Image Rights Management: When Stock Licenses Expire

Editor's note: YetOnePro supports licence metadata via custom fields with date and select types, but the workflow logic — when to flag, when to archive, who gets notified — is something each team configures. This guide is tool-agnostic; the principles apply whether you use a DAM, a spreadsheet, or a folder of contracts. The article is image-only: video DRM, music sync, and audio rights are out of scope.

It usually happens like this. A stock photo is licensed in 2022 — rights-managed, one year, EMEA web and paid social — and dropped into the DAM. The person who bought it leaves the company; her order confirmation gets archived in an inbox nobody opens. Eighteen months later the image is pulled into a global print and OOH campaign. Three months after launch the stock agency’s reverse-image bot flags it. The settlement letter quotes clauses nobody on the current team has ever read, from an agreement that expired a year and a half ago.

We wrote about watermarks as the deterrent layer of asset protection. Image rights management is the layer below it: what watermarks can’t do, the law does. Watermarks signal provenance; rights metadata is what keeps the agency’s lawyer’s letter from showing up six months after the campaign launches.

Why Image Rights Are the Quietest Liability in Your Library#

Rights violations don’t make noise inside the company. The campaign launches, the photo does its job, the team moves on to the next brief. The stock-agency lawyer notices first — sometimes years later, often after a reverse-image-search bot pings their compliance team. By the time you hear about it, the unauthorized use has been live long enough to make the settlement number meaningful. U.S. copyright law sets statutory damages at between $750 and $30,000 per work, and up to $150,000 per work when the infringement is found to be willful(opens in new tab) — where statutory damages are available, which under 17 U.S.C. § 412(opens in new tab) requires that the work was registered before infringement (or within three months of first publication). That statutory exposure is what stock agencies often anchor their settlement demands to, and the willful-infringement ceiling is the number that tends to get quoted when the use has been long-running or commercially significant.

The reason this category of liability is quiet is that nothing in the file itself encodes its licence. The rights live in a contract that’s sitting in someone’s archived inbox; the asset is in your library. The two drift apart the moment anyone leaves, and the brand ends up exposed without anyone realising. Keep them connected: licence metadata at upload, contract linked to the asset, expiry-date awareness in the workflow.

Several forces are making this category worse than it used to be. AI-driven reverse-image search means stock agencies can find their photos in your campaigns automatically. Social channels republish content in ways the original licence didn’t anticipate — the copyrighted image you posted on Instagram in 2022 may now be in a Reels remix in 2026. And AI-generated images have introduced a copyright-status question the law hasn’t fully answered yet. The cumulative effect: rights tracking that worked five years ago doesn’t work now.

Copyright, License, Public Domain, Fair Use#

Four terms creative teams confuse, briefly disambiguated.

Copyright. The legal right to reproduce a creative work, automatic on creation in most jurisdictions. The copyright holder is the creator unless they’ve assigned the right to someone else (by contract, work-for-hire, or licence). In the U.S. you can register a work with the Copyright Office(opens in new tab), which both unlocks eligibility for statutory damages and attorneys’ fees (when registered before infringement, or within three months of publication) and — for U.S. works — is generally required before you can file an infringement suit. Registration isn’t required to hold copyright but materially changes what enforcement looks like. UK(opens in new tab) and EU(opens in new tab) copyright is also automatic on creation; neither maintains a public registry equivalent to the U.S. Copyright Office, and enforcement runs through the national courts directly under each jurisdiction’s domestic copyright law.

License. Permission granted by the copyright holder for someone else to use the work. The licence agreement defines the terms: which channels, which territory, for how long, exclusive or non-exclusive. Stock-photo licences are licences, not copyright transfers — the copyright owner remains the photographer or the agency. Royalty-free, rights-managed, and exclusive are the three common stock-licence types; Creative Commons is a family of standardised licences, each variant defining a different combination of attribution, commercial-use, and derivative-work rules. Every Creative Commons asset is still licensed; the terms are public and standardised.

CC-BY — attribution required.
Example: a CC-BY photo can run in a paid social campaign as long as the photographer’s name appears somewhere on the post — caption, alt text, or footer credit.

CC-BY-SA — attribution plus share-alike (derivatives must use the same licence).
Example: if you crop and colour-grade a CC-BY-SA photo for a brochure, the brochure version itself has to be released under CC-BY-SA — meaning anyone else is free to reuse your edit.

CC-BY-ND — attribution; no derivative works allowed.
Example: a CC-BY-ND illustration can be reposted with credit on a company blog, but cannot be cropped, recoloured, or composited into a new design.

CC-BY-NC — attribution; non-commercial use only.
Example: a teacher can drop a CC-BY-NC photo into classroom slides, but a brand cannot use the same image in an ad campaign — even with credit.

