You not only need the right language - the Business Transfer clause - in your Privacy Policy, but you must also be prepared to give users notice when you decide to sell your application or company.
Users trust you with their data and that duty does not go away when you transfer your company's assets to another company.
A provision you must include in your Privacy Policy addresses what will happen if your company has the opportunity to merge with another or sell its assets entirely.
Often referred to as a "Business Transfer" clause, this clause explains data transfer terms, notice requirements, and generally states that the new entity will have access to user data.
In those cases, your users will still require reassurance that the new entity will respect their data in the same way you did under the original Privacy Policy.
Privacy Policy agreements are a good business investment (and a legally required agreement) because the agreement informs users what to expect regarding the use of their personal data on the app.
For example, SurveyMonkey explains in its Privacy Policy page that the data you collect from a survey and the email addresses of respondents are held in confidence:
When you look these over, you can see that this is good business.
Users can feel reassured that their use of your app will not breach private information. If they submit user names, email addresses or other essential data needed to make an app work for them, they can go forward knowing that you will keep it secure and confidential.
CalOPPA (California Online Privacy Protection Act) has been in effect in the United States since 2004.
It requires any website or mobile app that collects personal information from users in the state of California to post a Privacy Policy.
Because of the global nature of online business, the likelihood of someone from California finding your website or mobile app is so high that it's a safe bet to assume that you need to be CalOPPA-compliant.
CalOPPA has a short list of requirements for what must be included in this type of legal agreement, as seen below, including information on how users will be notified of any updates to the policy itself:
In Canada, PIPEDA (Personal Information Protection and Electronic Documents Act) strives to protect users' privacy by dictating how personal information can be handled.
Under PIPEDA, an organization must do the following to be compliant:
- Obtain consent before collecting, using or sharing personal information from users,
- Only use legal and fair methods and means when collecting personal information, and
- Provide an easy-to-understand, easy-to-find Privacy Policy to users that clearly breaks down your policies.
Other global privacy laws are in place, all of which strive to protect the personal information of users and emphasize the importance of letting users know what your practices are when it comes to collecting and using their personal information.
It's common in the business world to buy and sell assets, including mobile apps.
Mergers and acquisitions happen regularly, and the business of building a start-up mobile app from something new into something big and then having it bought by a larger company happens all the time.
When this happens and a mobile app changes hands, what happens to all of the collected personal information?
The transfer of personal information that occurs when ownership of a business is transferred can cause issues and concerns over the privacy of that personal information.
This can also be an issue if a business shuts its doors permanently, or shuts down and then reopens as a new brand, transferring personal information from users of the old business to the database of the new business.
What rights does the business have when it comes to the personal information collected from users? What rights do individuals have when it comes to the protection and privacy of their personal information?
Consider the Toysmart.com incident where Toysmart filed for bankruptcy and sought to sell all of its assets, including the database of user information it had collected.
Toysmart's Privacy Policy had included a clause that stated that any information collected from customers would never be shared with third parties.
The court here held that the information could not be sold on its own, but under a settlement agreement, Toysmart would be able to sell the database information as part of an entire business package, which includes the entire website. Only a qualified buyer could make the purchase, and the terms and clauses of Toysmart's Privacy Policy were to be followed by the new buyer.
Any changes in data collection, use, etc., could only be done after notice was provided to customers and their opt-in affirmative consent was given.
A similar issue happened with Crumbs - a baked goods company - that went out of business.
Crumbs sought to sell their intellectual property, including names, phone numbers, and addresses of customers and users.
Crumbs' Privacy Policy stated that customer information would be shared only in one of three scenarios:
- If compelled to do so by order of a duly-empowered governmental authority,
- If express permission of the consumer was given, or
- If it would be necessary in order to process transactions and provide Crumbs' services.
Bankruptcy or financial issues were not included in this list of exceptions, and the court found that the sale of the personal information would violate Crumbs' original Privacy Policy.
If your Privacy Policy says you won't share or sell information to a third party, you can't legally do it. If you list specific circumstances when you can sell information to a third party, you're limited to those circumstances.
