Government Requests Guide

Last updated: February 28, 2023

 

Zoom supports the free and open exchange of thoughts and ideas. We are proud to facilitate meaningful conversations and professional collaboration around the world.  Because of our commitments to user privacy, security, and safety, Zoom subjects all government requests to a careful review, and we will not respond to government requests that fail that review.

 

Zoom Video Communications, Inc. (“Zoom”) provides these guidelines to law enforcement and government agencies seeking nonpublic information about Zoom’s customers. These guidelines do not apply to requests for customer data issued by anyone other than law enforcement or government agencies, including civil litigants and criminal defendants.

 

For quick reference, please see the below links to location-specific instructions.

How to submit a request

Law enforcement and government agencies must submit all inquiries and requests for information or preservation (and extensions) via our Law Enforcement Response System (LERS) here.

Requirements for all jurisdictions

Requests must:

  • Be in English;
  • Be in .pdf format, except in certain emergency situations;
  • Be addressed to Zoom Video Communications, Inc., 55 Almaden Boulevard, 6th Floor, San Jose, CA 95113 for requests about meetings, or to Zoom Voice Communications, Inc. at the same address for requests about Zoom Phone calls;
  • Come from an official government email address; and
  • Contain:
    • Requesting agent’s name,
    • Requesting agency’s name,
    • Requesting agent’s badge/identification number,
    • Requesting agent’s government-issued email address,
    • Requesting agent’s telephone number (including extension),
    • Requesting agent’s mailing address (no P.O. boxes),
    • A date and the signature of the authorizing official, and
    • A date by which the legal process requests a response.

Content of requests

Requests should be legally valid, appropriately scoped, and sufficiently detailed. This means they must:

  • Have a valid legal basis and have been issued pursuant to applicable laws and rules in the jurisdiction of the agency making the request.
  • Be signed and submitted by someone with the authority to make the request.
  • Be clear and not overly broad.
  • Include specific identifiers, such as the meeting number, date and time in UTC, the email address used to set up the meeting, and the username(s) of those targeted, if the request is about a meeting. Specify reasonable date ranges where applicable.

 

We may require that requests submitted without proper identifiers and/or reasonable scope and date limitations be narrowed before processing.

U.S. government requests for user information

U.S. government requests must comply with the Requirements for all Jurisdictions above. Here are the types of requests we accept and the information we may disclose in response to them:

 

Type of legal request What you may obtain Examples of data processed by Zoom (not exhaustive; dependent on customer settings)
Subpoena (administrative, trial or grand jury)* Non-content information listed in 18 U.S.C. 2703(c)(2) Usernames, emails, billing information, meeting or webinar metadata (such as the time a user joined)
Search warrant based on probable cause, supported by an affidavit, and describing with particularity the place(s) to be searched and the things requested User content and non-content information The above examples, plus Zoom cloud recordings, profile pictures, voicemails & voicemail prompts, SMS (Zoom Phone and Zoom Contact Center)

 

*We may require a 2703(d) order instead of a subpoena for non-content information other than what is listed in 2703(c)(2) and in certain other circumstances where a subpoena is legally insufficient.

We respect and seek to comply with the privacy laws in force where our customers and users live. We may object to requests for personal information or customer content if the request would require the violation of foreign privacy laws, including the European Union’s General Data Protection Regulation.

Non-U.S. government requests for user information

In addition to the Requirements for all Jurisdictions above, your request must be legally valid. Zoom does not consider a non-U.S. request to be legally valid unless:

  • It has a particular legal basis and meets applicable requirements in the domestic law of the requesting country; and
  • It pertains to the bona-fide prevention, detection, or investigation of a criminal offense in your jurisdiction.

 

If a non-U.S. request does not meet the requirements above, Zoom will challenge or reject it. You may always make a request pursuant to a Treaty on Mutual Legal Assistance in Criminal Matters (MLAT), a CLOUD Act agreement, or letters rogatory.

 

We scrutinize all non-U.S. requests on a country-by-country and case-by-case basis. We do this to balance our local legal obligations against our basic principles described above, including our commitments to promote the free and open exchange of ideas, keep our users safe, and protect our users’ privacy. Where those principles conflict with local law, we may reject a request, even if the request is proper under local law.

Requests for real-time interception or monitoring of user meeting content 

Zoom does not have the capability to facilitate law enforcement intercept for customer meetings and webinars, and we do not have the means to insert our employees or others into meetings without them being visible as participants.

Preservation requests

We accept preservation requests both from U.S. and non-U.S. governments. We will preserve a one-time snapshot of the relevant records for 90 days. We can extend a preservation request for up to 90 more days with a separate, formal extension request.

Preservation requests must meet all of the Requirements for all Jurisdictions above, and must specify the particular account, host, and/or meeting information to be preserved.

Types of data that Zoom may have

Account information

The account information we have depends on the type of account, what the customer chooses to share or store with us, and our data retention policies. We cannot determine or guarantee the accuracy of information provided by our customers and users.

 

Here are examples of the types of information that Zoom may have about an account:

 

Non-content Customer content
  • Name
  • Username
  • Email address
  • Phone number
  • Account owner name
  • Billing name and address (for paid users)
  • Payment method (we do not store user credit card information).
  • Profile picture
  • Meeting recordings and transcripts, chat messages, and files shared during a meeting that a customer elects to store in Zoom cloud
  • In the case of Zoom Phone and Zoom Contact Center, SMS messages, voicemails, and voicemail prompts

 

About content: Zoom only has meeting content if (1) an account owner or admin enables recording, (2) a host records a meeting or webinar, and (3) the host asks Zoom to store the recording in Zoom cloud. If a host records a meeting locally (to their device) instead of to Zoom cloud, then Zoom does not have access to any content from the meeting. If a host does not record a meeting at all, then no content exists.

