Privacy is quickly becoming the area for which customers want companies to assume unlimited liability in contract negotiations, but if you make your risk tolerance clear ahead of time, you can manage these types of requests, in-house legal leaders say.
It’s common to see customers of cloud-based software products ask companies to assume unlimited liability for willful misconduct or breach of confidentiality when negotiating sales contracts, but since the European Union enacted its big data privacy law and California has followed suit with its own sweeping law, privacy has become the thing customers are particularly worried about.
“We’re in a world of changing laws,” said Andy Dale, general counsel and chief privacy officer at OpenAP.
Customers, he said in a Cockpit Counsel webcast hosted by contract management software company Linksquares, are looking for accountability from you as a cloud software company, because “you’re processing my data.”
The problem with customers asking for unlimited liability, particularly when the product value is relatively small, like $25,000, is that it can leave companies unreasonably exposed, even when the problem is outside the company’s control because the data is in the hands of a third party, like AWS.
“Setting up that risk appetite can really help get through some of these conversations a little bit better,” said Tim Parilla, chief legal officer at Linksquares.
Parilla said he tries to look at indemnification and limitation of liability together when he approaches contractual negotiations with a potential customer.
“Inevitably, everyone’s like, ‘Oh, a data breach. You have to accept that along with your IP and confidentiality provisions,’” he said. “Realistically, if you think about what limitation of liability is meant to do, it’s meant to allow for categories of damages where direct damages are not readily apparent or calculable. So, when you think about a lot of these data protection laws that do have statutory damages associated with them, your direct damages are [those statutory] damages.”
In these circumstances, Parilla said, your company shouldn’t be on the hook for something like a customer’s lost profits.
“I’m absolutely going to try to pull those out,” he said. “Any of your financial indirect damages, same thing. It should be relatively calculable from an indemnification perspective to understand what your liability is going to be. How many people do you have whose information you’re putting into my hands? Or just guess. And accept it.”
“There are many ways to approach these types of negotiation,” Dale said. “One is a more methodical approach [like calculating actual personal data that would be handled]. The other is, I’m going to take responsibility for the things that are within my control.… So, it has to be calculable against the revenue I’m getting. So, there has to be a measurable relationship between those. I’m not giving you uncapped liability or $20 million in liability for a $25,000, one-year deal. I can’t do that.
“More and more,” Dale added, “I think people are understanding that. I think we can get to a yes on that. I like that there are different approaches.”
Protection from the start
Given these liability risks stemming from comprehensive privacy laws like the General Data Protection Regulation (GDPR) and the California Consumer Protection Act (CCPA), it’s crucial for legal leaders to look at privacy as core to their work and make the case to the company’s business units that privacy needs to be built in from the start.
“Setting that culture allows you to get privacy and legal champions in the business across product and engineering,” Dale said. “And marketing, in particular, has a big privacy touchpoint, and legal touchpoint as well.”