Washington, DC - Every company takes a different approach to how it collects, maintains, and shares consumers’ personal information. Companies that want to do right by their customers are careful to explain how they handle that data. That way, consumers will know how their data will be treated.

But what happens when a company changes owners or merges with another entity? Do the representations the company made to consumers before a merger about how their information will be used apply after the merger? Are there limits on how it can be used and shared?

The Commission recognizes that to innovate and keep pace in today’s economy, businesses may acquire other companies or sell business units. However, companies must still live up to their privacy promises. One company’s purchase of another doesn’t nullify the privacy promises made when the data was first collected. When a purchase or acquisition does occur, companies have two choices. They can simply abide by their promises – that is, handle the data as promised when they collected it from consumers. Or, if they want to materially change how they collect, use, or share consumers data, they must get permission from the consumers to whom they made the original promise.   

The Commission has addressed this issue in its enforcement actions, and has made clear that it could be an unfair practice under Section 5 for a company to alter its privacy policies in a way that’s inconsistent with the promises made when the information was collected. For example, in Gateway Learning the company told consumers it wouldn’t share information with third parties. But after collecting consumers’ information, Gateway Learning changed its privacy policy to allow it to share the information with third parties and then proceeded to share the information without notifying consumers or getting their consent. The FTC alleged it was an unfair practice for Gateway to retroactively apply the new privacy policy to information it had collected from consumers when the earlier policy was in effect. 

These same rules apply when one company acquires another. For example, Facebook’s acquisition of WhatsApp raised certain privacy issues. WhatsApp had made promises to its users about what data it collected, maintained, and shared – protections that went beyond those promised to Facebook users. The FTC staff made it clear that regardless of the acquisition, WhatsApp must continue to honor its promises to consumers. And if WhatsApp failed to honor these promises, both companies could be in violation of Section 5.

So what should companies do in the event of a merger or acquisition? If you’ve acquired a company or merged with one and are thinking of changing how you handle people’s personal information, here are some options to consider:

  1. You can continue to honor the privacy promises made to consumers before the merger or acquisition.
  2. What if you want to materially change your practices for information you collected before the merger – for example, by sharing with third parties information you originally promised would not be shared? To change the privacy promises already made to consumers, you’ll need to inform consumers and get their express affirmative consent to opt in to your new practices.
  3. If you plan to change how you use information you collect in the future, you also need to provide consumers with notice of the change and choice about whether to agree it. Simply revising the language in a privacy policy or user agreement isn’t sufficient because existing customers may have viewed the original policy and may reasonably assume it’s still in effect. Although it may not be necessary to provide affirmative express consent, the notice and choice must be sufficiently prominent and robust to ensure that existing customers can see the notice and easily exercise their choices.