29 March 2021
When selling your business as part of a bankruptcy, merger, or acquisition process, the personal information you control may be considered an asset. But personal information isn't just any asset: Its sale has implications for your customers' rights and privacy.
The rules under these laws might mean you need to take certain steps before transferring personal information to your company's buyer. Or the law might say that you can't sell your customers' personal information.
In this article, we'll look at the steps all business owners should take before selling personal information as an asset during the sale of their business, and look at some laws that might apply.
All businesses must have an up-to-date and comprehensive inventory of all the personal information they collect, store, use, share, or otherwise process.
Check out our free tools for website owners:
This personal data inventory is particularly important when selling your business, as you will need to present a detailed inventory of all your company's assets.
You must be able to determine:
If you want to understand how to map all the personal information in your business, read our article Conducting a GDPR Data Audit (this article should still be relevant even if the GDPR doesn't apply to your business).
Here's an example from THOR Personal Care:
The assertion from THOR that the company will "never" sell its customers' personal information can be considered binding under most circumstances.
We're going to look at three laws that have implications for transferring personal information as an asset when selling your business as part of a bankruptcy, merger, or acquisition process.
A key consideration for companies seeking to transfer personal information in the event of bankruptcy is Title 11 of the U.S. Commercial Code (available here), known as the "Bankruptcy Code."
The Code sets out many rules about the bankruptcy process, including those governing the "use, sale, or lease of property." Such "property" includes personal information controlled by the business.
If you're not filing for bankruptcy, or your business isn't subject to U.S. law, the Bankruptcy Code doesn't apply. You can skip ahead to check any other laws that might apply to the sale of your business.
The Bankruptcy Code applies in particular where the legality of the sale of personal information is unclear.
The Code defines the term "personally identifiable information" (personal information) at 11 U.S. Code § 101(41A), as information that a business collects about an individual in the course of a transaction, including:
The Code also defines the following identifiers as "personally identifiable information" if they are identified in connection with one of the above identifiers:
Bear in mind that this is a relatively narrow definition of personal information. If you fall under the scope of any of the other privacy laws mentioned in this article, you should consider how those laws define "personal information" when complying with the Bankruptcy Code.
To sell or lease personal information in the process of a merger or acquisition resulting from bankruptcy, you may need to appoint a consumer privacy ombudsman.
Circumstances in which you might need to appoint a consumer privacy ombudsman include:
Where the trustee taking control of your business requests it, for example, where:
According to Section 332 (b) of the Code, the role of the consumer privacy ombudsman is to provide information to the court about the sale or lease of personal information in the event that there is some question about the legality of the sale.
You have appointed a consumer privacy ombudsman and the court approves the sale or lease of the personal information. The court must:
If your business is subject to the CCPA, there are important considerations when transferring personal information as part of the sale of your business.
Many businesses fall under the jurisdiction of the CCPA. It applies if you are processing the personal information of California residents, and:
As we explained in CCPA: Does Using Third-Party Cookies Count as Selling Personal Information, this definition may apply to your business if you use third-party tracking cookies and your website generates over 50,000 hits from California per year.
The CCPA sets strict rules about how businesses sell personal information. The Act's definition of "selling" is very broad, as we explain in our article CCPA: What Constitutes a "Sale" of Personal Information?
Broadly speaking, the CCPA defines a "sale" as any disclosure of personal information to a third party for "valuable consideration" (which can include anything that you receive in exchange for the personal information that provides a benefit, including, but not limited to, money).
However, the CCPA's definition of "sale" includes a carve-out for when a business transfers personal information as part of a merger or acquisition. Here's the relevant section of the law:
This provision states that "transferring" personal information to a third party as part of a merger, acquisition, or bankruptcy is not a "sale" if the following conditions are met:
The transfer complies with Section 1798.110 of the CCPA, meaning that:
The transfer complies with Section 1798.115 of the CCPA, meaning that:
If the acquiring business uses the personal information in any manner that is "materially inconsistent with the promises made at the time of collection," it must give consumers notice of this and provide an opportunity to opt out.
You should ensure that you obtain a commitment to CCPA compliance from the buyer as part of the sale of your business.
The GDPR doesn't specifically address mergers, acquisitions, and bankruptcy, but the law still has significant implications for the disclosure of personal information that occurs as part of the sale of a business.
Even if your business has no presence or employees in the EU, you'll still likely need to comply with the GDPR in respect of any personal information you have obtained from people in the EU.
Here are some of the relevant considerations under the GDPR when transferring personal information to a buyer as part of the sale of an online business.
The GDPR's principle of "purpose limitation" requires that you only process personal information for the purposes for which you originally collected it and that you do not process it for incompatible further purposes.
If your buyer intends to use your customers' personal information for a new purpose that is incompatible with the purpose for which you collected it, this will not normally be possible under the "purpose limitation" principle.
For more information, see our article 6 Privacy Principles of the GDPR.
Under the GDPR, you may only process personal information under one of the six legal bases for processing. There are different implications for the sale of your business depending on the legal basis on which you're processing your customers' personal information.
For more information, see our article Lawful Basis for Processing Under the GDPR.
The GDPR contains strict rules about the transfer of personal information to "third countries," i.e., jurisdictions outside of the EU. If your business is located inside the EU, and your buyer is located outside of the EU, this may present a serious issue for any transfer of personal information.
If the buyer is located in a third country with a current adequacy decision, then there is no issue and the transfer of personal information may go ahead. Otherwise, you will need to consider whether you can rely on one of the GDPR's mechanisms for making international transfers.
The only transfer mechanism that is likely to be appropriate is Standard Contractual Clauses (SCCs). These are clauses adopted by the European Commission, that you can insert agreement between your business and the buyer. SCCs guarantee you and the buyer will apply certain standards to the processing of the personal information.
For more information, see our article Transferring Personal Data Out of the EU.
We've looked at some rules regarding transferring personal information as an asset during the process of selling your business.