Zoom for K-12/Primary and Secondary Schools Privacy Statement
Last updated: July 2020
Zoom Video Communications, Inc., and its subsidiaries, affiliates and parent companies (collectively “Zoom”, “we,” “us,” or “our”) are committed to continually improving how we communicate our privacy practices. This “K-12/Primary and Secondary Schools Privacy Statement” (or “K-12 Privacy Statement”) explains how we handle personal information of Student Users (as defined below) of K-12 Accounts (as defined below) who are under the age of 18 years. It also reflects Zoom’s compliance with the applicable requirements of the Children’s Online Privacy Protection Act (“COPPA”), the California Consumer Privacy Act (“CCPA”), the Family Educational Rights and Privacy Act (“FERPA”), the California Student Online Personal Information Protection Act (“SOPIPA”), the EU’s General Data Protection Regulation (“GDPR”), and other applicable laws.
For purposes of this K-12 Privacy Statement, personal information (or “personal data”) means information that relates to an identified or identifiable individual. Please refer to the Change Log section to review details regarding changes to the K-12 Privacy Statement.
Certain K-12 Accounts may be created under contracts between Zoom and the School Subscriber that include a data processing addendum or other specific provisions governing Student User personal information. To the extent there is any conflict between such contracts and the terms of this K-12 Privacy Statement, the terms of our contracts with School Subscribers will control.
- School Subscriber means a primary school, secondary school, school district or school system that is responsible for controlling all K-12 Accounts under the domain applicable to such school, district or system.
- K-12 Account Administrator means technical or administrative personnel designated by the School Subscriber with the right to use K-12 Accounts provided to the School Subscriber by Zoom for the purpose of administering the Service and responding to Student User personal information access requests from parents or legal guardians of Student Users.
- K-12 Account User means teachers, principals, and other educators and school personnel authorized by a School Subscriber to use its K-12 Account for educational purposes, including to facilitate meetings with Student Users.
- Student User means a student that the School Subscriber permits to use the Services under the supervision of K-12 Account Users.
School Subscribers can use Zoom’s video communications platform by establishing K-12 Accounts for their K-12 Account Users. K-12 Account Users can create K-12 Accounts as authorized representatives of a School Subscriber but should only use Zoom’s Services with the permission of their school, school district or school system (the School Subscriber).
Zoom encourages K-12 Account Users to securely and confidentially provide meeting information and meeting passwords to Student Users to ensure that the School Subscriber can supervise and control its Student Users’ meeting experiences. You can find additional information on best practices to secure meetings in our “Comprehensive Guide to Educating Through Zoom.”
Student Users are not permitted to create K-12 Accounts but may be provisioned with a K-12 Account by the School Subscriber. Although Zoom prohibits children and teens under the age of 16 from creating a Zoom account (and employs an online age screen to support this restriction), Student Users, even if under the age of 13, may join a meeting hosted by a K-12 Account User. School Subscribers are responsible for obtaining any parental consent necessary for use of the Services under their K-12 Accounts by Student Users, including children under the age 13.
The School Subscriber is the K-12 Account Owner. For purposes of FERPA, each K-12 Account User is a “school official” of the School Subscriber. The School Subscriber is the decision-maker that determines how personal information is processed in connection with Zoom’s provisions of Services under a K-12 Account. The School Subscriber decides if and why to host a Zoom meeting, and what features to use. For example, depending on how the School Subscriber has configured its K-12 Account, a K-12 Account User may record a meeting. Therefore, the School Subscriber is responsible for obtaining any necessary consent from meeting participants. (Zoom features provide visual and audio cues designed to help the host alert meeting participants of a recording.) A K-12 Account User may choose to store a recording of a meeting on the K-12 Account User’s local storage device, or in Zoom’s cloud.
When a Student User uses Zoom’s Services through a School Subscriber, the processing of Student User personal information by the applicable School Subscriber is determined and administered by the School Subscriber under its privacy policies. If a parent or legal guardian of a Student User has questions about how and why Student User personal information is collected, the legal basis for processing, or access requests, the parent or legal guardian should refer to the School Subscriber’s privacy policies and direct all inquiries to the K-12 Account Administrator or K-12 Account User.
