Software Licensing and Privacy Policies – The Accounting Technology Lab Podcast – Oct. 2024
Hosts Brian Tankersley, CPA, and Randy Johnston discuss how changes in software licensing and delivery models can affect client data and privacy policies.
Oct. 03, 2024
View the video at: https://www.youtube.com/watch?v=L9wx78k7zsk
Transcript (Note: There may be typos due to automated transcription errors.)
Brian F. Tankersley, CPA.CITP, CGMA 00:00
Welcome to the Accounting Technology Lab, sponsored by CPA Practice Advisor, with your hosts, Randy Johnston and Brian Tankersley.
Randy Johnston 00:10
Welcome to the Accounting Technology Lab. I’m Randy Johnston with my co-host, Brian Tankersley. We’d like to talk to you today about software licensing and privacy policies. Now, in prior Accounting Technology Lab sessions, we talked about privacy related to AI and in general, and the more we thought about it, the more we knew we needed to talk first about software licensing and privacy policies and then put the privacy against AI in place. Now, Brian has done a fair bit of research in this, and his content is exceptionally strong, as I would see it. He really got me to think about sub processors in license agreements. I should have been thinking about it long before now, but I realized that when you start reading the license agreements, sub processors are named, and one of the things I have not completed that’s now on my list to do, like I need one more bloody thing to do, is, you know, making a list of subprocessors. And I’ve nicknamed that the naughty and nice list. So for those of you who might be thinking about that way. You know, who’s on the good list and who’s on the bad list. And it turns out because
Brian F. Tankersley, CPA.CITP, CGMA 01:24
Santa Randy is, Santa Randy is coming to town. Yeah,
Randy Johnston 01:28
I am going to come to town and, you know, I’m going to leave some coal for some sub processors looking at it. So in any case, Brian, I know that this could take both of us down rabbit holes that I can’t even forecast for our listeners, where this will go. But start us off on what you’re thinking about software licensing as it relates to privacy. Okay,
Brian F. Tankersley, CPA.CITP, CGMA 01:54
so software licensing is realistically, you know, the thing we have to all watch out for. One of the things that the cloud enables that you really couldn’t do with desktop software effectively is it lets business, lets software companies in particular, have a data monetization plan where they sell the data either disaggregated, aggregated, you know, or even sometimes without anonymizing. And so the software license and the terms of service and the privacy policy are key documents that we have that govern the relationship between you and the software company. And so it is where they come out, and they say, this is what we do. And so, so we’re gonna, we’re gonna talk about that. You know, historically, we were worried more about the licensing when we had perpetual licenses. And, you know, have you bought enough perpetual licenses of the software so that you can use it? With subscription pricing, they’ve largely addressed that compliance issue. But there are still things you need to think about, like, if you’re using Office 365 Home, for example, at your work, that’s not a permitted use in there, and you wouldn’t know that unless you read the license. The license actually says, when you have Office 365 Home, you agree to not use this for any work or nonprofit business, and so they want you to pay for it. And yeah, so, you
Randy Johnston 03:28
know, at the risk of interrupting here, Brian, as you’re talking about it. You know, we used to talk about software licensing, because it could be a ethics violation, causing you to lose your CPA license. Point 1.2, this home license call out, when you read the license agreements, you’ll discover there’s restricted use like home. You can’t use it for not for profit. Pieces do you do? Not charitable, not for profit. Work in your town. You probably shouldn’t be using home. Then
Brian F. Tankersley, CPA.CITP, CGMA 04:01
but, I mean, I think realistically there, you know, my read of the license, just to so people don’t freak out, is that, if you use it occasionally for your, you know, for your church, you know, and you’re not an employee the church, I don’t think you’ve got a problem.
Randy Johnston 04:17
Yeah, yeah. I think that’s a fair call out. But you know, the other thing that we are, again, as they say in my part of the world, you know, a lot of firms share logins, and you know that’s a violation of most license agreements. And we understand you might be doing it because there’s only an occasional use need, and you know, you really didn’t. You were trying to avoid the expense of buying it for everybody. But that is actually a violation, not only of security issues, but also if the license agreement here’s the net that can be tracked at this point. Now, are the the software companies going to hunt you down like a dog? I don’t think so. In most cases. But we do know that firms are being pursued for violations of security licenses and some other things. And I don’t know how this is all going to play out, but we are far more worried about the privacy side right now.
