When licensing software that processes user data, how should data rights be addressed?

• A. Define data usage rights, ownership of generated data, rights to use aggregated/derivative data, privacy compliance, data retention, and restrictions on data sharing with third parties or licensors.
• B. Only data retention.
• C. Data ownership and usage rights should be addressed, along with privacy compliance and restrictions on sharing.
• D. Data rights are determined by local laws only.

Answer: (A)

When licensing software that processes user data, you must spell out data rights in the contract. This means clearly defining how the data may be used by the processor, who owns data generated from the processing (including outputs, models, and analytics), and the licensor’s and licensee’s rights to use any aggregated or derivative data. It also covers privacy compliance obligations, data retention and deletion rules, and restrictions on sharing data with third parties or licensors. Putting all of these terms into the license helps manage risk, clarifies ownership and permissible uses, supports regulatory compliance, and governs data sharing and future improvements to the service.

Focusing only on data retention leaves out who owns the results of processing and how derived data or aggregated datasets may be used, which can create future disputes or compliance gaps. Addressing data ownership, usage rights, privacy, and sharing is essential, but without the explicit rights to aggregated/derivative data and clear retention terms, the arrangement remains incomplete. Relying solely on local laws isn’t enough either, since contracts should tailor data rights to the specific service, data types, jurisdictions involved, and business needs, ensuring consistent rights and obligations beyond what laws alone would determine.