Government Requests FAQs
Government requests for customer data must comply with applicable laws. A subpoena or its local equivalent is required to request non-content data, and a warrant, court order, or its local equivalent, is required for content data.
Non-content data include basic subscriber information, such as an email address, name, state, country, postal code, and IP address information. Additional non-content information may include IP connection history, and credit card or other billing information. Zoom requires a valid legal demand, such as a subpoena, before we will consider disclosing non-content data to law enforcement.
Content is what Zoom’s users create, communicate and choose to store on or through Zoom services, which can include cloud recordings, transcripts, chat and instant messages, files, whiteboards, and voicemails for Zoom Phone users.
Zoom discloses customer data solely in accordance with applicable law, including the federal Stored Communications Act ("SCA"), 18 U.S.C. Sections 2701-2713. Under U.S. law:
- Non-Content: A valid subpoena issued in connection with an official criminal investigation is required to compel the disclosure of basic subscriber records (defined in 18 U.S.C. Section 2703(c)(2)), which may include: name, length of service, credit card information, email address(es), and a recent login/logout IP address(es), if available.
- Non-Content: A court order issued under 18 U.S.C. Section 2703(d) is required to compel the disclosure of certain records or other information pertaining to the account, not including contents of communications, which may include message headers and IP addresses, in addition to the basic subscriber records identified above.
- Content: A search warrant issued under the procedures described in the Federal Rules of Criminal Procedure or equivalent state warrant procedures upon a showing of probable cause is required to compel the disclosure of the stored contents of any account, which may include messages, photos, videos, timeline posts, and location information.
Requests from all government authorities must be issued pursuant to applicable laws and rules and through official channels, including by requiring an official, signed document, or a request by email from the government (provided these are transmitted from the official email address of a government entity). Please send all requests, in English, to firstname.lastname@example.org.
As with any government request, we consider a foreign government request to be legally valid if it has some particular legal basis in the domestic law of the requesting country and pertains to the bona-fide prevention, detection, or investigation of offenses. A Mutual Legal Assistance Treaty request, a request from a country meeting the obligations under the CLOUD Act, or letters rogatory may be required to compel the disclosure of information. In the circumstance where we believe that there is no valid legal basis, or that the request is vague or overbroad, Zoom will challenge or reject the request.
Importantly, we will further scrutinize all international government requests on a country-by-country and case-by-case basis in order to consider and balance our local legal obligations against our basic principles, including our commitments to promoting the free and open exchange of ideas, keeping our users safe, and protecting our users’ privacy. We may choose to respond differently to information requests from different countries where our principles with respect to the meaningful exchange of ideas and collaboration conflict with local law. Key factors we will consider include whether we have a good faith belief that the request involves child sexual exploitation material or an emergency involving danger of death or serious physical injury to any person. We will also limit our response to only the user or meeting data deemed necessary to prevent these harms.
All requests must be supported by a valid legal basis and must be clear and appropriately tailored in breadth and duration. Zoom will reject or challenge requests that are not legally valid or that are overly broad or vague.
All requests must identify requested records with particularity, including the specific data categories requested and date limitations for the request. Requests must also include: (1) the name of the issuing authority and agent, email address from an official government domain, and a direct contact phone number; (2) for user records, the email address, phone number, user display name, IP address or account number; and (3) for meeting records, the meeting ID, the meeting host’s email address and meeting date and time, or the meeting registration URL.
Zoom’s law enforcement team reviews government demands for customer data to ensure the requests are valid, rejects those that are not valid, and only provides that data specified in the legal order.
Yes. Our policy is to notify users of requests for their information, which includes a copy of the request unless we are legally prohibited from informing the user (e.g., an order under 18 U.S.C. § 2705).
Consistent with applicable law and industry practice, Zoom will, on occasion, disclose limited information to law enforcement if we have a good faith belief an emergency involving danger of death or serious physical injury to any person requires disclosure without delay of information relating to the emergency, we may provide information consistent with our privacy policies and applicable law (e.g., 18 U.S.C. § 2702(b)(8) and (c)(4)).
Zoom will consider emergency requests from law enforcement agencies around the world, but requires an official, signed document, or a request by email from an official government email address. The request must contain a summary of the emergency, and an explanation of how the information sought will assist law enforcement in addressing the emergency. Zoom will carefully review each request to ensure any disclosures are limited to the data that we believe would enable law enforcement to address the emergency.
Many countries, including the United States, have laws that may restrict one or more of its residents from participating in or hosting particular Zoom meetings or webinars. We will carefully review any government requests demanding we shut down a meeting and/or restrict user access to Zoom. If we receive a legally valid, appropriately scoped, and sufficiently detailed request from a legitimate government agency, we may take action to limit participation from the appropriately scoped jurisdiction. We will reject or challenge requests that do not meet this standard.
We strive to limit the actions we take to only those necessary to comply with our legal obligations. Accordingly, Zoom will not shut down a meeting unless it violates Zoom’s Terms of Service, including instances of child sexual exploitation materials or the danger of death or serious physical injury. Apart from determining a violation of our Terms of Service, we will not prevent our users from accessing our services if they are outside of the jurisdiction of the requesting government agency, or if they are not subject to applicable local law.
Unless prohibited by law, we will attempt to notify those named in a request to restrict access. We will send notice to the email address associated with the user’s account, along with the opportunity to challenge any decision regarding the account.
Except for the circumstance where we receive a request from a legitimate government agency and we have a good faith belief that an emergency involving danger of death or serious physical injury to any person (a process for which will be outlined with governments directly), government personnel outside of the United States transmitting requests to restrict access should transmit it directly from their official government email address to: email@example.com.