5 Contract Considerations for Customers of Generative AI Solutions
Businesses have been providing and using artificial intelligence solutions to make predictions and automate decision making for many years. For example, banks have long relied upon machine learning to help predict fraudulent card activity. So, why does it seem to some as if artificial intelligence “came out of nowhere” in late 2022 to take the world by storm?
Up until recently, only those with appropriate education (ex. computer science) or sophisticated work experience could use an artificial intelligence solution to help make a prediction or automate a decision. Further, most artificial intelligence solutions produced prediction-based outputs that were focused on discrete business decisions.
Generative artificial intelligence solutions (“GenAI”), which are relatively new, changed these dynamics. GenAIs generate creative outputs such as text, software code, images, music, and videos (“Output”) in response to user prompts. Further, GenAIs incorporate easy-to-use interfaces that make GenAI accessible to the general public. So, in the “before times,” a small group of sophisticated individuals were using artificial intelligence solutions to help solve specific business problems. Now, just about anybody can use GenAI for a whole host of purposes – from generating software code to use in a mission critical program to creating funny images for personal entertainment.
One result of this new wave of GenAI enthusiasm is an increase in individuals and businesses contracting for the use and provision of GenAI. The contracts may come in the form of “standard terms and conditions” or negotiated, complex contracts. This article is the first part of a two-part series that highlights some, but not all, of the contract issues that GenAI customers and providers should consider. This first part addresses GenAI contract issues from the customer’s perspective.
1. Pre-Contract Diligence
Customers will be at an information disadvantage with respect to the GenAI. This is almost always the case with technology procurement deals, but the information gap can be very wide with GenAI. Customers should be thorough during the pre-contract diligence and negotiation phase, if possible. Of course, traditional leverage dynamics play a role here as well. For example, OpenAI is unlikely to answer a detailed list of diligence questions submitted by an individual user. In such a case, customers should do their own independent research to understand the provider, its practices and the GenAI as best as it can. However, if possible, customers may consider asking prospective GenAI providers the following questions prior to entering into the applicable contract:
- What contract will govern the use of the GenAI?
- Standard terms and conditions or negotiated contract?
- What limits does the provider intend to impose upon the customer?
- Enterprise use?
- Limited number of users?
- Output use restrictions?
- Will the provider disclose a “model card” that describes the model?
- What data was and will be used to develop and train the model?
- Proprietary data of provider?
- Third-party data licensed to the provider?
- Consumer data?
- Data, code or other materials subject to open source licenses?
- Data “scraped” from the internet?
- Customer-provided training data, testing data, inputs and prompts (“Inputs”)?
- Does the provider have all necessary rights to use such data to train the model?
- What will the provider do with Inputs?
- Use Inputs to improve the provider’s algorithms and models that will benefit other customers?
- Disclose Inputs to third parties?
- When will the provider delete Inputs?
- What technical dependencies does the provider rely on to provide the GenAI?
- Does the provider have a robust data privacy and security program?
- Does the provider maintain any controls to help prevent or limit “hallucinations” by the model?
- Does the provider have a program to monitor and comply with current and future laws and regulations?
Key takeaway: If the customer has enough leverage, thorough diligence will allow the customer to obtain information about the provider, familiarize itself with the provider’s practices and GenAI, identify potential risks, and mitigate those risks via contract. Even without enough leverage to conduct such “formal” diligence, robust research on the provider will allow the customer to better understand the risks involved with the GenAI and mitigate those risks via internal controls.
The customer may supply the provider with various Inputs: training data to “tune” the base model, testing data to test the model prior to production use, and prompts to generate the Output during production use. A customer may want to prohibit the provider from using Inputs and the “tuned” model for the benefit of the provider or any other customers. A prudent customer will attempt to get these express restrictions in the contract itself. Many providers will push back on these additions to the contract given common industry practices of using Inputs to improve the GenAI and related models, but the insertion of such provisions will, at the very least, start a discussion about the provider’s use of the Inputs.
Customers should be careful not to rely on “ownership” provisions to restrict the provider’s use and disclosure of Inputs. “Ownership” of the Inputs by the customer may not provide the necessary restrictions to prohibit the provider from using Inputs to benefit other customers or disclosing the Inputs to third parties. Again, express contractual restrictions are the best mechanism to ensure that the provider is prohibited from using Inputs for any purpose other than to provide the GenAI to the customer.
Finally, from an internal operational and compliance perspective, customers should ensure that they: (i) have all necessary rights and permissions to disclose the Inputs to the provider for the purposes of providing the GenAI and training the model; and (ii) refrain from disclosing Inputs that contain trade secrets, sensitive confidential information or personal information, unless the provider agrees to robust restrictions regarding the use and disclosure of such Input. Although a customer may consider Inputs “its data,” various laws and third-party contracts may prohibit the customer from disclosing Inputs to the provider for the purposes of providing GenAI and training related models. This is especially true for an Input that contains personal information. In addition, the customer may risk losing trade secret protection if it discloses trade secrets as Inputs into the GenAI without appropriate restriction on the provider’s use and disclosure of the Input.
