Skip to main content
Cisco Meraki Documentation

Meraki Data Privacy and Protection Features

  1. Last updated
  2. Save as PDF

Cisco Meraki is committed to protecting the data that our customers entrust to our cloud-hosted service. We have made all of our privacy features available globally. 

 

The General Data Protection Regulation (GDPR) introduced specific requirements that apply to companies established in the EU, or located anywhere in the world when processing personal data in connection with offering their goods or services to persons in the EU. Meraki has made improvements to its cloud-hosted service for organizations hosted in the Meraki EU cloud service as well as the rest of our serviced regions.

 

Our EU Data Privacy statement can be found on our privacy page.

Requesting Network User Consent

Meraki splash pages allow you to create a custom consent message, enabling administrators to notify end users that their data may be collected if they connect to the network. This custom splash page message can also be used to refer users to tools they may use to opt out of certain data collection services.

image.png

It is the administrator's responsibility to provide notice to, and obtain any necessary consents from, your network users regarding collection, processing, and storage of their data. Be sure to review applicable law for consent requirements in your location if you rely on consent to collect and process personal data.

To create a custom consent message:

  1. In the dashboard, navigate to Wireless/Security & SD-WAN > Configure > Splash page
  2. Select the desired SSID/VLAN from the SSID/VLAN drop-down menu at the top of the page
  3. In the Customize your consent message region of the page, select "On"
  4. Enter your custom message, which users must consent to in order to use your network
  5. Choose "Save changes" at the bottom of the page

Note that this Custom Consent Message is not compatible with/will not be displayed with the Fluid Theme, and must be used with the Modern theme.

Additionally, 'Cisco Identity Services Engine (ISE) Authentication,' 'Endpoint management enrollment,' and 'Sign-on with Facebook Wifi' are not supported with this Custom Consent Message because Meraki does not render the splash page for those splash-types. For the listed options, the splash pages are rendered through a 3rd party service.

Organization Data Storage

Data Storage Region Selection

When creating an organization, you are required to select a region where your organization will be hosted on Meraki's servers. Please take special considering when selecting this option to ensure that your data storage region choice complies with your country's legal requirements for data storage, and that it satisfies your personal/company's needs, given that the region may affect performance with dashboard latency, relative to your actual location.

Additionally, if a region is selected that does not match your browser's detected IP address during organization creation, you will be presented with a warning notification.

image.png

If you are presented with this notification, please ensure that you are sure of your selection, in order to best serve your network.

EU region organizations have some special data hosting considerations which should be noted. Learn more about EU region hosting in our EU Cloud Configuration Guide.

 

Verifying Data Storage Region

The region your organization is hosted on can be viewed at any time in the dashboard in the bottom-middle of every page.Screen Shot 2018-05-21 at 1.56.50 PM.png

Features Disabled by Default for EU Organizations

Certain features are required by EU regulations to be turned off by default, if they are not directly instrumental to the performance or outcome of the product. These features are not necessary for the networking/primary purposes of the product to function.

The following features are disabled by default for organizations stored on EU servers:

  • Location Analytics
  • Client Tracking
  • Location Heat Map

These features can be enabled under the Privacy > Privacy by default section in your organization's settings (Organization > Configure > Settings).

Note that if you are providing network service to end users in an EU region and have these features turned on, it is not required, but may be worth mentioning if using a Custom Consent Message as described above.

API Endpoints

In order to enable network administrators to comply with and satisfy data protection/data privacy requests, Meraki has built out several API endpoints to help facilitate privacy requests. More information on how to use the Meraki dashboard API can be found in our Dashboard API article. There are three types of API endpoints relevant to customer data privacy and GDPR compliance.

  • Data Deletion
    • Customers can delete dashboard data, either for themselves, or in response to requests from users of their networks.
  • Restriction on Processing
    • In Meraki’s dashboard, data can be identified, hidden, and removed upon a verified request to restrict processing.
  • Data Access and Portability
    • To honor customers’ requests to export their information, Meraki has built functionality to enable accessibility and export of dashboard data.

