Data Release Agreement Template for the United States


What is a Data Release Agreement?

A Data Release Agreement becomes necessary when organizations need to share sensitive or valuable data while maintaining control over its use and ensuring regulatory compliance. This document is particularly crucial in the United States, where various federal and state laws govern data protection and privacy. The agreement specifies permitted uses, security measures, confidentiality requirements, and compliance obligations. It's essential both for protecting the Data Provider's interests and for ensuring the Data Recipient's adherence to applicable regulations such as HIPAA, CCPA, or FERPA, depending on the nature of the data involved.

Frequently Asked Questions

Is a Data Release Agreement legally binding in the United States?

Yes, a Data Release Agreement is legally binding in the United States when properly executed with valid consideration, mutual consent, and clear terms. Courts will enforce these agreements as long as they comply with applicable federal and state privacy laws such as HIPAA, CCPA, and FERPA. The agreement creates enforceable obligations for both parties regarding data use, security, and compliance requirements.

How does a Data Release Agreement differ from a Data Processing Agreement?

A Data Release Agreement governs the transfer or sharing of data ownership between organizations, while a Data Processing Agreement establishes terms for processing data on behalf of another party without transferring ownership. Data Release Agreements typically involve permanent data transfer with broader usage rights, whereas Data Processing Agreements maintain the original owner's control and limit processing activities to specific instructions.

How long does it take to create a Data Release Agreement in the US?

Creating a Data Release Agreement typically takes 1-3 weeks depending on complexity and the parties involved. Simple agreements with standard terms may be completed in a few days, while complex arrangements involving sensitive data, multiple jurisdictions, or extensive compliance requirements can take several weeks. Legal review and negotiation between parties often extend the timeline.

Can I share data without a Data Release Agreement if both parties agree verbally?

No, verbal agreements are insufficient for data sharing involving sensitive information subject to US privacy laws. Federal regulations like HIPAA require written agreements with specific safeguards, and state laws like CCPA mandate documented compliance measures. Without a written Data Release Agreement, organizations face significant regulatory penalties and have no legal protection if disputes arise or data breaches occur.

Which US privacy laws must be considered in a Data Release Agreement?

Key US privacy laws include HIPAA for health information, FERPA for educational records, CCPA for California residents' data, and COPPA for children's information. Federal sector-specific regulations like GLBA for financial data and state privacy laws in Virginia, Colorado, and Connecticut may also apply. The agreement must include appropriate safeguards and compliance measures based on the specific type of data being shared.

Does a Data Release Agreement need to address GDPR if my company is US-based?

Yes, US companies must comply with GDPR if the shared data includes information about EU residents, regardless of where the company is located. The Data Release Agreement should include GDPR-compliant terms such as lawful basis for processing, data subject rights, and appropriate safeguards for international transfers. Failure to comply can result in significant fines even for US-based organizations.

What are common mistakes people make when drafting Data Release Agreements?

Common mistakes include failing to specify permitted data uses, inadequate security requirements, missing breach notification procedures, and unclear data retention terms. Many agreements also lack proper compliance provisions for applicable privacy laws, fail to address data subject rights, or don't include appropriate indemnification clauses. These oversights can lead to regulatory violations and legal disputes between parties.

Reviewed by

Swetha Meenal

Legal Engineer, GenieAI


A lawyer, legal researcher and legal tech founder, Swetha has built AI products deployed inside Tier 1 firms and enterprises. She ensures GenieAI's alignment with the latest regulation and executes testing on the legal robustness of Genie output.

Reviewed by

Imad Mohammed Nazar

Legal Engineer, GenieAI


A Skadden-trained M&A lawyer, Imad advised on cross-border transactions and contractual risk before moving into legal AI. He reviews GenieAI's output for compliance and enforceability across our 150+ supported jurisdictions, and facilitates external benchmarking.

Jurisdiction

United States

Publisher

GenieAI

Sector

Business

Cost

Free to use

Last updated

About the Data Release Agreement

A Data Release Agreement is a legal contract that establishes the terms and conditions for sharing data between organizations while maintaining compliance with United States privacy laws. You'll use this agreement to protect sensitive information, define permitted uses, and ensure both parties understand their legal obligations under federal and state regulations.