Brian F. Tankersley, CPA.CITP, CGMA 05:15
Yeah, this is not like a Netflix login where, where, you know you should be sharing those kinds of things in a business context, because you know where Netflix may come after you and get, you know $500 or $1,000 for you share in your login with them in some kind of negotiated settlement if they prosecute you. When we start talking about software licensing, we typically start at about $50,000 and go up from there. So it gets it gets pretty pricey, pretty fast. Anyway. What we’re seeing, though, is, again, this, the criminal prosecution of this. You know, intellectual property rights have always been an issue, and the criminal prosecution of copyright violation and software, software licensing has largely disappeared in favor of civil recovery. They just want your money, and they’re going to want a lot of software suffered piracy is protected under copyright law, and with data as a marketable product, we need to look at again this, this concept of how the data gets treated, and so forth.
Randy Johnston 06:15
Yeah. So you know, Brian, your your your phrase, you just come up with some great phrases, and I want to give you credit, and it may have come from someplace else, but data pimping is actually, you know, one thing that you just get ballistic about, rightly so, and that there are many companies that the entire business model is around selling data or leveraging the data in ways that, as accounting professionals, you’ve got fiduciary protection issues, but if you haven’t read the license agreement, you don’t know that you’re giving your client state away. Yeah,
Brian F. Tankersley, CPA.CITP, CGMA 06:50
and again, I’m not, you know, I’m not suggesting that in these privacy policies that people are necessarily selling the data. But if they say they can, then chances are they will at some point. And so I want you to kind of understand it. This is one of the things I think that really has been kind of a bee in my bonnet, as it were, about a lot of the cloud solutions, because Silicon Valley loves to aggregate data and do things with data. And the problem is that our Code of Professional Conduct doesn’t say, well, unless somebody else says, you know, it says you will not disclose to third parties, you know, without authorization. And so it’s almost like you have to put something in your engagement letter to authorize it, otherwise you may have a problem, you know, with this, so it’s really important that you pay close attention to these things. Now we look at software licensing. It’s like airfare pricing, there’s many, many different prices. You know, Randy, if I booked a trip to come see you and Pam in Hutchinson today, I would pay a crazy price, okay, if I did it in, if I booked it three months out, if I booked it three weeks out, I would pay less. If I booked it three months, six months out, I would pay even less. And so this is kind of like software licensing is, in that the airlines are trying to maximize their profits. And so the software companies do the same thing too. They will discount things to big customers. The objective, again, is they will segment you using the licensing. And so that’s why, for example, my Office 365 Enterprise, my E3 plan, I think, is $32 a month, if I remember right, I buy it through another package. But, you know, there, there, but then there are for one user, but then there are Office 365 Home plans. 
It gets discounted sometimes to $69, $79, and so that’s this, this difference in here, will they, the way they and the way they do this is they restrict the rights of what you’re allowed to do. For example, if I have Office 365 Home, I can’t run that in a Terminal Services, Citrix, remote desktop environment, not permitted. Okay, with my Enterprise, I can. And, you know, there are different rules that they add and remove there.
