Zoom hasn’t had the best week. It recently came to light that in an update to its Terms of Service (TOS), the web conferencing platform stated that it could essentially use any customer data, including calls, messages and videos, to train its own artificial intelligence (AI) models.
Unsurprisingly, this didn’t go over well. After social media uproar, the company took a series of steps to clarify the language, and ultimately changed its policy on AI training entirely. Although the new terms should put users at ease, the episode has raised larger questions about data privacy in the age of generative AI.
Terms of Service Confusion
The trouble began on Aug. 6 when Stack Diary ran a blog post highlighting Zoom’s March Terms of Service Update, which, among other things, suggested that the company had the right to use any type of data collected on the platform for machine learning and AI purposes.
The story led to a pretty significant backlash across social media, with individual users and company executives alike voicing their unhappiness about the invasion of privacy and the potential misuse of sensitive data. At least a few executives vowed to migrate off the service. In a post on LinkedIn, Whitecoat Captioning CEO Norma Miller said the company would stop captioning into Zoom as a result. Advocacy group Fight for the Future launched a petition to keep Zoom from using (and profiting from) this data.
Zoom, for its part, was quick to respond. The company updated its terms to specify that it wouldn’t use customer data without consent, and issued its own blog post to explain the change in greater detail. However, many have pointed out that despite Zoom’s new codified promise not to do so, the company was still granted broad permissions to use customer data.
Privacy lawyer and director of advisory services at PrivacyTeam, Avishai Ostrin said that while he doesn’t suspect the wording of the original update was intentionally vague, he found it strange that the company wouldn’t update the terms themselves instead of adding a clarification.
“It's one of those cases where the legal text simply wasn’t clear enough and could leave room for interpretation,” he said. “Even though they say that they're not going to do that, their terms simply didn’t reflect that the way they were worded.”
CEO Eric Yuan also published a LinkedIn post apologizing for the confusion, which he blamed on an internal process failure. Any lingering doubts users had, however, were addressed in an Aug. 11 update to the TOS that stated, in no uncertain terms, that the company would not use customer data to train its AI models.
“I suspect what happened here is that it's just a case of lawyers trying to be as comprehensive and as sort of exhaustive as possible in terms of what they're covering in the policy,” Ostrin said. “Sometimes that just comes at the expense of using simple, straightforward language.”
It’s worth noting that this isn’t the first time Zoom has run into these types of issues: it previously had to settle a multi-million dollar lawsuit for unlawfully sharing data with authorized third parties such as Facebook, Google and LinkedIn and misrepresenting the strength of its end-to-end encryption protocols, among other things.
Customer Content vs. Service Generated Data
Mind Over Machines Chief Innovation Officer Tim Kulp believes the confusion lies in part in how Zoom distinguishes between two types of data: customer content and service-generated data. “Service generated data is the data generated by the actual Zoom application itself about Zoom, like telemetric data or the performance of the application,” Kulp explained. “When you look at it through that lens, it appears they’re going to use machine learning to make their systems better based on how they're running. That makes sense, but that’s not how users are thinking about data.”
In its Aug. 11 update, the company more clearly distinguished between these two types of data, and reiterated that the company does not use “audio, video, chat, screen sharing, attachments or other communications-like customer content” to train Zoom or other third-party AI models.
Meaningful Consent and Privacy Legislation
The issue of consent for data sharing is now moot with Zoom’s latest update, but experts and users did flag the platform’s lack of a meaningful consent mechanism.
Previously, according to Gizmodo, users who wanted to use Zoom’s new AI assistant, ZoomIQ, could opt out of sharing their information for training purposes; however, they had to do so manually, as the feature defaulted to sharing information with Zoom when it was enabled (now, the service won’t use this data regardless of whether a user consents).
More concerningly, the ability to opt out was only available to meeting administrators. Participants on a call had the option to either consent to sharing their data or leave the meeting, something Ostrin doesn’t view as meaningful consent.
“You didn’t actually have the option to remain in the meeting while opting out to your data being used to train models,” he explained.
This may have run afoul of the European Union’s General Data Protection Regulation (GDPR), which Ostrin said is viewed as the gold standard for privacy legislation.
“There is a very high bar for consent under GDPR,” he said, “and the regulatory guidance says that people need to actually have a meaningful choice about whether they consent to something or not.”
More broadly speaking, Kulp and Ostrin also pointed out that under GDPR and similar regulations, users have “the right to be forgotten,” or to be able to revoke their consent for data sharing at any point. This gets tricky with AI models.
“If I consent to the use of my data for training AI models and then revoke my consent, how are you gonna take my data out of an AI model that has already run?” Ostrin said. “It's already in the system and it's very difficult, bordering on impossible, to then remove that.”
Furthermore, Kulp said that if a business uploaded customer data into an AI model, and there was then a data breach, there’s no clear guidance on whether that company would have to notify the customer.
“This is new territory, but there is also a lot of regulation activity happening right now,” Kulp said, pointing to the EU AI Act and new legislation in Maryland.
What Does This Mean for Me?
The incident highlights how critical it is for companies to read the fine print or terms of service when working with vendors to ensure they understand how their data is being used — whether for AI purposes or otherwise. But with the high demand for AI training data showing no signs of flagging, will expecting users to trade away their privacy to make use of products, and more specifically, AI tools, become the norm?
Kulp believes that, to the contrary, companies with clear data protection policies surrounding AI will be able to position it as a differentiator, the same way Apple has a reputation for stellar privacy protections.
“I think we're gonna see markets shifting,” he said. “As companies get concerned, we will see them migrating away from platforms that are not clear about what they’re doing with their data and what it means for them.”
In his LinkedIn post, Yuan himself said he believes “any company that leverages customer content to train its AI without customer consent will be out of business overnight.”
Ostrin said that for individuals, there will always be some kind of privacy trade-off, particularly when using free tools. But on platforms like Zoom, where a company may be the one volunteering up this data, it becomes their responsibility as well.
“It's up to us to safeguard our own data and demand that the companies that are stewards of that data treat it with respect, give us information about what they're doing with it and ask for meaningful consent,” Ostrin said.