When a Company Gets Sold, Your Data May Be Sold, Too

An anonymous reader writes: A new report points out that many of the top internet sites have language in their privacy policies saying that your private data might be transferred in the event of an acquisition, bankruptcy sale, or other transaction. They effectively say, "We won't ever sell your information, unless things go bad for us." 85 of the top 100 websites in the U.S. (ranked by Alexa), had this sort of language, including Amazon, Apple, Facebook, Google, Hulu, and LinkedIn. (RadioShack did this recently.) "The potential ramifications of the fire sale provisions became clear two years ago when True.com, a dating site based in Plano, Tex., that was going through a bankruptcy proceeding, tried to sell its customer database on 43 million members to a dating site based in Canada. The profiles included consumers' names, birth dates, sexual orientation, race, religion, criminal convictions, photos, videos, contact information and more. Because the site's privacy policy had promised never to sell or share members' personal details without their permission, Texas was able to intervene to stop the sale of customer data, including intimate details on about two million Texans." But with this new language, users no longer enjoy that sort of protection. Only 17 of the top 100 sites even say they will notify customers of the data transfer. Only a handful allow users to opt out.

The cat is out of the bag

[daq+man]

It's already too late for us early adopters. Our information is out there and can't be claimed back now.

For example, up to a year ago I used a cloud storage service to store some files (fortunately encrypted) that I didn't want to lose, tax records and statements in PDF format. I found a better alternative so copied all of the files before deleting them and then asking the company to close the account. Fast forward a year and my "better alternative" announced that they were going out of business so I contacted the first company. I couldn't create a new account because it was keyed to my email address which was already in the system so they offered to reopen the old account. When I closed the account I still had several months left on the subscription and they kindly credited those to the reopened account. When I first logged in I was shocked to find that not only had they restored my physical address in the account info but also my credit card info. They also had helpfully restored all of the files that I had stored in the account. Remember, I deleted them before closing but they pulled them out of the backup from the day before I closed. That now has me thinking about both companies. The one that is still in business but doesn't delete backup copies and personal information of deleted accounts, and the one that went out of business that, presumably, had the same sort of info. Who now owns the databases with my credit card info and the backup tapes with my data?

The only two things to learn from this story are, encrypt whatever and wherever you can, and chose companies that you think (hope) are in there for the long haul.