Zoom provides a video communications platform to K-12 Account Users on behalf of and at the direction of the School Subscriber. For purposes of FERPA, Zoom is considered a “school official” and may receive Student User personal information through its contractual agreements because Zoom is performing a service that furthers a “legitimate educational interest” (i.e., the provision of educational services in a remote setting). Zoom maintains Student User personal information on behalf of, and at the direction of, the School Subscriber and does not use the Student User personal information for other purposes except as permitted by applicable law, including FERPA and applicable agreements with School Subscribers.
Zoom is responsible for following the directions of the School Subscriber. For example, on a School Subscriber’s instructions, Zoom may provide reports containing personal information relating to the K-12 Account and its users (including Student Users) to that School Subscriber. Please visit our Zoom and FERPA Compliance webpage for additional information.
Residents of the European Economic Area (EEA) and the UK should review our Privacy Statement for additional information regarding how Zoom addresses European privacy rights.
When creating a K-12 Account under the direction of a School Subscriber, the K-12 Account User must provide certain information, such as:
- K-12 Account User’s first and last name;
- school or district name;
- job title;
- school issued-email address; and
- information about the school’s location.
Depending on how the School Subscriber configures its K-12 Account, Zoom may receive personal information contained in “Customer Content.” Customer Content is any data a K-12 Account User uploads to the Zoom communication platform connected with use of the Service.
For example, School Subscribers may enable features that allow meeting hosts or co-hosts to record meetings locally or to Zoom’s cloud, allow K-12 Account Users to display or upload information that may be seen by other users of that K-12 Account, allow meeting participants to share files, allow hosts or co-hosts to create meeting transcripts, or allow meeting participants (including Student Users) to communicate in-meeting via chat and create chat logs.
Such Customer Content may include personal information that is part of an “educational record” as defined by FERPA.
Zoom accesses Customer Content only upon the documented request of a School Subscriber, or if required by law.
Zoom collects certain personal information automatically through the use of a K-12 Account including:
- Information about the use of the Zoom platform, including type and frequency of actions taken, number of logs in or meeting entries, date and time, duration, quantity, quality, network connectivity, other platform performance metrics, and feature usage information, including use of video and screen sharing; and
- Information about a user’s device, network, and internet connection, such as IP address(es), MAC address, other device ID, device type, operating system type and version, type of camera, microphone and speaker, and client version.
Zoom uses personal information collected from and about Student Users only as needed to deliver the functionality of the Zoom platform, operate the business (including to enhance or improve the Zoom Services), and as directed by School Subscribers. For Student Users, this means that:
- Zoom never sells Student User personal information
- Zoom does not use Student User personal information to deliver behavioral advertising.
- There are no third-party advertising or analytics cookies on Zoom’s product pages.
Regarding cookies, Zoom publishes two types of webpages: product and marketing. A product webpage enables a Student User to click on a hyperlink and join a Zoom meeting. Zoom’s product webpages serve only third-party cookies that are necessary for technical support and to deliver the service. There are no advertising or analytics cookies on our product webpages.
We do not share personal information with companies, organizations, or individuals outside of Zoom unless one of the following circumstances applies:
We will share personal information with companies, organizations, or individuals outside of Zoom when we have K-12 Account User consent (as applicable) and in compliance with applicable laws (including FERPA as applicable).
School Subscribers have access to personal information (including Student User information) connected with their K-12 Account(s). School Subscribers may also direct us to share personal information with others.
- To Provide Our Services
We provide personal information to third-party service providers to help us provide the Service. Such service providers are prohibited from using personal information for any reason other than to provide the contracted-for services, and in compliance with appropriate privacy and security obligations.
- With other meeting participants
We may share personal information collected during a Zoom meeting with other participants of the same meeting during the use of the Service. For example, video and audio recordings, chat messages and other content shared by a Student User during a meeting, which may contain personal information of Student Users, may be available to all other participants in that meeting, as well as to any K-12 Account Users who host or co-host that meeting and the K-12 Account Administrator.
- For Certain Corporate Transactions
We may share personal information where, whether for strategic or other business reasons, Zoom decides to sell, buy, merge, or otherwise reorganize its businesses. In such transactions, we may disclose or transfer personal information to actual purchasers or receive personal information from sellers. Student User personal information will remain subject to this K-12 Privacy Statement unless it is changed by a successor entity.
