Slashdot Mirror
When a Company Gets Sold, Your Data May Be Sold, Too
An anonymous reader writes: A new report points out that many of the top internet sites have language in their privacy policies saying that your private data might be transferred in the event of an acquisition, bankruptcy sale, or other transaction. They effectively say, "We won't ever sell your information, unless things go bad for us." 85 of the top 100 websites in the U.S. (ranked by Alexa), had this sort of language, including Amazon, Apple, Facebook, Google, Hulu, and LinkedIn. (RadioShack did this recently.) "The potential ramifications of the fire sale provisions became clear two years ago when True.com, a dating site based in Plano, Tex., that was going through a bankruptcy proceeding, tried to sell its customer database on 43 million members to a dating site based in Canada. The profiles included consumers' names, birth dates, sexual orientation, race, religion, criminal convictions, photos, videos, contact information and more. Because the site's privacy policy had promised never to sell or share members' personal details without their permission, Texas was able to intervene to stop the sale of customer data, including intimate details on about two million Texans." But with this new language, users no longer enjoy that sort of protection. Only 17 of the top 100 sites even say they will notify customers of the data transfer. Only a handful allow users to opt out.
Reason #43385634 why I try to minimize my exposure by refusing to give as much personal information as I can as often as I can. Paying in cash for day-to-day transactions helps out a lot too.
This has been known for years. Those privacy promises do not survive bankruptcy, and your personal information they promised never to sell becomes another asset to be disposed of.
This has been happening for years. Don't want your personal information sold, don't provide it to them.
Even their privacy policies which say they'll never sell it will have legal language which says "unless we change our mind".
The promises by corporations to play nicely aren't legally binding and can be changed on a whim. I'm pretty sure we've seen other examples of this over the last decade.
Unless there are actual laws preventing this, any promises are pretty much worthless.
Some countries have enacted privacy laws, but I'm pretty sure the US never would -- because that would limit corporations.
This might finally becoming plain to everybody else, but the vast majority of people here should already know this.
Lost at C:>. Found at C.
This has been an issue with any Internet business, be it a cloud provider, dating service, or someone who services vend-a-goat machines. When they go bankrupt, no contracts are honored, and the data falls to the buyer of the company or the physical servers, and can be used, without restriction, by the new party. For example, if a cloud computing service goes bankrupt, the next owner of the physical servers can make a multi-terabyte torrent of the contents, there is nothing the former clients can do about the data legally.
The only real solution to this is having part of the bankruptcy law changed to mandate supervised destruction of all data as part of the handover of servers.
* A clear sky is blue
* The sun will rise tomorrow
* A bear...
When you sell a business as a whole, you sell its inventory, credits, debits and running contracts. If you want to do that differently than you have to stipulate. But then the business's value will be different. Private customer information is as much inventory as is the fish tank in the hall.
I hadn't the slightest objection to his spending his time planning massacres for the bourgeoisie... (P.G. Wodehouse)
"..Because the site's privacy policy had promised never to sell or share members' personal details without their permission,..."
Sounds like we could charge the corporate officers with 2 million counts of fraud at least.
If we actually set a strong precedent of punishing site owners for their cavalier disregard for the promises made, I suspect this wouldn't be something we'd have much worry about.
-Styopa
Most also say they can chance the agreement at any time. An agreement that one party can change at any time doesn't really mean anything anyway.
...and make no mention as to what happens to your data that they captured under their previous privacy policy.
Clauses like this allow data to be transferred to the new company running the business. Many of these agreements state that the company the purchases the data will be bound by the privacy provision of the rest of the privacy policy. For example many privacy agreement state that personal data will not be used for marketing. The new owner would also be bound by that policy. Here is Google's policy;
If Google is involved in a merger, acquisition or asset sale, we will continue to ensure the confidentiality of any personal information and give affected users notice before personal information is transferred or becomes subject to a different privacy policy.
Without this provision it would be much more difficult to sell a company or merge with another company. I am sure that the value of Google with it's user base is much more than the value of Google with no users.
Or require that the entity purchasing an asset out of bankruptcy also inherits the contracts binding that asset. If my landlord goes bankrupt I don't get to say "Woo! Free house!" and ignore the terms of my contract with the landlord, why should whoever takes over after the landlord not be bound by the terms of the contract either?
If I have been able to see further than others, it is because I bought a pair of binoculars.
Your data = "data which you fully control", usually a part of the data on your HDD. Its getting less and less year after year.
Data about you = "data you use as payment for 'free' services"
It's already too late for us early adopters. Our information is out there and can't be claimed back now.
For example, up to a year ago I used a cloud storage service to store some files (fortunately encrypted) that I didn't want to lose, tax records and statements in PDF format. I found a better alternative so copied all of the files before deleting them and then asking the company to close the account. Fast forward a year and my "better alternative" announced that they were going out of business so I contacted the first company. I couldn't create a new account because it was keyed to my email address which was already in the system so they offered to reopen the old account. When I closed the account I still had several months left on the subscription and they kindly credited those to the reopened account. When I first logged in I was shocked to find that not only had they restored my physical address in the account info but also my credit card info. They also had helpfully restored all of the files that I had stored in the account. Remember, I deleted them before closing but they pulled them out of the backup from the day before I closed. That now has me thinking about both companies. The one that is still in business but doesn't delete backup copies and personal information of deleted accounts, and the one that went out of business that, presumably, had the same sort of info. Who now owns the databases with my credit card info and the backup tapes with my data?
The only two things to learn from this story are, encrypt whatever and wherever you can, and chose companies that you think (hope) are in there for the long haul.
All these companies have almost no other valuable assets than your data to begin with!
Bingo. These companies make money collecting your data. It's their biggest asset, and that asset will be sold if the company is sold.