Randy Johnston 09:21
Yeah. And one other thing that’s maybe not so obvious. Last number I knew, you may know the right number, Brian, but I think it’s eight different versions of Excel are available based on your license agreement. So if you’ve got an E3, E5, that’s different than the Excel in an OEM, or a Home, or so forth. So
Brian F. Tankersley, CPA.CITP, CGMA 09:40
So like, if you have a home version of Excel, a home version of Office, you don’t get the Excel data model and Power Pivot and some of the tools. I’m not sure if you even get Power Query. So some of the back end database tools that we talk about that can really solve big problems for you, you just don’t have access to in the lower-end versions. So, yeah, you’re absolutely right, Randy. It’s interesting times here. Now, again, you need to read these things. I’m not saying, you know, Randy and I, Randy’s always said that he’s one I’m going to steal from dad here. Now, one of the things that he’s always suggested is that not everybody has to read the software license, but somebody at your firm should read it in detail. Okay? And what I like to do, my latest favorite thing to do is to feed it into ChatGPT, and tell it to summarize it. Because these are huge documents, but again, key documents you want to look for are going to be the End User License Agreement, or EULA, that typically is associated with perpetual licenses. Terms of Service are typically associated with cloud services, and then you have the privacy policy. So again, there’s some common contract terms we’re going to talk about during this podcast. And again, we’ll kind of go through here, as Randy mentioned, there are numerous bundles and SKUs that change frequently. SKUs, again, stock keeping units, just different items that are sold. And even the experts struggled to do the logic. In fact, at one point, and I think it’s still there, there was actually a focus in the Microsoft Partner Program on volume licensing as a competency. And there were certifications you could get in volume licensing because of the complexity of their pricing plans and the things you’re allowed to do, not allowed to do. Yeah,
Randy Johnston 11:35
and you’re right on that, Brian. At one time, there were as many as 80 licensing approaches. And, you know, the big software distributors, the Ingrams and the CDWs, had licensing desks, and you could call in and get different answers from different people, from the experts. I mean, it was a circus, but there still is some of that type of approach. But because of this SaaS approach of sales, now it’s much more of a okay, just pick the model that might fit. But it is frequent that organizations pick the wrong models and that there are crossovers between the enterprise versions, the E3s, E5s, and down into Business Premiums. For a lot of CPA firms, we recommend the Business Premium, plus, because of the Advanced Threat Protection, the data loss prevention, the MDM, other things that are in there that help you comply with your required 5293 5447 written information security plan. But I am not against having E3 licenses or E5, and normally in most firms, I want you to have at least one E3 or E5 and then maybe fill out the rest with Business Premiums, simply because you get different capabilities and different upgrade capabilities in it. But again, that’s not the goal of today’s podcast. You can see this is still, well, your word, Brian, Byzantine. It’s like our tax code.
Brian F. Tankersley, CPA.CITP, CGMA 13:05
It really is. It’s like the, you know, the devil is in the details, like SALT, state and local tax, the devil is definitely in the details, and they matter. So let’s talk now about the End User License Agreement first. Okay? And so these are the terms that you have of your agreement with the software license company. Software license with the software company, excuse me. The terms are generally written in their favor. They almost always limit their liability. They almost always require binding arbitration and/or state that the place where things are going to get disputed is near their headquarters, as opposed to in your jurisdiction, but it lets them define the terms of the use for the software in a way that’s favorable to them. Most of you just click on I agree, because you realize that you have very little ability to negotiate this. Now, if you are a big company or a government, you may have the ability to negotiate certain terms away, but other ones may be immobile. Now here’s the hard part about this. When we go in and look at the EULA or the terms of service for QuickBooks Online, it is 57,053 words, okay, and according to Microsoft Word, because I copied and pasted it into it, it is at a Flesch-Kincaid grade level of 14.6. Okay, so it’s a fairly complex document. Desktop QuickBooks only has 24,000 words, and Xero has 5300 words. And so these things get really, really long, really, really complex, and many times they’ll refer, by reference, to other documents. And so if you look at the 57,000 words I’m quoting here, I think that may incorporate the privacy policy or other things like that, but they are very, very complex. The US, again and again, you’re going to look at the terms and scope of license. Where are you allowed to use it, where you’re not allowed to use it? What’s the duration of the license? 
What are what’s permitted, what’s not permitted? How much are you going to pay? Are there royalties or other fees you end up having to pay. They will disclaim any liabilities or warranties of things for merchantability and other things like that. They’ll limit their liability. And then they’ll also define things like how changes are made. Now, Randy, you want to go through some of the other ones, some of the other terms that are in this well,
Randy Johnston 15:37
you know, additional terms are how to get help with the application, and you know how you resolve disputes, the binding arbitration, as you’ve already mentioned, Brian, tends to be in friendly jurisdictions, or near their headquarters. There are procedures for terminating the relationship, but they typically again favor the vendor. Often, you know, 30-, 60-day cancellations or more. And there are consents where you’ve agreed to receiving email or text messages or phone calls. And the key one that you taught me about this year, Brian, was how the data is shared with other words, others outside the organization, such as the sub processors of data. Now, there’s some sub processors out there that are good guys, bank feed aggregators, I think might be a good example. But there are some that I’d consider bad guys, mass marketing groups and so forth,
Brian F. Tankersley, CPA.CITP, CGMA 16:37
yeah, and so, you know, again, there’s a lot to these things, so don’t think that you’re going to get through these things in a fairly short period of time. Now, the good news is there are tools you can get that will help. So here’s one called EULAlyzer. It’s actually a free download, and you can use it for personal use for free. If you want to buy a license for it, it’s 20 bucks. It can help you summarize it. I think I find honestly ChatGPT before is probably a little bit better, in my mind, at summarizing these things than EULAlyzer is. But it’s a tool that’s available. There’s another one called ToS;DR at tosdr.org. It’s a database of privacy ratings. This is more consumer oriented, but it’s there, and you have PrivacySpy, that’s another web database that seems like it’s a little bit dated, but you know, there’s some stuff in here. Now, when we jump over and look at the privacy policies, these will go through and talk about what data gets gathered, how your information is going to be used, the purpose of data, the information, when your data will be disclosed, but they’re not always specific as to who they’re disclosing it to. They will say, generally, we may share it with our strategic partners. Okay, who’s that? Oh, I don’t know. So they’re not always explicit in there and their security policies and procedures. And again, this is pretty heavy duty. Again, we have Intuit at 12,000 words, Xero at 2600 words, ADP’s general privacy policy is 13,000 words. They have a glossary. That’s another 2600 words. And then for client employees, they have a 900 word privacy policy. Yodlee Envestnet, that is the bank feed aggregator that’s used by many of your applications, has a 5900 word privacy policy. Now let’s go through and talk about some of these uses. Okay, so for example, here’s Intuit’s privacy policy, and this version of it is the one that was current as of March of this year. 
