Federal and state privacy laws do not expressly prohibit most acquirers (e.g., acquirers of a retail brand) from internally transferring the target’s data for use by affiliated companies. That said, in 2000 the Federal Trade Commission took the position that a company which had included a broad statement within its privacy notice that it would not share personal information with third parties could not transfer personal information as part of the sale and/or acquisition of the company unless the acquirer met certain threshold qualifications (e.g., hailed from the same industry).1 Forty-six states, the District of Columbia, and two federal territories took an even more restrictive position that the information could never be transferred to an acquirer.2 As a result of the positions taken by the FTC and state regulators, as a best practice most organizations now include a clause within their privacy notices that affirmatively states that personal information may be shared as part of a merger or acquisition. For example, many companies include a provision along the following lines:
“If another company acquires, or plans to acquire, our company, business, or our assets, we will also share information with that company, including at the negotiation stage.”
If the target has a disclosure similar to the above, the acquirer arguably can take and disseminate to corporate affiliates the personal information collected by the target consistent with federal and (most) state laws.
This result is largely consistent with the approach taken by the California Consumer Privacy Act. The CCPA broadly defines the term “sale” as including the act of “disclosing” or “making available” personal information “for monetary or other valuable consideration” from one business to another.3 The CCPA includes an exception to the sale of information, however, in situations in which information is transferred as part of an acquisition in which the acquirer “assumes control of all or part of” the target.4 In those situations the Act permits internal transfers to occur without classifying those transfers as “sales” so long as the information is “shared” consistently with the target’s privacy notice.5 On a going forward basis (i.e., post acquisition) the CCPA’s rules concerning affiliate sharing likely apply. Under those rules, an entity that is owned by another entity is considered a separate business unless the two companies “share common branding.”6 For the purposes of the statute “common branding” is defined as a “shared name, servicemark, or trademark.”7
The net result is that if a privacy notice states that information can be shared between and among acquirers and affiliates, such sharing is arguably permitted at the time of acquisition. On a go-forward basis, at least in California, the target would need to share common-branding with the acquirer in order to continue the sharing of information without raising the possibility that such continued use constitutes the “sale” of information for which an opt-out right would need to be given. That said, an amendment to the CCPA deferred the full impact of the Act upon employee data until January 1, 2021.8