March 1, 2021

Volume XI, Number 60

Advertisement

March 01, 2021

Subscribe to Latest Legal News and Analysis

February 26, 2021

Subscribe to Latest Legal News and Analysis

What Step Do Most Businesses Take in Their Privacy Policies to Avoid M&A Issues From Arising?

While United States statutes that require privacy notices differ in terms of what they require to be included within a privacy notice, none mandate that an organization disclose the fact that information may be shared as part of a merger or acquisition.[1] That said, in 2000 the Federal Trade Commission (FTC) took the position that a company that included a broad statement within its privacy notice that it would not share personal information with third parties could not transfer personal information as part of the sale and/or acquisition of the company unless the acquirer met certain threshold qualifications (e.g., operated in the same industry).[2] Forty-six states, the District of Columbia, and two federal territories took an even more restrictive position that personal information could never be transferred to an acquirer after a company had taken the position that it does not share personal information with third parties.[3] As a result of the positions taken by the FTC and state regulators, most organizations now include a clause within their privacy notices that affirmatively states that personal information may be shared as part of a merger or acquisition. For example:

If another company acquires, or plans to acquire, our company, business, or our assets, we will also share information with that company, including at the negotiation stage.

Like other U.S. privacy statutes, the CCPA does not require that the above disclosure (or any other disclosure) be provided in anticipation of a merger or acquisition. The statute does require that if an acquirer plans to use or share personal information in a manner that is “materially inconsistent” with the promises that were made in the original privacy notice, the acquirer must “provide prior notice of the new or changed practices” to the consumer.[4]


[1] Cal. Civ. Code 1798.115(c)(1), (2), 1798.130(a)(5)(C)(i), (ii).

[2] See First Amended Complaint, Civ. Action No. 00-11341 at ¶ 6 (D. Mass. 2000).

[3] Alaska, Arizona, Arkansas, California, Colorado, Connecticut, Delaware, the District of Columbia, Georgia, Hawaii, Idaho, Illinois, Indiana, Iowa, Kansas, Kentucky, Louisiana, Maine, Maryland, Michigan, Minnesota, Mississippi, Missouri, Montana, Nevada, New Hampshire, New Jersey, New Mexico, North Carolina, North Dakota, Northern Mariana Islands, Ohio, Oklahoma, Oregon, Pennsylvania, Rhode Island, South Carolina, Tennessee, Utah, Vermont, Virgin Islands, Virginia, Washington, West Virginia, Wisconsin, and Wyoming filed a joint objection. See Docket No. 180, In re Toysmart.com, Case No. 00-14995 (D. Mass. Aug. 3, 2000). New York and Texas filed separate objections. See Docket No. 172, In re Toysmart.com, Case No. 00-14995 (D. Mass. Aug 3, 2000).

[4] Cal. Civ. Code 1798.140(ad)(2)(C).

Advertisement
©2020 Greenberg Traurig, LLP. All rights reserved. National Law Review, Volume XI, Number 22
Advertisement
Advertisement

TRENDING LEGAL ANALYSIS

Advertisement
Advertisement

About this Author

David A. Zetoony Privacy Attorney Greenberg Traurig
Shareholder

David Zetoony, Co-Chair of the firm's U.S. Data, Privacy and Cybersecurity Practice, focuses on helping businesses navigate data privacy and cyber security laws from a practical standpoint. David has helped hundreds of companies establish and maintain ongoing privacy and security programs, and he has defended corporate privacy and security practices in investigations initiated by the Federal Trade Commission, and other data privacy and security regulatory agencies around the world, as well as in class action litigation. 

David receives regular recognitions from clients and peers for...

303.685.7425
Advertisement
Advertisement