Contracts and Licensing

Contracts and licenses are legally binding documents that state the expectations, rights, and responsibilities of all parties involved. They can also grant vendors and other third parties the right to collect, process, and disclose user data, which can compromise user privacy. With some advance planning and careful reading, you can identify these privacy risks and negotiate with the vendor for more privacy-friendly terms.

The legal language in contracts can make them dense and opaque for the average library worker reading them. A contract might say that the vendor protects user privacy, but the vendor's privacy standard may not be the same as your library's. Look for what the contract actually commits the vendor to (what data is collected, who it is shared with, in what form, and for what purpose) rather than relying on general statements of intent.


Contract negotiation can be a stressful and complicated process. Identifying which areas you are willing to compromise on, as well as your dealbreakers, before negotiation begins can help. Do not be afraid to end negotiations over a dealbreaker! Other vendors might have better privacy practices. Additionally, a vendor may be pressured to change its contract or its practices if enough libraries refuse to sign or renew because of the same dealbreakers.



Here are some examples of language from actual contracts, showing the variety of approaches to privacy. What possible privacy risks or protections can you find in each example? The analysis below each set follows the same numbering.

  1. “We take privacy very seriously. While we do log information on visits, queries and other site activity, this information is for evaluating the effectiveness and usefulness of [product name] only. All specific visit information is treated confidentially and anonymously, and is never shared with any other party, including the participating distributors. Aggregated data is shared with distributors.”

  2. “The Parties agree to maintain the confidentiality of any data relating to usage of the Licensed Materials by the Licensee and its Authorised Users. Such data may be provided to third parties in aggregated form only and shall not include any information relating to the identity of individual Authorised Users.”

  3. “Any and all transfers of personal information will be in compliance with applicable laws and regulations, including, the Health Insurance Portability and Accountability Act (“HIPAA”), the Health Information Technology for Economic and Clinical Health Act (“HITECH”), the Family Educational Rights and Privacy Act (“FERPA”), and [State] Statutes §817.5681.”

  4. “Licensor shall be entitled to hold and process the personal data of Participating Institutions and Authorized users as defined in applicable privacy and data protection legislation; make such information available to (i) business partners, sub-contractors and/or suppliers who provide products, or services to Licensor; (ii) our branches; either of whom may be outside the European Economic Area for legal and administrative purposes in order to fulfil its obligations under this Agreement.”

  1. Admits that user behavior (visits, queries, site activity) is logged. Only aggregated data is shared with distributors, not PII. "We take privacy very seriously" has no legal meaning, and neither "anonymously" nor the level of aggregation is defined, so there is no stated protection against re-identifying individual users from small or detailed aggregates.

  2. Usage data is confidential between the parties; it may be shared with third parties in aggregated form only, and must not include anything identifying individual authorised users. This is the clearest protection of the four, though it still does not define how aggregated the data must be.

  3. This clause only promises to transfer personal information in compliance with existing law. Anything not covered by HIPAA (not relevant to most libraries), HITECH, FERPA, and the cited state statute is fair game to be shared, which could be a lot of data. Compliance with the law is the floor, not a privacy commitment; it places no limit on who receives the data or why.

  4. Personal data may be shared with business partners, subcontractors, and suppliers, and with the licensor's own branches, any of which may be located outside the European Economic Area, where GDPR-level protections may not apply. "Fulfil its obligations" is not defined and could be read broadly, and "as defined in applicable privacy and data protection legislation" leaves the scope of "personal data" to whichever law the vendor considers applicable.