David Zwirner

David Zwirner Terms & Conditions: 4 Critical Legal Risks & How to Fix Them

Our expert review of David Zwirner's Terms & Conditions uncovers 4 key legal risks—including GDPR, CCPA, and liability loopholes—that could cost millions. See actionable redlines and solutions.

When Art Meets Ambiguity: The Legal Risks Hidden in David Zwirner’s Terms & Conditions

Imagine a single privacy misstep triggering a €20 million GDPR fine, or a vague liability clause exposing a global gallery to six-figure lawsuits. Our analysis of David Zwirner’s Terms & Conditions reveals four critical legal and logical risks that could result in substantial financial and regulatory exposure. Here’s what every art business should learn from this case study.

1. Ambiguous Data Sharing with Affiliates and Third Parties

David Zwirner’s policy allows sharing personal data with affiliates and third parties “only in the ways that are described in this privacy policy.” However, the scope of, and safeguards for, such transfers remain vague, risking non-compliance with GDPR Article 28 (which requires a written contract with every processor) and with the CCPA’s requirement for explicit contractual protections. A breach or misuse here could result in regulatory fines of up to €20 million or 4% of global annual turnover, whichever is higher, plus class action risk in the US.

Legal Analysis

Risk: High

Original: “We may share your Personal Data with our affiliates (David Zwirner, Inc, David Zwirner Gallery LLC, URE Limited, David Zwirner Ltd, David Zwirner Books, LLC, DZGI LLC, David Zwirner Paris, David Zwirner Digital, LLC, Utopia Editions LLC, 52 Walker Street, LLC) and third parties who provide us with logistics and payment processing services (set out below), only in the ways that are described in this privacy policy.”

Revised: “We may share your Personal Data with our affiliates (David Zwirner, Inc, David Zwirner Gallery LLC, URE Limited, David Zwirner Ltd, David Zwirner Books, LLC, DZGI LLC, David Zwirner Paris, David Zwirner Digital, LLC, Utopia Editions LLC, 52 Walker Street, LLC) and third-party service providers solely for the purposes expressly stated in this privacy policy, subject to written agreements that require such parties to implement appropriate technical and organizational measures in compliance with GDPR Article 28 and CCPA. No Personal Data will be transferred to any third party without ensuring contractual safeguards equivalent to those required by applicable data protection laws.”

Legal Explanation

The original clause lacks specificity regarding the contractual safeguards and compliance obligations required by GDPR and CCPA for third-party data sharing. The revision mandates explicit written agreements and legal compliance, reducing regulatory risk and clarifying enforceability.

2. Insufficient Security Commitment Language

While the T&C states that “all reasonable technical and organisational precautions” will be taken, this language is subjective and does not reference any recognised security standard (e.g., ISO 27001, PCI DSS). In the event of a data breach, this ambiguity could undermine enforceability and expose the company to negligence claims, with average breach litigation costs surpassing $5 million in the art and luxury sectors.

Legal Analysis

Risk: High

Original: “We will take all reasonable technical and organisational precautions to prevent the loss, misuse, or alteration of your personal information.”

Revised: “We will implement and maintain industry-standard technical and organizational security measures, including but not limited to encryption, access controls, and regular security audits, in accordance with recognized frameworks such as ISO 27001 and PCI DSS, to prevent the loss, misuse, or alteration of your personal information.”

Legal Explanation

The original language is vague and subjective, which could weaken the company’s defence in the event of a breach. The revision references concrete security standards, strengthening enforceability and demonstrating due diligence. One caveat: naming ISO 27001 or PCI DSS in a public-facing policy is only an advantage if the organisation actually operates those controls; a commitment it cannot evidence (no ISMS, no completed PCI assessment where card data is handled) becomes a documented gap that a regulator or plaintiff can hold against it after an incident.

3. Unclear Data Retention Policy

The data retention clause states that information will be held “as long as is necessary for the relevant service or as required by applicable law,” but fails to specify maximum retention periods or deletion protocols. This ambiguity increases the risk of violating GDPR’s storage limitation principle (Article 5(1)(e)), which can trigger regulatory scrutiny and fines.

Legal Analysis

Risk: Medium

Original: “We will hold your personal information on our systems for as long as is necessary for the relevant service or as required by applicable law (e.g., for accounting or regulatory purposes) or as otherwise described in this privacy policy.”

Revised: “We will retain your personal information only for the minimum period necessary to fulfill the purposes outlined in this policy, and in accordance with specific maximum retention periods set by applicable law (e.g., 7 years for accounting or regulatory records). Upon expiration of the retention period, data will be securely deleted or anonymized.”

Legal Explanation

The original clause fails to specify maximum retention periods or deletion protocols, risking non-compliance with GDPR Article 5. The revision introduces clear limits and deletion requirements, reducing regulatory exposure.

4. Incomplete CCPA Consumer Rights Implementation

The CCPA section outlines consumer rights but omits a clear, dedicated mechanism for California residents to opt out of the sale or sharing of their personal information, as required under CCPA §1798.120. This exposes the company to civil penalties of up to $7,500 per intentional violation (§1798.155) and to reputational harm in the US market.

Legal Analysis

Risk: High

Original: “California residents have the right to opt out of having their Personal Information sold to third parties. We do not currently sell your information and we have not done so in the preceding 12 months. As described above, we may share your Personal Information with our Affiliates, the Program Affiliates, and our Service Providers.”

Revised: “California residents have the right to opt out of the sale or sharing of their Personal Information at any time. To exercise this right, please visit our dedicated CCPA opt-out page or contact us at [specific opt-out email/URL]. We will honor all opt-out requests in accordance with CCPA §1798.120 and will not discriminate against you for exercising your rights.”

Legal Explanation

The original clause lacks a clear, actionable opt-out mechanism as required by the CCPA, and its statement that the company “does not currently sell” data sits awkwardly beside the admission that data is shared with affiliates and service providers. The revision provides a dedicated process and an express non-discrimination commitment, supporting compliance and reducing civil penalty exposure.

---

Key Takeaways & Business Implications Our examination shows that even sophisticated art businesses can overlook enforceability gaps that carry multimillion-dollar risk. Proactive redlining—like the improvements above—can dramatically reduce exposure to regulatory fines, litigation, and reputational loss.

**Are your contracts as defensible as you think? What would a regulator or plaintiff’s attorney find in your T&Cs? How much risk are you willing to accept for ambiguity?**

---

*This analysis is for educational purposes only and does not constitute legal advice. For actual legal guidance, consult with a licensed attorney. This assessment is based on publicly available information and professional legal analysis. See erayaha.ai’s terms of service for liability limitations.*