When do you need this document?

You need a Data Release Agreement whenever your organization plans to share data that could be subject to privacy regulations or contains sensitive information. This includes healthcare providers sharing patient data under HIPAA, educational institutions releasing student records under FERPA, or companies handling California residents' personal information under CCPA. Research institutions collaborating on studies, businesses sharing customer data with third-party processors, and government agencies releasing public datasets all require these agreements. The document becomes essential when the data involves minors (triggering COPPA requirements), financial information (under GLBA), or when EU residents' data is involved (requiring GDPR compliance even for US organizations).

Key legal considerations

Your agreement must clearly define what constitutes "data" and specify exactly which information is being shared, including format and sensitivity levels. You'll need to establish permitted purposes for data use and explicitly prohibit unauthorized uses or disclosures. Security requirements are crucial - your agreement should mandate appropriate safeguards like encryption, access controls, and breach notification procedures. Include provisions for data retention and destruction timelines, as many privacy laws require data minimization. Consider liability allocation and indemnification clauses to protect against potential regulatory violations or data breaches. If you're sharing data internationally, include cross-border transfer provisions and ensure compliance with both US and foreign privacy laws.

Legal requirements in United States

Under United States law, your Data Release Agreement must comply with applicable federal and state privacy regulations based on the type of data being shared. For healthcare data, HIPAA requires business associate agreements and specific safeguards for protected health information. Educational records fall under FERPA, which restricts disclosure without consent and requires certain disclosures for legitimate educational interests. If you're handling California residents' data, CCPA grants consumers rights to know, delete, and opt out of data sales. For children's data, COPPA requires parental consent for information collection from users under 13. Financial institutions must follow GLBA requirements for customer information protection. The FTC Act provides overarching authority to investigate unfair or deceptive data practices. Your agreement should include compliance certifications, audit rights, and procedures for handling data subject requests under applicable laws.

GOVERNING LAW

Applicable law

This Data Release Agreement is drafted to comply with United States law. Key legislation includes:

GDPR: General Data Protection Regulation - Must be considered if the data involves EU residents' information, even for US-based companies

CCPA: California Consumer Privacy Act - Provides California residents with rights regarding their personal data collection and processing

HIPAA: Health Insurance Portability and Accountability Act - Regulates the use and disclosure of protected health information

FERPA: Family Educational Rights and Privacy Act - Protects the privacy of student education records

COPPA: Children's Online Privacy Protection Act - Regulates the collection and use of personal information from children under 13

FTC Act: Federal Trade Commission Act - Prohibits unfair or deceptive practices in data handling and privacy

GLBA: Gramm-Leach-Bliley Act - Requires financial institutions to explain their information-sharing practices and protect sensitive data

FCRA: Fair Credit Reporting Act - Regulates the collection and use of consumer credit information

SOX: Sarbanes-Oxley Act - Requires public companies to maintain certain standards for data security and integrity

PCI DSS: Payment Card Industry Data Security Standard - Sets security standards for organizations handling credit card data

State Breach Laws: Various state-specific laws requiring notification of security breaches involving personal information

State Privacy Laws: State-specific privacy regulations, with notable examples in California (CCPA), Virginia (VCDPA), and Colorado (CPA)

Data Retention Requirements: Various federal and state requirements governing how long different types of data must be retained or destroyed

International Data Transfer Requirements: Regulations governing how data can be transferred across international borders, including Privacy Shield and Standard Contractual Clauses

Genie's Security Promise

Genie is the safest place to draft. Here's how we prioritise your privacy and security.

Your data is private:

We do not train on your data; Genie's AI improves independently

All data stored on Genie is private to your organisation

Your documents are protected:

Your documents are protected by ultra-secure 256-bit encryption

We are ISO27001 certified, so your data is secure

Organizational security:

You retain IP ownership of your documents and their information

You have full control over your data and who gets to see it