The Training-Data Propagation Audit Clause: The AI Vendor Deletion Right That Actually Survives an FTC Disgorgement Order

Your AI vendor's deletion clause was written for databases. The data lives in model weights. The training-data propagation audit right closes the gap.

The deletion right in your AI vendor contract was written for databases. The data lives in model weights. A December 2025 paper and four FTC consent orders say the gap sits on your side of the line. Here is the clause that closes it, and the statute, science, and enforcement anchors that tell you why it has to.


Two things moved in the last four months that most commercial AI contracts haven't caught up to, and the gap now sits on the buyer. Your AI vendor's master services agreement (MSA) lets you request a deletion. It does not let you verify the deletion actually happened. And if a regulator asks you, in 2028, to prove that training data from your 2026 contract is no longer recoverable from your vendor's model, every standard commercial template written today gives you nothing to work with.

Here's what I'd tell any GC or CFO negotiating an AI vendor renewal this quarter. The "right to delete" you think you have is a promise about a database that was imported into a contract about model weights. Those are different compliance surfaces. The clause that bridges them, a training-data propagation audit right, does not currently exist in any commercial form paper. It should exist in yours.

This piece is the reference document: the science, the enforcement line, the statute matrix, the full five-part clause language, the audit mechanics, and the downstream enforcement question. This Thursday's issue of The Thursday Redline, Consilium Law's weekly newsletter on LinkedIn, runs the negotiation companion: how to sequence the redline against a real vendor, pushback patterns to expect, and the cost economics of a live renewal.

What Changed: The Science Anchor

In December 2025, researchers presented "Unlearned but Not Forgotten: Data Extraction after Exact Unlearning in LLM" (Wu, Pang, Liu, and Wu) at NeurIPS 2025 in San Diego. The paper attacks the gold-standard technique AI vendors rely on to remove training data from deployed models, a family of methods called exact unlearning, and shows that the deleted information leaks back out through a guidance attack when both the pre-unlearning and post-unlearning model checkpoints are accessible to the attacker.

The mechanics matter for drafting the clause. Exact unlearning approximates the effect of retraining the model from scratch without the deleted data. The promise is that after unlearning, the model behaves as if the data had never been seen. The NeurIPS result shows that if you can compare the weights before and after, you can often reconstruct what was deleted, because the delta between the two snapshots is itself a signal that points at the removed data.

Read in plain English: the mechanism your vendor points to when the contract says "we will delete your data" has a published, peer-reviewed vulnerability. It is not broken in every case. It is broken in enough cases that a sophisticated buyer cannot rely on it without independent verification. That verification is what the audit clause buys you.

The paper is not the last paper. The state of the art in machine unlearning is moving faster than contract renewal cycles. A three-year MSA signed in 2026 will outlive two or three publication rounds. Whatever mechanism the vendor uses today, the 2027 paper may invalidate. The clause has to price in the movement of the science, not a single snapshot.

The Enforcement Anchor: Four FTC Consent Orders

While the science was moving, the Federal Trade Commission was building a four-case line of consent orders that all impose a remedy at the model layer, not the data layer. The agency calls it algorithmic disgorgement. The remedy is that the vendor has to destroy the model.

Everalbum (2021). The FTC's order against Everalbum required the company to delete the facial-recognition models it trained on user photos and biometric data collected without adequate consent. The agency had first ordered algorithmic disgorgement in its 2019 Cambridge Analytica settlement; Everalbum extended the remedy into the facial-recognition and biometric context. The principle: records of improperly obtained data are not the only compliance artifact. The model trained on those records is itself a compliance artifact.

WW / Kurbo (2022). The Kurbo-WW order extended the principle to children's health data. WW International had to destroy the algorithms its Kurbo subsidiary built using data collected from children under thirteen in violation of COPPA. Two orders, same remedy pattern: the model goes with the data.

Rite Aid (December 2023). The Rite Aid order was the first time the FTC applied Section 5 unfairness to a discriminatory AI system. Rite Aid's facial-recognition deployment had falsely flagged shoppers, disproportionately women and people of color, as suspected shoplifters. The remedy was a five-year ban on the system, a multi-year monitoring program, and destruction of images and associated algorithms. The order is important for two reasons: it established that Section 5 unfairness is available against AI systems without a predicate statute like COPPA, and it treated the trained system itself as the unlawful object.