The main takeaway here is that what you put in your Privacy Policy matters, and you must adhere to it.
It's important to have a thorough Privacy Policy.
The "Business Transfer" clause
Including a "Business Transaction" clause in your Privacy Policy is a common way of informing users of what your policy and practice are for transferring personal data in the event of a business transaction such as a merger, a sale of the business, a re-brand, or a complete shut-down.
Include an exception that says you will transfer or sell the personal information you've collected if you sell the company, go out of business, or merge with another company.
The New York Times looked at the top 100 websites in the United States as ranked by Alexa and found that 85 of these websites included language in their Terms of Service or Privacy Policies that said "they might transfer users' information if a merger, acquisition, bankruptcy, asset sale or other transaction occurred."
The "Business Transfer" clause takes many different forms. It's often found in:
- Its own section
- A general section in the Terms & Conditions agreement regarding mergers, acquisitions, bankruptcies, dissolution of the company or other similar events
- A mention in "Other Sharing" or a "Miscellaneous" section
- As part of a section regarding personally identifiable information and third parties
How conspicuous you make your "Business Transfer" clause depends on your preferences.
Many companies decide to integrate it with other sections for brevity purposes. Others give it a separate section because the chance of transfer or merger seems high, especially if the app is popular and has potential to be sold.
Your decision regarding this clause in your Privacy Policy depends on the particular circumstances of your app, but also the sensitivity of the data you collect.
Examples of "Business Transfer" clauses
Here are a few examples of Privacy Policies from different businesses and how they include a clause that addresses what happens to personal information of users in the event of a business transaction.
SurveyMonkey's Privacy Policy agreement is not only specific about the fact that data will transfer to the new entity if there's a change of ownership structure, but also adds that it will notify any relevant data protection agencies.
This is likely due to the fact that SurveyMonkey not only handles corporate trade secrets through its products but also the personal information and data of survey respondents.
Chartbeat, which offers publishing services, also handles data and material subject to copyright protection.
Its Privacy Policy addresses data security as well as how personal information regarding authors and other participants in its platform is managed.
With a separate provision addressing "Business Transfers", it explains that user information is considered a business asset and it can transfer to a new entity if Chartbeat sells all or part of its assets.
Chartbeat's "Business Transfer" clause explains this possibility and also, that the new entity will handle the data the same way as already set forth in Chartbeat's original Privacy Policy before the sale or merger:
Other companies are more casual about their "Business Transfer" clauses and do not give them a separate section.
These companies will include the clause in another section but still label it pretty conspicuously.
One example is Focus@Will. It offers music designed to assist with concentration.
Offering both enterprise and individual accounts, it collects email and credit card information. It will also accept feedback on the type of music a user found most conducive to efficient workflow.
The app is in a continuous state of data collection that is allowed through user consent early in the sign-up process for the service.
Focus@Will's Privacy Policy agreement includes its "Business Transfer" clause in a section "How We Share Your Information."
In that clause, it explains that a user's email address and visit information will be part of the transferred business assets:
Spotify is another music service that is very well known with a large user base. It allows users to create playlists and share them through social media connections, like Facebook.
Like other SaaS apps, it also collects email addresses, social media information, and credit card information for premium accounts, but it also takes the general approach and explains its business transfer policies under a section titled "Other Sharing" from its Privacy Policy:
A comparison of these SaaS services shows that the more sensitive the data, the more likely that the "Business Transfer" clause will have its own section.
SurveyMonkey and Chartbeat are more likely to handle trade secrets or copyrighted material than Spotify and Focus@Will, which explains why they made their clauses related to selling the company, including its users' data, more obvious.
Seedrs includes a section titled "Changes of Business Ownership and Control" within its Privacy Policy. This section is separate from the section directly preceding it titled We Will Not Share Your Personal Data.
This clause acknowledges that the business may at some point expand, be reduced, or be sold, either in whole or in part. Personal data will be transferred to the new owner or controlling party, and that new owner or party will have to adhere to the terms of this Privacy Policy.
