Software has become a major industry, particularly amid the significant and ongoing expansion in artificial intelligence (AI). AI and emerging changes in state privacy laws raise new issues for End User License Agreements (EULAs). If your company sells a software product, it may be time to reevaluate and update your product license agreements and privacy policies. Regulations can vary by state, so it is important to stay informed and ensure compliance with local guidelines and laws.
1. AI-Driven Licensing Complexities and Transparency
Ownership of AI-Generated Content
If your software involves AI-generated outputs—images, text, or code—your EULA needs to clearly define ownership rights, including whether these outputs can be used only internally or commercially. This can be particularly crucial when AI depends on data and ownership of that data can be commercially valuable for licensing or sale to third parties.
Certain State Disclosure Mandates for National Software Licensors
Some states such as Utah and Tennessee now require explicit disclosure if content is AI-generated. Additionally, California’s AI Training Data Transparency Act mandates developers to disclose whether training data includes third-party or personal information.
EULAs must contain clear disclosure of AI functionality and limitations, especially where human-like communication is involved. In New York, the FY 2025–26 budget package introduced several consumer safeguards, including AI Companion disclosures: If your software includes AI agents or companions, they must clearly indicate to users that they are not human—and include protocols for self-harm or suicidal content escalation.
Agentic AI & Liability
The increased use of autonomous “AI agents”—systems that act on users’ behalf (e.g., booking travel)—produces unique liability concerns. EULAs must clearly define who is accountable when complications arise: the developer, the user, or another party.
2. Consumer Rights & Digital Ownership Laws
California AB 2426: No More “Buy” If It’s a Revocable License
As of January 1, 2025, California law forbids the use of terms such as “buy” or “purchase” when a revocable license is granted. Now, digital stores must be transparent about what the user is obtaining. Essentially, EULAs should avoid misleading language suggesting permanent ownership where none exists.
3. Arbitration, Class Action Waivers & Consumer Pushback
Recent updates now include arbitration clauses and class-action waivers, which severely limit consumer recourse. Critics argue the opt-out process (e.g., requiring mailed letters within 30 days) is deliberately burdensome, causing frustration and discouraging individuals from exercising their rights. In 2025, courts and regulators may scrutinize such clauses more aggressively, deeming them unfair or unenforceable.
4. Privacy, Data Protection & Consent Standards
Move to Server-Side Tracking
Server-side tracking via APIs is gaining traction as cookies are becoming less popular. EULAs should reflect these shifts by distinguishing how and what personal data is collected, processed, and shared.
Sensitive Data and DPIAs
Regulators increasingly target sensitive data like geolocation and health info. They’re also demanding Data Protection Impact Assessments (DPIAs). Given this, EULAs should transparently disclose sensitive data handling and reference any DPIA processes.
5. Enforceability, Consent, and Jurisdiction Battles
Clear Assent Mechanisms
Traditional “browse-wrap” agreements (hidden terms via links) are under intensified legal scrutiny. Enforceability hinges on clear, conspicuous consent mechanisms like click-wrap or dual-click designs, with robust version control and audit trails.
Cross-Border Jurisdiction Issues
Given the international nature of software, EULAs must navigate jurisdictional challenges and clarify governing law provisions. For example, in jurisdictions like California, Colorado, or Utah, EULA enforceability and consumer protections differ significantly. There may be a need for additional provisions or exceptions for end users that reflect the regulations of given jurisdictions.
6. Clarity, Trust, and Fair Termination Practices
Plain Language Required
Complex and dense legal language undermines trust. EULAs should use plain, precise language (e.g., “up to 4 concurrent users” rather than vague phrasing) and highlight critical elements like data collection, automatic renewals, and cancellation policies in plain language.
Unfair Termination Clauses
Vague or overly broad termination clauses that allow providers to revoke access without cause can be costly for users. Ensuring fairness has become crucial to maintaining user trust and preventing potential conflicts.
New York’s Changing Laws
In June 2025, New York passed the Fostering Affordability and Integrity through Reasonable Business Practices Act (FAIR Act), marking the first substantive update to state consumer protection law in over 45 years. It expands General Business Law §349 to cover not only deceptive practices but also “unfair” and “abusive” acts, significantly broadening enforcement powers for the Attorney General. In regard to EULAs, providers doing business in New York must now ensure that their EULAs are not only free from misleading terms but also avoid clauses that could be construed as unfair or abusive. For instance, EULAs should not include overly burdensome cancellation processes, hidden fees, or confusing auto-renewal mechanics.
Moreover, New York’s FY 2025–26 budget package introduced several important consumer protections including “Click-to-Cancel” mandates: Subscription services must offer cancellation procedures that are as simple as the sign-up process. Update your license agreements to emphasize transparent auto-renewal and cancellation terms with straightforward exit options.
The proposed New York Privacy Act (2025-A8158 / S3044) imposes stricter requirements on companies processing personal data of 500 or more individuals:
- Must disclose data de-identification methods.
- Ensure special safeguards around data sharing.
- Give users the right to request names of third parties with whom their data is shared
EULAs must be updated to clearly outline how user data is de-identified and any data sharing practices including with whom and why, and user rights to request that information.
7. Digital Fairness Act: Notice & Consent for Personal Data Use
The Digital Fairness Act (S4276) expands user privacy protections by requiring businesses processing personal information to provide:
- Meaningful, clear notices in plain language.
- Affirmative opt-in consent for collection, use, retention, or monetization of user data.
- Prohibits discriminatory profiling in areas like housing, employment, or credit based on sensitive characteristics.
EULAs should be updated to use plain-language privacy sections and avoid legal jargon. They should also ensure that opt-in consent elements are clearly outlined and are not hidden in annexes. Moreover, they should avoid terms that allow discriminatory or targeted practices.
8. AI Copyright Litigation: Knock-On Effects on EULAs
In early 2025, several high profile lawsuits targeted AI developers like OpenAI and Anthropic for alleged copyright infringement. Specifically, these developers were pursued for using copyrighted content without the necessary permissions to train models. Outcomes of these cases may force EULAs to incorporate indemnifications, licensing disclosures, or usage limitations around copyrighted training inputs.
Takeaways for EULA Updates in New York
In 2025, EULAs face unprecedented legal and regulatory changes, from AI transparency and civil protections to digital goods legislation and privacy enforcement. By proactively addressing these emerging issues such as using plain language, well-defined user protection provisions, and compliance with new laws and regulations, software providers can foster trust, prevent disputes, and ensure their EULAs remain enforceable and equitable.
- Reassess fairness: Ensure cancellation, fees, and renewals are equitable and easy to understand.
- Clarify AI behavior: If your application includes automated chat or agents, disclose limits and responsibilities.
- Simplify language: Especially for privacy and consent—plain, accessible, and transparent.
- Audit data disclosures: Be ready to explain data handling, sharing partners, and allow user inquiries.
- Align with new rights: Integrate emerging user protections proactively into your licensing structure.
If you need assistance with updating your EULAs, reach out to Tracy at Tjong@EvansFox.com.
Tracy Jong is a Senior Attorney at Evans Fox LLP with 30 years of experience focusing her practice in business law, intellectual property and licensing for alcohol and cannabis. Tracy Jong is a member of the New York Bar and is a registered attorney at the United States Patent and Trademark Office. She can be reached at Tjong@EvansFox.com.
ATTORNEY ADVERTISING
The content has been prepared for informational purposes only; it should not be construed as legal advice, does not create or constitute an attorney-client relationship, and readers should not act upon it without seeking professional counsel.