Key takeaway: Customers should: (i) require that the contract itself contain express restrictions on the provider’s use and disclosure of Inputs; (ii) confirm that customer has all rights and permissions to disclose Inputs to the provider for the purposes of providing the GenAI; and (iii) not disclose trade secrets, sensitive confidential information or personal information as an Input without robust restrictions on the provider’s use and disclose of such Inputs.
Output issues are dependent upon the customer’s anticipated use of the Output. An Output that will be used internally by the customer or for personal use will likely carry less risk than an Output that the customer will commercialize or incorporate into external products, services or marketing. In either case, the customer should ensure that the contract: (i) grants the customer the perpetual, irrevocable, royalty-free right and license to use the Output for all purposes contemplated by the customer; and (ii) does not contain restrictions on use of Output that prohibit the customer’s anticipated use of the Output. This will ensure that the customer can use the Output as intended free from potential claims by the provider.
Some customers may want the ability to prevent the provider and third parties from using the Output. If prohibiting others from using the Output is important to the customer, the customer may attempt to require the provider to assign to the customer all intellectual property rights covering the Output. This means, to the extent the provider owns any intellectual property rights covering the Output, such rights are transferred to customer. The assignment, in theory, gives the customer the right to exclude others from reproducing, distributing, displaying, and modifying the Output. In practice, the intellectual property right assignment may not provide much to customers above and beyond the approach described in the preceding paragraph because whether or not intellectual property rights apply to Output generated by GenAI is an open question under law that requires case-by-case analysis. So, again, the best tool for the customer to impose restrictions on the provider is a contract provision. The customer should rely on express contract restrictions to prohibit the provider from using Output, if provider’s use of Output is a critical concern for the customer.
Prohibiting third parties from “ripping off” Output developed by GenAI is more challenging. Contract provisions are tools that are generally unavailable with respect to third parties because one typically does not enter into contracts with such parties, although some exceptions do exist (ex. website terms and conditions). So, customers may have great difficulty commercializing Output that will be available to the public (ex. images, stories, screenplays, etc.) because they may not own the necessary intellectual property rights to prevent others from copying and commercializing such Output and they may not have an agreement that expressly prohibits such activity. If having the ability to prevent others from using Output is critical, customers should consider whether or not GenAI is the appropriate tool to generate such material.
In addition to the difficulty of preventing others from using the Output, customers may be subject to lawsuits from third parties claiming that the Output infringes upon their intellectual property rights or violates their privacy rights. This may occur if the provider “scraped” the internet for training data without owners’ permission – which is common practice in the industry. Providers claim that such practice is “fair use” under copyright law. Content creators and owners of such training data claim that such practice infringes upon their intellectual property rights, breaches their website terms and conditions, and violates other laws and regulations. Litigation of this nature is beginning to percolate through the court systems and will take many years to sort through. A prudent customer will attempt to insert contract provisions that transfer this liability to the provider. Most, if not all, providers will not protect the customer from this risk because it is perhaps the biggest “hot button” issue with respect to GenAI and the risk is difficult to quantify and mitigate under current legal frameworks.
Key takeaway: Customers should ensure that the contract expressly permits (and does not expressly restrict) all of the customer’s anticipated uses of the Output. Customers may have limited ability to prevent the provider, its other customers, and other third parties from using Output. If having the ability to prevent others from using Output is critical, customers should consider whether or not GenAI is the appropriate tool to generate such material. Finally, customers will bear the risk of third parties suing them claiming that the use of GenAI Output infringes upon their intellectual property rights.
4. Compliance with Law
This is a very broad topic that is rapidly changing as it relates to artificial intelligence, including GenAI. Despite its breadth and dynamic nature, there are some known legal compliance issues with respect to providers obtaining data to train the model, processing customer Inputs that contain personal information, and producing Output that violates law in ways other than infringement upon intellectual property and privacy rights.
Ideally, customers would include express terms in the contract that require providers to comply with all current and future applicable laws and regulations. Customers may be surprised to find out that providers will likely resist these terms for at least three reasons: (i) most providers “scrape” the internet for data to train the model, the legality of which is an unsettled issue under law (discussed above); (ii) laws and regulations applicable to GenAI are changing at a very rapid pace – both existing laws being interpreted in the GenAI context and new laws being proposed and enacted that are specific to GenAI; and (iii) legal compliance risk is also dependent upon the customer’s use of the Output (ex. using GenAI to help with hiring decisions vs. using GenAI to help prepare a internal only slide deck).
