Legal quicksand: Shrink-wrap, click-wrap agreements

Shrink-wrap and click-wrap agreements are the fine print you see, among other things, when you click through terms and conditions in accessing an online service (e.g., in connection with a cloud computing service) or as part of the installation of a piece of software.

They may also be encountered as part of the documentation provided with new software or a hardware component. They may even be found, with some searching, in a file entitled "license.txt" or similar name on the installation CD on which a new piece of software is delivered. Businesses seldom read these terms in any detail, generally view them as non-negotiable, and accept them as a necessary evil.


The fact is, these types of agreements can present significant legal and business issues. They can place a business' sensitive data at risk, expose the business to liability, compromise the business' ownership of its own intellectual property, and cause the business to pay additional, unforeseen fees. Three specific examples:

* A bank's CIO comes into work one morning to find a group of auditors sent by a software licensor demanding the right to access the bank's computer systems and facilities to confirm the bank has properly used the software. When the CIO objects on the ground that the bank cannot permit third parties to access its facilities and systems because doing so would put the bank's highly sensitive data at risk, the auditors point to a provision in the software license agreement granting the licensor an unlimited right to conduct onsite audits without prior notice. The bank had no grounds to object; refusing would have put it in breach of contract. The bank had to permit the auditors access to its facilities and systems even though the software license agreement contained no confidentiality protection for the bank's data.

* In another case, a small business signed up for a cloud-based service. A few months later, it received a letter claiming it was infringing the patent rights of a third party in its use of the cloud service. When the small business contacted the cloud service provider, it was shocked to find out that it had no protection under its cloud service agreement for this claim, even though the provider was the cause of the infringement. Worse yet, the cloud service agreement required the small business to indemnify and hold harmless the cloud provider for the cloud provider's own wrongful actions in infringing the third party's patent rights.

* Finally, a customer licensed a piece of software from a start-up company and spent time talking with the company about improving its software. Ultimately, the customer decided to take its ideas and create its own software for use within its business. The customer then received a letter from the software company asserting that the customer could not use the customer's own ideas to create its software. In fact, the software company was demanding that the customer pay a substantial fee to continue using the customer's own ideas. When the customer objected, the software company pointed to a clause in its software license agreement that assigned to the software company ownership of all rights relating to the customer's ideas.

This article discusses some of the key risks inherent in these types of transactions. Specifically, the following areas are addressed:

* Defining what constitutes a "shrink-wrap" license;

* The types of products commonly licensed or sold under shrink-wrap agreements;

* How the products are typically purchased;

* The difference between proprietary software and, so-called, open source software;

* The types of terms and conditions generally found in shrink-wrap agreements;

* The inherent risks presented by making purchases under a shrink-wrap agreement; and

* Potential methods of addressing risk.

What is a "Shrink-Wrap" License?

The term "shrink-wrap" derives from the method by which software was distributed as a package of installation disks and associated documentation sealed in shrink-wrap cellophane. The accompanying end user license agreement was often itself packaged in shrink-wrap cellophane and placed on the outside of the package or included as the topmost item in the package. Today, shrink-wrap agreements can take a variety of forms and are found in both software and hardware acquisitions. However, they all have a common structure: essentially non-negotiable terms and conditions that accompany the product. The terms may appear as part of the documentation accompanying the product, as part of an online purchase process in which the terms are displayed (and the purchaser is, potentially, required to affirmatively click an "accept" button as part of the process), or presented to the purchaser on first use of the application as part of the installation process.

If the terms are displayed electronically, either online or in connection with the installation process, they are often referred to as "click-wrap" terms. For purposes of this discussion, there is no difference between click-wrap and shrink-wrap terms.

Courts in the United States have almost uniformly found that these types of agreements are enforceable (Conference America Inc. v. Conexant Sys. Inc., M.D. Ala., No. 2:05-cv-01088, 9/10/07). In fact, courts have held them enforceable even if the customer failed to read them (Druyan v. Jagger, S.D.N.Y., No. 06-cv-13729, 8/29/07).

