The New York Times (NYT) sounded an alarm this week with respect to wholesale transfers of consumer data in the context of corporate mergers, acquisitions and bankruptcy transactions. The NYT's research demonstrates that regardless of the promises in a company’s privacy policy, when the company is up for sale all bets are off. The article looks at 100 of the most popular websites, finding that “of the 99 sites with English-language terms of service or privacy policies, 85 said they might transfer users’ information if a merger, acquisition, bankruptcy, asset sale or other transaction occurred.” This should not come as a surprise, given that regardless of industry, consumer data has become one of the most valuable assets a company has to offer. The report states that “data fire sale clauses” have become standard among popular websites, noting that even the NYT’sown privacy policy allows consumers’ information to be included among transferred assets without requiring notification to affected consumers or their consent.
The Rise of the All-Encompassing Privacy Policy
Arguably, the proliferation of broad privacy policies allowing unrestricted data transfers can be traced to the Federal Trade Commission (FTC) enforcement case against Toysmart in 2000. Toysmart, an online retailer of children’s toys, collected personal information about its consumers, including their children’s names and dates of birth. it initially stated in its privacy policy that information collected from consumers would never be shared with third parties. Yet, in May of 2000, the company went bankrupt and announced that it was closing its operations and selling all of its assets—including its detailed customer databases. Soon after this announcement, the FTC filed a complaint against Toysmart, claiming that by offering its customer details for sale, the company violated Section 5 of the FTC Act, misrepresenting in its privacy policy that it would never disclose, sell or offer for sale customers’ personal information to third parties.
Companies reacted to the Toysmart case by revising their privacy policies to avoid placing burdensome restrictions on data transfers. For example, soon after the Toysmart settlement, Amazon added a clause to its privacy policy, referenced by Richard A. Beckmann in Privacy Policies and Empty Promises: Closing the “Toysmart Loophole,” stating as Amazon continued "to develop our business, we might sell or buy stores or assets. In such transactions, customer information generally is one of the transferred business assets. Also, in the unlikely event that Amazon.com, Inc., or substantially all of its assets are acquired, customer information will of course be one of the transferred assets.”
As the NYT article points out, companies continued the trend of writing broad privacy policies, with a majority of today’s popular websites maintaining policies that allow expansive data transfers. The report claims that such “unrestricted data-transfer provisions” offer consumers and regulators little recourse in the case of a pursuant data transfer. Yet this concern is tempered by a string of FTC Section 5 enforcement actions dealing with material changes to uses of previously collected consumer data. These cases hold that even if not deceptive, broadly stated privacy policies that allow for material changes in companies’ use of consumer data constitute an unfair trade practice under Section 5 of the FTC Act. Consequently, operationalizing consumer information pursuant to a corporate sale of control may require obtaining existing consumers’ affirmative opt-in consent.
Material Changes to Privacy Policies and Section 5
In a recent blog post, the FTC discussed how companies should handle existing consumer information in the case of a merger or acquisition. The blog post states “companies must still live up to their privacy promises. One company’s purchase of another doesn’t nullify the privacy promises made when the data was first collected. When a purchase or acquisition does occur, companies have two choices. They can simply abide by their promises—that is, handle the data as promised when they collected it from consumers. Or, if they want to materially change how they collect, use or share consumers data, they must get permission from the consumers to whom they made the original promise.”
The FTC’s position on the issue has precedent. In its 2004 case against Gateway Learning Corp., the FTC challenged a material change to the company’s privacy policy, asserting that despite Gateway’s promises that it would not “sell, rent or loan any personally identifiable information regarding our consumers with any third party unless we receive customers’ explicit consent,” the company started to rent consumers’ personal information—including their names, addresses, phone numbers and their children’s age ranges and genders—to direct-marketing vendors. Although Gateway eventually revised its privacy policy to state that “from time to time” it would provide customers’ personal information to “reputable companies” whose products or services consumers might find of interest, the FTC asserted that Gateway also rented out information collected under the original policy.
In addition to charges that the company’s actions were deceptive, the FTC alleged that posting a revised privacy policy containing material retroactive changes was an unfair practice likely to cause substantial injury to consumers. As part of its settlement agreement, the FTC required Gateway to obtain opt-in consent from individuals prior to implementing any material change to its privacy policy. Therefore, after Gateway, companies that changed their privacy policies to contradict earlier terms were expected to do so with heightened notice and choice for their existing user base. This rationale was later extended to include retroactive changes to privacy settings in the FTC’s case against Facebook.
Recently, the FTC confirmed that the rules established in Gateway apply when one company acquires another. In response to Facebook’s announcement that it was acquiring the massively popular messaging app WhatsApp, the FTC notified the companies of their continued obligation to protect the privacy of their users. In a letter to the two companies, Jessica Rich, director of the FTC’s Bureau of Consumer Protection, noted that before making any material changes to the usage of WhatsApp user data, the companies must get those users’ affirmative opt-in consent. In her letter, Rich states “WhatsApp has made a number of promises about the limited nature of the data it collects, maintains and shares with third parties—promises that exceed the protections currently promised to Facebook users. We want to make clear that, regardless of the acquisition, WhatsApp must continue to honor these promises to consumers.” Rich warned that failure to honor these promises could result in both companies being charged with violations of Section 5 of the FTC Act.
Conclusion
While privacy policies that broadly permit unrestricted sale of consumer data may fall outside the FTC’s authority to bring a deception claim, the FTC could still pursue these cases as an unfair trade practice. Through its enforcement actions, the FTC has made clear that altering a privacy policy in a way that is inconsistent with promises made at the time information was collected can constitute an unfair practice under Section 5 of the FTC Act. To avoid an FTC enforcement action, the FTC suggests companies continue to honor the privacy promises made to consumers, and notify consumers—obtaining express consent when necessary—of any material policy changes. For companies that want to change how information is collected in the future, the FTC stresses that consumers still need to be notified of the change and given a choice about whether they agree to it.
photo credit: eli.pousson via photopincc