Many companies have come to appreciate the fact that data collected from online activity is a valuable, core asset in and of itself, whether it be data about customers, transactions, service statistics or web analytics. Before handing over the rights in this data to third party business partners, take the time to consider the risks and benefits. Does this make sense from a strategic perspective? What are the potential downsides? If granting rights in data does seem to make sense from a business perspective, then the next step is evaluating legal compliance hurdles and ensuring your contracts accurately describe the rights allocated and properly reflect the allocation of risk and benefit.
Everyone seems to be jumping on the data bandwagon these days. For many companies, the potential benefits associated with exploitation of customer information represent the pot of gold at the end of the advertising rainbow. With the benefits, though, come responsibilities.
The web of relationships between companies and these third parties has continued to grow in complexity as online businesses have begun to mature. Transitioning some services to the cloud has introduced hosted service providers as well as a myriad of other contractors supporting them. Companies also rely on third party ad networks, ad agencies, affiliate networks, web analytics companies and multiple marketing relationships to grow their customer base, and with these relationships, more and more data is being collected about customers and their behavior. The web has become more dense and complex, and with this, the level of data sharing has grown exponentially. Much of the collection and analysis of data about customer online behavior on their websites, and about the transactions occurring over those sites, is being performed for companies by strategic business partners, third party service providers and contractors.
But are companies as careful as they need to be in their contracting practices? I would argue no. Along with increased sophistication about privacy and security, companies also need to pay attention to the provisions in their third party contracts that address what data may be collected, who owns the data and what each party can do with this data once collected.
When it comes to negotiating contracts with third parties, here are some simple rules of the road:
- Determine the types of data the third parties will collect or otherwise have access to.
- If access to personally identifiable or otherwise sensitive data is required, then consider any company policies that should apply to the third party’s activities (e.g., privacy, security, confidentiality).
Practice Tip: In today’s environment, it is becoming increasingly easy to trace anonymized information back to the individual, so use caution when granting rights to any sort of information about individuals or their behavior. Some data sets, even if anonymized and aggregated, can be traced back to the company or to an individual. If this occurs, violations of privacy policies can result and disclosure of damaging business information can emerge.
- Apply appropriate data security requirements to the protection of data that is collected and stored by third parties.
- If data is to be collected, make sure that the contract requires the proper level of reporting and disclosure of data back to your company.
- Be specific about how data can be disclosed. If your third party service provider, for example, is allowed to subcontract any of its activities, and those activities involve sharing of data, be sure to require that the subcontractor be bound by the provisions of the agreement that apply to the use and disclosure of data as well.
- Carefully define how data collected can be used. Be particularly cautious about granting rights beyond those required to perform services on the company’s behalf. Often companies will want the right to develop new products and services, or to market their own products and services to customers. These rights can result in violations of many privacy policies. Also, be aware that granting such rights can run afoul of local laws and regulations, especially if the data reasonably can be traced back to an individual.
- Depending on the type of data, consider whether there are any specific regulatory requirements that apply. Here are a few examples that are by no means exhaustive:
  - If health information is disclosed to a contractor, for example, a special type of agreement called a Business Associate Agreement is required.
  - If financial information is disclosed, then adequate information security procedures are mandated.
  - If SMS or other cellular communications are involved, then FCC regulations may restrict the activities.
  - If targeted users are under age 13, then the Children’s Online Privacy Protection Act (COPPA) will apply, requiring parental permission to obtain personal information.
- Consider the legal compliance issues of transferring data across jurisdictional boundaries or storing it abroad, and take these issues into account in structuring the services to be provided and the related business arrangements. This analysis can be complex, so it is best not to “wing” this exercise, but rather to get proper guidance from local counsel in the relevant jurisdictions.
- Evaluate carefully any requests to use aggregated data (i.e., data that has been anonymized and otherwise is not traceable back to an individual). Beware of the potentially damaging impact that use and disclosure of aggregated or statistical information can have if it is possible to trace it back to your company. The same risk noted above about ease of traceability back to the individual also applies to the company.
- Data can be a valuable asset. If rights are shared, make sure that the value is reflected in the overall economics of the arrangement.
- Contractual risk allocation is often heavily negotiated. Review the related contractual provisions carefully. Those that are relevant include, for example, data security, use of data, compliance with law, confidentiality, and related indemnification and limitations of liability.
Data rights are addressed in nearly every online agreement, but companies do not always consider the long-term implications of these provisions. Don’t be the company that is left asking where all of its data has gone and why none of the value has been left behind to benefit the company. Pay attention to those contract provisions!