Avast (2024). The Avast order required Avast to delete the browsing data it sold to third parties through its Jumpshot subsidiary, along with any algorithms or models developed in whole or in part from that data. By this point the pattern was settled: algorithmic disgorgement is a standard remedy in the FTC's toolbox for AI and data misuse, and it runs at the model layer.

What this line of orders tells a sophisticated buyer is that when improperly collected or processed data shows up downstream, the agency's remedy is not "delete the records." The remedy is destroy the model. That remedy can fall on your vendor. Your contract has to contemplate what happens to you when it does.

The Statute Anchor: The Deletion-Right Matrix

Five statutory regimes create the underlying deletion rights that trigger the vendor's obligation to act. Each one has a different trigger, a different scope, and a different enforcement tail. A buyer's contract has to sit on top of all of them, because enterprise AI deployments almost always implicate more than one.

California Consumer Privacy Act, Cal. Civ. Code § 1798.105. The CCPA right to deletion applies to "personal information" that a business has collected from a consumer. Verifiable consumer requests must be honored within 45 days, with a possible 45-day extension. The statute requires businesses to direct service providers to delete the information as well. Service provider contracts must include provisions obligating the service provider to carry out the deletion. A standard AI vendor MSA that does not explicitly extend the deletion obligation to model weights leaves the business exposed when the model, trained on that personal information, continues to be used.

Colorado Privacy Act, Colo. Rev. Stat. § 6-1-1306. The Colorado right of deletion operates similarly, with a 45-day response window and a 45-day extension. Colorado's statute is stricter than California's on the question of data minimization (§ 6-1-1308(3)) and on specific sensitive-data categories that require opt-in consent. For AI vendors processing sensitive data, the deletion obligation is not a request-driven right; it is backed by an upstream minimization requirement that narrows what the vendor should have collected in the first place.

Colorado AI Act, SB 24-205 (operative date moved to June 30, 2026 by SB 25B-004, signed Aug. 28, 2025, effective Nov. 25, 2025). Colorado's AI Act, the first broad-scope state AI statute, requires developers and deployers of high-risk AI systems to provide consumers with the right to correct personal data and to appeal adverse consequential decisions. The statute does not yet impose a standalone deletion right at the model layer, but it does require developers to document the data used to train the AI system and to provide that documentation to deployers (§ 6-1-1702). A deployer who cannot demonstrate what trained the system cannot respond to an adverse-decision appeal with integrity. Your contract needs the upstream inventory to comply with the downstream statute. A caveat on currency: on March 17, 2026 the Governor's AI Policy Working Group released a draft repeal-and-replace framework that would trade the duty-of-care and impact-assessment regime for a narrower notice-and-transparency model. As of April 21, 2026, no successor bill has been formally introduced in the 2026 regular session, and the June 30, 2026 date remains the operative one; plan to the statute as written, and watch the session close (sine die May 13).

GDPR Article 17. The EU General Data Protection Regulation's right to erasure is the most aggressive of the five in its model-layer implication. In Opinion 28/2024, adopted December 17, 2024, the European Data Protection Board answered three referred questions and held that an AI model trained on personal data cannot be presumed anonymous; anonymity is a case-by-case determination the controller has to document (paras. 39-43). The test the EDPB set is two-pronged and strict: both the likelihood of extracting training data from the model and the likelihood of getting personal data out through queries must be insignificant, judged against "all the means reasonably likely to be used" (para. 43). When those thresholds aren't met, the model is still processing personal data, which means erasure requests under Article 17 reach it, and a supervisory authority can order deletion of the unlawfully processed dataset or, where that's not workable, the model itself (paras. 120-123, 133-135). The EDPB also flagged that a downstream controller deploying someone else's model has to verify lawful development under Article 5(2), which is the hook your Article 28 processor contract needs to carry. For US buyers with EU users, that obligation flows straight through to the AI vendor, and "we deleted the training record" is not a defense if the weights still leak it.

EU AI Act Article 10 (data and data governance for high-risk AI systems). Article 10 of the EU AI Act, effective August 2, 2026 for high-risk systems, requires that training, validation, and testing data sets be "relevant, sufficiently representative, and to the best extent possible, free of errors and complete in view of the intended purpose." It also requires data governance practices sufficient to ensure that bias is identified and corrected. The Article 10 obligation is not itself a deletion right, but it creates a continuous data-quality obligation that interacts with deletion requests: if a vendor cannot remove flagged data from the training set, the vendor is in active noncompliance with an EU AI Act obligation, not just a contractual one.

