The Federal Trade Commission (FTC) has long been aggressive in holding businesses accountable for the commitments made to consumers in online privacy policies. Among the related issues that the FTC has revisited over the years is the validity of changing data use practices after a business acquisition or merger.
As early as 2000 in the Toysmart bankruptcy case, the FTC adopted a strict view that an acquirer — even one in a bankruptcy setting — could either not acquire (depending on the transaction structure) or undertake new uses of consumer data collected by an acquired company if the acquired company’s privacy policy did not put provide clear notice to consumers of a proposed change in use. Thus, statements that collected data would “never’ be shared with third parties was taken to mean just that, even following a business acquisition. In the FTC’s view, the acquirer generally must obtain affirmative consent to the proposed possession or new use, as applicable, from the affected consumers.
In a recent public statement by the FTC staff via an FTC Business Blog post on March 25, 2015, the FTC reiterated this view. Referencing Facebook’s acquisition of WhatsApp in late 2014, the FTC staff noted its previous public warnings to Facebook about honoring the privacy promises that WhatsApp had previously made to its users, especially in light of the fact that Facebook’s privacy policies were much less restrictive than those employed by WhatsApp.
The recent FTC statement suggests several options that an acquirer might take following a merger or acquisition:
1. Continue to honor the target company’s privacy promises made before the merger or acquisition.
2. In the event of a material change in privacy practices involving data collected before the closing, inform affected consumers and obtain affirmative consent to the new practices.
3. In the event of a material change in privacy practices involving data collected after the closing, affected consumers must be informed in some prominent manner so that consumers may exercise a choice in the matter, although obtaining affirmative consent to the new practices may not be required.
Notably, the above options were not stated as being the exclusive approaches available, nor did they address the validity of existing statements in a target’s privacy policy about possible changes in the event of an acquisition of the target.
For more information on Consumer Data, contact your Cybersecurity and Data Privacy Counsel at Smith, Gambrell & Russell.