Almost every business has a possibility of one day transferring to another entity due to a sale, merger or restructuring.
Because of this possibility, you should include a Business Transfer clause in your Privacy Policy. This clause will inform your users that their personal data will be transferred to the new business owners when and if an acquisition or merger is completed.
In this article, we will take a look at the legal requirements for a Privacy Policy and, more specifically, the complexities of a Business Transfer clause.
- 1. What is a Privacy Policy?
- 1.1. Global Privacy Policy Laws
- 1.1.1. United States
- 1.1.2. United Kingdom
- 1.1.3. European Union
- 1.1.4. Australia
- 1.1.5. Canada
- 2. Business Transfer Clause
- 2.1. Where to Include a Business Transfer Clause
- 2.2. When to Use a Separate Business Transfer Clause
- 2.3. Allow Users to Opt Out
- 3. Remember
What is a Privacy Policy?
A Privacy Policy is a legal document that discloses the specific ways a business collects, uses, manages, shares and protects personal consumer data. They're typically linked in website footers where users can easily access them to find out about a business's privacy procedures.
As people have become more and more concerned about their privacy and the handling and use of their personal information, privacy laws in countries around the world have been created and enhanced to protect consumers.
Global Privacy Policy Laws
A Privacy Policy is a legal requirement in most countries around the world. It is necessary in order to limit and protect the use of personal information.
You'll need to be aware of laws not only of where you're located, but also the laws of areas where you do business. For example, the GDPR from the EU applies not only to EU businesses, but also to businesses located anywhere in the world that deal with personal information from individuals located in the EU.
Here are a few of the global laws that will impact your Privacy Policy.
United States
In the United States, privacy matters are regulated under the following acts:
- The Cable Communications Policy Act of 1984
- The Americans With Disability Act
- The Computer Fraud and Abuse Act of 1986
- The Children's Internet Protection Act of 2001 (updated 2013)
- The Computer Security Act of 1997
- The Consumer Credit Reporting Control Act
- The Children's Online Privacy Protection Rule (COPPA)
The main privacy law in the US is the California Online Privacy Protection Act (CalOPPA), which requires a Privacy Policy for any business that collects personal information from residents of the state of California.
United Kingdom
In the UK, privacy law is covered by the Data Protection Act 1998 (DPA). This act requires the posting of a Privacy Policy when personal information of individuals in the UK is collected or used, and has 8 data protection principles.
European Union
As of May of 2018, the EU General Data Protection Regulation (GDPR) governs Privacy Policies for websites and apps attracting EU residents.
Australia
In Australia, data privacy law is governed by the Privacy Act of 1988, and this Act requires Australian businesses to have a Privacy Policy.
Canada
In Canada, user data is protected by the Personal Information Protection and Electronic Documents Act (PIPEDA). This Act requires Canadian businesses to have a Privacy Policy.
Business Transfer Clause
A Business Transfer Clause is a necessary component of a Privacy Policy. It should explain data transfer terms, the process for notifying users of changes, and the procedures for protecting and transferring personal data.
In the following example, Slack explains in its Privacy Policy that they may disclose their customers' data if they "engage in a merger, acquisition ... sale of some or all of Slack's assets...."
In Niantic's Privacy Policy, there's a section that lets users know how personal information is disclosed in connection with business transactions such as mergers, acquisitions or asset sales:
Typically, when a business is sold, the user data held by that business will be transferred to the new owner as part of the sale.
However, if a Privacy Policy states that the business will not disclose, share, or sell user information to a third party, then it cannot legally do so.
Additionally, if the business stipulates specific occasions when it might or can sell user data to third parties, then it is bound to those provisions.
Where to Include a Business Transfer Clause
There is no legal mandate for where to display a Business Transfer Clause within a Privacy Policy.
Some organizations simply opt for integrating this information into another clause within their Policy.
A mention in a "Miscellaneous" or "Other Sharing" section within the Privacy Policy may be sufficient.
However, since limiting liability is a goal, it is a good idea to create a dedicated Business Transfer clause if there is any likelihood of a future merger or transfer.
When to Use a Separate Business Transfer Clause
Including a separate Business Transfer Clause is ideal when:
- Trademarks, copyrighted material, trade secrets or highly confidential user data may be impacted.
- The website handles user data that could be personally identifiable, including names, home addresses, telephone numbers, passport numbers, etc.
- A merger or sale of the business or its assets is highly likely.
A separate Business Transfer clause also is ideal when a merger or sale of the business or its assets is highly likely.
Chartbeat's Privacy Policy incorporates a separate Business Transfers clause and clearly names it as such:
In its Business Transfers clause, Chartbeat explains that user information is regarded as a business asset and can be transferred to a new entity should the company be sold in part or in totality.
Reassurance is also provided that the new owner will look after user data as already described in the existing Privacy Policy.
Yelp informs their users that information will be passed to a new owner in the event that the company is sold. They state that the new owner will assume all rights and obligations with respect to that information.
Allow Users to Opt Out
Users may not wish to allow the new business owner to use their personal data, or they may not wish to continue doing business with them. Therefore, before any transfer of ownership of personal user data can take place, it is necessary to allow users the opportunity to opt out and delete all of their data from the app or site.
500px achieves this by informing their users that they can opt out by changing their user profile. There is also a note reminding users that they can opt out of cookies at any time via their web browser.
Remember
Any online business that collects and stores personal user data must have a Privacy Policy, and that Policy should include a Business Transfer Clause, especially if you think youâll possibly ever sell or merge your business.
The Business Transfer clause can appear:
- As a bullet point in the Privacy Policy
- In a subsection of a clause within the Privacy Policy
- As a stand-alone clause with a bold heading
The Business Transfer clause should explain that ownership of personal information will automatically pass to any new owners on completion of the transfer, unless users choose to opt out.
Users must be given prior notice of any impending sale or merger, with clear information about how the new owner will use their data.
Additionally, users must be provided with instructions for opting out of the transfer of or ongoing use of their personal information.
By following these guidelines, an online business can position itself to comply with applicable privacy laws, establish a good rapport with users and limit potential liability.
