Skarp

Chapter 6 of 9

Confidentiality, IP, and Data: Protecting Information You Care About

From NDAs to data‑sharing terms, information‑related clauses can quietly decide who owns what and what happens if data is misused. This module helps you read these sections with confidence instead of guesswork.

15 min read

Big Picture: What Are We Protecting?

Three Big Buckets

In contracts, a few quiet sections decide what happens to information and ideas. We focus on three buckets: confidentiality (keeping secrets), IP (who owns ideas, code, designs), and data (how data is collected, used, shared, and secured).

Where You See These

You will see these clauses in NDAs, service agreements, employment contracts, research collaborations, and SaaS terms of service. They often do more than the law strictly requires.

Your Goals

By the end, you should be able to spot key clauses, restate them in plain English, and notice when restrictions look overreaching or risky so you can slow down or ask for help.

Laws in the Background

Data protection laws keep evolving. In the EU, GDPR has applied since 2018. In the US, state laws like CCPA/CPRA apply. Contracts sit on top of these laws and often go further.

Step 1: Reading Confidentiality and NDA Clauses

Three Questions

Confidentiality clauses and NDAs answer three questions: 1) What is confidential? 2) How long must it stay confidential? 3) What can and cannot be done with it?

Typical Structure

You will see a definition of "Confidential Information", obligations of the receiving party, exceptions (what is not confidential), and sometimes remedies if confidentiality is breached.

Scope and Obligations

Check how broad "Confidential Information" is and what you must do: use only for a stated purpose, protect with reasonable security, and whether you can share it internally or with advisors.

Exceptions and Duration

Healthy clauses exclude information already known, public, independently developed, or required by law to disclose. Duration is often 2–5 years, sometimes perpetual for trade secrets.

Step 2: Example NDA Clause and Plain-English Rewrite

Sample Clause

Sample NDA: Confidential Information is non‑public info that is marked confidential or obviously sensitive. You must use it only to evaluate a potential deal and protect it with reasonable care.

Plain-English Points

Plain English: 1) Covered: non‑public, marked or clearly sensitive. 2) Use: only to decide whether to work together. 3) Share: only with staff/advisors who need it and are bound by similar duties.

Exceptions and Time

Not covered: public info, what you already knew, what you independently develop, or what law forces you to reveal (with notice). Duties last 3 years after the last disclosure.

How to Practice

Visually, think of all shared info as a big circle and confidential info as a smaller inner circle. Practice turning legal text into 4–6 short bullets in your own words.

Step 3: IP Ownership vs Licenses (Who Owns What?)

Ownership vs License

IP clauses decide who owns what is created and who can use it. Ownership is legal control. An assignment transfers ownership. A license is permission to use, without giving up ownership.

Background vs Foreground

Background IP is what each party already had. Foreground or Project IP is what is created during the contract. Clauses decide who owns each and how they can be used.

License Details

Licenses can be exclusive or not, worldwide or limited, perpetual or time‑limited, and sometimes sublicensable. These adjectives (exclusive, perpetual, royalty‑free) change the deal a lot.

Reading Checklist

Ask: Who owns pre‑existing stuff? Who owns what is created? How broad is any license? Are there surprise transfers like "hereby assigns all right, title, and interest" beyond the project?

Step 4: Spot the IP Red Flags

Try this thought exercise. For each clause, decide if it feels balanced or overreaching for a student freelancer designing a logo for a small startup.

Clause A

"Designer hereby assigns to Client all right, title, and interest in and to the final logo delivered under this Agreement. Designer retains ownership of and may reuse any underlying tools, templates, and design methods used to create the logo."

Clause B

"Designer hereby assigns to Client all right, title, and interest in and to any intellectual property conceived, developed, or reduced to practice by Designer during the term of this Agreement, whether or not related to the services."

Clause C

"Designer grants Client a perpetual, worldwide, exclusive, royalty‑free, sublicensable license to use, modify, and distribute any of Designer's pre‑existing materials included in the logo, for any purpose."

Your task

  1. Mark each clause in your notes as OK, Maybe, or Danger.
  2. Then compare with the guidance below.

Guidance (do not peek until you decide)

  • Clause A: Often OK. The client owns the final logo (normal), but you keep your tools and methods.
  • Clause B: Likely Danger. It grabs all IP you create during the contract, even unrelated side projects.
  • Clause C: Usually Danger or at least Needs negotiation. It gives the client a very broad, permanent license to your pre‑existing materials, with no payment beyond the logo fee.

When you read real contracts, do this mental labeling. Anything you mark as Danger is a candidate for questions or legal review.

Step 5: Data Protection and Security Clauses (High Level)

What Are Data Clauses?

Data clauses say how data is collected, used, shared, and protected. In 2026 they are shaped by laws like GDPR in the EU and CCPA/CPRA and similar laws in various US states.

Key Concepts

Key ideas: personal data (identifies a person), controller vs processor (or business vs service provider), data processing agreements (DPAs), and security measures like encryption and access control.

Reading Checklist

Ask: What data is handled? What can they do with it? Who can they share it with? What security measures are promised? What happens in a breach or misuse?

Your Summary

Aim to summarize: what data they get, allowed uses, sharing rules, protections in place, and what happens if something goes wrong. That is enough to flag major concerns.

