Capturing the Value of Data in Technology Transactions

Introduction

Over the past few decades, the importance of data has grown dramatically. Deemed “the new oil”¹ in 2006, today data is more like the lifeblood of the modern world, enabling innovations in data analytics, artificial intelligence (“AI”) and other key technologies. Data-related issues in transactions have become more prevalent, complicated and important to the success of the deal and ultimately the survival of businesses. While the immense value of data is generally appreciated, companies are less aware of the protections available for data under US copyright, trade secret and other intellectual property (“IP”) laws. As a result, companies often make mistakes in their handling of data or misunderstand the available rights when contracting for data. This often leads to unnecessarily contentious negotiations over data ownership issues, which may detract attention from more impactful matters, such as the scope of permitted data usage.

In this article, we summarize data protections available under US law. We then explore practical approaches for companies to successfully understand and negotiate data-related terms in technology transactions.

How is Data Protected Under US IP Law?²

Data exemplifies the failure of US IP law to keep up with today’s technological advances. Instead of fitting neatly into a single IP regime, data rights are covered by a patchwork of copyright, trade secret and contractual protections, increasing the complexity of data-related transactions.

Copyright

US copyright law protects original works of authorship when those works are fixed in a tangible medium. It protects creative expression, not the underlying facts or ideas in works of authorship.³ Therefore, copyright is not well-suited for protecting the facts embodied in data, but it may protect other aspects of data (e.g., the creativity expressed in the data, the selection and arrangement of the data, or the particular data structure used for storing the data).⁴ This means the availability of copyright depends on the context of the data in question.⁵

Trade Secret

Trade secrets offer an important tool for protecting valuable business information, including data. To qualify as a trade secret, information must satisfy specific requirements imposed by applicable laws, which generally mandate that the information be subject to reasonable efforts to maintain its secrecy and derive value from it remaining secret.⁶ For instance, the person claiming data to be a trade secret must be able to show it was only disclosed to those who agreed to maintain the confidentiality of such data. This means that it is insufficient for a company to merely include in a contract provisions declaring data to be a trade secret; the company must actually treat the data as a trade secret.

Contractual Protections

Given the limitations of copyright and trade secret protections for data, companies often rely on contract terms to establish rights to and restrictions on data. Typically this is done through:

• confidentiality provisions that limit the permitted use and disclosure of data;
• IP provisions that acknowledge a party’s ownership of data; and
• license restrictions on provided data.

For example, in a typical services contract, a customer may grant the provider a limited license to use the customer’s data solely for performing the services, and a provider may grant the customer a license to the provider’s data solely for consuming those services. The specific rights and limitations included in a contract depend on, among other factors, the type of data and services in question and the bargaining positions of the parties.

In our experience, many companies see the benefit of using contractual provisions to protect data but fail to appreciate the substantial limitations of that approach. For instance, often the only recourse available for misuse of data is for a party to bring a breach claim under the contract. In such situations, recovery is usually limited to contract damages up to a specified liability cap and further limited by disclaimers of consequential and indirect damages. Since damages for data-related breaches are usually consequential in nature, these disclaimers may dramatically reduce or entirely eliminate the value of this remedy.⁷ Additionally, the party seeking to protect its rights in data usually will not have contractual privity with any third parties, which may mean it will not be able to enforce the contractual provisions against third parties to stop them from freely using or disclosing the data.⁸

Potential Pitfalls to Avoid in Technology Transactions

Below are key potential pitfalls related to data that arise in technology transactions and suggested approaches to help mitigate or avoid them.

Failure to Satisfy the Requirements for Data to Be a Trade Secret

This pitfall arises when companies assume their data will be protected as a trade secret because a contract labels it as such. This reliance is misplaced–contract language alone does not establish trade secret protection for data. In the US, in addition to federal law, each state has its own laws governing trade secrets. While there are differences among such laws, the primary requirements are that:

• the data derives at least some of its value from it being a secret; and
• the data to be subject to reasonable efforts to maintain its secrecy.