We share personal information outside of Zoom if we believe that access, use, preservation or disclosure of the information is reasonably necessary to:
- comply with any applicable law, regulation, legal process or enforceable governmental request.
- enforce applicable provisions of the Terms of Service and Acceptable Use Policy, including investigation of potential violations.
- detect, prevent, or otherwise address fraud, security or technical issues.
- protect against harm to the rights, property or safety of Zoom, our users or the public as required or permitted by law, including to help prevent the loss of life or serious injury of anyone.
For more information about data we disclose in response to requests from law enforcement and other government agencies, please see our Guidelines for Government Requests.
Zoom does not share personal information with third parties other than as described herein, or as required by law, except at the direction and on behalf of a School Subscriber.
Maintaining the confidentiality, security, and integrity of students’ personal information is a top priority. We use appropriate technical and organizational measures designed to help protect personal information from unauthorized access, use, or disclosure. Customer Content is encrypted in transit between any devices running a Zoom client and at rest when in permanent storage in the Zoom Cloud. We also have taken steps to minimize the risk that meetings that include Student Users are disrupted by uninvited participants. Examples include enabling meeting passcodes and virtual waiting rooms by default for K-12 Accounts and configuring default screen share settings to limit in-meeting content sharing. For guidance on how to secure virtual classrooms, please review “Best Practices for Securing Your Classroom” and “How to Keep Uninvited Guests Out of Your Zoom Event.”
All K-12 Accounts have the Report a User feature enabled by default. The Report a User feature is available to the meeting host or co-host via the Security icon on the meeting taskbar. If an unwelcome participant joins the meeting, the host or co-host can select Report a User, which automatically takes a screenshot of the reported user(s) and their shared content (if any) and creates a report. The feature then sends the report to Zoom’s Trust & Safety team. A member of the Trust & Safety team will review the report and investigate the reported user(s) for violation of our Terms of Service. Confirmed offending users will have their accounts terminated, and, where appropriate, we will notify relevant law enforcement authorities.
Zoom retains K-12 Account Users’ and Student Users’ personal information for as long as necessary to fulfill the purposes for which we collected it, including for the purposes of satisfying any legal, accounting, or reporting requirements, to establish or defend legal claims, or for fraud prevention purposes.
If a Student User or his or her parent would like to request to access, review, refuse further collection of or delete a Student User’s personal information, they must contact their school subscriber with his or her request. Because Zoom is required to comply with contractual confidentiality obligations related to Student Users’ data, we are not able to respond to parental or student requests directly. School Subscribers may direct requests to access, delete or restrict further collection or use of a Student User’s personal information to firstname.lastname@example.org. Zoom also deletes information associated with K-12 Accounts upon receiving a valid deletion request from a School Subscriber or automatically following the termination of the K-12 Account. K-12 Account Users can delete their content
K-12 Account Users may access or request deletion of their personal information in the same manner as set forth in our Privacy Statement.
Additional Rights of California and European Users
If you are a resident of the State of California or the European Users, please refer to our Privacy Statement and our California Privacy Rights Statement for additional information on the rights that you may have and how you can exercise those rights.
Interpretation of Conflicting Terms
This K-12 Privacy Statement provides summary information about our collection and use of personal information from related to K-12 Accounts. It is consistent with the Privacy Statement, which provides additional examples and explanations that may be useful. Where terms differ, as with the limitations on advertising in K-12 Accounts, this K-12 Privacy Statement takes precedence.
If we make any material changes to this K-12 Privacy Statement, we will post the revised statement with the date of revision on this page and provide notice of this change on our website. We will duly inform K-12 Account Users of any material changes via our platform. We will provide our School Subscribers the opportunity to express consent for processing personal information for different and new purposes, or we will, in any case, provide the legal basis of such processing other than consent.
Zoom Video Communications, Inc.
55 Almaden Blvd, Suite 600.
San Jose, CA 95113
Date of Update
Summary of Changes
Revised entire statement to be more readable and transparent. We did not change any data practices, only how we described them. Previous version available here.