Products Purchased Under Shrink-Wrap Agreements -- Common Elements

While there are no bright-line rules as to the specific types of products that are made available under shrink-wrap agreements, the following are common elements:

* The product typically has a relatively low cost per unit (e.g., less than $20,000). While the cost per unit for a given product may be low, or even trivial (e.g., less than $100), the total cost to the organization should not be overlooked (e.g., 1,000 units at $100 per unit results in aggregate fees of $100,000). An easy example would be a copy of Microsoft Word or Adobe Acrobat. Essentially all open source software is licensed under shrink-wrap terms;

* The product is provided "off-the-shelf," meaning that it is not customized for the purchaser. Each purchaser purchases the exact same version of the product as every other purchaser, without modification;

* The product requires very little implementation effort. The purchaser generally assumes all of the installation effort without obtaining professional services from the vendor or a third party;

* The product is generally not mission critical; and

* The product is typically well understood and established in the marketplace. Frequently, the product is available for trial and evaluation before a license is required.

The above are, of course, only generalities. It is important to note that there are many instances in which shrink-wrap agreements are used for the purchase of products that cost hundreds of thousands of dollars, require extensive customization and a significant implementation effort, and are mission critical to the organization. As discussed below, the risk of the products purchased under a shrink-wrap model can increase dramatically when the proposed application varies from the foregoing common elements.

Methods of Purchasing Shrink-Wrap Products

There are essentially two means of purchasing shrink-wrap products. First, the product can be directly purchased from the vendor that created it (e.g., downloading a copy of Acrobat from Adobe's Web site). Second, the product can be purchased through a reseller or similar entity that is authorized by the vendor to distribute the product.

One benefit of using a reseller is the potential to license and purchase products, particularly large orders, at a substantial discount. Another advantage is the possibility of negotiating an enterprise or master contract with favorable legal and business terms for all licenses and purchases made through the reseller. In many instances, however, the use of resellers results in the licensee or purchaser obtaining substantially less favorable terms than if the licensee or purchaser directly negotiated with the vendor and eliminated the use of the reseller. Resellers generally insist on highly protective agreements that absolve them of liability for the products they distribute.

Any protections relating to the products are provided in the form of non-negotiable shrink-wrap agreements from the manufacturers or, worse yet, provided through Web sites that may change at any time. In either case, the product terms are (i) non-negotiable, and (ii) almost always very minimal, offering little in the way of substantive warranties and indemnities. A growing number of manufacturers are turning to reseller arrangements for the express purpose of avoiding having to extend appropriate, market-based contractual protections to their customers.

Reseller arrangements should generally only be considered when the product satisfies the common elements described above (e.g., low fees, non-critical use, off-the-shelf, well established, potentially trialed, etc.) and the cost-benefit of proceeding with the transaction is justified. This usually means the reseller will be used for the purchase of a narrow range of pre-approved products for the organization, for example, standard office productivity applications (e.g., Microsoft Word, Adobe products, etc.).

Proprietary Versus Open Source Software

Software licensed under shrink-wrap terms can be broadly grouped into two categories: proprietary software and open source software.

Proprietary software is software that is generally developed by a single vendor, licensed for a fee, furnished in object code form only (i.e., the licensee has no access to the source code or the actual programming for the software), and provided under a license agreement that is specific to that vendor. Purchasers generally have no right to modify proprietary software. In contrast, open source software is software that is generally developed by multiple developers, provided without charging a license fee, for which the licensee is furnished with a complete copy of the source code and is encouraged to modify the software.

This article focuses only on the licensing of proprietary software. Open source software raises a different set of issues that are beyond the scope of this discussion.

Typical Shrink-Wrap Terms and Conditions

While the type of terms and conditions found in shrink-wrap agreements vary greatly from vendor to vendor, there are a number of common themes. In general, shrink-wrap agreements include the following potentially problematic terms:

* Little or no warranty protection. In most instances, all warranties are expressly disclaimed -- meaning the software is provided entirely "as-is."

* There is generally no protection in the event the purchaser is sued for intellectual property infringement arising out of its licensed use of the products (e.g., a purchaser could be sued for patent infringement arising out of use of a software product and, even though the vendor is the cause of the infringement because of the way it developed the software, find itself with no protection under its software license agreement with the vendor). These types of claims have become more and more prevalent. In fact, entire businesses have been founded based on developing large patent portfolios and then, as their revenue source, suing the licensees of software for damages. Most negotiated agreements include an indemnification from infringement claims.

* A limitation of liability that absolves the vendor of all or substantially all liability for damages of every kind and type. If an indemnity for intellectual property infringement is provided, the indemnity is generally subject to the overarching limitation of liability, significantly diminishing the vendor's obligation to indemnify.