Therefore, rather than merely designating data to be a “trade secret”, companies must also treat the data as a secret and use reasonable efforts to maintain its secrecy. This may include:

• requiring those with access to the data to agree to restrictions on the use and disclosure of the data;
• implementing protocols and systems to protect the storage and transmission of the data;
• exposing the data to only those with a need to know; and
• training company personnel on the proper handling of the data.

Insisting on Data Ownership When a Right to Use Would Suffice

Too often, each party to a technology transaction insists on owning the resulting data without either party clearly understanding why it actually needs ownership. A party may believe ownership would give it benefits that would not be available if it merely had a right to use the data, such as the right to enforce IP rights, freely use the data, and generate revenue from the data. Depending upon the context, such presumed benefits may not be necessary or even realizable. Further, when parties disagree on which party should own data, negotiations may become needlessly contentious and they may not focus on more valuable issues.

The following examples illustrate some reasons each party may want to own the data resulting from a transaction:

• A company engages a digital marketing agency to run advertising campaigns that, in the process, collect data on customer demographics, engagement and conversation. The company wants ownership because it believes the collected data reflects its customer base and could reveal sensitive business insights. The agency wants ownership to reuse aggregated or anonymized data across campaigns benchmarking or for AI training.
• A SaaS vendor provides a proprietary tool that tracks and provides insights into user behavior on a company’s e-commerce platform. The vendor wants to own the data generated by the tool to improve its algorithms and products. The company wants ownership because the data includes personal details and other information about end-users and the company’s internal operations, like regulatory compliance and security vulnerabilities.
• A company hires a contractor to build a machine learning (“ML”) model based on the company’s internal data and the consultant’s know-how. The company wants to own the resulting ML model because it may contain sensitive, high-value data insights. The contractor wants ownership to be able to amortize its development costs by reusing the architecture of the model or training models for other clients.

Rather than one party having exclusive ownership of data, companies often agree to more nuanced compromise positions. For example:

• One party owns the data but grants the other party a broad usage license.
• The customer owns the data but grants the service provider a license to use the data in an aggregated or anonymized form for benchmarking, analytics or improvement of its products or services.
• The parties jointly own the data, and each party is subject to limitations on what it can do with the data independently of the other party.

Many other approaches are possible depending upon the circumstances; there is no “one size fits all” approach. Therefore, the parties should discuss data ownership and usage issues early in the negotiation process to reduce the risk that data rights will delay or derail the consummation of the transaction.

AI Training Data Issues

Today’s AI innovations have transformed how people interact with technology and the capabilities customers expect from technology products. These innovations depend on the availability of vast amounts of data to train AI models and which have, at times, appeared in the output of AI models. This raises a range of issues of concern for companies, including the following:

• A company may not want its data to be used for AI training purposes, particularly where it contains sensitive, proprietary information that could benefit the company’s competitors. Without contract provisions explicitly prohibiting use for AI model training, a provider may argue that such training is permitted by virtue of the typical general right to use data to improve the provider’s products.
• Even when a contract states the customer owns all data, the customer may be concerned that infringement, antitrust or other risks may arise if such data was produced by an AI model trained on competitor or other third-party data. Prior to entering into the contract, the customer should determine the extent to which AI model output will be part of the data provided by the provider and assess the data used to train such model and the associated risks.

Commingling Data Risks

In defining the scope of a data license, companies should carefully consider the future use cases for the data in question. For instance, if a company plans to create a collection of data from different sources (also known as a “data lake”), issues may arise when such data is subject to license terms of differing scope.

