When a Company Gets Sold, Your Data May Be Sold, Too 92
An anonymous reader writes: A new report points out that many of the top internet sites have language in their privacy policies saying that your private data might be transferred in the event of an acquisition, bankruptcy sale, or other transaction. They effectively say, "We won't ever sell your information, unless things go bad for us." 85 of the top 100 websites in the U.S. (ranked by Alexa), had this sort of language, including Amazon, Apple, Facebook, Google, Hulu, and LinkedIn. (RadioShack did this recently.) "The potential ramifications of the fire sale provisions became clear two years ago when True.com, a dating site based in Plano, Tex., that was going through a bankruptcy proceeding, tried to sell its customer database on 43 million members to a dating site based in Canada. The profiles included consumers' names, birth dates, sexual orientation, race, religion, criminal convictions, photos, videos, contact information and more. Because the site's privacy policy had promised never to sell or share members' personal details without their permission, Texas was able to intervene to stop the sale of customer data, including intimate details on about two million Texans." But with this new language, users no longer enjoy that sort of protection. Only 17 of the top 100 sites even say they will notify customers of the data transfer. Only a handful allow users to opt out.
File this under "no big surprise:" (Score:5, Insightful)
Re:File this under "no big surprise:" (Score:4, Interesting)
Reason #43385634 why I try to minimize my exposure by refusing to give as much personal information as I can as often as I can. Paying in cash for day-to-day transactions helps out a lot too.
No kidding.
With regard to True, I once used their service, very briefly. And then, a year later, I started getting all kinds of spam to the email address I had created just for that one account. Mind you, I literally had given this email address to only one entity, ever...the True website. I ended up just re-creating the email account and blackholing it.
So either they had a breach (and didn't report it) or they sold the email address in violation of their own agreement. Since there are criminal legal consequences to not reporting a breach of PII and there have been many studies that indicate that companies (especially ones that are failing) violate their own privacy terms, I think the latter is more likely.
Re: (Score:2)
Cue the "Why not both" girl...
Re: (Score:2)
You do know that any agreement can be changed by the company with or without notifying a consumer. This happens enough that is is not unusual.
Scott McNeally, the CEO of Sun Microsystems, said that "Privacy is dead" when the Internet hit mainstream. He was correct and anyone who thinks differently really is living in an unreal world.
POTUS Obama has proposed (and is going about to accomplished) placing all the USA health records "online" or "in the Cloud". This will make everyone's HIPPA and PII available to the entire world. This goes beyond USA companies contracting the paperwork to foreign companies. POTUS Obama has simplified the process for pirates to have your data. And no one complains.
Your point has one problem; as of the time when True went out of business, the "we don't share information" part of their terms of service as still in effect.
Oh, and you misspelled HIPAA, in your quest to make this about the ACA. And also used it correctly...there is no "HIPAA and PII", it's just PII, which happens to be governed by a law called HIPAA. You'll do a lot better trying to convince others of your conspiracy theory if you can get the basic terms straight. Just sayin'.
Re: (Score:2)
Exactly that.
It seems slashdot editors are short of news if this comes to first page.
In other news, water is wet. News at 11.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Re: (Score:3)
Yeah, there a laws specifically forbidding this in the EU for a reason.
Re: (Score:2)
Re: (Score:2)
I agree, and I more or less expect surprises.
Re: (Score:2)
This is why private data about EU citizens must be stored in the EU, or the company storing it outside needs to sign a special contract with the EU (which has some extra US law to back it, so it isn't just a normal contract).
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
My guess is that most slashdotters would happily go along with doing away with cash.
Your guess would be dead wrong, at least for this slashdotter.
Re: (Score:2)
Help me I'm a blindly trusting Millenial! (Score:1, Funny)
Oh why why why did I trust crappy companies? Because all my peers were doing it? Is the Internet a gateway drug??
Re: (Score:2)
The obvious solution is to just make sure they never go out of business. Too big to fail.
The company gets to keep profiting off of you, and you get to keep providing them with data that will help further their profiting off of you. Win-win!
Re:Help me I'm a blindly trusting Millenial! (Score:5, Insightful)
Or require that the entity purchasing an asset out of bankruptcy also inherits the contracts binding that asset. If my landlord goes bankrupt I don't get to say "Woo! Free house!" and ignore the terms of my contract with the landlord, why should whoever takes over after the landlord not be bound by the terms of the contract either?
Re: (Score:2)
Then perhaps it should be.
"Too much personal data to fail" (Score:2)
The obvious solution is to just make sure they never go out of business. Too big to fail.
I think you maybe mean "Too much personal data to fail"... which is an incredibly disturbing thought.
Just remember who decides... (Score:2)
I think you maybe mean "Too much personal data to fail"... which is an incredibly disturbing thought.