And so I haven’t updated this of late, but it says that you represent you’ve complied with all applicable laws and received proper authority or consent to allow us to collect and process such information, to process our business. You further agree that, other than with respect to information furnished to TurboTax in connection with the prep of an individual tax return, any sharing of personal information among Intuit group policies is contemplated as a part of the platform. That is, they’re going to share it with all these folks, okay, so that includes Credit Karma, Intuit Insurance Services, Intuit Mortgage, you know, all these other ones. Okay? And so I just kind of mention this to you here, because you may not know that Intuit has, I think they did this to comply with GDPR and allow them to still do some of the things they do with privacy, but I want you to see that they allow the sharing between all these different companies. So you may not even, you know, you may have data that’s in Credit Karma that you didn’t even realize was shared about you, and this may be part of the way it got to Yeah,
Randy Johnston 19:36
so it turns out, Brian, you know, Intuit does list all the companies. But I think you called out about 11 related entities on Intuit alone, and they’re a big company, they’re public. You know, one would presume that public companies might have different responsibilities than private companies. That may or may not be a good assumption, as we would see it. Again, we’re not kicking Intuit under the bus on this, but we are illustrating because so many of you use QuickBooks Online or Lacerte or ProSeries, and many of your downstream clients may be using simple products like TurboTax or Credit Karma, and all of a sudden you may have a client coming at you saying, you know, I got telemarketed, and these people had a lot of my detailed information. And to my knowledge, you’re the only person, CPA firm, I’ve ever shared this with,
Brian F. Tankersley, CPA.CITP, CGMA 20:36
and I will say the one that’s really the salt in the wound for me are the payroll services here. So the Intuit Payroll in particular, that’s one that really makes me nervous, because if I think about it, you know, if I’m doing payroll for a client, let’s say I’m using Intuit Payroll, and that information on the employees gets out to the public. You know, I don’t have a contractual relationship with the employee, and in my contractual relationship with the client, I may not have said anything about Intuit sharing of data. And so if that data gets shared, I may have a professional, you know, again, a confidential information breach that I have to disclose now. Now I want you to also see that the platform may include information about third party services or other products to connect your account to. Intuit may be compensated by third parties. Okay, so they may sell ads, basically, in here. They also say that you grant Intuit a license to use your content, including host, reproduce, distribute, communicate, sub license and use, publish or publicly display your content if you’ve made it visible to others, modify and create derivative works based on your content. Now the other thing here is that Intuit actually says, and I think I’ve got a slide on this later, Intuit actually says that they will use your data that they have on you in the creation of their GenOS AI models. And that’s something that, again, is, I don’t know, can be problematic. We’ll talk more about that, I think, in another episode. But we also have things like Yodlee’s terms. So for example, this is out of the Xero privacy policy. They actually say that Yodlee is a sub processor and that you’re subject to their terms. 