• When commingled data consists of data from different sources, the most stringent restrictions apply. For instance, if a company uses data in a data lake for its internal and external users, all the data in the data lake becomes accessible internally and externally. As such, if some of the data in the lake is subject to a prohibition on external use, the entire data lake is “polluted” by such data. When the lake contains data from numerous sources or was compiled carelessly,⁹ tracking down the applicable usage restrictions and identifying the most stringent restrictions can be burdensome.¹⁰
• Data usage rights that a company grants must be consistent with the terms on which the data was obtained. For instance, if a company collects data through its website, that data will generally be subject to the terms of the company’s privacy notice. Any downstream usage of that data must comply with those terms, regardless of whether such usage is by the company or a third party. If the company grants a provider rights to use that data to improve its products or services, the company must ensure that doing so does not violate the company’s privacy notice. The situation becomes even more complicated when data is subject to conflicting terms.

Companies can address these issues by determining in advance whether the data in question may be commingled in the future. If future commingling is a possibility, companies should, at a minimum, implement tracking and tagging processes to systematically identify which data are subject to certain usage restrictions.

Conclusion

In today’s data-driven environment, in-house counsel and management must be attuned to the potential risks and rewards of obtaining rights in and protecting proprietary data. Given the limitations of current US IP law, contractual provisions offer companies a way to draw the boundaries for data ownership, usage, and access rights. Unfortunately, there is no one-size-fits-all approach, and the terms each party needs depend on the data in question. Companies should prioritize clearly identifying their business and legal objectives and building their negotiating positions on data with a focus on those objectives. This approach makes companies more likely to win the real value points without wasting time and leverage negotiating issues that appear material on the surface but fail to move the needle in practice.

 

---

 

¹ See Clive Humby, “Data is the new oil!”, Conference, Association of National Advertisers (2006).

² This article focuses on data in the context of US IP laws. For a discussion of data under other legal regimes and data privacy, see Arsen Kourinian, Amber Thomson, Joshua Cohen & Megan Von Borstel, “The Evolving US Privacy Landscape: Essential Insights for 2024,” October 22, 2024.

³ See 17 USC §§ 101, 102(b). https://www.copyright.gov/help/faq/faq-protect.html.

⁴ It should be apparent that this copyright principle may depend on the level of abstraction at which the data in question is evaluated. Consider, for instance, a data file containing a digitization of this article. At the most basic level, the file contains numbers that appear merely as raw information to the computer reading the file. Yet when viewed as representing the content of this article, those numbers are seen as expressions.

⁵ See Feist Publications, Inc. v. Rural Telephone Service Co., 499 U.S. 340 (1991). Unlike EU law (see EU Directive 96/9/EC on the Legal Protection of Databases), US law does not provide sui generis protection for databases independent of copyright and other IP rights.

⁶ See UTSA § 1(4) (1985); 18 U.S.C. § 1839(3). See also Richard Assmus, Nickolas Card, Brad Peterson & Mark Prinsley, “IP Protection Still Elusive For Data Compilations In US And EU”, Law 360 (July 16, 2019).

⁷ In most technology contracts, data confidentiality and security are not the main purpose of the underlying contract. Rather, they are ancillary to the provision of the software or service. US case law has found that, in such a scenario, a consequential damages waiver may bar all damages that arise from a data breach or other unauthorized disclosure of data. See Silverpop Systems, Inc. v. Leading Market Technologies, Inc., No. 14-14258 (11th Cir. 2016).

⁸ However, if the data qualifies as a trade secret, it is possible for the data owner to bring a claim against the third parties for trade secret misappropriation.

⁹ Companies have been known to dump massive amounts of data into a repository, creating a “data swamp” and making it difficult to keep track of usage restrictions. See Thor Olavsrud, “3 keys to keeping your data lake from becoming a data swamp”, CIO (2017), https://www.cio.com/article/230163/3-keys-to-keep-your-data-lake-from-becoming-a-data-swamp.html.

¹⁰ See Brian Stein & Alan Morrison, “The enterprise data lake: Better integration and deeper analytics”, Technology Forecast: Rethinking integration, PricewaterhouseCoopers (2014), https://www.pwc.com/us/en/technology-forecast/2014/cloud-computing/assets/pdf/pwc-technology-forecast-data-lakes.pdf.