CC-BY-NC-SA — attribution plus non-commercial plus share-alike.
Example: a charity can adapt a CC-BY-NC-SA infographic for a fundraising email (with credit), but the adapted version also has to be released CC-BY-NC-SA — and it cannot appear on a paid product.

CC-BY-NC-ND — attribution plus non-commercial; no derivatives.
Example: a university course can show a CC-BY-NC-ND photo in a lecture deck with credit, but cannot edit it, remix it, or feature it on a commercial product page.

CC0 — copyright waived by the creator (closest thing to public domain).
Example: a CC0 stock photo can be used in a paid campaign, edited freely, and republished — no credit required and no licence to track.

Creative Commons(opens in new tab)

Public domain. Works whose copyright has expired or was never granted. Free to use without a licence, but verification matters. “I found it on Wikipedia” isn’t a public-domain check — Wikipedia hosts works under multiple licences. The asset’s actual provenance has to be traced to confirm the copyright term has expired. In the U.S. anything published before 1931 is public domain as of January 2026(opens in new tab); other jurisdictions calculate differently.

Fair use. A narrow set of doctrines allowing limited use of copyrighted material without the copyright holder’s permission — usually for commentary, criticism, parody, news reporting, education, or research. The mechanics differ across the three jurisdictions a creative team is most likely to operate in:

• U.S. — Fair use. A flexible doctrine codified at 17 U.S.C. § 107, weighed case-by-case against four statutory factors(opens in new tab): purpose, nature of the work, amount used, market effect.

  Example: a design publication reproduces a corporate logo at thumbnail size in a critical review of the company’s rebrand. Purpose (commentary) favours fair use, amount used is small, market effect on the brand is nil — the nature factor weighs slightly against because the logo is creative, but the balance tips fair use. The same logo placed on the cover of a competing brand’s marketing collateral is not fair use under any factor.

• UK — Fair dealing. Narrower than U.S. fair use and not a general doctrine; the Copyright, Designs and Patents Act 1988 grants specific fair-dealing exceptions(opens in new tab) for research and private study (s.29), criticism, review, quotation, and news reporting (s.30), and caricature, parody, or pastiche (s.30A).

  Example: a BBC arts programme shows stills of a copyrighted painting on screen while reviewing an exhibition (CDPA s.30, criticism and review), with attribution to the artist and only as much of the work as the review requires. The same painting reproduced on a commercial poster selling tickets to an unrelated event falls outside s.30 entirely — there’s no review, the use is promotional, and no other exception applies.

• EU — Exceptions and limitations. No general fair-use doctrine at all; instead an exhaustive list in Article 5 of the InfoSoc Directive 2001/29/EC(opens in new tab), supplemented by mandatory exceptions added by the 2019 DSM Directive(opens in new tab) (text and data mining, education, online content-sharing). Each member state implements them with national-law variations.

  Example: a German news site republishes a copyrighted news photograph for current-events reporting under Germany’s implementation of InfoSoc Article 5(3)(c), with the photographer credited. The same photograph embedded in a sponsored marketing campaign by the same publisher is outside any Article 5 exception, regardless of how the campaign is framed editorially.

None of these is a permission slip for commercial campaigns — each is a defence raised in court, not a green light up front. If you’re asking “is this fair use?”, the operational answer is to either get a licence or use a different image.

That’s the disambiguation. What fields to capture per asset is the broader metadata question covered separately; this article goes operational on the rights-specific subset.

Per-Asset Fields Worth Tracking#

Six minimum fields per asset, plus the licence document link. Anything less and you’ll regret it the first time someone asks “can we use this in print?”

• Source. Stock library (Getty, Shutterstock, Adobe Stock), commissioned photographer, in-house, AI-generated, public-domain repository. Drives every other rights question.
• Licence type. Royalty-free, rights-managed, exclusive, Creative Commons (and which CC variant), editorial-only, public domain. The category determines the rest of the workflow.
• Term. Perpetual or dated. If dated, the expiry date as a real date field, not a free-text note. This is the field that fails most often when teams use spreadsheets — “1 year from purchase” written as a string is unsearchable.
• Territory. Worldwide, by region, by country, or a list. Most rights-managed licences are territory-restricted and most teams forget this exists until a campaign launches in a new market.
• Permitted use. An explicit positive list: web, paid social, organic social, print, OOH, broadcast, internal-only. Never “anything not prohibited” — the agreement is the source of truth and it usually works as a positive list.
• Prohibited use. Often longer than permitted use. “No use in connection with adult, gambling, or controversial political content” is a common stock-agency clause.
• Licence document link. URL or DAM path to the actual contract or order confirmation. The licence is the source of truth; the metadata is the index.

The licence-type axis matters because the fields look different per type. Royalty-free is the simplest case; editorial-only is the easiest to misuse.

