Three years ago, I wrote a blog post, “Is Zoom Call Data the Next Investigative Frontier for DOJ?” And then, in the recent subpoenas to transgender medical providers, the government specifically asked for all “communications,” including those by “virtual meetings (e.g., Zoom, WebEx, Teams).” Sometimes it’s not fun to be right.
These HIPAA subpoenas were directed to the medical providers under investigation. But the government can issue subpoenas to, or obtain a search warrant directly for, the virtual meeting companies. And I think that will be the playbook in the coming years.
I was curious what data these companies store, what settings might prevent them from storing data, and how they would respond to a government subpoena/search warrant.
Because I <heart> Zoom and I intensely do not care for Teams, I picked Zoom. (I had high hopes of including a chart to compare the three companies so you could make an informed choice about them, but my day job got in the way.)
Zoom has a Privacy Policy that was last updated on April 15, 2025.
What data does Zoom store?
The Privacy Policy lists a few categories of data that Zoom stores.
Customer Content Data
This is “information provided by the Customer through use of the Services including all data the Customer chooses to record or share during a meeting or webinar.” It includes:
- audio
- video
- in-meeting messages
- in-meeting and out-of-meeting whiteboards
- chat messaging content
- transcriptions
- transcript edits and recommendations
- responses to account owner / host-sponsored post-meeting or webinar feedback requests
- responses to polls and Q&A
- files
- invitation details
- meeting or chat name
- meeting agenda
The policy was not clear whether Zoom stores any artificial intelligence (AI) data. It references that it uses third-party vendor for AI but does not say whether those vendors store the information either. We should assume that Zoom stores the follow up emails that it sends after calls and perhaps more than that, though.
Diagnostic Data
This is data that is “automatically generated or collected by Zoom about the use of Zoom’s meeting and webinar product.” It does not include Customer Content Data or the Zoom user’s name or email address.
Meeting Data
This includes a range of information:
- when participants join and leave a meeting
- whether participants sent messages and who they message with
- mouse movements, clicks, keystrokes or actions (such as mute/unmute or video on/off)
- edits to transcript text
- use of third-party apps and the Zoom App Marketplace
- features used (such as screen sharing, emojis, or filters)
How long does Zoom store this data?
The Privacy Data Sheet does not specify retention periods for any category of data. The policy is delightfully vague on this point:
We retain personal data for as long as required to engage in the uses described in this Privacy Statement, unless a longer retention period is required by applicable law.
In fact, the Privacy Policy does not make clear that the data is deleted if you close your account. That may happen but the policy does not say it does.
So, my working approach is that Zoom is keeping all of this data forever.
Can I change what data Zoom stores?
This is not 100% clear. If you live in California, there is a special section about your rights. But even that part is not clear about whether Zoom will save less data about California users.
There is also a form you can fill out to request that Zoom (a) inform the user about what data it has, (b) “[a]mend or correct such personal data or any previous privacy preferences you selected, or (c) ”[d]elete such personal data or direct you to applicable tools.”
BUT Zoom reserves the right to decline a user’s request.
Where legally permitted, we may decline to process requests that are unreasonably repetitive or systematic, require disproportionate technical effort, or jeopardize the privacy of others. As an account owner or a user under a licensed account, you may also take steps to affect your personal data by visiting your account and modifying your personal data directly.
So Zoom may or may not delete data, even if you request it.
How Zoom Will Respond to Government Requests
Zoom’s policy on responding to government requests is fairly straightforward. It will provide only non-content data if it receives a subpoena. The government must obtain a search warrant to obtain content data. A search warrant takes more work for the government than a subpoena since the prosecutor has to ask a judge to issue a search warrant. But the standard for a search warrant—probable cause—is still quite low.
The website has a handy chart as to what information Zoom will produce in response to different types of requests.
Zoom’s policy “is to notify users of requests for their information unless we are legally prohibited from doing so (e.g., by a judge under 18 U.S.C. § 2705), or where the matter involves child endangerment, an emergency involving danger of death or serious physical injury to a person, or a threat to Zoom services, rights, or property.”
It also requires that any non-disclosure order “have a fixed duration,” so Zoom can tell users about the request when the non-disclosure order ends. I’d love to hear from anyone whether Zoom follows this policy and actually does tell customers about these requests.
What is “Content” Data Versus “Non-Content” Data?
The privacy policy has a lot of information about what counts as “content” data and is thus more difficult for the government to obtain. The government would need a search warrant for most of it.
Can Zoom Permit the Government to Monitor Calls in Real Time?
Nope.
Zoom’s policy says that it “does not have the capability to facilitate law enforcement intercept for customer meetings and webinars, and we do not have the means to insert our employees or others into meetings without them being visible as participants.”
I wonder if Zoom—quite smartly—decided not to develop this capability for a few reasons. It ensures that its employees can’t secretly watch or record meetings among celebrities, political figures, or even their own family members. (Who wouldn’t want to watch Travis and Jason discuss what kind of ring Travis would buy?)
Plus, it means that Zoom cannot be conscripted by the government into spying on its customers in real time. That’s not a good look.
When Does Zoom Record Meetings?
In good news, Zoom’s policy makes clear that Zoom does not record meetings on its own that could then be provided directly from Zoom to the government. This makes sense given that some states are “two party consent” states and you need every participant’s consent to record.
As the government request policy says, Zoom only has recordings if three requirements are met:
(1) an account owner or administrator enables a recording,
(2) a host records a meeting or webinar, and
(3) the host asks Zoom to store the recording in Zoom’s cloud storage service.
It’s also worth noting that the Zoom policy says that “[i]f a host records a meeting locally (to their device) instead of to Zoom cloud, then Zoom does not have access to any content from the meeting.”
Finally, to be crystal clear, the policy provides: “If a host does not record a meeting at all, then no content exists.”
What about Artificial Intelligence (AI) Features – Can the Government Get that Information?
I have been impressed by Zoom’s AI feature’s ability to create a list of follow up tasks and assign them to the right people. To be clear, I only use the AI function for internal, non-client-related meetings—usually with our amazing legal assistant Betsy.
Although the policy is not crystal clear on this point, I would suspect that AI-generated information in Zoom should be considered “content data” and require a search warrant.
Some Takeaways
For the love of Pete, make sure you are creating as little data as possible for Zoom to store about your clients. Do not record client meetings. Do not enable AI for client meetings. Tell your clients not to record meetings.
The other thing that struck me was just how much data Zoom stores. If I were a prosecutor <shudder> then I could imagine that one day the data showing when someone joined a meeting would be relevant to showing that they joined a conspiracy. I would also be dreaming about being able to show a video of the defendant making statements showing that he knew what he was doing was in the gray area or cautioning others not to talk about the “plan” or saying not to ask the legal department for advice.
As a defense lawyer, I could also imagine using the time when someone joined and left a meeting to establish an alibi. Or using or to use the time when someone left a meeting to try to show that the person did not join the conspiracy that was discussed only at the end. Or editing a transcript to remove incriminating statements, producing the edited transcript to the government under a subpoena–and DOJ then gets a search warrant and learns about the edits. Oh dear. Go ahead and add an obstruction charge to the list.
And I also have nightmares about watching my client on a recorded Zoom call at trial. That day will come, I’m sure.