
The Standard Exclusions Every NDA Should Have (and What Happens If They Are Missing)

Short answer: a fair NDA carves out five categories of information from its confidentiality obligation — anything that is public, anything you already knew before the disclosure, anything you independently develop without using the confidential information, anything a third party gives you without restriction, and anything you are legally required to disclose. These are usually called "standard exclusions," and they are missing from a surprising number of NDAs. When they are missing, you can be held liable for information that is not really secret at all. Here is what each exclusion means, why it belongs in every NDA, and what to do if your draft is missing one.

Why exclusions exist at all

The point of an NDA is to protect genuinely confidential information — things one party knows that the other should not freely share. But the definition of "confidential information" in most NDAs is sweepingly broad: every document, every conversation, every observation. Without exclusions, you would technically be liable for keeping secret things that are already in the New York Times, things you learned at your previous job, things a competitor told you over coffee last year. That obviously is not what either side actually wants.

Standard exclusions fix that by narrowing the protected information to what is genuinely secret. They do not weaken the NDA — they make it workable. An NDA without them is either oblivious to how information actually moves through the world or written aggressively to keep you guessing about what you can and cannot say. Either way, the fix is the same: add the exclusions.

Exclusion 1: information that is already public

The first and most basic exclusion: confidentiality obligations do not apply to information that is already public, or that becomes public later through no fault of the receiving party. If your competitor’s product launch is on the front page of their website, you should not be liable for repeating it just because they once mentioned it under an NDA. Without this exclusion, you could be sued for discussing publicly available facts, which is both unfair and unworkable.

The standard phrasing is something like "Confidential Information does not include information that is or becomes generally available to the public other than as a result of a breach by the Receiving Party." The key phrase is "other than as a result of a breach" — if you are the one who made it public by violating the NDA, you cannot then claim the public-domain exception. The exclusion protects you from liability for genuinely public information, not from leaking and pleading the leak.

Exclusion 2: information you already had

Second: confidentiality obligations do not cover information the receiving party already knew before the disclosure, demonstrated by written records. Without this exclusion, the NDA could rewrite what you knew before you signed it — anything that overlaps with the disclosing party’s information could become "confidential" retroactively, even though you had it independently first. That is unfair on its face and a real risk if the disclosing party’s information is in a field where you already work.

The phrase to look for is "information that was in the possession of the Receiving Party prior to disclosure, as evidenced by the Receiving Party’s written records." The written-records requirement matters: it makes the exclusion verifiable rather than a free pass for "well, I think I knew that already." If you have any pre-existing relevant material, save dated copies before signing, so you can prove what you knew when.

Exclusion 3: information you independently develop

Third: confidentiality obligations do not cover information the receiving party develops independently, without reference to or use of the confidential information. If a software company shares a roadmap with you under an NDA and you happen to be working on a similar feature on a parallel track that does not rely on what they told you, the independent-development exclusion protects you. Without it, the NDA could effectively bar you from building anything in the same space, even if your work is entirely your own.

The standard phrasing is "information independently developed by the Receiving Party without use of or reference to the Confidential Information." This exclusion is especially important if you are in a competitive or creative field. To preserve the exclusion, keep records — dated drafts, notes, code commits — showing your own work. If you ever need to invoke this exclusion, contemporaneous evidence of independent development is what makes it stick.

Exclusion 4: information received from a third party

Fourth: confidentiality obligations do not cover information you receive from a third party who is free to disclose it. If a fact about the disclosing party is shared with you by an unrelated source who is not bound by any confidentiality obligation, you should not be liable for already knowing it. Without this exclusion, the NDA could effectively gag you about anything anyone else also happens to tell you about the same subject — an unworkable result.

The typical phrasing is "information rightfully received by the Receiving Party from a third party without restriction and without breach of any obligation of confidentiality." The "without breach" qualifier matters: if your third-party source got the information by breaching their own NDA, the exclusion does not apply. The protection is for genuinely independent third-party sources, not laundering a leak through an intermediary.