 

For more information, please see below and review our Privacy Statement.

Zoom Meetings, Webinars, Phone, and Contact Center information

Zoom may process the following information about Zoom Meetings, Webinars, Phone, and Contact Center:

 

Non-content Customer content
  • IP address
  • MAC address
  • Device ID 
  • Device type
  • Operating system type and version
  • How the user connected
  • Network performance 
  • Zoom client version
  • Type of camera, microphone, and speaker
  • The date and time of a meeting/call
  • Length of the meeting/call
  • Email address, name, or other information that participants choose to enter in their profile or use to identify themselves in a meeting
  • When participants join and leave a meeting
  • Whether a user used video or audio, or shared their screen
  • Renaming events
  • How the participant disconnected
  • For Zoom Phone and Zoom Contact Center users, call “to” and “from” numbers
  • Meeting name
  • Content that a customer chooses to store in Zoom cloud (see above)

 

The information we process depends on (1) whether a user has a registered Zoom account, (2) the type of account, and (3) the Zoom product in question.

 

For more information on the data Zoom processes, please visit our Privacy Data Sheet.

 

For more information on Zoom Phone data processing, please visit our Zoom Phone Privacy Data Sheet.

 

For more information on Zoom Contact Center data processing, please visit our Zoom Contact Center Data Sheet.

User notification

Our policy is to notify users of requests for their information unless we are legally prohibited from doing so (e.g., by a judge under 18 U.S.C. § 2705), or where the matter involves child endangerment, an emergency involving danger of death or serious physical injury to a person, or a threat to Zoom services, rights, or property. Any non-disclosure order must have a fixed duration. If you are seeking an exception to our notice policy, include a description of the exigent circumstances or potential adverse result of notice so that we can evaluate the circumstances.

 

If the request draws attention to an ongoing or prior violation of our Terms of Service, Acceptable Use Guidelines, Privacy Statement, or other applicable policies, guidelines, or legal requirements, we may act to address the violation or prevent further abuse.

Production of records

Unless otherwise agreed upon, we provide responsive records in an electronic format. We may seek reimbursement for costs associated with producing information pursuant to legal process and as permitted by law. We may also seek additional reimbursement for costs incurred in responding to unusual or burdensome requests.

If you are seeking information about a Zoom customer who has provided consent for a government to obtain their account or meeting information, you should seek the information directly from the customer to the extent possible, as opposed to seeking the information from Zoom.

Emergency requests

We evaluate emergency requests on a case-by-case basis. If we have a good faith belief that an emergency involving danger of death or serious physical injury to any person requires us to disclose information without delay, we may provide information consistent with our Privacy Statement and applicable law (e.g., 18 U.S.C. § 2702(b)(8) and (c)(4)). We do not commit to producing records under any set of circumstances or within a particular timeline and may request additional information about the request or the identity of the requester.

 

Submit emergency requests via our Law Enforcement Response System (LERS) here and include all of the following information:

  • The detailed nature of the emergency, including how you learned of the threat, links to social media posts, chat logs, etc.;
  • Identify who is in danger of death or serious physical injury;
  • Describe the imminent nature of the threat, including information that suggests there is a specific deadline before which it is necessary to receive the requested information; or that suggests there is a specific deadline by which the harm will occur (e.g., tonight, tomorrow at noon);
  • Identify the specific information you are requesting from Zoom. Tailor your request narrowly – requesting all information associated with a user, account, or meeting may delay processing.
  • Explain how the information you seek will help avert the emergency.

Requests for Zoom to restrict access to services on our platform

Many countries have laws that may restrict one or more of their residents from participating in or hosting particular Zoom meetings or webinars. We will carefully review any government requests demanding we shut down a meeting or restrict user access to any part of the Zoom platform. If we receive a legally valid, appropriately scoped, and sufficiently detailed request from a legitimate government agency, we may take action to limit participation from the appropriately scoped jurisdiction. We will reject or challenge requests that do not meet this standard.

 

We strive to limit the actions we take to only those necessary to comply with our legal obligations. Unless we determine that there has been a violation of our Terms of Service or Acceptable Use Guidelines, we will not prevent our users from accessing our services if they are outside of the jurisdiction of the requesting government agency or if they are not subject to applicable local law.

 

Unless prohibited by law, we will attempt to notify those named in a request to restrict access. We will send notice to the email address associated with the account.

 

Except for the circumstance where we receive a request from a legitimate government agency, and we have a good faith belief that there is an emergency involving danger of death or serious physical injury to any person (a process for which will be outlined with governments directly), government personnel located outside of the U.S. seeking to restrict access should request a Zoom Law Enforcement Response System (LERS) account with their official government email address and submit all requests via LERS here.

Expert witness testimony and authentication of records

We do not provide expert testimony support except as required by applicable laws and regulations. Pursuant to relevant law, our records are self-authenticating and should not require the testimony of a records custodian. If a special form of authentication is required in your jurisdiction, please attach it to your request.

These guidelines are not intended to constitute legal advice. Nothing within this Guide is meant to create any enforceable rights or remedies against Zoom. Zoom may update and modify these guidelines from time to time without further notice. Any interested party should review this webpage from time to time for updates and modifications.