Standardising these fields is most of the discipline. The photos that don’t carry them are where the lawsuits come from.

Where Rights Tracking Always Breaks#

The classic failure modes show up in almost every team that ships content on a budget — most have hit at least one of them.

The licence lives in someone’s email. A team member buys a stock licence, downloads the image, uploads it to the DAM with a filename. The order confirmation arrives in their email. Three years later they’ve left the company, their email is archived, and the image is being reused for a new campaign. The team using it doesn’t know there’s a licence to consult. They might assume it’s an in-house asset; they might assume it’s royalty-free. Either assumption is a guess. Require licence metadata at upload — block the upload if the licence type isn’t set, link the contract document, capture the agreement at the moment the asset enters the library.

The asset gets reused on a channel the licence doesn’t cover. “We posted it on Instagram, and then someone took screenshots and used those in a sales deck, and now it’s on the website.” The original licence covered paid social — not the website, and almost certainly not the screenshots being downloaded and republished. Each channel hop dilutes the legal certainty of the use. Filter by channel before approving an asset for a new campaign: if the licence permits web and the campaign is print, the system flags it before the asset gets used.

The licence expires and nobody notices. The asset stays in the library, stays in the campaign, stays on the website. The licence ended six months ago. Nothing flagged it because nothing was watching the date. The team that ran the original campaign moved on; the team running the current campaign assumed the asset was cleared because it’s in the DAM. Automated expiry stops this: flag expiring-soon assets a configurable interval before expiry (30 days is standard), archive expired assets out of active use, and surface a list of currently-published-but-already-expired assets for legal review. If you’ve never audited your library, you don’t actually know which licences are expired; the audit is the first place expired-and-still-published assets surface.

The pattern across all three failures: the rights information separated from the asset somewhere in the workflow. Reconnecting them is operational work. Doing it after the agency’s letter arrives costs a lot more.

The Rights Workflow in a DAM#

A DAM that takes rights seriously enforces metadata at four lifecycle stages. None of these are unique to one platform; they’re patterns any management system can implement.

At upload. Licence metadata is required. The upload doesn’t complete until source, licence type, term, and (if dated) expiry date are populated. The licence document is attached or linked. The contract enters the library at the same time the asset does, which is what prevents the “licence in someone’s email” failure mode.

During use. When an asset is added to a new campaign, the system filters by “licence covers this channel and this territory.” If the licence is rights-managed for web in EMEA and the campaign is print in North America, the asset doesn’t pass the filter. Teams approve overrides explicitly; the override gets logged.

At expiry. An expiring-soon flag fires at a configurable interval (commonly 30 or 60 days). The asset moves to a hold state — still visible, still searchable, but flagged. Once expired, the asset is archived out of active use. From there, teams handle the replacement themselves or through whatever automation they’ve wired up: renew the licence, swap the asset for a cleared one, or pull the campaign use entirely. The expiry flag is the starting point; someone still has to act on it.

At audit. A monthly report surfaces two lists: assets expiring in the next 30 days and assets that are already expired but still published. The second list is the legal-exposure list; that’s the one the compliance team cares about. Quarterly the team reviews the audit report and the override log together.

Brand-restricted assets carry the same workflow rules — the brand library is the most common place this discipline first lands, because brand assets often have explicit usage restrictions (font licences, partner-supplied imagery, restricted logos) that map naturally onto the same metadata model. If the brand library has rights tracking and the rest of the DAM doesn’t, the discipline tends to spread. If neither has it, neither will.

On the platform side: YetOnePro’s custom fields support date types and select types, which is enough to model the seven fields above. The workflow logic — when to flag, when to archive, who gets notified — is something each team configures with the platform’s automation primitives. There’s no out-of-the-box “rights workflow” module that ships with every DAM; the field shape and the workflow logic are usually configured per workspace. That’s the operational reality across most management platforms in the space.

Special Cases (Releases, AI-Generated, UGC, Editorial, GDPR)#

Beyond stock-licensed images, five special cases carry their own rights mechanics. Each one breaks at a different point in the standard workflow.

Talent and property releases. When you commission a shoot, the photographer holds copyright by default unless your agreement transfers it. Separately, the people in the photo and the property in the photo each carry their own consent layer: model release for identifiable people, property release for identifiable buildings or branded objects. Both releases have their own term — some are perpetual, many expire with the campaign. In a DAM, releases sit as a parallel metadata layer alongside the licence — with their own expiry dates, their own permitted-use filters, and their own place in the audit cycle. Studios run this exact pattern: release at shoot time, expire with the campaign, archive when the campaign ends.

