Here is my take:
Loom is GDPR and CCPA compliant, and their security controls comply with TSPs set forth by AICPA (that's a fun document to read). AICPA Confidentiality rules have become a bit broader, actually, than 7216 and 7216 has a number of exceptions per TR 301.7216-2. Given that, I am comfortable that I am not violating either 7216 or AICPA Confidentiality in not requesting consent when the TPSP is AICPA compliant (broader than 7216) as well as CCPA compliant, which has expanded to include confidential information tax preparers possess.
https://www.loom.com/security
https://www.aicpa.org/interestareas/frc/assuranceadvisoryservices/socforserviceorganizations.html
https://www.thetaxadviser.com/issues/2015/feb/tpr-feb15.html
These videos are only provided to the client. They're 256-bit encrypted at rest and utilize TLS 1.2+ while in transit. You can restrict who can open them via e-mail address or a password if you keep them hosted on Loom's platform. That is as secure as any client portal we all freely utilize.
It is more so the AICPA that sets forth tax preparers potentially violating confidentiality standards by utilizing third-party services, including software, connected with the tax return preparation and filing. In that case, we should not be using any internet-connected service, such as Zoom, Teams, DocuSign, and could even go so far as to preclude us from utilizing tax preparation software in the first place since TPSPs are always involved.
Perform due diligence, do not be reckless, and keep it confined to client-use only and for the scope of the engagement. This is clearly for tax preparation and review with clients prior to filing, which falls within the scope of a tax engagement. 7216 and AICPA both express scope of coverage being disclosure of confidential information for purposes other than preparation and filing a tax return without client consent.
Keep in mind, also, that if you utilize any taxpayer information you collected for the sole purpose of tax preparation services for something as innocuous as a CPA firm newsletter or birthday card, for example, you can be in violation of 7216 in absence of consent. Same for marketing other firm services to tax-only clients. You can violate it by allowing staff not involved in tax preparation to have access to such information.
If I am missing something in my reviews of 7216 and AICPA Confidentiality requirements, I'm all ears but my interpretation is I am not doing anything in violation since it is only for the preparation and filing of tax returns, or only to fulfill the scope of any other engagement.
All that said, I am inclined to add another layer of protection by downloading the videos and uploading them to the clients' portals, and then deleting them off Loom's site.