Not really - remember that it is your government who decides which companies are too important to fail. So just make sure that you use websites that your politicians use and you should be fine!
How is this new? (Score:5, Insightful)
This has been known for years. Those privacy promises do not survive bankruptcy, and your personal information they promised never to sell becomes another asset to be disposed of.
This has been happening for years. Don't want your personal information sold, don't provide it to them.
Even their privacy policies which say they'll never sell it will have legal language which says "unless we change our mind".
The promises by corporations to play nicely aren't legally binding and can be changed on a whim. I'm pretty sure we've seen other examples of this over the last decade.
Unless there are actual laws preventing this, any promises are pretty much worthless.
Some countries have enacted privacy laws, but I'm pretty sure the US never would -- because that would limit corporations.
This might finally becoming plain to everybody else, but the vast majority of people here should already know this.
Re: (Score:2)
Agreed. Can we file this under:
No Shit, Sherlock
Re: (Score:2)
Agreed. Can we file this under:
No Shit, Sherlock
Given that the editors can't even manage to file stories with "Ask Slashdot" in the title under the "Ask Slashdot" section (I'm looking at you Timothy!), I would have to say probably not.
Re: (Score:2)
The question is not, does it happen (we all know it does), but should it happen, and should we be quiet about it.
Re: (Score:2)
This article is valid and delivers more data to the subject.
It's always a great thing to remind individuals of language within these site's terms of service. Due to the fact that I don't have time to find to comb through terms of service, this particular language was new to me. In general, most of us know that data on the internet isn't safe is a good assumption.
I give a thumbs up to the author.
Well... duh. (Score:4, Insightful)
This has been an issue with any Internet business, be it a cloud provider, dating service, or someone who services vend-a-goat machines. When they go bankrupt, no contracts are honored, and the data falls to the buyer of the company or the physical servers, and can be used, without restriction, by the new party. For example, if a cloud computing service goes bankrupt, the next owner of the physical servers can make a multi-terabyte torrent of the contents, there is nothing the former clients can do about the data legally.
The only real solution to this is having part of the bankruptcy law changed to mandate supervised destruction of all data as part of the handover of servers.
Re: (Score:3)
In other news... (Score:4, Funny)
* A clear sky is blue
* The sun will rise tomorrow
* A bear...
That's normal business transaction (Score:5, Insightful)
Re: (Score:3)
Except that the company never told people nobody else would ever have the fish tank in the hall.
If we only set a string precedent... (Score:3)
"..Because the site's privacy policy had promised never to sell or share members' personal details without their permission,..."
Sounds like we could charge the corporate officers with 2 million counts of fraud at least.
If we actually set a strong precedent of punishing site owners for their cavalier disregard for the promises made, I suspect this wouldn't be something we'd have much worry about.
Re: (Score:2)
They can easily change the agreement by updating the TOS and have a statement in said link that continued use of the site constitutes acceptance of the new terms. For a bankrupt company, that would be enough legal CYA to prevent any judge from ever piercing the corporate veil.
Re: (Score:2)
This led me to wonder about the following scenario:
- You sign up with SomeCompany.com and enter some personal information. They promise never to sell your information.
- You stop using SomeCompany.com.
- SomeCompany.com updates their TOS saying "We can now sell your info. Your continued use of this site is acceptance of this new TOS."
- You still d
Re: (Score:2)
"..Because the site's privacy policy had promised never to sell or share members' personal details without their permission,..."
Sounds like we could charge the corporate officers with 2 million counts of fraud at least.
If we actually set a strong precedent of punishing site owners for their cavalier disregard for the promises made, I suspect this wouldn't be something we'd have much worry about.
Who are you going to charge when the business has closed its doors and a bankruptcy court is discharging its assets to creditors?
Re: (Score:2)
If the corporate officers aren't DEAD, then they should still be culpable.
In the particular context of data, it's their choice whether or not they retain that data in a way that it could be sold. If at the end of the day the site fails, the business fails, and they go into bankruptcy, it's entirely their choice to preserve that data and sell it to mitigate their losses OR to destroy it based on their previous commitment to do so.
Now, I recognize that a bankruptcy court might frown on that as destruction of
Duh. (Score:3)
Most also say they can chance the agreement at any time. An agreement that one party can change at any time doesn't really mean anything anyway.
Like when comparnies change their Privacy Policy.. (Score:3)
...and make no mention as to what happens to your data that they captured under their previous privacy policy.
Business Asset (Score:1, Flamebait)
It's a business asset and as such can be transferred and despite the terms of service and policies set forth, a bankruptcy judge can pretty much throw that away if it means getting revenue for creditors and bond holders. In a lot of cases, the value of customer data can be considered significant, why do you think WhatsApp was so valuable to Facetard?