* In contrast, the purchaser will have unlimited liability for all forms of damages. The purchaser may also be required to give the vendor a broad and frequently poorly defined indemnity for a wide-range of claims, some of which may arise from the vendor's own conduct.

* Little or no protection for confidentiality of the purchaser's information. The lack of this protection is a critical risk if the vendor has the right to access the purchaser's facilities and systems to conduct audits. Shrink-wrap and click-wrap agreements frequently contain specific language granting the vendor broad rights to conduct onsite audits of its customers' facilities and computer systems, frequently with little or no notice. Those audits can expose highly sensitive information of the purchaser.

* The location (venue) at which a potential litigation or arbitration must be conducted may be in a location that is likely not convenient for the purchaser. For example, a purchaser in California may be required to arbitrate a dispute under the agreement in Florida. If the value of license is only, say, $10,000, having to engage an attorney and attend meetings in a distant location will be cost prohibitive.

These are general observations only. The specific language of a given shrink-wrap agreement may present additional risks. In particular, as discussed in the next section, a growing number of shrink-wrap agreements may present substantial risks to the purchaser's own intellectual property or, if the purchaser is in a regulated industry (e.g., financial services or healthcare), to the purchaser's data.

Inherent Risks of Shrink-Wrap Products

The end result of the terms and conditions commonly found in shrink-wrap agreements, as discussed in the preceding section, is that the purchaser has little or no remedy against the vendor in the event there is an issue with the product or damages arise (e.g., the product has a substantial bug in it, ceases to function, causes an intellectual property infringement claim) out of use of the product. The product is, essentially, being licensed on an "as-is" basis. In most instances, the purchaser's only remedy in the event of a problem is to cease use of the offending product. A refund or other compensation is unlikely.

In general, the purchaser's primary protection in purchasing shrink-wrap products is the concept of "safety in numbers." That is, the product is widely distributed and usually well established in the community. This reduces the potential for a substantial bug or defect to go without a fix from the vendor. The purchaser is essentially relying on the power of the market to force the vendor to correct issues (i.e., vendors with poorly designed or buggy products will lose market share and, at least arguably, be easy to identify).

A growing number of shrink-wrap agreements present additional risks beyond those identified in the preceding section. Two of the most common additional risks relate to the purchaser's own intellectual property and data.

Some shrink-wrap agreements contain expansive "feedback" and similar clauses that could result in the licensor gaining ownership of the purchaser's own intellectual property. The contract actually includes language that the purchaser is assigning its intellectual property rights to the vendor. In some cases, almost anything the purchaser shares with the vendor, including during support discussions, may become the vendor's property or, at minimum, result in the vendor having an unbridled license to use what it has learned for its own business purposes. At best, this can result in the purchaser essentially granting the vendor a free license to the purchaser's valuable intellectual property. At worst, it can result in purchaser losing all control over its intellectual property.

Shrink-wrap agreements may also include broad audit rights, permitting the vendor almost unlimited access to the purchaser's facilities, records, and systems. In some instances, these rights permit any or all of the vendor's agents, contractors, and licensors to also have full access to the purchaser's facilities, records, and systems. Under these terms, purchasers assume the additional risk of giving third parties, with whom the licensee has no contract and no confidentiality protection, unfettered access to the licensee's facilities, records, and systems. For regulated entities (e.g., in financial services and healthcare) and all others in possession of consumer information, these audit rights subject the licensee to the additional risk of exposing highly sensitive and regulated data to vendors and other third parties without adequate contractual protections (e.g., confidentiality clauses, information security protections, limitations on use, etc.). Consider the potential risk presented by a vendor showing up at a purchaser's facility, without notice, and demanding full access to its systems and records, without any protection for the purchaser's highly sensitive confidential information and data or any protection if that access causes a disruption in the purchaser's operations.

Audits can also be excessive and abusive, disrupting the licensee's normal operations and potentially exposing the licensee to substantial financial liability for third party auditor fees (which can reach the hundreds of thousands of dollars). This is because many vendors view these audit rights as a means to derive additional revenue from their purchasers. Some auditors even work on a contingency basis, so that they are paid only if they find a problem. This creates an undue incentive for the auditor to search until it finds something. In a number of instances, audits have led to substantial additional fees being paid by purchasers under agreements that were not properly negotiated. In one case, an audit revealed a relatively minimal excess use of the software, which resulted in the payment of a few thousand dollars in additional license fees. Unfortunately, the customer was also responsible for paying nearly forty thousand dollars in audit costs.

