Legal & compliance checklist for data providers

The following article was contributed by Renita Sharma and Hope Skibitsky, experienced litigators in Quinn Emanuel's New York practice.

It is an exciting time for the alternative data space, with thought leaders across all industries continuing to discover the vast potential of alternative data. But as demand for alternative data increases at an exponential rate, the legal landscape surrounding data access and usage remains many steps behind the marketplace.

And, to complicate matters, there is no single legal or regulatory regime that might apply to data providers; rather, the application of any particular state, federal, or foreign laws may depend on a variety of factors specific to individual providers.

As a result, providers may have looming questions regarding their data collection and usage practices.

There is no “one-size-fits all” guidance appropriate for alternative data providers desiring to understand and mitigate legal risk factors. That said, there are certainly steps data providers can take to ensure that they are best positioned to address any legal developments impacting their business.

The below checklist offers some preliminary steps data providers might consider taking in attempting to navigate these bumpy and unpredictable legal waters.

• Understand the nature of your data. Data providers should be intimately familiar with the nature of the data they are collecting and selling. For example, are you providing data that is exclusively publicly available? Are you providing personal (even if not “private”) information? And is any of the data copyrighted? The nature of data may inform a provider’s legal obligations and risk profile. For example, data about individuals may be subject to various privacy laws governing the use of that data, and those laws are rapidly expanding.
• Understand how your data is obtained. A data provider’s risk profile may vary depending on, among other factors, the manner in which they obtain data. For example, data obtained from web-scraping may have different risk factors from data obtained from an API or directly from the data source. For these reasons, it is important to understand the “how” of your data collection.
• Educate your employees and agents on the rules. It is important to have company policies on collecting, storing, and using data. And it is just as important to ensure that your employees are familiar with and compliant with those policies. While some companies ensure education and compliance by requiring annual signing of company policies, data providers should consider more extensive education on these topics, especially for employees whose jobs might involve experimentation with data collection (including in the areas of research and engineering).
• Consider asking an attorney to review your contracts. To the extent your data is sourced from third-parties, it is important to have sound contracts with provisions that best position you in the event of a dispute down the road, regardless of the nature of that dispute.
• Keep up to date with any rules imposed by your data sources. For example, if you are aggregating data from a website that allows for it, make sure you are up to speed on the website’s rules. Sources may – without warning – change their terms or permissions, and you will want to be aware of any such changes as soon as possible.
• Diversify your data sources. At any time, a source of data may go dormant or stop offering that data.  For that reason, providers should have a variety of data sources to ensure that they are not wholly reliant on any singular source.

In short, for alternative data providers, education and awareness is the first step to ensuring that they can continue to thrive in this exciting industry.

Renita Sharma and Hope Skibitsky are experienced litigators in Quinn Emanuel’s New York office. They have extensive experience representing clients in the data scraping space, including on issues relating to the intersection of data scraping/aggregation and the Computer Fraud and Abuse Act, violations of terms of service and related torts. They also frequently advise clients on ways to mitigate their legal risk profile with respect to data collection and usage.