Every company takes a different approach to how it collects, maintains, and shares consumers’ personal information. Companies that want to do right by their customers are careful to explain how they handle that data. That way, consumers will know how their data will be treated.
But what happens when a company changes owners or merges with another entity? Do the representations the company made to consumers before a merger about how their information will be used apply after the merger? Are there limits on how it can be used and shared?
The Commission recognizes that to innovate and keep pace in today’s economy, businesses may acquire other companies or sell business units. However, companies must still live up to their privacy promises. One company’s purchase of another doesn’t nullify the privacy promises made when the data was first collected. When a purchase or acquisition does occur, companies have two choices. They can simply abide by their promises – that is, handle the data as promised when they collected it from consumers. Or, if they want to materially change how they collect, use, or share consumers data, they must get permission from the consumers to whom they made the original promise.
These same rules apply when one company acquires another. For example, Facebook’s acquisition of WhatsApp raised certain privacy issues. WhatsApp had made promises to its users about what data it collected, maintained, and shared – protections that went beyond those promised to Facebook users. The FTC staff made it clear that regardless of the acquisition, WhatsApp must continue to honor its promises to consumers. And if WhatsApp failed to honor these promises, both companies could be in violation of Section 5.
So what should companies do in the event of a merger or acquisition? If you’ve acquired a company or merged with one and are thinking of changing how you handle people’s personal information, here are some options to consider:
- You can continue to honor the privacy promises made to consumers before the merger or acquisition.
- What if you want to materially change your practices for information you collected before the merger – for example, by sharing with third parties information you originally promised would not be shared? To change the privacy promises already made to consumers, you’ll need to inform consumers and get their express affirmative consent to opt in to your new practices.