Exclusion 5: information you are legally required to disclose

Fifth: confidentiality obligations do not bar disclosure required by law — a court order, a subpoena, a regulatory demand, a properly issued request in a government investigation. Without this exclusion, the NDA could put you in an impossible position where complying with one law (responding to a subpoena) violates a contract. No reasonable contract would actually require you to defy a court, but the exclusion makes the answer explicit.

A well-drafted exclusion also typically requires you to give the disclosing party prompt notice of the legal demand (where legally permitted), so they can seek a protective order or otherwise try to limit the disclosure. That is reasonable and fair to both sides. The phrasing usually reads "disclosure required by law, regulation, or legal process, provided that the Receiving Party gives the Disclosing Party prompt written notice where permitted by law and reasonably cooperates in any effort to obtain a protective order."

A sixth exclusion worth knowing: the DTSA whistleblower notice

Under the federal Defend Trade Secrets Act (DTSA, 2016), employers and certain other parties using NDAs that cover trade secrets must include a whistleblower-immunity notice. The notice tells the receiving party they cannot be held liable under federal or state trade-secret law for disclosing a trade secret in confidence to a government official or attorney for the purpose of reporting or investigating a suspected violation of law, or in a court filing under seal. If your NDA does not include this notice and trade secrets are involved, the disclosing party may lose certain remedies under the DTSA. It is a small clause that protects both sides — the receiving party from being chilled out of legitimate whistleblowing, and the disclosing party from losing federal remedies.

What happens when exclusions are missing

An NDA without standard exclusions is not necessarily invalid, but it is unreasonably broad, and a few things follow from that. First, you are exposed to liability for keeping secret information that is not actually secret — public facts, things you already knew, things you build yourself. Second, you are potentially in conflict with legal duties to disclose, with no carve-out for compliance. Third, courts that look at the NDA may interpret it more narrowly than its words suggest, but you have to fight that case rather than rely on clear contractual language.

In practice, missing exclusions create chronic uncertainty. Every time you think about saying something related to the disclosing party’s business, you have to wonder whether you are violating the NDA, even when the information is plainly not secret. Standard exclusions remove that uncertainty by drawing the line between what is protected and what is not. They make the NDA usable in real life.

How to add them when they are missing

If an NDA you receive is missing standard exclusions, ask for them. This is one of the easiest negotiations in contract drafting — exclusions are universally recognized, well-drafted versions are widely available, and most disclosing parties will agree without much pushback because they recognize the request as standard. You do not have to draft from scratch. A simple paragraph along the lines of "Confidential Information does not include information that: (a) is or becomes public other than through breach by the Receiving Party; (b) was in the Receiving Party’s possession before disclosure, as evidenced by written records; (c) is independently developed without reference to the Confidential Information; (d) is rightfully received from a third party without restriction; or (e) is required to be disclosed by law, with notice where permitted" covers the standard set.

Read exclusions alongside the definition and the term

Exclusions do not stand alone — they interact with the definition of "Confidential Information" and the duration of the obligation. A broad definition is much more tolerable when the standard exclusions are present, because they carve away what is not really secret. A long term (or perpetual term) is more tolerable when exclusions cleanly end the obligation for information that has become public or was independently developed. So when you assess an NDA, look at the three pieces together: what is covered, what is excluded, and for how long. The combination determines your real obligation.

The bottom line

Five standard exclusions belong in every NDA — public information, prior knowledge, independent development, third-party sources, and legally compelled disclosure — plus the DTSA whistleblower notice when trade secrets are involved. Without them, the NDA can bind you to information that is not really secret and put you in conflict with legal duties. Adding them is one of the most uncontroversial requests you can make. If you want a quick read on whether an NDA includes all the exclusions it should, ClauseAudit reviews it in about a minute, flags missing carve-outs, perpetual terms, and broad definitions, and gives you the exact language to add — so the NDA you sign protects what should be protected and nothing more.


This guide is general information from ClauseAudit, not legal advice. Laws vary by state and change — consult a qualified attorney for your situation.