Customer data is an extremely valuable business asset. It influences how companies communicate with customers, understand purchasing preferences, track time spent interacting with the brand, and identify habits and trends among their target markets. Additionally, user information can be leveraged for laser-focused marketing campaigns and making strategic business decisions about the direction and growth of a company. In view of its value and sensitivity, safeguarding and respecting customer information must be a top priority for all businesses; the guidelines for collection and use of such information is typically set forth in the company’s Privacy Policy.

An important, but often overlooked, component of Privacy Policies are business transfer clauses, which allow businesses to share users' information in the event of a change in business ownership, such as by merger, acquisition, or other proceeding involving the transfer, sale, or divestiture of business assets. Failure to include a suitable business transfer clause can result in violating data privacy provisions (and laws), diminished value of the data, and legal wrangling with the Federal Trade Commission and the courts. In this case, an ounce of prevention is absolutely worth a pound of cure! 

(1) Business Transfer Clauses Help Companies Keep Their Promises

When customers disclose their personal information and authorize its use, they're trusting the receiving company will collect, use, and share it only as set forth in its Privacy Policy. Such restrictive policies may inspire consumer confidence, but they can quickly become an Achilles heel should the business need to transfer its assets -- including valuable customer data – pursuant to transfer of business ownership. Having to secure each customer's affirmative consent prior to "closing the deal" will inevitably create significant delays, impose undue administrative burdens, and generate otherwise avoidable expenses. Including a business transfer clause that carves out an exception for sharing dating in the event of an ownership transfer will eliminate the need for such consent and associated frustrations.

(2) Business Transfer Clauses Help Companies Protect the Value of Customer Data

The value of customer data is on the rise in the digital marketplace and has become an important component of competitive advantage. Arguably, companies with a large warehouse of valuable user information can leverage this data and potentially render themselves more attractive for a lucrative acquisition. However, if the ability to share user information is hindered by an overly restrictive Privacy Policy requiring affirmative consent prior to a data transfer, it may have a chilling effect on the transaction, and may diminish the value of the entire deal.

(3) Business Transfer Clauses Help Companies Steer Clear of the Federal Trade Commission

As the government's consumer protection watchdog, the Federal Trade Commission (FTC) carefully monitors the transfer of customer data as part of business asset transfers to ensure consumers' privacy rights aren't violated. In essence, if the transaction does not fully comply with the terms of the original Privacy Policy, the FTC may block the sale and deem it a deceptive trade practice. This situation is not uncommon in the case of bankruptcies, where the debtor's original Privacy Policy failed to account for transferring data in the event of a bankruptcy asset sale and the FTC and/or the bankruptcy courts had to intervene. This, unfortunately, has played out with some big-name brands including the former Borders book store, education technology company ConnectEDU's bankruptcy, and more recently, high-end cupcake company Crumbs. Because none of these companies included business transfer clauses in their Privacy Policies, their asset sales violated the terms of the original Privacy Policies, resulting in the transactions being riddled with complications, delays, and increased costs.

Practice Points

Privacy Policies are promises to customers that can't be broken without dire financial and legal consequences. Following are a few key points for companies to consider vis-à-vis their Privacy Policies.

  • Draft Privacy Policies that are consistent with business goals and carve-out exceptions for sharing data if there is a transfer of business ownership.
  • Immediately revise and update deficient Privacy Policies to include a well-crafted business transfer clause, and notify customers of the change by sending a Privacy Policy Update email, making online announcements, and/or creating banner ads and popups to spread the word.
  • A point of caution! Be sure to review the original policy, and consider any relevant laws, to determine whether affirmative opt-in consent is required before the change can be fully implemented.