COPYRIGHTS AND PRIVACY: What is the Irrevocable License and is it Really a Privacy Concern?


By submitting a Posting, you hereby authorize [us] to use, and authorize others to use, your Postings and User Names in whole or in part, on a royalty-free basis, throughout the universe in perpetuity in any and all media, now known or hereafter devised, alone, or together or as part of other material of any kind or nature, including without limitation commercial use on and advertising and promotion of the Site. Without limiting the foregoing, [we] will have the right to use and change the Postings in any manner, either with or without the User Name, that [we] may determine.”

Scary sounding, isn’t it? There are so many words, packed into two sentences that all seem to say “we can do whatever we want with your information forever!” But where did this (specific) “throughout the universe” license come from, typo and all? Was it Facebook? No. Google? No. Amazon? No. What about the controversial FaceApp? No, again. This specific license came from Nickelodeon’s terms of service.* Yes, the children’s media company that brought us Spongebob Squarepants also brings us a license that seems to say they can access an individual’s data forever and do whatever they want with it. As does PBS kids, the New York Times, Panda Express, Wells Fargo Banking, UnitedHealth Group, Wikipedia, School Loop, the National Park Service, the International Association of Privacy Professionals (IAPP), and basically every single other website that allows their users to interact, comment, or signup.

Whenever a new app or technology is unveiled, or new controversy that raises privacy concerns arises, eventually someone will go through the company’s Terms of Service (TOS), find this sort of licensing clause and reference this language to allege potential privacy abuses on a grand scale. (In 2017, there was an initial blog concerned about’s licensing language for DNA data, the Ancestry response, and even a Snopes article clarifying the specifics. More recently, Wired expressed similar concerns in an article on FaceApp). However, this language is not typically targeted at undermining privacy controls governing consumer data, but instead establishes the copyright permissions and liabilities a company has in users’ posted content. 

Due to the strength of copyright protections, and harsh penalties against those who violate them, this language must be broad to comply with existing laws. Unfortunately, this has the effect of making the language easy to misunderstand, especially for consumers who do not understand the variety of legal requirements that may apply. The truth is, while the perpetual license language affects the copyright of content, any personal information a company possesses is equally controlled and limited by its legally binding Privacy Policies. In addition,  there may be various state, national, and international laws that apply further restrictions. 

The reasons for the development and inclusion of these clauses, and the privacy controversies the terms can trigger, tell an interesting tale about the intersection of data protection and intellectual property law.

First, why does the “perpetual license” language exist? Simply put, this is a copyright clause used to protect the company from being sued for copyright infringement. Copyright law exists to allow content creators to protect their works. Under copyright law, unlike some other forms of intellectual property, the content creator automatically gains exclusive rights immediately upon creating their work in a “tangible medium,” i.e. making it exist in the world. These automatic rights include the right to reproduce or copy the work, to create derivative works (any work based on the original in any form of media or material), to distribute the work, and to publicly display or perform the work. Sound familiar? That is because these same rights are often listed using the same or similar language in perpetual licenses for digital products and services. All of these rights spring into existence the moment any person creates their own original text message, sound recording, picture, drawing, or other types of works. 

A user who posts content immediately has copyright rights in original content they provide, such as text, pictures, or other submitted content. Once the user clicks “post” or “submit” or “send,” the company or website or app receiving the copyrighted content needs to copy it onto their servers, transform it into different mediums for their servers, then copy, distribute, and publicly display the original (copyrighted) post for other users to see or to provide the service the user originally requested. In essence, the website must take actions that are governed by copyright law to accomplish exactly what the user intended when sharing the work with the platform. Platforms must make sure that the user, who likely owns the copyright, has provided them with the rights and permissions they need to provide the desired service.

While it is worth mentioning that the Digital Millennium Copyright Act does provide some exceptions to these infringement actions, these exceptions apply narrowly–to services that transmit or cache content, rather than display it. Companies that host and display content can rely on the DMCA to protect them from third party claims–but they still should ensure they have permission from the poster themselves to take all the actions needed to provide the service. Rather than risk copyright liability for displaying or altering content without a poster’s permission and expose themselves to statutory damages for copyright infringement, most websites prefer to get a license from their user that will be effective for as long as the business is active (perpetually), that will not require them to pay millions of users (royalty-free), that is accessible to other users (worldwide or throughout the universe), and that cannot be rescinded by consumers so the consumer can turn-around and sue the company (irrevocable and non-exclusive). 

So even though the perpetual license language exists because a website needs permission to use any original work that a user provides, isn’t that still a privacy concern? The company now has the information. Doesn’t that license still mean they can use the information however they like, even if they don’t own all rights to it? Because copyright law is distinct from privacy law, the answers are “not exactly,” and “no.”

The rights and requirements of the TOS are not independent of other contracts, terms, policies, and laws. As such, while the TOS legally create a license to some uses of the information a user provides, the Privacy Policy i limits what information can be collected, stored, used, and sold, by who, and for what purposes. Both the TOS and Privacy Policy bind the company and the language of one does not mitigate the language of the other. Take, for example, Nickelodeon’s “throughout the universe” license posted above. Nickelodeon also has a strong Privacy Policy that outlines, in very explicit terms, exactly what information they obtain and why (found here), exactly how and why they use the information they collect (found here) and exactly who they share information with and why (found here). Should Nickelodeon be found to be in breach of any of these specific terms in the Privacy Policy, they could be fined by regulatory agencies for deceptive trade practices–but not sued for statutory damages for copyright infringement

This same overlapping of restraints also affects the interplay of the perpetual license and the various legal statutes that govern data practices. Nickelodeon has both a “throughout the universe” license and a comprehensive Privacy Policy, but is still further constrained by required compliance with the Children’s Online Privacy Protection Act (COPPA). 

Thus, the existence of this licensing language dealing with copyright law does not mean that every website and company instantly has full and complete ownership, access, and control over every bit of information that a user provides, always and forever. The license is a protective shield used to create a right for the company to use original material created by someone else – even if that is just the text of a user-posted comment – as well as to limit liability under intellectual property law. These rights do not typically limit additional liabilities under other statutes. 

Perpetual licenses, while they may sound scary, are necessary for a functioning internet and are often substantially limited by both Privacy Policies and statutes. Although this language can become an easy target for privacy-minded critiques, the language itself is a product of intellectual property practices used to mitigate legal liabilities and has minimal impact on data collection, use, or privacy protections. The real privacy concerns come from weak or insufficient Privacy Policies that may not create sufficiently strong protections for user-provided data, including personal information well beyond that covered under copyright. It is their Privacy Policy that determines what a company can or cannot do with a user’s data and is where users should look for the details of what a company may be allowed to do with their data.

*FPF is not criticizing or critiquing Nickelodeon’s Terms of Service. Nickelodeon was chosen as a useful example to highlight the issue due to their unique position in media, strong privacy policy, and intersection with a federal privacy statute.

Co-Authored by Dan Neally, FPF Summer Intern, and Brenda Leong