While United States statutes that require privacy notices differ in terms of what they require to be included within a privacy notice, none mandate that an organization disclose the fact that information may be shared as part of a merger or acquisition. That said, in 2000 the Federal Trade Commission (FTC) took the position that a company that included a broad statement within its privacy notice that it would not share personal information with third parties could not transfer personal information as part of the sale and/or acquisition of the company unless the acquirer met certain threshold qualifications (e.g., operated in the same industry). Forty-six states, the District of Columbia, and two federal territories took an even more restrictive position that personal information could never be transferred to an acquirer after a company had taken the position that it does not share personal information with third parties. As a result of the positions taken by the FTC and state regulators, most organizations now include a clause within their privacy notices that affirmatively states that personal information may be shared as part of a merger or acquisition. For example:
If another company acquires, or plans to acquire, our company, business, or our assets, we will also share information with that company, including at the negotiation stage.
Like other U.S. privacy statutes, the CCPA does not require that the above disclosure (or any other disclosure) be provided in anticipation of a merger or acquisition. The statute does require that if an acquirer plans to use or share personal information in a manner that is “materially inconsistent” with the promises that were made in the original privacy notice, the acquirer must “provide prior notice of the new or changed practices” to the consumer.