A single AI vendor contract governing an enterprise deployment almost always sits on top of three or four of these regimes at once. The deletion clause that was good enough for a 2023 SaaS product is not good enough for 2026 regulatory reality.

The Clause

Below is the five-part training-data propagation audit clause. Treat this as a starting redline, not finished contract language. Every part is live-drafted for a commercial AI vendor MSA. Obligation ownership is labeled.

Part 1: Training Data Inventory Warranty (Vendor)

Vendor represents and warrants that, as of the Effective Date, Vendor maintains a complete and accurate inventory of all datasets, data sources, and data categories used to train, fine-tune, or otherwise modify any AI model provided to Customer under this Agreement. Vendor shall maintain this inventory for the term of this Agreement plus seven (7) years following termination and shall produce the inventory to Customer within thirty (30) days of a written request, subject to reasonable confidentiality protections for third-party training data.

Part 1 converts the vendor's internal recordkeeping into a contractual warranty. Regulators in 2027 and 2028 will expect the customer to be able to answer "what data trained this model" for any model decision that affected a data subject. Without this warranty, the customer cannot answer that question without the vendor's voluntary cooperation, and voluntary cooperation is unreliable.

Part 2: Propagation Audit Right (Customer)

Customer may, not more than twice per calendar year, commission an independent technical audit of the AI models provided under this Agreement to assess whether data identified in a deletion request submitted by Customer or a Customer end user remains recoverable from the model weights. Vendor shall cooperate with the audit, including providing reasonable access to pre-deletion and post-deletion model checkpoints, documentation of the unlearning or retraining procedure used, and logs sufficient to validate the procedure. Customer shall bear the cost of the audit. Vendor shall bear the cost of remediation if the audit identifies a failed deletion.

Part 2 is the clause that does not currently exist in any commercial template. It is the operational response to the NeurIPS 2025 result. It does not require the vendor to use any particular unlearning method. It requires the vendor to let the customer verify, once every six months at most, that whatever method the vendor used actually worked. The remediation-cost shift aligns the vendor's incentives with the customer's regulatory exposure.

Part 3: Unlearning Mechanism Warranty (Vendor)

Vendor represents and warrants that its unlearning, retraining, or data-removal mechanism is, at the time of use, consistent with the then-current state of the art as reflected in peer-reviewed publications in the preceding twenty-four (24) months. Vendor shall notify Customer within thirty (30) days of becoming aware of any published research identifying a material vulnerability in the mechanism Vendor uses. Vendor shall thereafter either (a) transition to a mechanism not subject to the identified vulnerability, or (b) provide Customer with a written remediation plan within sixty (60) days of such notice.

Part 3 solves the temporal problem. The NeurIPS paper is not the last paper. In Q3 2026, there will be another one. In 2027, another. The state of the art in machine unlearning is moving faster than contract renewal cycles. Without a notification-and-transition duty, a customer signing a three-year MSA in 2026 has no contractual recourse when the 2027 paper invalidates the vendor's 2026 mechanism.

Part 4: Regulatory Cooperation and Cost Allocation (Both)

If a governmental authority orders Vendor to disgorge, destroy, or materially modify an AI model provided to Customer on the basis of training data collected or processed in a manner that triggers such order, Vendor shall (a) notify Customer within five (5) business days of receipt of the order, (b) provide Customer with a reasonable replacement AI model, trained on compliant data, within one hundred twenty (120) days of the order becoming final and non-appealable, and (c) bear the cost of retraining, data migration, and operational disruption up to the amount of fees paid by Customer under this Agreement in the preceding twelve (12) months. This allocation applies regardless of whether Customer is also subject to the order.

Part 4 is the direct response to the FTC's algorithmic-disgorgement pattern. Today, when a regulator tells a vendor to destroy a model, the commercial customer downstream of that model has no contractual mechanism to get a replacement. The 120-day window tracks the operational tolerance most AI-dependent workflows have before they break. The subsection (c) cost allocation is where the whole clause earns its keep: it has to survive the general limitation of liability or it is contract decoration. Carve it out of the consequential-damages exclusion and super-cap it, or sweep it into whatever super-cap the MSA already carries for data-breach and IP indemnity.