Given the current economic climate, vendors are conducting these audits on an ever increasing basis to try to squeeze more revenue from their customers. The headlines are full of instances where companies have paid substantial additional fees for excess license uses. Some examples:

* Arcadian Healthcare Inc. paid $150,000 to settle claims that it had unlicensed copies of Microsoft Corp., Symantec Corp. and McAfee Inc. software.

* BioTrove Inc. paid $82,442.70 to settle claims that it had unlicensed copies of Adobe Systems Inc., Apple Computer Inc., Microsoft and Symantec software.

* Dimensional Innovations Inc. paid $80,000 to settle claims that it had unlicensed copies of Adobe, Microsoft and SolidWorks Corp. software.

With regard to reseller relationships, additional risk can arise in situations in which the reseller is providing support or subcontracted support for the licensed product. Splitting the agreements governing the purchase of the product from support obligations and having two different responsible contracting parties can lead to finger pointing when failures occur and leave a customer without adequate remedies to bridge the two agreements (e.g., if the purchaser purchases a piece of hardware and the reseller breaches its support agreement, the customer may be able to show damages under the support agreement, but will likely have no claim or remedy under the purchase agreement).

Addressing Risk

There are essentially three methods of addressing the risk of shrink-wrap agreements: blind acceptance, knowing acceptance, and mitigation.

Blind Acceptance. Blind acceptance refers to the practice of looking at a proposed use of a product, ensuring it falls within the common elements of shrink-wrap products identified above (e.g., low fees, non-critical use, off-the-shelf, well established, potentially trialed, etc.), and electing to proceed with the purchase without further consideration. Few sophisticated organizations take this approach. It would require the purchaser to proceed without regard for the risk, abandoning any effort at due diligence.

Knowing Acceptance. Knowing acceptance refers to the process of quickly reviewing the applicable license agreement for a proposed purchase of a shrink-wrap product and assessing whether it presents any unique risks (i.e., something beyond the typical terms identified above). Unless a unique risk is identified or the purchase would present conditions beyond the common elements identified above, the transaction is approved. If unusual or unique risks are present (e.g., the aggregate value of the transaction is substantial, the contract presents risks to the purchaser's intellectual property or data, etc.), the risks are clearly identified in a memorandum for review and, if the cost-benefit of the engagement warrants, potential approval by senior management. This is the most prevalent means employed by sophisticated organizations in addressing risk in transactions of this kind.

Mitigation. The mitigation approach is used in circumstances where the relevant license agreement presents unusual risks or in situations where the purchaser operates in a regulated industry where the protection of data and contracting requirements, in general, are of heightened concern. It has become common in those industries to review proposed uses of shrink-wrap products as they would any other product purchase transaction. With due regard for the relatively limited ability of purchasers to negotiate these types of agreements, purchasers quickly assess the risks posed by a new engagement and focus on mitigating only the most substantial risks. This is commonly done in the form of an amendment to the shrink-wrap agreement. Such amendments are usually brief, addressing only terms like basic warranties, basic infringement indemnity, audit rights, and protection of the purchaser's own intellectual property. A number of large organizations are now using these types of amendments to quickly mitigate key risks in these engagements. Their acceptance by vendors, particularly in larger transactions, is growing. If the amendment is rejected by the vendor and no alternate vendor of a similar product is readily available, the risks are clearly identified in a memorandum for review and, if the cost-benefit of the engagement warrants, potential approval by senior management.

The mitigation approach presents the most mature approach to addressing risk in shrink-wrap engagements.


The risks presented by shrink-wrap and click-wrap agreements should not be minimized. As with any contract, they must be reviewed and assessed to identify risk. The business can then conduct a cost-benefit analysis to determine whether the risk is warranted and whether that risk can be controlled, at least to some degree, through the use of the mitigation approach discussed above.

Michael R. Overly is a partner in Foley & Lardner LLP's Information Technology & Outsourcing Practice and the Privacy, Security and Information Management Practice. Mr. Overly is one of the few practicing lawyers who has satisfied the rigorous requirements necessary to obtain the Certified Information Systems Security Professional (CISSP), Certified Information System Auditor (CISA), Certified in Risk and Information Systems Controls (CRISC), and Certified Information Privacy Professional (CIPP) certifications.
