By Daniel J. Solove
A recent New York Times article discusses the issue of what happens to your personal data when companies go bankrupt or are sold to other companies:
When sites and apps get acquired or go bankrupt, the consumer data they have amassed may be among the companies’ most valuable assets. And that has created an incentive for some online services to collect vast databases on people without giving them the power to decide which companies, or industries, may end up with their information.
This has long been a problem, and I’m glad to see it receiving some attention. The issue arose in one of the early FTC cases on privacy about 15 years ago.
FTC v. Toysmart
As we continue to develop our business, we might sell or buy stores or assets. In such transactions, customer information generally is one of the transferred business assets. Also, in the unlikely event that Amazon.com, Inc., or substantially all of its assets are acquired, customer information will of course be one of the transferred assets.
Some criticized Amazon for retroactively changing its policy for the data it had already collected and for not allowing people to opt out. But on the positive side, Amazon was at least disclosing to consumers what might happen in the event of a sale or bankruptcy. Not many privacy policies at the time did this.
In an article written more than a decade ago, Collateralizing Privacy, 78 Tulane Law Review 553 (2004), Professor Xuan-Thao Nguyen pointed out that companies were using their customer data as collateral for loans but still retaining privacy policies that promised not to share data with third parties:
Not much attention was given to this issue afterwards, but it appears from the New York Times article that companies have slowly been addressing bankruptcy and sale in their privacy policies.
Privacy Policies Today
According to NYT analysis, “[o]f the 99 sites with English-language terms of service or privacy policies, 85 said they might transfer users’ information if a merger, acquisition, bankruptcy, asset sale or other transaction occurred.” Still, 15% are not including such a provision in their privacy policies (or “privacy statements” as they are often called).
However, merely having such a provision doesn’t address all of the privacy issues. The NYT article goes on to note:
Among the top 100 sites in the Times analysis, at least 17 said they would alert consumers — by, for example, posting a notice on their site — if users’ personal details changed hands. But only Etsy, the crafts e-retailer, Weather.com and a few other sites promised to allow people to opt out of having their data handed over to a third party in certain circumstances.
Additionally, some of these provisions do not ensure that the terms of the privacy policies would still be applied after the data would be transferred. Indeed, one of the privacy policies quoted in the article states that in the event of a bankruptcy or sale, “we may not be able to control how your personal information is treated, transferred, or used.”
At a minimum, I believe that companies should follow the practices below:
1. Privacy policies should disclose whether customer data would be one of the assets transferred in the event of a bankruptcy or sale. Without such a disclosure, privacy policies would likely be deceptive, especially if a company has secured a loan where customer data is used as collateral.
2. Privacy policies should disclose more details about the consequences to a consumer’s data in the event of a bankruptcy and sale. There should be a disclosure about basic consumer rights that will be maintained, restrictions on the use of the data, and restrictions on the type of entity the data can be sold to.
5. Consumers should be notified or alerted in the event their data will be sold in a bankruptcy or sale of the company or its assets. I don’t think that the FTC would find failure to notify to be a violation of Section 5, but notifying consumers would certainly be a good practice in my opinion. More companies should promise to do so.
This post was authored by Professor Daniel J. Solove, who through TeachPrivacy develops computer-based privacy training, data security training, HIPAA training, and many other forms of awareness training on privacy and security topics. This post was originally posted on his blog at LinkedIn, where Solove is a “LinkedIn Influencer.” His blog has more than 900,000 followers.
Professor Solove is the organizer, along with Paul Schwartz of the Privacy + Security Forum (Oct. 21-23 in Washington, DC), an event that aims to bridge the silos between privacy and security.