Part 5: Survival

Parts 1 (Training Data Inventory Warranty), 2 (Propagation Audit Right), 3 (Unlearning Mechanism Warranty), and 4 (Regulatory Cooperation and Cost Allocation) survive termination of this Agreement for seven (7) years.

Seven years matches the outer limit of the statute of limitations for most state privacy enforcement actions and the record-retention standards in EU AI Act Articles 11 and 12. Shorter survival periods convert the warranty into a contractual fiction.

Audit Mechanics

In my experience, the commercial-terms negotiation almost always lands on Part 2. So the audit mechanics deserve their own treatment.

Frequency. Twice per year is a defensible starting point. Vendors will counter with once, tied to renewal. Accept annually only if the audit right is coupled with a for-cause trigger: a customer-side deletion request, a published vulnerability in the vendor's mechanism, or a regulatory inquiry that names the vendor.

Access. The audit requires access to the pre-deletion and post-deletion model checkpoints, documentation of the unlearning procedure, and logs sufficient to validate the procedure. Vendors will push back on checkpoint access as a trade-secret concern. The compromise is a third-party auditor under NDA with vendor-approvable credentials. The buyer holds the audit right; the buyer does not personally get the weights. One caveat the vendor's security team will raise, and should: the checkpoint pair is exactly the access the NeurIPS attack assumes, so the auditor's custody of both checkpoints has to be scoped and logged as tightly as the buyer's exclusion from them.

Test methodology. The audit should be able to run the published attacks against the checkpoints, including the NeurIPS 2025 guidance attack and any successor methods published in the preceding twenty-four months. The warranty in Part 3 does the forward-looking work; the audit in Part 2 does the backward-looking verification.

Cost allocation. Customer pays the audit absent a finding. On a positive finding, vendor pays the audit cost, the cost of re-unlearning or retraining, and a liquidated sum for notice and remediation costs the customer incurs with data subjects and regulators. The liquidated sum is negotiable; the shift of base audit cost on a positive finding is not.

Third-party auditor access. The buyer should pre-approve a short list of qualified auditors at contracting, not at the moment of an active request. The list should include at least one university-affiliated research group and at least one commercial AI-security firm. Vendors will attempt to limit the list to their own preferred auditors. A three-name joint list is the defensible compromise.

What Happens to You When the Vendor Gets Disgorged?

The hardest question in this space isn't what happens to the vendor when the FTC acts. The vendor's lawyers are paid to worry about that. The question is what happens to you, the downstream buyer, when your vendor's model gets destroyed.

Three things, in sequence. Your contract decides who pays for each.

First, your production pipeline breaks. The API endpoint returns errors. The feature your product relies on goes dark. Depending on the integration depth, restoration may take days, weeks, or a quarter. Without Part 4, you absorb the operational loss, and the vendor's standard force majeure clause probably applies.

Second, your own regulatory exposure activates. If your CCPA or Colorado Privacy Act deletion response relied on the vendor's deletion, and the FTC has just found the vendor's deletion insufficient, your deletion response is in question too. You may owe notice to data subjects and, in some states, to the attorney general.

Third, your customer contracts light up. Your own downstream service-level and data-processing agreements include representations that your subprocessors are compliant with applicable law. A disgorgement order against your AI vendor is evidence that one of your subprocessors was not. The indemnity call chain runs through you.

Part 4 of the clause is designed to shift the first loss back to the vendor and, through the cost allocation, to fund at least part of the second and third. It cannot eliminate the exposure. It can move enough of it that the loss stops being existential.

What to Do in the Next Thirty Days

Six moves. If only one of them gets attention this quarter, make it the first.

  1. GC: pull every active AI vendor MSA and locate the deletion clause. In one sitting, confirm whether it is scoped at the data layer or extends to model weights. Most will be at the data layer.
  2. GC and outside counsel: draft the five-part propagation audit clause as a redline package. Use the clause language above as the starting draft. Stage the ask so Parts 1 and 3 lead and Parts 2 and 4 are the harder negotiation.
  3. CFO: price the cost-allocation carve-out in Part 4. The number tied to fees paid is negotiable. The carve-out from the general liability cap is not. Be ready to make that distinction to procurement.
  4. CTO: inventory every production AI integration that relies on a single vendor's model. Any integration that cannot survive 120 days of vendor-model unavailability is a business-continuity risk independent of the contract.
  5. Procurement: add the audit-right ask to the standard AI vendor RFP response template. The vendors that refuse outright are telling you something. The vendors that negotiate are telling you something else.
  6. Board: the audit committee should see one slide this quarter on AI vendor deletion exposure. Frame it as a known gap with a defined remediation path, not as a new risk discovered today.

