Understanding Data Licensing Agreements

Data Licensing Agreements Help Protect Texas Businesses and Customers

Whether your company is licensing customer analytics, behavioral insights, or marketing lists, a data licensing agreement will play a key role in defining whether your business can collect and use data—and how. 

Understanding what data license agreements include, and how they align with state privacy laws like the Texas Data Privacy and Security Act (DPSA), is essential to protecting your business and maintaining consumer trust. In this article, Merritt Law shares a general guide to data licensing agreements, including key terms to know and sections of these agreements to watch for.

What Is a Data Licensing Agreement?

A data licensing agreement, or data sharing agreement, is a contract that allows one party (the licensor) to grant another party (the licensee) permission to use certain data under specific terms. Unlike a data sale, which transfers full ownership of the data, a data license allows the licensor to retain ownership and control while earning revenue or forming ongoing partnerships.

This distinction is important: once a business sells its data, it loses all control over how that data is used. A license, on the other hand, can restrict how the data is processed, who can access it, and how long it may be retained—ensuring continued oversight and compliance with applicable laws.

Getting to Know the Terms: Types of Data

Before drafting or signing a data licensing agreement, it’s critical to understand what kinds of information are being shared.

Personal Data

Personal data is any information, including sensitive data, that is linked or reasonably linkable to an identified or identifiable individual. Common examples of personal data include customer names, email addresses, phone numbers, survey responses, in-store purchases, and gender. 

The term does not include deidentified data (data that cannot be reasonably linked to an identifiable individual) or publicly available information. 

Sensitive Data

“Sensitive data” is a category of personal data that is monitored more heavily by regulatory agencies. Sensitive data includes information such as:

• racial or ethnic origin
• religious beliefs
• mental or physical health diagnoses
• Sexuality
• citizenship or immigration status
• genetic or biometric data (e.g. fingerprints and facial recognition)
• personal data collected from a known child (under 13 years of age)
• precise geolocation data (GPS-level latitude and longitude coordinates that can identify a precise location of an individual)

Data Ownership, Controllers, and Processors

Ownership

Paramount to data licensing and sales is the concept of ownership. Technically speaking, data is not owned in the same sense that other types of intellectual property (IP) is owned. For example, IP law does not protect data ownership in the same way it protects other types of property, unless the “owner” takes additional steps to ensure the data qualifies as proprietary. 

For example, there are at least two ownership concepts that possessors of data can use to establish a right to license and sell their data: 

1. Trade Secret: Proprietary data sets that the owner 1) has taken reasonable means to keep the information secret, and 2) the information derives independent economic value (i.e. a competitive edge) by keeping such information a secret, may qualify as trade secret.
2. Copyright: Compiled and uniquely selected data that is selected, organized and arranged, such as a visual data presentation, may qualify for copyright protection. 

Because of the uncertain nature of data ownership, most state laws define those who determine how data will be used as the “controllers.” 

Controllers

Controllers are defined as those in control of the information and determine the purpose and means of using the data. For example, if a business determines that the names and purchase history of its customers will be used to sell to a third party for targeting advertising, that business is the “controller” of the data under most state privacy laws. 

Controllers have certain requirements and duties to consumers to responsibly handle the data with which they possess and ensure their consumers are given proper notice and consent options.

Processors

Processors are those that process personal data on behalf of a controller, such as collecting, using, storing, and analyzing data. An example of a processor is a third-party outsourcing service hired to process data on a controller’s behalf.

Like controllers, processors have certain statutory requirements they must comply with under state law.

Ensuring Compliance with the Texas DPSA

The Texas Data Privacy and Security Act establishes specific obligations for controllers and processors of personal data. Among other things, it requires clear instructions on data processing, confidentiality, and the handling of consumer rights requests. Including these elements directly in your data license agreement can help ensure compliance and reduce exposure to enforcement actions.

Key Components of a Data Licensing Agreement

Whether your business must comply with the Texas DPSA or any other privacy framework, any sharing of customer data will require a data sharing agreement. The following outlines the major components of a data license agreement, specifically, and what to look out for to ensure your agreement complies with Texas law.

Recitals

The recitals provide a chance for each party to clearly define their respective business, roles and expectations. If there is ever confusion about whether a party is a “controller” or a “processor,” the recitals may provide additional insight to the parties’ intent.

Definitions

A data license agreement should never skip the details, or in this case, the definitions. The definitions section is a place to clearly define which “applicable laws” apply to the agreement, whose intellectual property is being shared or retained, what information is being collected, and what data is being licensed. Failure to clearly define ownership and categories of data can be fatal in the event of a data breach or enforcement action.

License Grant

The license grant section is where you define the scope, purpose, and use of the license or right to share. If a business wishes to retain some control over how the data is used, this section should not be overlooked. As the business licensor, look for whether the license grant is revocable, limited, and non-exclusive.

Conditions to Use

Conditioning the use and license of a business’s data is critical. This section should require that the licensee comply with all applicable laws and regulations, limit or prohibit the right to sublicense or re-sell the data, and follow instructions from the controller for complying with consumer requests, such as a request to delete a consumer’s data. 

For example, under the Texas DPSA, an agreement between a controller and a processor must have clear instructions regarding the processing of data, requires the processor to maintain confidentiality of the data, and requires the processor to provide all information available regarding its compliance with the act, at the controller’s request. 

Fees

A business should clearly define the amount, frequency, and place for payment of any fees or revenue share that will be derived from the use of the data. 

Ownership and Intellectual Property

Having a distinct section to define what the parties own is also critical. In addition to defining ownership of the data, the parties may grant to each other a limited right to use each other’s images, trademarks and other proprietary information during the course of the relationship.

Confidentiality

As data collection and sharing is extremely sensitive, businesses will want to ensure strict compliance with confidentiality obligations of the data.

Representations, Warranties and Disclaimers

A business should consider disclaiming any warranties as to the accuracy, completeness or fitness for a particular purpose of the data it will be providing.

Anonymization

Extra care should be given to a party’s promise to de-identify or anonymize the data. Claims that data is “anonymous” or “will be anonymized” are often deceptive, and re-identification methods (the ability to re-link an individual to a data set) have become easier in recent years. Consider requiring the licensee of “anonymized” data to guarantee such data will remain anonymous and reduce the chance that data will become accidentally re-identified. 

Term

Make sure to clearly define a term for the processing of data, and what obligations each party will have upon termination or expiration, especially deletion and retention of data. 

Indemnities

Include clearly-written indemnities requiring the other party to indemnify you for their use or misuse of the data you provide them, and their compliance with all applicable laws. Ensure any limit on liability is appropriate by balancing the cost of the risk involved in improper use or disclosure of the data.

Exhibits

Don’t forget the exhibits. Ensure all referenced exhibits and schedules are included and minimally conflict with the main agreement. Businesses and attorneys, alike, may pay too little attention to the exhibits, when they are often the place where the parties get the most detailed.

Protect Your Business and Your Data with Merritt Law

Because of the complex legal and technical issues involved, businesses should never enter into a data licensing or sale agreement without consulting an experienced and trusted legal advisor. A knowledgeable attorney can help define roles, clarify ownership, and ensure your agreements comply with evolving privacy laws like the Texas DPSA.

Merritt Law is a trusted software and technology lawyer, and we regularly work with Texas businesses to draft, review, and negotiate data licensing agreements that safeguard their rights and reduce risk. Contact us online today or call (737) 279-7290 to schedule a consultation and ensure your business—and your data—are protected.