AI-generated images. The copyright status of pure AI output is unsettled. The U.S. Copyright Office’s January 2025 guidance(opens in new tab) is that work generated by AI from a text prompt alone is not eligible for copyright — the human-authorship requirement isn’t met by prompt-writing on its own, however detailed the prompt. Work with sufficient human creative input can be copyrighted by the human contributor, but the threshold for “sufficient” is being tested case by case. The UK has a longstanding computer-generated works provision(opens in new tab) (CDPA 1988 s.9(3)) that assigns authorship to the person making the arrangements for the work’s creation; the EU has no equivalent rule on AI-output copyrightability, and the EU AI Act (Regulation 2024/1689)(opens in new tab) mainly adds transparency obligations on training data and outputs — chiefly Article 50 (disclosure of AI-generated and deepfake content) and Article 53 (training-data summaries for general-purpose AI providers). Practical guidance: track which assets in your library are AI-generated, which tool produced them, and what prompts were used. That metadata is the audit trail when the law settles. We wrote about using AI to tag images; the rights questions around AI-generated images are moving faster than most legal teams can track. Worth knowing which assets in your library came from a model.

User-generated content. The implicit licence pattern (“post our hashtag and we might repost”) is fragile. Hashtag participation does not transfer copyright. If a team plans to republish UGC on owned channels, they need explicit permission from the original creator — usually via a reply-to-rights tool or a direct DM with documented consent. The metadata pattern: source = UGC, licence type = explicit-consent, term = whatever the consent message specified. Without that documentation, republishing UGC is unauthorized use even if the original poster used your hashtag.

Editorial-only assets. A common stock-library category. Cleared for journalistic, commentary, or news reporting use; almost never cleared for paid commercial campaigns under standard stock-licence terms. The label is the agreement. Editorial-only images of public figures, news events, or branded products are easy to license and easy to misuse — the failure mode is a marketing team finding an image labelled “editorial” and assuming editorial means “available for editorial-style content” rather than “legal only for editorial use.” Common cause of expensive lawsuits. The metadata fix: source the licence-type field as a select, with `editorial-only` as one option, and add a workflow rule that prevents editorial-only assets from being attached to commercial campaigns.

GDPR and identifiable people. Under EU law (and similar regimes elsewhere), images of identifiable people are personal data. The copyright/licence layer doesn’t cover the data-protection layer: even if you have a licence for the photo, the processing itself needs its own lawful basis under GDPR Article 6, and the subject retains separate rights of access, erasure, and objection. For shoots involving identifiable people in EU-relevant campaigns, record the GDPR legal basis(opens in new tab) alongside the release — consent is one of six bases, and commercial photography often relies on contract or legitimate interest instead. For UGC including faces, the same applies. The General Data Protection Regulation is its own compliance regime; rights metadata can’t replace it but should record the legal basis and release status alongside the licence.

Image DRM. Image-specific digital rights management exists as an enforcement layer: visible and invisible markers, perceptual hashing and reverse-image matching against republished copies, takedown enforcement against republishers. Image DRM enforces a rights answer that’s already been made; it doesn’t replace the licence. A watermark that survives a re-upload to a competitor’s site triggers a takedown request. Hash-matching catches reuse against known-stolen databases. DRM sits below the licence layer; by the time it kicks in, the licence question has already been answered and the job is preventing further unauthorized use. Video DRM is a separate and much larger topic; this article is image-only and the video case is out of scope.

Wiring This Into Your Library#

The shape of the work doesn’t change much across teams. Rights metadata keeps the contract attached to the asset; the workflow keeps the contract attached as the asset moves through campaigns, channels, and time. Everything else — the audit cycle, the expiry flags, the channel filters — exists to make sure those two stay connected.

Two concrete next actions. First, audit the existing library: pull a sample of fifty active assets and check whether each one carries a source, licence type, term, territory, permitted-use list, prohibited-use list, and a link to the licence document. Whatever fraction comes back complete is the baseline; the rest is the backlog. Second, change the upload flow so licence metadata is required at intake and the contract document gets attached at the same time. The audit measures the past; the upload rule keeps the past from repeating.

The unflashy part: rights tracking is mostly metadata discipline, not legal expertise. The legal expertise becomes the expensive part once the discipline has already failed.

Viacheslav Shuranov

Co-Founder at YetOnePro

Entrepreneur and software engineer with 20+ years building products that matter. From payment systems to telemedicine to media encoding, Viacheslav has led technical teams as CTO and Tech Lead across multiple startups. He co-founded YetOnePro to solve the creative workflow problems he encountered firsthand.

Contact author

If you want to leave feedback, suggest an addition, or report something outdated — reach out.

Related Articles

Guide15 min read

Watermark Protection: Sharing Without Losing Control

Guide15 min read

DAM Metadata Taxonomy: How to Tag, Classify, and Organize

Guide14 min read

Creative Asset Audit: Find What You Have Before You Organize It