A clause like this lets users know that the terms in this policy regarding treatment of personal information will be upheld by a third party that may obtain this information from Seedrs, but that their information may be transferred in certain circumstances.
Note that there's no mention of the information being sold for any purpose - just transferred. This could potentially be an issue in the event of bankruptcy if Seedrs attempted to sell personal information as Toysmart and Crumbs had done.
The Privacy Policy of kik has a linked section titled Information We Share.
This section includes a clause titled Merger, financing or sale that says that kik may share or sell personal information in a number of circumstances including mergers, financing, dissolution transactions, bankruptcy and more.
Hightail has a Business transfers section in its Privacy Policy that's very short and to the point.
Hightail also offers a breakdown on the right side of the policy where a simple summary of the clauses can be found.
Users here are told that while their data may be sold, shared or transferred under certain circumstances such as mergers, reorganizations or bankruptcy, notification will be given of the transfer.
500px includes a Sharing Your Information clause within its Privacy Policy.
There are 8 different bullet-points in this clause, with the 2nd one being Business Transfers. Here, 500px lets users know that their personal information is considered to be a business asset and may be sold or transferred along with other assets "in some cases."
This is vague but still allows 500px to have room to sell or transfer personal information as assets.
Adding more specific language for circumstances that may arise, like "bankruptcy, mergers, sale of business" as we've seen in other Privacy Policies is a good idea just for added clarity.
Asana places a clause within the "How We Share Your Information" section of its Privacy Policy. This clause is titled "In Connection With a Sale or Change of Control" and outlines how if the ownership of Asana changes either fully or substantially, personal information will be transferred to the new owner.
Note that there's no mention here of circumstances like bankruptcy. If Asana were to go out of business and attempt to sell its database of users' personal information, it would probably not be able to do so.
The right approach for a "Business Transfer" clause
When making decisions regarding your "Business Transfer" clause you need to consider the sensitivity of the data you collect.
Consider giving this clause its own section if:
- You're likely to be exposed to trade secrets, trademarks, and copyrighted material
- You handle personally identifiable information from users like names, addresses, social security numbers, and telephone numbers
- Your app manages private communication between individuals that could be privileged
Another reason you may want to have a separate "Business Transfer" section is if your company is looking at a merger or sale of its assets.
If your app is especially popular but could benefit from the wider reach of a larger company, you may wish to make the clause more obvious to users in the event of a sale.
Even if these plans do not materialize, you have the perfect better-safe-than-sorry situation since you're unlikely to face impacts from making this clause clear to your users.
No matter your circumstances, you'll want to consider the following best practices when it comes to data and the possibility of a business transfer:
- Reasonable notice generally.
When you add the "Business Transfer" clause or clarify a current one, you'll want to notify your users in an efficient manner.
Email, banner ads, and other online announcements are normally sufficient.
For a good example, check out how Microsoft covered its Privacy Policy changes.
- Notice of the sale or merger.
You do not want to spring the change of ownership on your users. That often causes feelings of resentment that will not benefit the reputation of your company's leadership or the value of the asset just purchased by the new entity.
Just as you would inform users of any changes in your Terms & Conditions or Privacy Policy, also keep them in the loop when your company sells off its assets or merges with a new entity.
- Allow for opt-out.
Users may not wish to continue business with the new entity. Before the transfer of ownership and user data is complete, give users the chance to opt out and delete all of their data.
- Double-check for a "Business Transfer" clause.
Even if you are mostly certain that your Privacy Policy contains one, review it again to make sure.
This is especially important if you're handling more user data than you did when you first started the SaaS app or if you believe a transfer or sale is imminent.
It's also good to reconsider how you present the "Business Transfer" clause in your Privacy Policy agreement, in case making it more visible is a better option given your current circumstances.
This kind of clause, usually called "Business Transfer", protects your interests by reassuring your users and also allowing for the transfer of user data in case your company has an opportunity it cannot refuse.
Since your business circumstances can change quickly, it's a good idea to audit your Privacy Policy now to confirm that it contains this essential clause.