Zoom Conceals Essential Webinar Data

Dave Clark | Mar 30, 2022 | CWC Blog

I fear I've been focusing this blog too much on Zoom lately. That's really not my intention, despite the fact that this is my fourth consecutive post explicitly about Zoom, either praising them or panning them. It's just that Zoom has now become, by far, the largest player in the webinar and virtual event space and anything they do, good or bad, is of consequence to millions of webinar organizers, presenters, and attendees. Indeed, almost all of my clients use Zoom for their webinars now. So I find myself thinking or writing about Zoom on an almost daily basis.

In early February, my heart skipped a beat when Zoom posted a message to its customers saying that on March 1, the e-mail addresses of Zoom meeting and webinar attendees would no longer be shown on post-event reports unless those attendees met certain criteria. I care only about Zoom "webinars," not standard Zoom "meetings," so I quickly scrolled down the list of exceptions to see what, if any, implications this change would have on webinar attendee reports specifically. Essentially, what I was reading indicated that a webinar attendee's e-mail address would only be made available to webinar organizers if the attendee "entered their email address during the...webinar registration flow."

Okay. Phew. Nothing to worry about. For those webinars where I enable Zoom's built-in registration system, I would still see the e-mail addresses of attendees on post-webinar reports. And for those webinars where I don't enable Zoom's built-in registration system—where attendees enter the webinar using the generic join link that Zoom pre-generates for webinar hosts who, for whatever reason, don't require the use of the Zoom registration system—I would also still see the e-mail addresses of attendees on post-webinar reports because attendees are still prompted to enter their name and e-mail when joining via the generic link. Right? Surely, Zoom must consider that as part of the "webinar registration flow." Even though, technically, Zoom registration is disabled, Zoom is still requiring attendees to "register" at the start time of the webinar by entering their name and e-mail? Right? Yes, of course.

Fast forward to March 1...

Oh, how wrong I was.

Just to be sure, that morning I set up and started a test webinar, entered it as an attendee, and quickly shut it down. Went to the reports screen... Downloaded the attendee report...

And the "E-mail" column was empty.

Suddenly, as a webinar organizer, if I didn't want to use Zoom's built-in registration system, I was no longer allowed to see the e-mail addresses of people who attended my webinars. Never mind that attendees are still voluntarily entering that information when joining a webinar. Never mind that an individual's e-mail address is the only unique identifier available to a webinar host of the people who attend their webinars. Never mind that over the last 25-odd years webinar attendees have universally accepted the fact that they need to enter their e-mail address to attend a webinar (and really don't care that they have to).

And that last point alludes to why Zoom made this change. They think attendees do care. Zoom's official justification for this change is that it's part of their "continuous efforts to implement best-in-class privacy and security practices." Apparently, this is what happens when a global pandemic results in a company becoming an overnight behemoth with a userbase that spans almost everyone on the planet. The lawsuits, both legitimate and opportunistic, start emerging out of the woodwork and you hire a crack team of privacy and security experts to help fix the mess. Some of the practices they implement may well be important and effective. Others, clearly, can be cosmetic and meaningless...and detrimental.

In fact, I recently received an e-mail inviting me to participate in a class-action lawsuit settlement against Zoom. You may remember how often Zoom was in the news early on in the pandemic after everybody moved their lives online. Almost daily, Zoom users were complaining of having their meetings "hacked" or "hijacked" or of getting "Zoombombed." Some of these reports were truly horrifying, with bad actors doing all kinds of offensive and illegal things, but many of these incidents resulted from user error and simple, avoidable mistakes. For example, randomly guessing a meeting ID and entering a Zoom meeting you weren't invited to because the meeting host didn't password-protect the meeting isn't "hacking." But regardless, the lawsuits started to fly.

The lawsuit I was invited to join, along with thousands of other everyday people who just happened to use Zoom between 2016 and 2021, is focused on "alleged privacy and security issues" and alleges, among other things, that Zoom "should have done more to prevent unwanted meeting disruptions by third parties." Although Zoom denies the allegations, they agreed to pay $85 million to settle the suit.

(Side Note: If you need a good laugh today, consider that the lawsuit provides examples that suggest that an average Zoom user might receive between $15 and $25 as part of the settlement. The attorneys bringing the suit, on the other hand, are seeking to receive a share equal to $21,250,000, not including expenses.)

