01 February 2020
Users trust you with their data and that duty does not go away when you transfer your company's assets to another company.
Often referred to a "Business Transfer" clause, this clause explains data transfer terms, notice requirements, and generally states that the new entity will have access to user data.
When you look these over, you can see that this is good business.
Users can feel reassured that their use of your app will not breach private information. If they submit user names, email addresses or other essential data needed to make an app work for them, they can go forward knowing that you will keep it secure and confidential.
CalOPPA (California Online Privacy Protection Act) has been in effect in the United States since 2004.
Because of the global nature of online business, the likelihood of someone from California finding your website or mobile app is so high that it's a safe bet to assume that you need to be CalOPPA-compliant.
CalOPPA has a short list of requirements for what must be included in this type of legal agreement, as seen below, including information on how users will be notified of any updates to the policy itself:
In Canada, PIPEDA (Personal Information Protection and Electronic Documents Act) strives to protect users' privacy by dictating how personal information can be handled.
Under PIPEDA, an organization must do the following to be compliant:
Other global privacy laws are in place, all of which strive to protect the personal information of users and emphasize the importance of letting users know what your practices are when it comes to collecting and using their personal information.
It's so common in the business world to buy and sell assets, including mobile apps.
Mergers and acquisitions happen regularly, and the business of building a start-up mobile app from something new into something big and then having it bought by a larger company happens all the time.
When this happens and a mobile app changes hands, what happens to all of the collected personal information?
This transfer of personal information that occurs when a business ownership is transferred can cause issues and concerns over the privacy of that personal information.
This can also be an issue if a business shuts its doors permanently, or shuts down and then reopens as a new brand, transferring personal information from users of the old business to the database of the new business.
What rights does the business have when it comes to the personal information collected from users? What rights do individuals have when it comes to the protection and privacy of their personal information?
Consider the Toysmart.com incident where Toysmart filed for bankruptcy and sought to sell all of its assets, including the database of user information it had collected.
Any changes in data collection, use, etc., could only be done after notice was provided to customers and their opt-in affirmative consent was given.
A similar issue happened with Crumbs - a baked goods company - that went out of business.
Crumbs sought to sell their intellectual property, including names, phone numbers, and addresses of customers and users.
Include an exception that says you will transfer or sell the personal information you've collected if you sell the company, go out of business, or merge with another company.
The New York Times looked at the top 100 websites in the United States as ranked by Alexa and found that 85 of these websites included language in their Terms of Service or Privacy Policies that said "they might transfer users' information if a merger, acquisition, bankruptcy, asset sale or other transaction occurred."
The "Business Transfer" clause takes many different forms. It's often found in:
How conspicuous you make your "Business Transfer" clause depends on your preferences.
Many companies decide to integrate it with other sections for brevity purposes. Others give it a separate section because the chance of transfer or merger seems high, especially if the app is popular and has potential to be sold.
Here are a few examples of Privacy Policies from different businesses and how they include a clause that addresses what happens to personal information of users in the event of a business transaction.
This is likely due to the fact that SurveyMonkey not only handles corporate trade secrets through its products but also the personal information and data of survey respondents.
Chartbeat, which offers publishing services, also handles data and material subject to copyright protection.
With a separate provision addressing "Business Transfers", it explains that user information is considered a business asset and it can transfer to a new entity if Chartbeat sells all or part of its assets.
Other companies are more casual about their "Business Transfer" clauses and do not give them a separate section.
These companies will include the clause in another section but still label it pretty conspicuously.
One example is [email protected]. It offers music designed to assist with concentration.
Offering both enterprise and individual accounts, it collects email and credit card information. It will also accept feedback on the type of music a user found most conducive to efficient workflow.
The app is in a continuous state of data collection that is allowed through user consent early in the sign-up process for the service.
In that clause, it explains that a user's email address and visit information will be part of the transferred business assets:
Spotify is another music service that is very well known with a large user base. It allows users to create playlists and share them through social media connections, like Facebook.
A comparison of these SaaS services shows that the more sensitive the data, the more likely that the "Business Transfer" clause will have its own section.
SurveyMonkey and Chartbeat are more likely to handle trade secrets or copyrighted material than Spotify and [email protected], which explains why they made their clauses related to selling the company, including its users data, more obvious.
A clause like this lets users know that the terms in this policy regarding treatment of personal information will be upheld by a third party that may obtain this information from Seedrs, but that their information may be transferred in certain circumstances.
Note that there's no mention of the information being sold for any purpose - just transferred. This could potentially be an issue in the event of bankruptcy if Seedr attempted to sell personal information as Toysmart and Crumbs had done.
This section includes a clause titled Merger, financing or sale that says that kik may share or sell personal information in a number of circumstances including mergers, financing, dissolution transactions, bankruptcy and more.
Hightail also offers a breakdown on the right side of the policy where a simple summary of the clauses can be found.
Users here are told that while their data may be sold, shared or transferred under certain circumstances such as mergers, reorganizations or bankruptcy, notification will be given to the transfer.
There are 8 different bullet-points in this clause, with the 2nd one being Business Transfers. Here, 500px lets users know that their personal information is considered to be a business asset and may be sold or transferred along with other assets "in some cases."
This is vague but still allows 500px to have room to sell or transfer personal information as assets.
Adding more specific language for circumstances that may arise, like "bankruptcy, mergers, sale of business" as we've seen in other Privacy Policies is a good idea just for added clarity.
Note that there's no mention here of circumstances like bankruptcy. If Asana were to go out of business and attempt to sell its database of user's personal information, they would probably not be able to do so.
When making decisions regarding your "Business Transfer" clause you need to consider the sensitivity of the data you collect.
Consider giving this clause its own section if:
Another reason you may want to have a separate "Business Transfer" section is if your company is looking at a merger or sale of its assets.
If your app is especially popular but could benefit from the wider reach of a larger company, you may wish to make the clause more obvious to users in the event of a sale.
Even if these plans do not materialize, you have the perfect better-safe-than-sorry situation since you're unlikely to face impacts from making this clause clear to your users.
No matter your circumstances, you'll want to consider the following best practices when it comes to data and the possibility of a business transfer:
Reasonable notice generally.
When you add the "Business Transfer" clause or clarify a current one, you'll want to notify your users in an efficient manner.
Email, banner ads, and other online announcements are normally sufficient.
Notice of the sale or merger.
You do not want to spring the change of ownership on your users. That often causes feelings of resentment that will not benefit the reputation of your company's leadership or the value of the asset just purchased by the new entity.
Allow for opt-out.
Users may not wish to continue business with the new entity. Before the transfer of ownership, and user data, is complete, give users the chance to opt-out and delete all of their data.
Double-check for a "Business Transfer" clause:
This is especially important if you're handling more user data than you did when you first started the SaaS app or if you believe a transfer or sale is imminent.
This kind of clause, usually called "Business Transfer", protects your interests by reassuring your users and also allowing for the transfer of user data in case your company has an opportunity it cannot refuse.
This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.