And so there are companies like Yodlee, Fiserv and others that do the bank aggregation, and sometimes there are restrictions on those things that are different from what you might think or from what there is on the software. Now, ADP does a good job of documenting their ethics. In particular, they have some AI ethics statement. They say what their approach is, what they do with it, how they are, what their principles are used in here, what principles they use, how their AI’s models are evaluated and governed. And they do a good job of kind of explaining that. But again, I want you to know that this use of AI, and we’ll talk about this in future episode. The problem here is that we can have data that leaks out of AI models based on it being used to train Yes,
Randy Johnston 23:27
so and you are right there, Brian, and you know the ADP ethics principles here, I think bear mentioning a human oversight, governance, privacy by design, explainability and transparency, data quality, the culture of responsible AI and inclusion and training. And there’s actually more, but I wanted to call those out, because we think ADP is doing a good job on their AI and ethics, but this ability to be training models is a big deal. Well, you know, as we wrap up this session, we want to just talk to you a little bit about acceptable use policies. And, you know, a few closing thoughts.
Brian F. Tankersley, CPA.CITP, CGMA 24:13
Sorry, sorry about that. Now we talked about acceptable use policies. This is how you govern what your employees do. So you basically have, you know, with these, this governs, yet what they’re allowed to do with the data and other things like this. So this says what’s acceptable to do, what’s not acceptable. This is an important document for you to have. It’s a key part of your WISP in my mind, because if you don’t have things laid out for how you work with your staff and what they’re supposed to do, what they’re not supposed to do with things, it’s going to be difficult for you to say with any authority as to what actually is getting done. Now you can actually get, you know, but it talks about ownership and use of technology, security and handling confidential information, unacceptable uses, email and communication, blogging, social media. It and consequences for violations. So we need to consider that. Now sometimes you’ll have also what’s called an open source library. And there are different kinds of licenses. There are permissive licenses, that are academic licenses, where you don’t have to provide source code. There are also copyleft licenses that require source code to be distributed with it. Okay? And I’ve listed some of these types of things, which licenses are permissive, and which licenses are copyleft, as it were, and so that kind of takes us through here. Now there are a lot of, you know, there are a lot of laws and regulations that we’ll discuss in a future episode, but that’s kind of our introduction to licensing. I hope that helps you. Hope it helps you understand kind of what’s going on there.
Randy Johnston 25:51
Yeah. So part of the setup on this friends is we know that there are actively seven pieces of privacy legislation here in the United States, of which 19 are scheduled for enforcement. And so we thought, if we’re going to talk about privacy, we had to really lay the groundwork with software licensing first, and then in other episodes, we’ll be applying those privacy laws and regulations. So we you can see that Brian has a fair bit of background in this. Yet, I can tell you the license agreements change. You know, I used to recommend that you create a copy of the license agreement at the start of your term. In other words, if you license Microsoft Office, it’s licenses for a year, you fall under the terms on the day of your the execution of your agreement, and one year later, when you renew, you get a fresh license agreement. And Microsoft was changing their license agreements monthly for a while, and so I think one month, I saw three different versions of their license agreement in a single month. So I just want you to understand this is a very volatile, very risky area to your clients and to your firm. So Brian, other parting thoughts here on licensing and privacy.
Brian F. Tankersley, CPA.CITP, CGMA 27:15
You know, I just generally think that this is an area that we’ve got to pay attention to, because there are people, you know, you heard Randy. Heard Randy mentioned the data pimping, you know. And it really, I’m really troubled when people are selling your data to services like Experian, where they’ll, they’ll, they’ll sell data to the credit bureau about how much you make. And there are things like that that really just seem unseemly to be used to for, for, I guess, software providers, to accounting firms to be doing that kind of stuff. Now, there are reasons for it, but again, you need to somebody in your somebody in your business needs to understand the licenses and needs to, needs to, again, kind of be the lead on this, so that you don’t get surprised by some of these things that are happening.
Randy Johnston 28:01
Yeah, well, sorry to have kind of a dark sounding episode for you today, but the more you know, the less you may like or maybe you have a different attitude and just say, hey, everything’s public. Anyway, people can you know know everything about me that is not a problem. Again. I’m not trying to tell you how to think, I’m just trying to tell you what the concerns are from our perspective. Well, Brian and I appreciate you listening in. We’ll talk to you again soon in another accounting Technology Lab.
Brian F. Tankersley, CPA.CITP, CGMA 28:32
Thank you for sharing your time with us. We’ll be back next Saturday with a new episode of the Technology Lab from CPA Practice Advisor. Have a great week.