Contract Red Flags

Here are some common contract red flags:

  • Use of “reasonable” and other vague terms; overall lack of transparency on data privacy and security
  • Lack of definitions for terms (such as “data”)
  • Indemnity/liability clauses that leave the vendor blameless when something goes wrong on their end
  • Lack of information regarding what happens to data after termination of the contract
  • Lack of information about responses to law enforcement or government data requests
  • Vendor claims ownership over library user data
  • Vendor reserves the right to resell or disclose user data to other third parties for marketing or other non-essential business purposes
  • Vendor reserves the right to monitor users on services or products (including use of web analytics products or other tracking software or methods)
  • Using “Aggregated,” “Anonymized,” or “De-identified” without defining these methods
  • Providing a URL to the privacy policy on the vendor website (the policy on the website can change at any time without renegotiation of the signed contract)


Exercise | scavenger hunt

If you have access to a vendor contract, read through the contract and compare it with the list of red flags.

  • What vendor contract(s) did you look at?

  • What red flags did you find?

  • What other red flags not listed did you discover?

  • What else did you find that you didn’t understand?

  • Take these red flags to your vendor or to the library worker who handles vendor contracts. Express your concerns and ask for clarification.