AI Vendor Contracts: The Terms And Conditions Trap – Above the Law

Every
week,
in-house
lawyers
receive
requests
to
review
contracts
for
AI
tools.
The
pitch
is
always
the
same.
It
will
save
time.
It
will
make
us
more
efficient.
If
you
review
the
terms
and
conditions
in
those
contracts
carefully,
however,
you
realize
that
they
can
come
at
a
high
cost.

I
have
written
before
about
how
contract
review
needs
to
extend
beyond
a
simple
checklist.
That
principle
has
never
been
more
relevant
than
it
is
right
now,
as
AI
vendors
market
directly
to
teams
across
our
organizations.
The
contracts
for
these
tools
arrive
with
standard
terms
and
conditions
that
most
people
click
through
without
reading.
In-house
lawyers
cannot
afford
to
do
the
same.

I
recently
reviewed
a
contract
for
an
AI-powered
content
platform.
The
tool
would
generate
written
content
using
its
client’s
data.
The
subscription
cost
was
modest.
The
sales
materials
looked
polished.
The
standard
agreement
looked,
at
first
glance,
like
a
straightforward
contract.
It
was
not.

When
I
dug
into
the
terms,
I
found
four
significant
problems
that
had
nothing
to
do
with
cybersecurity
or
data
breaches.
They
had
everything
to
do
with
data
control.

The
vendor
claims
co-ownership
of
your
content. The
agreement
gave
the
vendor
joint
ownership
of
every
piece
of
content
the
AI
tool
generated
using
the
organization’s
data.
The
vendor
could
use
that
content
for
any
purpose,
including
marketing
to
competitors,
without
consent.
The
organization
would
have
been
handing
over
co-ownership
of
its
own
storytelling
to
a
third
party.

The
vendor
walks
away
with
your
data. The
agreement
granted
the
vendor
a
perpetual,
irrevocable
license
to
the
organization’s
data
once
it
was
incorporated
into
something
the
vendor
called
“Aggregated
Statistics.”
The
definition
of
that
term
was
broad.
There
was
no
defined
standard
for
how
the
data
would
be
anonymized.
There
was
no
mechanism
to
claw
that
data
back
after
the
contract
ended.
Once
the
data
went
in,
it
would
be
gone.

The
vendor
can
walk
away,
but
you
cannot. The
agreement
gave
the
vendor
the
right
to
suspend
the
platform
for
a
wide
range
of
reasons,
including
its
own
operational
issues,
with
no
liability
for
data
loss
or
service
disruption.
The
organization
had
no
corresponding
termination
rights.
If
the
vendor
decided
to
suspend
service
indefinitely,
the
organization
would
have
had
no
recourse,
no
refund,
nothing.

You
are
paying
for
something
you
may
not
own. Part
of
the
subscription
included
a
branded
microsite
where
content
would
be
published,
but
the
agreement
did
not
specify
who
owned
the
domain.
It
did
not
address
what
would
happen
to
published
content
if
the
relationship
ended.
It
did
not
restrict
the
vendor
from
adding
its
own
branding
to
the
page.
The
organization
could
have
ended
up
paying
for
a
site
that
the
vendor
controlled,
with
no
ability
to
take
it
along
at
the
end
of
the
relationship.

None
of
these
issues
appeared
on
a
standard
contract
review
checklist.
A
checklist
would
have
flagged
the
limitation
of
liability,
the
indemnification
provision,
and
the
governing
law
clause.
Those
things
mattered,
too,
but
the
real
risk
in
this
agreement
was
something
different.
Once
the
organization’s
data
entered
the
vendor’s
ecosystem,
the
organization
would
have
had
very
little
control
over
how
it
was
used,
how
long
it
was
retained,
or
whether
it
could
ever
be
recovered.

This
is
the
pattern
I
see
over
and
over
with
AI
vendor
agreements.
The
technology
is
new,
but
the
contracting
playbook
is
old.
Vendors
draft
terms
that
give
them
maximum
flexibility
and
minimum
accountability.
They
use
familiar
language
to
wrap
around
terms
that
would
raise
red
flags
if
anyone
took
the
time
to
read
them
carefully.

Here
is
what
in-house
lawyers
can
take
away
from
this:

Read
the
IP
ownership
provisions
word
by
word.
If
the
vendor’s
AI
tool
generates
content
using
your
data,
the
default
should
be
that
you
own
the
output.
Joint
ownership
sounds
reasonable
until
you
realize
it
means
the
vendor
can
do
whatever
it
wants
with
content
built
from
your
organization’s
data.

Trace
your
data
through
the
entire
agreement. Find
every
term
that
references
your
data,
including
definitions
of
aggregated
data,
anonymized
data,
and
derived
data.
Understand
what
happens
to
your
data
during
the
contract,
after
the
contract,
in
the
event
of
a
suspension,
and
upon
termination.
If
the
agreement
does
not
give
you
a
clear
path
to
get
your
data
back,
that
is
a
problem.

Look
for
asymmetry
in
termination
and
suspension
rights. If
the
vendor
can
suspend
service
without
liability,
but
you
cannot
terminate
without
penalty,
the
contract
is
one-sided.
Push
for
mutual
termination
rights,
defined
cure
periods,
and
data
return
obligations
upon
termination
or
suspension.

Ask
what
you
actually
own
when
you
pay
for
a
deliverable. If
the
agreement
includes
a
website,
a
microsite,
a
dashboard,
or
any
other
deliverable,
make
sure
the
contract
specifies
who
owns
it,
who
controls
it,
and
what
happens
to
it
when
the
relationship
ends.

AI
tools
are
going
to
keep
flooding
in.
The
technology
will
keep
getting
better.
The
sales
pitches
will
keep
getting
more
persuasive.
Our
job
as
in-house
lawyers
is
to
look
past
the
demo
and
into
the
contract.
The
terms
and
conditions
are
where
the
real
deal
lives.
Right
now,
too
many
of
those
terms
are
written
to
benefit
the
vendor
at
the
expense
of
the
customer.

We
need
to
dig
in.
We
need
to
push
back.
We
need
to
do
it
before
we
click
“I
agree.”

---

Lisa
Lang
is
an
accomplished
in-house
lawyer
and
thought
leader
dedicated
to
empowering
fellow
legal
professionals. She
offers
insights
and
resources
tailored
for
in-house
counsel
through
her
website
and
blog,
Why
This,
Not
That™
(www.lawyerlisalang.com).
Lisa
actively
engages
with
the
legal
community
via
LinkedIn,
sharing
her
expertise
and
fostering
meaningful
connections.
You
can
reach
her
at [email protected],
connect
on
LinkedIn
(https://www.linkedin.com/in/lawyerlisalang/).