How to Negotiate an NDAWhat You Can (and Should) Push Back On

When a definition covers "any and all information" in "any form or medium," you are potentially bound to treat a casual hallway conversation as a protected trade secret. Courts have enforced absurdly broad confidentiality obligations — and the costs of a dispute, even one you ultimately win, can be significant.

The practical problem compounds fast. If you later work with a competitor, hire a former colleague of the disclosing party, or develop a product in the same general space, the overbroad definition creates ammunition for a lawsuit. The disclosing party doesn't need to prove you actually used their secrets — just that you had access to "information" that fits the sweeping definition.

A well-drafted NDA narrows the definition in two ways: it requires that confidential information be either marked as confidential in writing or identified as confidential within a specific time frame after disclosure, and it explicitly excludes categories that should never be restricted. Without those limits, you're signing a blank check.

Without standard exclusions, you could be legally barred from using information that you could obtain from a Google search. The absence of carve-outs isn't always intentional — it's often a sign of a poorly drafted NDA — but it creates real legal exposure even when common sense says you should be free to use that information.

There are four exclusions that every well-drafted NDA includes as a baseline: (1) information that is already publicly available through no fault of the recipient, (2) information the recipient already knew before disclosure, (3) information the recipient independently develops without reference to the disclosing party's information, and (4) information the recipient receives from a third party who is not under any confidentiality obligation. Without all four, you're arguably restricted from using information you legitimately obtained elsewhere.

The independently developed exception is especially critical for consultants and agencies who serve multiple clients in the same industry. If you're building a marketing strategy for Client A and later develop a similar strategy concept for Client B using your own expertise — without using Client A's confidential data — you need that carve-out to protect yourself. Courts look at these exclusions carefully in disputes.

Perpetual NDAs are legally disfavored and practically unenforceable in many jurisdictions, but that doesn't mean you should sign one. The problem isn't just what a court will enforce — it's what a litigious counterparty can threaten to enforce. A perpetual NDA gives them the option to sue you indefinitely, creating ongoing legal exposure for the life of your career.

For most business relationships — a vendor evaluation, a project proposal, a potential partnership — a 2–3 year confidentiality term is more than sufficient. Actual trade secrets (like proprietary formulas, manufacturing processes, or source code for complex software) may warrant longer protection, but those should be specifically carved out with tailored terms, not buried under a blanket perpetual obligation.

Five-year NDAs are becoming common even in routine commercial relationships, and they're worth pushing back on. If the disclosing party genuinely has trade secrets they need protected long-term, they should identify them specifically and argue for a longer term on those specific categories — not impose perpetual obligations on everything disclosed in a working relationship.

If you are sharing meaningful information about your own business, methods, pricing, clients, or strategy during the course of the relationship, a one-way NDA leaves you completely unprotected. The other party can use everything you share freely, while you are bound to protect everything they share.

This structure often appears when a larger company presents a template NDA to a smaller vendor, consultant, or partner. The template was written when the company was the sole discloser — a product demo, a due diligence process — but it gets reused for ongoing relationships where information flows in both directions. The company doesn't always do this in bad faith; they're just using their standard form without thinking about whether it fits.

The asymmetry becomes acute in consulting and agency relationships. You may share your methodologies, your client list, your pricing model, your team structure. A one-way NDA protects none of it. Push for mutual obligations or, at minimum, an explicit acknowledgment that your disclosures are confidential and subject to equivalent protections.

Without a residuals clause, you are arguably prohibited from using general knowledge, expertise, and skills you've absorbed during the relationship — even if that knowledge is now part of your general professional experience rather than any specific confidential data point. Courts vary widely on how they interpret this, but the ambiguity is a risk.

A residuals clause protects your right to use knowledge retained in unaided human memory — the general know-how, approaches, and skills that become part of your expertise after exposure to a client's environment. It explicitly carves out what your brain naturally absorbs and distinguishes that from deliberate use of specific confidential files, documents, or data.

Technology companies and large consulting firms routinely include residuals clauses in their own NDAs precisely because they don't want their people constrained from applying general knowledge in future engagements. If it's good enough for them, it's reasonable to ask for it in your own contracts. Some parties will resist it, but many sophisticated counterparties will recognize it as standard and accept it without pushback.

Non-solicitation clauses hidden inside NDAs are a well-known drafting trick. The NDA gets presented as a routine confidentiality agreement, but buried in the middle is a clause that functions as a de facto non-compete for employees and contractors. Because it's in the "confidentiality agreement," people often sign it without recognizing what they've agreed to.

A blanket prohibition on soliciting any employee, contractor, or agent of the other party is often overbroad. If the disclosing party has hundreds of employees and contractors, you're effectively prohibited from hiring anyone in their orbit for two years — even people you knew before the relationship, even people who approach you unsolicited.

Courts in some jurisdictions (including California) refuse to enforce non-solicitation clauses on the grounds that they impermissibly restrict worker mobility. But even if the clause is ultimately unenforceable, the threat of litigation — and the cost of defending against it — is real. Push back on scope, duration, and the mechanism: prohibition on active solicitation is more defensible than prohibition on any hiring.

Consent to injunctive relief language pre-waives your right to argue against an emergency court order. Courts do not automatically grant injunctions — the moving party normally has to demonstrate irreparable harm, likelihood of success on the merits, and that the balance of hardships favors relief. A clause like this short-circuits that analysis by having you acknowledge in advance that harm is irreparable and that no bond is needed.

The "without bond or security" provision is what makes this particularly sharp. In most injunction proceedings, the party seeking an injunction must post a bond to compensate the other side if the injunction turns out to be improvidently granted. Waiving that bond removes a meaningful check on strategic use of injunction threats.

In practice, these clauses rarely eliminate judicial discretion — courts still exercise independent judgment. But the clause creates leverage: the disclosing party can credibly threaten to seek a temporary restraining order, which can be filed on an emergency basis and impose immediate operational disruption while the case is pending. That threat alone has settlement value, which is why the clause is included.

If there's no obligation to return or destroy confidential information at the end of the relationship, you are holding potentially sensitive material indefinitely — with ongoing confidentiality obligations attached. That creates two problems: you bear perpetual compliance risk for information you may have forgotten you have, and you have no documented endpoint to your obligations.

From a practical security standpoint, retention of confidential data is a liability. Data that sits in email archives, shared drives, or backup systems can surface years later in unrelated disputes, audit requests, or data breach scenarios. Having a clear contractual obligation to destroy and certify destruction provides a clean break and limits your ongoing exposure.

Return or destruction provisions also matter when the relationship ends badly. Without them, there's no mechanism for the disclosing party to verify their information is no longer in your possession, and no mechanism for you to demonstrate you've complied. A certification of destruction — a simple written statement confirming all confidential materials have been returned or destroyed — provides documentation that protects both sides.