It's also boggling that people still think that terms and conditions actually protect them in any way, shape or form. They don't, they describe your "
There is no privacy when you don't control data (Score:2, Insightful)
The same goes for any cloud application.
Sale of a company (Score:4, Insightful)
Clauses like this allow data to be transferred to the new company running the business. Many of these agreements state that the company the purchases the data will be bound by the privacy provision of the rest of the privacy policy. For example many privacy agreement state that personal data will not be used for marketing. The new owner would also be bound by that policy. Here is Google's policy;
If Google is involved in a merger, acquisition or asset sale, we will continue to ensure the confidentiality of any personal information and give affected users notice before personal information is transferred or becomes subject to a different privacy policy.
Without this provision it would be much more difficult to sell a company or merge with another company. I am sure that the value of Google with it's user base is much more than the value of Google with no users.
Duh (Score:2)
When a Company Gets Sold, Your Data May Be Sold, Too
Duh. Are poster and editor new - to like everything?
Please don't confuse (Score:4, Interesting)
Your data = "data which you fully control", usually a part of the data on your HDD. Its getting less and less year after year.
Data about you = "data you use as payment for 'free' services"
Duh. (Score:2)
And why did you _every_ think it was otherwise.
If you care, code your data. This is easy to do with small spelling variations. Some address correction systems get rid of them but you can get it through if you're creative. Then you can track the flow of your data. It's fun. But there is no privacy. Welcome to 1984 all over again.
Re: (Score:3)
All these companies have almost no other valuable assets than your data to begin with!
Bingo. These companies make money collecting your data. It's their biggest asset, and that asset will be sold if the company is sold.
Assets (Score:2)
When buying a company, part of what you're buying are their assets, both tangible and intangible. This is NOT exclusive to just modern internet companies. Go anywhere as far back in history as you'd like. When one company buys another, why would they NOT transfer over customer account records?
Just imagine the inverse for a second... The company you're doing business with gets bought out, but are not allowed to transfer over their records. You walk into that business the next day, and before you can even do
Re: (Score:1)
You expect them to pass along the customer records if they transfer a business unit to another company, for the reason you stated. You don't expect those records to be separately sold as an asset in-and-of-themselves.
Re: (Score:2)
The cat is out of the bag (Score:3, Informative)
It's already too late for us early adopters. Our information is out there and can't be claimed back now.
For example, up to a year ago I used a cloud storage service to store some files (fortunately encrypted) that I didn't want to lose, tax records and statements in PDF format. I found a better alternative so copied all of the files before deleting them and then asking the company to close the account. Fast forward a year and my "better alternative" announced that they were going out of business so I contacted the first company. I couldn't create a new account because it was keyed to my email address which was already in the system so they offered to reopen the old account. When I closed the account I still had several months left on the subscription and they kindly credited those to the reopened account. When I first logged in I was shocked to find that not only had they restored my physical address in the account info but also my credit card info. They also had helpfully restored all of the files that I had stored in the account. Remember, I deleted them before closing but they pulled them out of the backup from the day before I closed. That now has me thinking about both companies. The one that is still in business but doesn't delete backup copies and personal information of deleted accounts, and the one that went out of business that, presumably, had the same sort of info. Who now owns the databases with my credit card info and the backup tapes with my data?
The only two things to learn from this story are, encrypt whatever and wherever you can, and chose companies that you think (hope) are in there for the long haul.
Re: (Score:2)
It's already too late for us early adopters.
I don't know about that. Google, Facebook and other services 'real names' policies are a relatively recent feature of on-line services. Back when I began setting acounts up, I used throw-away e-mail addresses, pseudonyms and other tactics which are increasingly discouraged. Having put my files and other info. out there encrypted, I feel relatively secure in knowing that all a service provider will have to sell is unintelligable binary blobs.
Re: (Score:2)
While you obviously see it as a privacy issue, and I agree it is, many people would probably see what you experienced as great service. The fact that you could close your account and then re-open it and not have to go through the trouble of re-uploading all the data and reconfiguring all your payment information would probably be seen as a great feature by many people.
My cousin lost her phone, and upon getting a new one was very thankful that all her contacts got restored onto the new phone. She didn't car
Re: (Score:1)
I agree with you. It was actually very useful to me too that they did such a diligent job of restoring everything. My point, and warning, was that, even though I deleted my files myself and then closed the account the files were still "out there" on backup tapes etc. I wasn't too concerned for myself because everything was encrypted twice (encrypted files on encrypted disk images, yes I'm paranoid but it was tax data). What occurred to me after reading this Slashdot article is that someone could store unenc
And the 15%? (Score:2)
85 of the top 100 websites
So the 15 out of a 100 websites:
-destroy your data upon merger/bankrupsy/...
-don't collect any data about you
-lie