The API endpoints available are all documented in our API documentation, and can be found in the PII, SM and Client sections. Additional documentation and examples these endpoints can be found in our Postman collection

Data Deletion

Using the user provided PII key (MAC, iPv6, IMEI, email or username), to get the relevant networks and associated PII keys on each of those networks, use:

GET /organizations/[id]/piiKeys

If information for the provided PII key is found, use the following endpoint to delete information related to the PII key. 

POST /networks/[id]/pii/requests

The datasets by applicable to each type are: mac (usage, events, traffic), email (users, loginAttempts), username (users, loginAttempts), bluetoothMac (client, connectivity), smDeviceId (device), smUserId (user). To delete all applicable data for a specific piece of PII, select all datasets. 

Restriction on Processing 

Using the user provided PII key (MAC, iPv6, IMEI, email or username), to get the relevant networks and associated PII keys on each of those networks, use: 

GET /organizations/[id]/piiKeys

If information for the provided PII key is found, use one or both of the following endpoints to restrict processing. 

POST /networks/[id]/pii/requests
POST /organizations/{id}/pii/requests

 

To lift the restriction, use one or both of the following endpoints:

DELETE /networks/[networkId]/pii/requests/[id]

Data Access and Portability Requests 

Using the user provided PII key (MAC, iPv6, IMEI, email or username), use the GET /organizations/:id/piiKeys?mac=:endUserMac to get the relevant networks and associated PII keys on each of those networks. If information for the provided PII key is found, use one or all of the following endpoints to collect the end-user data. 

GET /networks/[id]/clients/[mac]/
GET /networks/[id]/clients/[mac]/events
GET /networks/[id]/clients/[mac]/usageHistory
GET /networks/[id]/clients/[mac]/trafficHistory
GET /networks/[id]/clients/[mac]/securityEvents
GET /networks/[id]/merakiAuthUsers/[email_or_username]
GET /networks/[id]/splashLoginAttempts
GET /networks/[id]/bluetoothClients/[bluetoothMac]

For Systems Manager

GET /networks/[id]/sm/users

GET /networks/[id]/sm/user/[id]/deviceProfiles

GET /networks/[id]/sm/user/[id]/softwares

GET /networks/[id]/sm/[id]/deviceProfiles

GET /networks/[id]/sm/[id]/softwares

GET /networks/[id]/sm/[id]/networkAdapters

GET /networks/[id]/sm/[id]/wlanLists

GET /networks/[id]/sm/[id]/securityCenters

GET /networks/[id]/sm/[id]/restrictions

GET /networks/[id]/sm/[id]/certs

GET /networks/[id]/sm/[id]/cellularUsageHistory

GET /networks/[id]/sm/[id]/performanceHistory

GET /networks/[id]/sm/[id]/desktopLogs

GET /networks/[id]/sm/[id]/deviceCommandLogs

GET /networks/[id]/sm/[id]/connectivity

Checking Data Protection Request Status

The status of any requests for data deletion or restricting processing can be viewed in the Meraki dashboard from Help > Data protection requests.

data_requests1.png

This page displays a list of all protection requests, their scope, type status, and other relevant information.

data_protection_requests.png

MV Camera Data Privacy Features

Several data privacy features were built specifically for Meraki's MV cameras to satisfy data privacy requests.

Note that these MV data privacy features are currently only available for organizations in the EU region.

Export Video

If you have export privileges, you can share video clips using the Export feature. Exporting of video clips currently requires at least 1Mbps upstream bandwidth per export. (Note this does not apply to the viewing of historical footage on dashboard, just exports.)

Export Video

  1. Navigate to a camera's video page, or to a video wall. If you are using a fisheye camera, you can zoom and pan into a specific dewarped view and export with that view. To view the fisheye camera in dewarp, refer to this article.

  2. Select Share > Export.

    • Note that for the fisheye camera, you can export in both the warped (circular) and dewarped views. 

      Screen Shot 2019-04-01 at 10.21.39 AM.png

  3. If exporting through the video wall with multiple cameras, you must also use the drop-down to select which camera you wish to export video from.
    select_camera.png
    Note: dewarp video tiles are not presently supported. Only full frame exports are possible from video wall at this time. For dewarped video exports of fisheye footage, use the single camera page, adjust your field of view as desired, and proceed with exporting the desired footage.

