The standard SaaS “improve our products” clause you clicked through at onboarding now doubles as an AI training license. A Stanford Law CodeX analysis of TermScout data found 92% of AI vendor contracts claim data rights beyond what’s needed to deliver the service, far exceeding the 63% SaaS market average. Most companies don’t know they’ve already signed.
The FTC flagged this in February 2024: quietly revising terms to enable AI training on previously collected data may be unfair or deceptive under the FTC Act. Provisions allowing vendors to “improve,” “build,” or “enhance” their products can already extend to AI training. Contracts written before generative AI drew no such distinction.
The liability math is lopsided. Only 33% of AI vendors offer protection from third-party IP claims, below the 58% SaaS market average, and just 17% of AI contracts clearly commit to following all applicable laws — compliance defaults to the customer regardless. Figma faces a proposed class action filed in California federal court in November 2025 alleging it automatically enrolled users in AI training without disclosure. Figma denies using customer data without explicit authorization.
Here’s the operator risk most procurement teams miss: a model trained on your proprietary workflows can reproduce those patterns in products sold to your competitors. The right question is who owns the insights the model derives from your data, not just whether the vendor has a privacy policy. Juanita DeLoach at Barnes and Thornburg recommends defining training data, establishing ownership of model-derived insights, and requiring notification before model changes.
The FTC’s position is clear: consent from one set of terms doesn’t transfer to AI training added later. Update your vendor diligence checklist before the next renewal lands.
Nathan Zakhary