Why personal data is at risk when a company is sold or goes down

Douglas Crawford

Douglas Crawford

July 9, 2015

In today’s data-hungry world, even fairly innocuous technology companies collect a considerable about of information about us – our billing details, login locations, and often a great deal about our internet usage habits. When dealing with a company that we trust, and which has a privacy policy that…well… ‘respects our privacy’, this may not bother us too much.

A question most of us rarely consider, however, is what happens to our data if a company goes bankrupt, or is bought by another company that may have far less respect for our privacy?

The answer is… it depends. But a worryingly large number of websites now specifically contain a clause in their privacy policy stating that user data may be included in assets transferred in the event of a bankruptcy, acquisition, merger, asset sale or such like event.

A recent survey by the New York Times, in fact, found that out of the 99 sites with English-language terms of service or privacy policies listed by Alexa as the top 100 websites in the US, 85 included such a clause. These include internet luminaries that harbor huge amounts of highly personal data on just about all of us, including Facebook, Google, Apple, Amazon and LinkedIn.

Hulu is another exemplary case in point. Despite its privacy policy loudly proclaiming in the opening sentence that Hulu ‘respects your privacy,’ it then proceeds to outline how it logs data,

This information may include your IP address, device and software characteristics (such as type and operating system), location, activity on the Hulu Services including title selections and watch history, page views, ad data, referral URLs, network state, device identifiers or other unique identifiers such as advertising identifiers (e.g., “ad-ID” or “IDFA”), and carrier information.

Additional data is collected though cookies and ‘similar technologies’ (Flash cookies and HTML5 web storage are specifically mentioned), through social networking data, and other third party sources,

We may collect information about you from other sources, such as data aggregators, public databases, and our business partners. This may include information about your interests, demographic data, purchasing behavior, and your activities online (such as websites visited and advertisements viewed).

Wow… that is a lot of data! But, hey, we can trust Hulu to keep it safe can’t we? Well, maybe while Hulu is fully operational we can, although its privacy policy lists a large number of ways in which data is already shared with all sorts of partners, social networks, service providers, third party advertisers and so on (albeit mainly ‘in aggregated or de-identified forms’). Hidden deep within the long document, however, is this,

If we sell all or part of our business, make a transfer of assets, or are otherwise involved in a change of control transaction, or in the unlikely event of bankruptcy, we may transfer information from or about you to one or more third parties as part of the transaction.

And that’s it… absolutely no guarantees are made about what happens to your data subsequent to such an event.

The mass of data that all modern internet services collect about their customers as a matter of course these days (and Hulu is not alone here), in fact represents one of their major assets. It can provide a very detailed picture of an individual’s likes, dislikes, sexual preferences, religious views, health and fitness, addictions, and (most importantly of all), spending habits.

This kind of information is pure gold to web companies and marketers, who use it to deliver ever more personalized and targeted (and therefore higher yield) advertising to consumers. As executive director of, Marc Rotenberg, observes,

‘In effect, there’s a race to the bottom as companies make representations that are weak and provide little actual privacy protection to consumers.

In 2012, dating website filed for bankruptcy and attempted to sell its database of 43 million members to an unnamed ‘Canadian-based online dating service.’ This sale of huge amounts of incredibly personal and potentially damaging data was blocked by the Texas Attorney General on the grounds that,

 Debtor’s privacy policy contains ambiguities as to whether Customers will have a right to opt-out or opt-in to consent to the transfer of their PII.  The Attorney General believes this ambiguity should be construed against the Debtor and thus an opt-in procedure is required.

The cynical lesson that other internet companies were quick to take from this incident was to explicitly state in their privacy policy or Terms of Service that data collected about their customers is an asset that can be transferred in the event of a ‘business transaction.’ As users have agreed to these terms when they agree to a company’s’ ToS, this sale cannot be blocked.

Of the Alexa top 100 sites surveyed by the NYT, only 17 said they would alert users if their data was sold (such as by posting a message on their website). Only Etsy,, ‘and a few other sites’ promised users the option to opt-out of their data being sold-on in the event of a ‘business transaction.’

The big question of then, of course, is what can we do about this terrible situation? Unfortunately the short answer ‘not very much’. Even if we take the time to wade through the ridiculously long and deliberately obtuse Terms of Service for every service that we use (an almost impossible task in itself) in order to determine if they are up to something sneaky (they almost all are!), then… what?

If we want to use the service then we have to agree to its ToS. Okay then, so why not just go elsewhere? Well, not only is it often very difficult to just choose to use another service (for example, if all your friends are on Facebook, and have no intention of going elsewhere), but (as the NYT survey demonstrates) they are all at it, and are just about as bad as each other!

What you can do is, where possible, signup to services and websites using a pseudonym, false personal information, and a dummy email address (although this will be stymied if you need to provide billing details). You can also use VPN to hide your true IP address, and anti-tracking browser extensions and tweaks to limit the amount of cross-site tracking performed by websites you visit (and therefore data collected about you.)

A real solution, however, would require meaningful legislation aimed at protecting internet users’ data, but as just about every government is in the pocket of big business, this is very unlikely to happen…

Your Information will never be shared with any third party.
Enter your email address to receive your Beginner's Guide to Online Security for Free
You'll also receive great privacy news and exclusive software deals!
Enter your email to get the ebook:
Your Information will never be shared with any third party.
Enter your email address to receive your Ultimate Online Privacy Guide eBook!
You'll also receive great privacy news and exclusive software deals!
Enter your email to get the eBook:
Special VPN Deal
Exclusive Offer
Get a Special Deal - 72% OFF!
With a biannual subscription
Exclusive Offer for Visitors!
50% Off Annual Plan
Limited Time Only
Exclusive price of
Exclusive Offer
Get NordVPN for only