video Conferencing

  1. Visibility of Remote Work Locations:  Participants should use Zoom’s virtual background feature, when available, if they do not want to have their surroundings visible.  Managers should avoid requiring staff to use Zoom meeting settings that leave staff living areas visible.  
    1. To set up a Virtual Background in Zoom click the up arrow by the Zoom video icon and click on “Choose Virtual Background”.
    2. Select only appropriate virtual backgrounds.
    3. Be mindful of others in your remote location who may not wish to be visible or recorded in the background.
    4. Also consider if all participants need to be visible as limiting the meeting to a single video stream can ease bandwidth concerns for participants.
    5. Ensure sensitive conversations cannot be overheard or work observed by unauthorized persons.

  1. Screen Sharing Privacy
    1. Protecting Confidential Data on Your Device from Being Viewed: Avoid sharing confidential information visible on your other screens.  Before screen sharing, close all applications, emails and documents that you will not use in that session.
    2. Managing Whose Screen is Visible:   Zoom default settings for the campus are set to limit screen sharing to the host. The host can also allow screen sharing by participants.  Options are available by clicking on the up arrow by the Share Screen icon. The host can select the “host only” setting to prevent others from sharing their screens. If the host determines that screen sharing by participants is needed, sharing by “one participant at a time” should be selected.  The host should remind participants not to share other sensitive information during the meeting inadvertently.

  1. Managing Participants Some basic tips for limited preventing unwanted attendees or Zoom Bombing are listed below:
    1. Don’t post meeting IDs in public forums.
    2. Don’t reuse meeting access codes. You can generate a new access code for each meeting.
    3. Monitor participant list for unwanted attendees
    4. Using Zoom settings for meeting participants, the meeting host can:
      1. Limit attendance to participants who are signed in to the meeting using the email listed in the meeting invited
      2. Set up a Waiting Room Function
      3. Password protect meeting access
      4. Lock meetings once they start
      5. Mute participants who are not presenting
      6. Remove unwanted participants
      7. Disable private chat

Note: For more detailed instructions for how to prevent unauthorized access to your meeting in Zoom, consult the Information Security Office’s Settings for Preventing Zoom Bombing Page.

For further privacy features and options for Zoom see: https://blog.zoom.us/wordpress/2020/03/20/keep-the-party-crashers-from-crashing-your-zoom-event/

C. Recording of Zoom Meetings and Chats

Recording of Meetings – Notice/Consent: Do I need to obtain meeting attendee permission to capture their video and save sessions?

Yes. Some US states (including California) are “two party” or “all party” consent states, which generally require the permission of both or all parties involved in a recording. While attendees participating remotely may be coming from a variety of states (or countries), we must assume the “all party” consent rule applies.

Meeting hosts should always inform attendees at the start of the meeting or in advance of the meeting if they are going to record a meeting.   Zoom automatically notifies attendees present at the start of a meeting if the meeting is being recorded.  However, meeting hosts should also verbally notify attendees that a meeting will be recorded.  Meeting hosts may also choose to explicitly require consent to be recorded via Zoom.  Attendees who do not consent will be denied access to the meeting, so we suggest its use only after you’ve communicated with your attendees, given them a chance to express any concerns, and determined an alternative for individuals who have not consented.

We recommend that you inform meeting attendees, prior to a recorded meeting, how you intend to record, use, and share video. You may also consider giving attendees options to participate without having their image or voice recorded, such as allowing them to attend with no video or audio, and the option to pose questions only in the text chat window. Because you can start and stop recordings in Zoom at any time, you can choose to include unrecorded time throughout your Zoom session, giving attendees an opportunity to discuss topics or ask questions that they do not wish to have recorded. 

As a general rule, staff meetings should not be recorded absent an articulated business purpose (including as a reasonable accommodation) that requires recording of the meeting.  Generally, you should not record a meeting if the same meeting would not be recorded if it occurred in person. 

If a staff meeting is going to be recorded, hosts should inform attendees that the meeting will be recorded in advance of the meeting and also offer attendees the opportunity to opt out of the meeting or to mute their audio and video if they object to the recording of their image or voice.  Please consider whether it is necessary to record the meeting.  Bear in mind that the recording becomes a University record that must be stored and retained appropriately and may be subject to disclosure upon request (e.g., in response to a request under the California Public Records Act or California’s Information Practices Act).   If you believe it is necessary to record a meeting, but one or more participants object to the recording, please consult your People & Culture representative.

D. Disability Accommodations 

For guidance regarding accessibility and Zoom, see the Center for Teaching and Learning’s Zoom Accessibility Considerations page. If you have specific questions regarding employee disability accommodations in connection with use of Zoom, please consult UC Berkeley Disability Access and Compliance.

E. Privacy Data Protections with Zoom

Zoom’s Updated Privacy Policy states:

We do not sell your personal data. Whether you are a business or a school or an individual user, we do not sell your data.  

  • Your meetings are yours. We do not monitor them or even store them after your meeting is done unless we are requested to record and store them by the meeting host. We alert participants via both audio and video when they join meetings if the host is recording a meeting, and participants have the option to leave the meeting.  

  • When the meeting is recorded, it is, at the host’s choice, stored either locally on the host’s machine or in our Zoom cloud. We have robust and validated access controls to prevent unauthorized access to meeting recordings saved to the Zoom cloud.

  • Zoom collects only the user data that is required to provide you Zoom services. This includes technical and operational support and service improvement. For example, we collect information such as a user’s IP address and OS and device details to deliver the best possible Zoom experience to you regardless of how and from where you join.   

  • We do not use data we obtain from your use of our services, including your meetings, for any advertising. We do use data we obtain from you when you visit our marketing websites, such as zoom.us and zoom.com. You have control over your own cookie settings when visiting our marketing websites.

  • We are particularly focused on protecting the privacy of K-12 users. Both Zoom’s Privacy Policy (attached) and Zoom’s K-12 Schools & Districts Privacy Policy are designed to reflect our compliance with the requirements of the Children’s Online Privacy Protection Act (COPPA), the Federal Education Rights and Privacy Act (FERPA), the California Consumer Privacy Act (CCPA), and other applicable laws

Zooms use of Cookies:

When you log in to your Zoom account, Zoom will ask you to accept its use of "cookies".

For the most part, Zoom utilizes "cookies" that collect information about you, such as your log-in details, to enhance the functionality of its site.  However, in addition to the cookies that Zoom uses to help with the functionality of its services and user experience, it also uses "advertising cookies".   Advertising cookies are used by advertising companies to serve ads that are relevant to your interests. 

We recommend that you "opt out" of Zoom's use of such advertising cookies, which collect information about you and your use of Zoom's site for advertising purposes.   To opt out of advertising cookies, click on the  "more info" option when you sign in to your Zoom account and are prompted to accept Zoom's cookies.   When you click on "more info", you can then click on "cookie settings", which will  take you to a menu that allows you to select which cookies you permit Zoom to use: Required Cookies/CCPA Opt Out; Functional Cookies; and Advertising Cookies.  You can opt out of Advertising cookies by unselecting that option.

Despite these protections, users should use common sense and avoid sharing more information when necessary when using Zoom, especially when discussing confidential matters.

Additionally, as a user of Zoom, if you give Zoom access to any files or programs you need to manage cookies through your browser settings in the way you do with other applications.

Remember that UC Berkeley Security Policies and Standards do apply to any computer you use for your Zoom session. For more specific information regarding UC Berkeley’s Security Policies and Standards, consult the Information Security Office’s Policy Home Page.