Frequently Asked Questions

Does my company need this clause if we only use off-the-shelf AI products like ChatGPT Enterprise or Microsoft Copilot?

Yes, though the negotiation dynamic is different. Enterprise agreements from the major AI vendors already include data-handling representations, but those representations are scoped at the data layer, not the model layer. If an employee submits sensitive customer data through an enterprise AI product and you later need to prove that data is no longer recoverable from the vendor's model, your current enterprise agreement probably does not let you verify that. The five-part clause gives you the verification mechanism, adjusted for the reality that pushback from a hyperscaler will be stiffer than from a smaller AI vendor.

What does a failed propagation audit actually cost the vendor?

Under Part 2 of the clause, the vendor bears the remediation cost when the audit identifies a failed deletion. Under Part 4, if a regulator orders the vendor to disgorge the model, the vendor absorbs retraining, migration, and operational-disruption cost up to twelve months of fees paid, or whatever super-cap the parties negotiate. The cap number is negotiable. The carve-out from the general limitation of liability is the part that makes the number collectible.

Is the propagation audit right required by any current regulation?

No. Today it is purely a contract mechanism. The statutory backdrop is moving in that direction: the EDPB's Opinion 28/2024 holds that an AI model trained on personal data cannot be presumed anonymous, and a supervisory authority can order deletion of the model itself when unlawful processing is identified. EU AI Act Article 10 takes effect August 2, 2026 for high-risk systems and imposes continuous data-governance obligations. CCPA § 1798.105 and Colo. Rev. Stat. § 6-1-1306 already require businesses to direct service providers to delete personal information. The audit clause is the buyer-side mechanism that operationalizes compliance with those obligations.

When should a GC start this redline conversation with an AI vendor?

Before the vendor's form paper crosses the desk. The audit right negotiates hardest when it is surfaced for the first time inside a compressed renewal window; vendors respond with "we have never agreed to this" unless they have time to route the ask through their GC and product legal. Raise it at the first substantive contract call, not during final redlines. For renewals already scheduled this quarter, the conversation should start this week.

What We're Watching

- EU AI Act Article 10 enforcement guidance. The EU AI Office is expected to publish practical guidance on data governance obligations for high-risk systems before the August 2, 2026 effective date. The guidance will influence what Article 10 compliance looks like in an AI vendor contract.
- Successor papers to "Unlearned but Not Forgotten." The NeurIPS 2026 submission window closes in May. Extraction-attack research is a crowded subfield now, and the 2026 round is likely to narrow or widen the attack surface. Part 3 of the clause is designed to absorb whichever direction the research moves.
- The next FTC algorithmic-disgorgement order. Pattern recognition suggests one per year. When the 2026 order arrives, the buyer's bargaining position on Part 4 in renewal conversations strengthens.
- State AI impact assessment rules under the Colorado AI Act. The Attorney General's implementing regulations are in progress. The documentation obligations under § 6-1-1702 will shape the inventory warranty in Part 1.

Close

The contract language you need is not in anyone's form paper yet. The buyers who ask for it first set the precedent. The vendors who agree to it first position themselves as the safer counterparty in 2027, when the FTC's fifth disgorgement order lands on someone else.

Your AI vendor did not write a fraudulent deletion clause. Your AI vendor wrote a 2022 deletion clause, imported from a SaaS template, applied to a product built on model weights. The gap between that clause and the verifiable deletion your regulators will expect is the space the propagation audit right fills. Renew into the gap, or close it.


This article is for informational purposes only and does not constitute legal advice. Every company's situation is different, and you should consult with qualified legal counsel before making compliance decisions based on the developments discussed here.

Consilium Law works with founder-led and mid-market companies on AI vendor contracting, governance program design, and cross-border AI compliance under the EU AI Act and state AI statutes. If your next AI vendor renewal is this quarter, the redline conversation should start before the vendor's form paper crosses your desk.

Contact

If this touches the work in front of you, start a conversation.

Send a short note about what changed, what you are building, and where legal judgment needs to sit closer to the work.

Disclaimer. This article is provided for informational purposes only and does not constitute legal advice. Readers should consult independent counsel before acting on any analysis. The views expressed are solely those of the author and do not necessarily reflect the views of Consilium Law LLC.