Privacy policies with an escape hatch

Many technology companies including Hulu, are adopting data fire sale clauses, allowing private consumer information to be sold to third parties if the company is ever sold or goes bankrupt.
Many technology companies including Hulu, are adopting data fire sale clauses, allowing private consumer information to be sold to third parties if the company is ever sold or goes bankrupt. NYT

The privacy policy for Hulu, a video-streaming service with about 9 million subscribers, opens with a declaration that the company “respects your privacy.”

That respect could lapse, however, if the company is ever sold or goes bankrupt. At that point, according to a clause several screens deep in the policy, the host of details that Hulu can gather about subscribers – names, birth dates, email addresses, videos watched, device locations and more – could be transferred to “one or more third parties as part of the transaction.” The policy does not promise to contact users if their data changes hands.

Provisions such as that act as a sort of data fire sale clause. They are becoming standard among the most popular sites, according to a recent analysis by The New York Times of the top 100 websites in the United States as ranked by Alexa, an Internet analytics firm.

Of the 99 sites with English-language terms of service or privacy policies, 85 said they might transfer users’ information if a merger, acquisition, bankruptcy, asset sale or other transaction occurred, The Times’ analysis found. The sites with these provisions include prominent consumer technology companies such as Amazon, Apple, Facebook, Google and LinkedIn, in addition to Hulu.

“It’s ‘we are never going to sell your data, except if we need to or sell the company,’” Hal F. Morris, the assistant attorney general of Texas, said about industry practices.

Hulu declined to comment.

Sites, apps, data brokers and marketing analytics firms are gathering more and more details about people’s personal lives – from their social connections and health concerns to the ways they toggle between their devices. The intelligence is often used to help tailor online experiences or marketing pitches. Such data can also potentially be used to make inferences about people’s financial status, addictions, medical conditions, fitness, politics or religion in ways they may not want or like.

When sites and apps get acquired or go bankrupt, the consumer data they have amassed may be among the companies’ most valuable assets. And that has created an incentive for some online services to collect vast databases on people without giving them the power to decide which companies, or industries, may end up with their information.

“In effect, there’s a race to the bottom as companies make representations that are weak and provide little actual privacy protection to consumers,” said Marc Rotenberg, the executive director of the Electronic Privacy Information Center, a nonprofit research center in Washington.

Little recourse

The potential ramifications of the fire sale provisions became clear two years ago when, a dating site based in Plano, Texas, that was going through a bankruptcy proceeding, tried to sell its customer database on 43 million members to a dating site based in Canada. The profiles included consumers’ names, birth dates, sexual orientation, race, religion, criminal convictions, photos, videos, contact information and more.

Because the site’s privacy policy had promised never to sell or share members’ personal details without their permission, Texas was able to intervene to stop the sale of customer data, including intimate details on about 2 million Texans.

“That is the type of information that people were entitled not to have trafficked and sold to the highest bidder,” said Morris, the Texas assistant attorney general. “I think it’s an important safety issue for consumers.”

If privacy policies contain unrestricted data-transfer provisions, however, consumers and government authorities have little recourse.

Among the top 100 sites in the Times analysis, at least 17 said they would alert consumers – by, for example, posting a notice on their site – if users’ personal details changed hands. But only Etsy, the crafts e-retailer, and a few other sites promised to allow people to opt out of having their data handed over to a third party in certain circumstances.

Jordan Breslow, Etsy’s general counsel, said that enabling the site’s members to control their personal information tallied with the company’s values of respect for consumer trust.

Odd coincidences

After one data-driven service buys another, it can leave consumers questioning how their details will be used. Unless the company has made a previous promise to inform them, or the data is specifically regulated by a law such as the federal Video Privacy Protection Act, sites and apps generally do not need to be notified about transfers of their information.

Last year, for instance, Facebook bought WhatsApp, the stand-alone messaging service, for nearly $22 billion. Subsequently, some people who regularly used both services, such as Neil Kirkpatrick, a digital project manager in Berkhamsted, England, began to notice some odd coincidences.

“Added someone to my iPhone contacts to chat on @WhatsApp and now Facebook is recommending them as a friend,” Kirkpatrick wrote on Twitter recently.

In a phone interview, Kirkpatrick said he had not permitted Facebook access to his contact list and had set his Facebook profile to prevent people outside his network from using his phone number to locate him. So he did not understand how Facebook could have connected him to new contacts on WhatsApp.

“They could do a lot more to be upfront and honest about what information they have on you and where they are getting it,” Kirkpatrick said. “It doesn’t feel like you are in control of your own data.”

Jonathan Thaw, a Facebook spokesman, said Facebook did not use contact information from WhatsApp. He added that Facebook used a variety of factors – such as mutual friends, work and education information – to suggest friends.

WhatsApp did not respond to emails seeking comment.

Fire sale clauses

Some sites first adopted fire sale clauses after the Federal Trade Commission in 2000 sued, a bankrupt online toy retailer, for deceptive practices regarding data gleaned from its site visitors. Toysmart was seeking to sell customer details – including their children’s names and birth dates – even though the company’s privacy policy had promised never to share that information with third parties.

In an effort to avoid similar complaints, other sites began claiming the right to sell or share user data as part of business transactions.

It’s a trend that is likely to widen as companies introduce new Internet-enabled products, such as connected cars and video cameras, which can collect and transmit a constant stream of data to the cloud.

Rather than wade through companies’ data-use policies before registering with websites, however, many people simply click the agree button.

“I think society views it as what you have to do to get to the next page of the website,” said Elise S. Frejka, a lawyer who served as the consumer privacy ombudsman in the recent RadioShack bankruptcy case.