Step 6: Non-Compete, Non-Solicit, and Similar Restrictions

Types of Restrictions

Common restrictions: non‑compete (no working for competitors), non‑solicit (no poaching staff or clients), and no‑hire/no‑deal clauses. They often sit near confidentiality or IP sections.

Non-Compete Nuance

Non‑competes limit where and when you can work in similar fields. Many places restrict or ban them, especially for employees and students. Rules differ by region and have changed a lot recently.

Reading Checklist

Ask: What is restricted? For how long? In what geographic area? Is it tied to real interests like trade secrets, or does it just block future work? Is it necessary for this deal?

Your Role

You do not need to judge enforceability. Your role is to notice when a restriction is unusually broad in scope, time, or geography and flag it for questions or legal review.

Quick Check: Confidentiality and IP

Test your understanding of the last few steps.

A contract says: "Contractor hereby assigns to Client all right, title, and interest in and to any intellectual property developed in connection with the Services." For a narrow consulting project, what is the most accurate plain-English reading?

  A) The client owns only the final report, but the contractor keeps all underlying ideas.
  B) The client owns all IP the contractor creates that is connected to the services, not just the final deliverable.
  C) The contractor and client jointly own any new IP, and either can use it freely.

Answer: B) The client owns all IP the contractor creates that is connected to the services, not just the final deliverable.

The phrase "assigns all right, title, and interest" plus "in connection with the Services" usually means the client gets full ownership of all IP developed that is connected to the services, not just the final report. It does not say anything about joint ownership.

Step 7: Practice Reading a Data Clause

Try this short exercise. Read the clause and then answer the questions in your notes.

Clause

"Provider may collect and process Customer Data, including personal data of Customer's end users, solely to provide and improve the Services. Provider shall not sell Customer Data or use it for targeted advertising. Provider may share Customer Data with its subprocessors listed at the URL provided in Exhibit A, subject to written agreements requiring data protection measures no less protective than those set forth herein. Provider shall implement appropriate technical and organizational measures to protect Customer Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access, and shall notify Customer without undue delay after becoming aware of a personal data breach affecting Customer Data."

Questions (answer in your own words)

  1. What data is being handled?
  2. What can the provider do with it?
  3. Who can they share it with?
  4. What security and breach duties do they have?

Model answers (check after you try)

  1. Customer Data, including personal data of end users.
  2. Use it to provide and improve the services; they cannot sell it or use it for targeted ads.
  3. Share with listed subprocessors, under similar data protection obligations.
  4. Use appropriate security measures and notify the customer without undue delay after a breach.

This is the exact approach you should take on real contracts: pull out the "what data", "allowed uses", "sharing", and "protection" pieces.

Step 8: Key Term Flashcards

Flip through these quick flashcards to reinforce core vocabulary.

Confidential Information
Non‑public information that is protected by a confidentiality clause or NDA, usually defined in the contract (for example, marked confidential or obviously sensitive).
Non‑Disclosure Agreement (NDA)
A contract that sets rules for sharing and protecting confidential information, including what is covered, how it can be used, and for how long.
Intellectual Property (IP)
Legal rights in creations of the mind such as code, designs, text, music, inventions, and brand names (copyright, patents, trademarks, trade secrets).
Assignment (of IP)
A transfer of ownership of IP rights from one party to another, often signaled by language like "assigns all right, title, and interest".
License (of IP)
Permission to use IP under certain conditions (for example, non‑exclusive, worldwide, royalty‑free) without transferring ownership.
Personal Data / Personal Information
Any information that identifies or can reasonably identify a person, such as names, emails, IP addresses, device IDs, or student IDs.
Controller / Business
The party that decides why and how personal data is processed (called a controller under GDPR and a business under CCPA/CPRA).
Processor / Service Provider
The party that processes personal data on behalf of the controller/business, following its instructions.
Non‑Compete Clause
A restriction that limits a person's ability to work for or start a competing business for a certain time and in a certain area.
Non‑Solicitation Clause
A restriction that prevents a party from poaching the other party's employees or customers for a certain period.

Key Terms

License
Permission to use intellectual property under specified conditions, without transferring ownership.
Assignment
A transfer of ownership of intellectual property rights from one party to another.
Background IP
Intellectual property that a party already owned before entering into the contract.
Foreground IP
Intellectual property created during the performance of a contract; also called Project IP or Developed IP.
Non-Compete Clause
A contract term that restricts a person from working for or starting a competing business for a period and in a region.
Controller / Business
The party that decides why and how personal data is processed (GDPR: controller; CCPA/CPRA: business).
Non-Solicitation Clause
A term that restricts a party from soliciting or hiring the other party's employees or customers.
Confidential Information
Non‑public information protected by a confidentiality clause or NDA, defined in the contract.
Intellectual Property (IP)
Legal rights in creative and innovative works such as software, designs, text, music, inventions, and brands.
Processor / Service Provider
A party that processes personal data on behalf of a controller/business, following its instructions.
Reasonable Security Measures
Industry‑standard technical and organizational steps (like encryption and access control) to protect data from unauthorized access or loss.
Non-Disclosure Agreement (NDA)
A contract that governs how confidential information is shared, used, and protected.
Data Processing Agreement (DPA)
A contract or schedule that sets rules for how a processor/service provider handles personal data.
Personal Data / Personal Information
Information that identifies or can reasonably identify an individual.