Aside from agreeing to pay out $85 million to make this problem go away, the suit also notes that Zoom agreed to "make certain changes to its policies and practices." That's why waiting rooms are now required for Zoom meetings, along with a range of other security-related measures that went into effect relatively recently on Zoom. As for maintaining the confidentiality of a webinar attendee's e-mail address in certain situations, that seems to be the latest expression of Zoom's apparently litigation-inspired "continuous efforts to implement best-in-class privacy and security practices."

But that's where the logic and the common sense disappear. What in the world is the difference between an attendee entering their e-mail address on Zoom's webinar registration page and an attendee entering their e-mail address upon joining a webinar using the generic join link? Why is that data hidden from a webinar host in one case but not in the other?

That morning of March 1, I submitted a support ticket to Zoom on the off chance that this was a mistake. Hey Zoom, this was a mistake, right? Let's get that webinar attendee data back on the reports!

But, of course, it wasn't a mistake. Zoom knew exactly what they were doing. An attendee who enters their e-mail address upon joining a webinar using the generic join link is technically not entering their e-mail address as part of the "webinar registration flow." So there.

When you're dealing with a company as big as Zoom has become, there's no arguing with them. You can't plead common sense and try to reason with them. You're no longer dealing with people, per se, you're dealing with a machine, an entity. It's like finding a problem with Gmail and trying to convince Google to fix it. Impossible! You can't do it.

Even if Zoom did have a logically reasonable explanation for hiding important webinar attendee data in some cases but not in others, what right do they have to do that anyway? Sorry Zoom, but it's my webinar, not yours. You're just a tool I use to conduct my webinars. You don't own my webinar data. If I want to collect the e-mail addresses of my webinar attendees in exchange for allowing them to attend my webinar, that's my decision. And if the attendees aren't cool with that, they don't have to attend (or, heck, they can just use a fake e-mail address and I would never know the difference!)

And while you're listening, Zoom... There's nothing private about a person's e-mail address anyway. Your e-mail address is everywhere! It's bought and sold on a daily basis by thousands of parties, both legitimate and nefarious. It can be found, quite literally, in thousands of databases around the world. Hiding it from one person—the person who needs it to conduct meaningful analysis and follow-up for their own webinar—is preposterous.

And that's why this is such an important issue and problem in the first place. As already mentioned, an e-mail address is the only unique identifier available to a webinar host of the people who attend their webinars. If three John Smiths attend, the only way to know that is because there are three different e-mail addresses associated with that name.

Without e-mail data, a webinar host can't follow up with attendees after a webinar is over. They can't send them resources that might have been promised during the webinar and they can't send them a link to a recording of the webinar in case they missed something or just want to view it again. For marketing and lead generation webinars, the webinar organizer can't follow up with calls to action or other sales funnel touchpoints.

Most critically, perhaps, there's no way to reach out after a webinar with an answer to a question that an attendee asked but didn't get answered during a live Q&A session. And if you're an organization that provides continuing education credits that are awarded based on strict attendance criteria, forget about doing that without the data that uniquely identifies who attended a webinar and for how long. Did Zoom ever consider that webinar attendees might actually want the webinar organizer to have their e-mail address?

As it stands right now, if a webinar host wants access to attendee e-mail data, they'll have to enable Zoom's built-in registration system for their webinars. (Again, why?) This is what the everyday Zoom user will probably end up doing. Even if they deem registration to be a completely unnecessary burden for their attendees and would prefer to send attendees a quick and easy join link, they'll have no choice but to turn on registration and force their audiences to register. The data is too important not to have.

For those companies and organizations that use their own custom, stand-alone registration systems, it's doubtful they'll opt to switch from a branded, professional-looking landing page that lives on their own web site to Zoom's ugly, generic registration form. And for membership groups or companies that conduct fee-based webinars that need to lead their registrants through a precise set of steps to register for and gain access to a webinar, they simply can't switch to Zoom's system. These types of larger institutional Zoom customers will have to make other arrangements, perhaps at significant cost and effort. Maybe they'll utilize a third-party CRM platform that integrates with Zoom. Or, much easier, drop Zoom and find a new webinar platform altogether.

Fortunately, for my clients at least, I've implemented a workaround solution that will enable them to keep using their own custom registration systems, or no registration system at all if they choose, and still get access to attendee e-mail data after a webinar is over. But this was custom web development that re-purposed a sophisticated stand-alone registration system that I already had in use. Obviously, the average Zoom user will have to figure something else out or just conform to Zoom's new rules. And all of it is completely and ridiculously unnecessary.
