A founder uses an AI writing tool to produce marketing copy for a client. The vendor’s terms run to six pages; the section on training data is two paragraphs of legal language she skipped when she signed up. The tool works. The copy goes out.
In March 2026, the House of Lords Communications and Digital Committee decided somebody should be asking what the model was trained on, and whether the rights were cleared.
The committee backed a licensing-first approach to AI training, rejecting the opt-out model the UK government had been exploring at the time. The implications reach further down the supply chain than is immediately obvious, and for owner-managed businesses buying AI tools, the shift matters even if you have never trained a model yourself.
What is the Lords’ licensing-first stance on AI training?
The House of Lords Communications and Digital Committee published its position in March 2026, backing a regime where AI developers must license content from rights-holders before using it to train their models. The committee rejected the text-and-data-mining opt-out model the UK government had been exploring and framed the choice as binary: responsible, licensed AI development, or tacit acceptance of large-scale unlicensed use of creative content.
The opt-out model the Lords rejected would have allowed AI developers to train on any content unless a rights-holder explicitly objected. The Lords’ preferred approach inverts that: developers clear rights first, and training without a licence is not the default.
Technology minister Liz Kendall signalled a government reset in January 2026, describing the earlier AI copyright proposal as a “mistake” and saying the review would focus on giving creators “reward and control.” Google’s evidence to the committee illustrated that platforms are already building around this expectation. Google described Google-Extended, an opt-out control launched in 2023 that lets site owners stop their content being used for AI training while remaining in search results, alongside licensing deals it has struck for training content directly.
The Lords’ position is a committee recommendation, not enacted law. The government retains room to land somewhere between the Lords’ preferred model and a lighter approach, and courts may shape practical boundaries before Parliament does. The direction of travel, though, is towards greater upstream accountability for what AI models are trained on.
Why does this matter if you’re running an owner-managed business?
The direct risk for an owner-managed business usually comes from the supply chain. You are almost certainly buying access to a model someone else built. If that model was trained on copyrighted content without a licence, any output it generates for your firm carries an IP exposure that vendor terms may not adequately cover. That is the liability the Lords’ stance is bringing into view.
The Lords’ framing is essentially about upstream accountability. As licensing becomes a clearer expectation rather than an optional practice, vendors who have struck licensing deals will be in a more defensible commercial position than those who haven’t. For buyers of AI tools, the question “what was your model trained on?” is shifting from a technical curiosity to a procurement checkpoint.
There is also a reputational dimension. If client-facing content is later linked to AI-generated output built on unlicensed creative work, the reputational exposure lands on your business, not on the vendor who trained the model. That asymmetry is worth understanding before you publish AI-assisted work under your firm’s name.
Where will you actually meet this issue?
The copyright question surfaces most directly when you use AI tools to produce content that clients or the public will see. Marketing copy, proposal text, summarised reports, and knowledge-base material are all places where a vendor’s training-data decisions could matter. Any output that closely resembles protected source material could attract a rights claim against the business that published it.
Three situations stand out. The first is client-facing content generation, where AI output goes to a customer under your firm’s name. The second is internal knowledge-base building, where AI is summarising or synthesising third-party documents that may themselves carry copyright protection. The third is marketing and social content, where volume increases the probability of output that resembles a protected source closely enough to attract a claim.
The ICO adds a separate compliance layer. Its guidance on generative AI expects organisations to meet UK GDPR obligations wherever personal data is involved in AI processes. If your AI tool is processing client records, staff information, or any identifiable data, the ICO expects a lawful basis, transparency with data subjects, data minimisation, and a risk assessment before deployment. Copyright and data protection are distinct regimes, but they frequently apply to the same tool at the same time.
When should you act on this, and when can you step back?
The Lords’ position is a committee recommendation, not enacted law. The government may land on a lighter approach than the Lords prefer, and the practical shape of UK AI copyright rules remains uncertain while the government’s own review plays out. That said, treating this as somebody else’s problem until Parliament decides is a straightforward way to accumulate exposure without meaning to. The questions worth asking now are contractual, not technical.
Three questions cover the immediate ground. First: what was the model trained on, and can the vendor confirm rights were cleared or that a licensing arrangement is in place? Second: does the vendor offer an indemnity if a copyright claim arises from content you publish that was generated by their tool? Third: what controls exist over what data you send to the model, and how is that data retained or processed downstream?
A vendor who deflects all three questions is communicating something useful. The licensing-first pressure the Lords are pushing for will eventually make training-data disclosure and content indemnities a commercial norm. Getting into the habit of asking now costs nothing and gives you useful information before you sign.
One more calibration: if you are using AI only for internal processing of your own documents or drafting materials that never leave the firm, the copyright exposure is lower. The concern rises as output goes into the world under your firm’s name.
What else connects to this?
The copyright debate sits alongside a wider set of regulatory obligations that already apply to owner-managed businesses using AI. UK GDPR through the ICO, cyber security through the NCSC, and third-party risk rules through the FCA for regulated firms: each is independent of the copyright question but pushes towards the same discipline, knowing what your AI tools are doing and having a contractual position if something goes wrong.
The ICO expects any organisation using AI to process personal data to have a lawful basis under UK GDPR, provide meaningful transparency to data subjects, minimise data use, and assess risks before deployment. This applies to AI customer-service tools, AI-generated client communications, and anything that ingests staff or client records.
The NCSC treats AI as a supply-chain and cyber security issue. It advises organisations to consider prompt injection attacks, where malicious inputs manipulate an AI tool’s behaviour, data leakage, where content sent to an external model could be retained or exposed, and supplier assurance, meaning the security standards your AI vendor actually meets before you rely on their platform.
For regulated services firms, the FCA’s outsourcing and third-party risk guidance applies where an AI tool contributes to a material service or a regulated decision. The FCA expects written agreements, documented risk assessments, and contingency plans in place before you depend on a third-party AI system.
Finally, the EU AI Act. If your business serves EU customers, or your vendors deploy models within the EU, the Act’s transparency and documentation requirements may apply to parts of your supply chain even if your firm is entirely UK-based. That makes it a supplier question worth raising with any vendor pitching AI tools to UK businesses.
The Lords’ vote is a signal in a regulatory environment that is still forming. Whether Parliament ultimately enacts the licensing-first model the committee prefers, the trajectory of UK AI copyright policy is towards greater accountability for what models are trained on. For owner-managed businesses, the practical step is to start asking the procurement questions now: what the model was trained on, what the vendor will warrant, and what happens if a rights claim arises. These are reasonable due-diligence questions, and asking them gets easier with practice.