  4. Select start and end time and date for the export. You can also schedule your export so that you can choose the time most convenient for exporting.  Scheduling exports after hours can help reduce the potential bandwidth impact on other business critical applications, allowing your organization to run more smoothly.
    export_options.png

    • Alternatively, use the timeline slider to chose the export duration.slider.png

  5. Click Export to start the export.

  6. You can monitor the status of your exports by navigating to Share > Show recent exports. Click on each item to download the export, copy link to clipboard, delete the export, or calculate the checksum. You can also view all exports within your network from the Exports page.
    show recent.png

Note: The current minimum time allowed for a single export is 5 seconds and maximum time allowed for a single export is 12 hours. Video exports are trimmed to the requested size with no buffer. If an invalid time range is selected, the export will automatically default back to 30 seconds to provide a valid export. The download link for an export is good for one hour at time of page load. Refreshing the dashboard page generates a new download link. 

Exports Checksum

You can verify the integrity of a video clip by saving a copy of the original export's calculated SHA-256 checksum provided on the dashboard and referring to it every time you need to compare a copy to the original. A SHA-256 checksum is a 256-bit or 32-byte hash serves as the file's "signature", and can be calculated over and over again to the same result. However, once the file is changed in any way, this value becomes different. It is generated using the SHA-256 secure hash algorithm. The algorithm is a one-way function, it cannot be decrypted back. 

 

  1. You can find out what the video checksum is by clicking on the export under Recent Exports and then Calculate checksum.
  2. The 256-bit checksum will be printed underneath. Take a screenshot or copy-paste to save this in a safe place.Screen Shot 2019-04-01 at 9.56.05 AM.png
  3. Every time you want to verify that any copy of the exported video is legitimate, you can calculate this copy's checksum and compare it to the one provided on the dashboard. If they match, the video is identical. Otherwise, it has been corrupted or tampered with.
    • To calculate the SHA-256 of a downloaded file, you can use a terminal. We provide the instructions for Windows, Mac or Linux below.
      • Windows Power Shell
        • Get-FileHash -Algorithm SHA256 .\Filename.mp4
      • Linux
        • sha256 .\Filename.mp4
      • Mac OS Terminal
        • shasum -a 256 .\Filename.mp4

Exports Page

You can also view all exports within your network from the Exports page. Additionally, combine exports into a single file from this page.

Exports Retention Period

By default, an export will be stored for a year in the Meraki cloud ecosystem. If a max retention time is set on a node, the export retention period will respect that value.

 

Note: If a firewall is in place, it must allow outgoing connections on particular ports to particular IP addresses. This is due to MV export functionality requiring connectivity to the Cisco Meraki cloud infrastructure. The most current list of outbound ports and IP addresses for your particular organization can be found here.

 

Mark Video/Pause Processing

The pause and delete options are only available for organizations located in EMEA for GDPR purposes.

Video that needs to be set aside or marked for further review can be set under the Share menu on the Camera Status Page or Video Wall

Video can be marked and paused by selecting the arrow next to Share > Pause processing for GDPR. A slider will appear that allows you to select a time section to pause. Once a section has been selected, click Pause Processing at the top-right section of the video screen. The paused selection will be added to the Paused clips list.

Paused clips will not be viewable in the stream and will not be processed until 'Unpaused.' These clips will be stored and will not be overwritten. Each paused clip can be up to 24 hours long.

Note that paused video clips are stored locally and will consume space on the internal storage of the camera. Storing large amounts of video in Paused clips may impact video retention times, as the internal storage of the camera will not overwrite paused clips and will not be able to use the storage they consume while paused.

Delete Video

The pause and delete options are only available for organizations located in EMEA for GDPR purposes.

Video that needs to be permanently deleted can be deleted under the Share menu on the Camera Status Page or Video Wall

Video can be deleted by selecting the arrow next to Share > Delete. A slider will appear that allows you to select a time section to delete. There is a maximum time range of 24 hours that can be selected for each deletion request; any request greater than 24 hours will not be actioned.

Once a section has been selected, click Delete Video at the top-right section of the video screen. The deleted selection will be permanently removed, and will no longer be marked as green on the timeline slider.

Note that video which has been deleted is permanently lost and cannot be recovered. Meraki cameras store all video on local storage and Meraki does not keep backups of camera video.