If the provider is unwilling to provide a blanket guarantee that it will comply with all current and future laws, the customer may require the provider to permit the customer to audit the provider and its model training practices, cooperate with the customer’s legal compliance efforts, and cooperate with the customer in connection with any regulatory inquiries or investigations. Perhaps not surprisingly, most providers will resist audit rights and will “box in” their cooperation obligations, if they agree to them at all. At the very least, customers will prompt a detailed discussion regarding the provider’s approach to legal compliance if they insert these edits – providing more information to assess the provider and potential risks.
If Inputs will contain any personal information, the customer needs to consider whether or not it is required, or desires, to impose robust data privacy and security obligations upon the provider. These obligations typically address compliance with data privacy laws, implementation of data security systems that adhere to certain industry standards, data breach response reporting and procedures, etc. Of course, providers will very likely resist these obligations and may even go further by contractually prohibiting customers from providing Inputs that contain personal information.
Finally, Output may create third-party liability other than infringement upon others’ intellectual property and privacy rights. For example, Output may include material that is defamatory or discriminatory. If possible, a customer will require the provider to ensure that the GenAI will generate no such Output, but it is unlikely that a provider will make such guarantees due to the unpredictable nature of GenAI. A customer can best mitigate this risk by ensuring that a human reviews all Output on behalf of the customer prior to deploying the Output.
Key takeaway: Customers should attempt to require providers to comply with all current and future laws and regulations that apply to the provider’s provision of GenAI. Providers will likely push back on such a broad obligation, in which case customers should insert “softer” legal compliance obligations that can help ensure the customer’s use of GenAI does not create compliance issues for the customer or subject it to third-party litigation. Customers should not rely solely on GenAI for use cases that may create greater legal compliance risk (ex. hiring decisions).
5. Risk Allocation
“Risk allocation” provisions typically refer to representations, warranties, indemnities, and limitation of liability provisions that disclaim, transfer and cap risk related to the transactions contemplated under the applicable contract. If using a GenAI under “standard terms and conditions,” the customer should review the risk allocation provisions carefully. Most providers will push as much risk as they can to the customer and limit their own risk as much as possible. Providers do this in a number of ways.
First, providers will likely require that customers represent and warrant that the customer has acquired all necessary permissions and licenses to provide the Input for GenAI use. This is not an unreasonable ask from providers, as this risk is within the customer’s control. The customer should, in fact, confirm that it has acquired all such necessary permissions and licenses. However, providers commonly add overly broad Input warranties and indemnification obligations that go beyond this reasonable ask. For example, a provider may require the customer to represent and warrant that the provider’s use and disclosure of Inputs will comply with all laws and not infringe upon any right of any other party. Further, the provider may require the customer to defend and indemnify the provider from and against any and all claims, suits, damages, and losses that arise from or relate to the provider’s use or disclosure of Inputs. Representations, warranties, and indemnities of this nature shift a lot of risk to the customer that is outside of the customer’s control.
Providers also limit, or almost eliminate, their risk vis-à-vis the customer. Almost all of GenAI “standard terms and conditions” contain disclaimers that the provider makes no representations or warranties regarding sourcing training data, training the model, or the Output. This is especially true for providers that “scrape” the internet for data to train the model without permission from the website and data owners. The disclaimers typically cover performance, accuracy, infringement, and compliance with law. Essentially, customers will have little or no ability to recover damages from providers if anything “goes wrong” with respect to the GenAI or Output. In addition, providers are unlikely to provide any indemnification protection with respect to Output. So, customers will have to bear the cost and financial fallout of suits against them by third parties that claim the customer’s use, disclosure, or commercialization of the Output infringes upon the third party’s intellectual property rights or violates their privacy rights.
Finally, most providers contain a very strong waiver of consequential damages provisions and liability cap provisions that restrict the customer’s ability to recover any meaningful amounts from the provider in the unlikely event that the customer has a breach of contract claim, or any other claim, against the provider relating to the provision of GenAI. Of course, providers’ “standard terms and conditions” are unlikely to contain similar protections for the customer, so customer’s liability with respect to the provision of GenAI and related contract may be unlimited.
Key takeaway: Providers’ “standard terms and conditions” shift a lot of risk to the customer and limit, sometimes almost eliminate, the provider’s risk between the provider and the customer. If the customer has any ability to negotiate the contract governing the use and provision of GenAI, these are likely some of the most important provisions to edit to ensure that the customer is not taking on unreasonable risk. At the very least, customers should review these provisions in detail to understand the risk associated with using GenAI.
Above is a non-exhaustive list of some issues that customers of GenAI should consider prior to contracting for, and using, GenAI. Customers should regularly monitor these issues because they are changing by the day, given the rapid pace of innovation and new litigation working its way through the court systems. If you find these considerations relevant to your business and need guidance in navigating them, don't hesitate to reach out to one of our dedicated attorneys in our Commercial and Technology Contracts practice. Additionally, stay tuned for the second part of this series, which will address GenAI contracting issues from the provider’s perspective.
*Special thanks to summer associate Charles Erker for his contributions to this article.