Privacy Law Requirements When Selling an Online Business

When selling your business as part of a bankruptcy, merger, or acquisition process, the personal information you control may be considered an asset. But personal information isn't just any asset: Its sale has implications for your customers' rights and privacy.

Certain rules apply to the sale of personal information under laws such as the California Consumer Privacy Act (CCPA) as amended by the CPRA, EU General Data Protection Act (GDPR), and the U.S. Bankruptcy Code.

The rules under these laws might mean you need to take certain steps before transferring personal information to your company's buyer. Or the law might say that you can't sell your customers' personal information.

In this article, we'll look at the steps all business owners should take before selling personal information as an asset during the sale of their business, and look at some laws that might apply.

Understanding What Personal Information You Control

All businesses must have an up-to-date and comprehensive inventory of all the personal information they collect, store, use, share, or otherwise process.

This personal data inventory is particularly important when selling your business, as you will need to present a detailed inventory of all your company's assets.

You must be able to determine:

• Where your store personal information
• Who owns the personal information
• Whether you are relying on a service provider for the storage of personal information
• How the personal information is organized

If you want to understand how to map all the personal information in your business, read our article Conducting a GDPR Data Audit (this article should still be relevant even if the GDPR doesn't apply to your business).

Understanding Your Customers' Rights

Your company's Privacy Policy or Terms and Conditions agreement likely contains a section listing the third parties with whom you may share personal information, and information about whether or not you will sell your customers' personal information.

Here's an example from THOR Personal Care:

The assertion from THOR that the company will "never" sell its customers' personal information can be considered binding under most circumstances.

If your Privacy Policy contains such a clause, this may prohibit you from selling personal information as an asset in bankruptcy, merger, or acquisition proceedings. There is an exception in the case of U.S. businesses filing for bankruptcy, as we'll see below.

Legal Requirements

We're going to look at three laws that have implications for transferring personal information as an asset when selling your business as part of a bankruptcy, merger, or acquisition process.

U.S. Bankruptcy Code

A key consideration for companies seeking to transfer personal information in the event of bankruptcy is Title 11 of the U.S. Commercial Code (available here), known as the "Bankruptcy Code."

The Code sets out many rules about the bankruptcy process, including those governing the "use, sale, or lease of property." Such "property" includes personal information controlled by the business.

If you're not filing for bankruptcy, or your business isn't subject to U.S. law, the Bankruptcy Code doesn't apply. You can skip ahead to check any other laws that might apply to the sale of your business.

The Bankruptcy Code applies in particular where the legality of the sale of personal information is unclear.

For example, when RadioShack filed for bankruptcy in 2015, it proposed a sale of its customer database to General Wireless. RadioShack's Privacy Policy said it would not sell its customers' personal information under any circumstances. Pursuant to the Bankruptcy Code, the court placed certain restrictions on the sale.

Definition of Personal Information

The Code defines the term "personally identifiable information" (personal information) at 11 U.S. Code § 101(41A), as information that a business collects about an individual in the course of a transaction, including:

• First name (or initial) and last name
• Physical address
• Email address
• Home phone number
• Social security number

The Code also defines the following identifiers as "personally identifiable information" if they are identified in connection with one of the above identifiers:

• Birthdate, birth or adoption certificate number, or place of birth
• Any other information concerning an identified individual that, if disclosed, will result in contacting or identifying such individual physically or electronically

Bear in mind that this is a relatively narrow definition of personal information. If you fall under the scope of any of the other privacy laws mentioned in this article, you should consider how those laws define "personal information" when complying with the Bankruptcy Code.

Consumer Privacy Ombudsman

To sell or lease personal information in the process of a merger or acquisition resulting from bankruptcy, you may need to appoint a consumer privacy ombudsman.

Circumstances in which you might need to appoint a consumer privacy ombudsman include:

• Where your Privacy Policy states that you will not sell or lease consumers' personal information

• Where the trustee taking control of your business requests it, for example, where:

  • You control a lot of personal information
  • There is concern about your company's history of privacy protection
  • You may not have given consumers enough notice of the sale or lease of their personal information

According to Section 332 (b) of the Code, the role of the consumer privacy ombudsman is to provide information to the court about the sale or lease of personal information in the event that there is some question about the legality of the sale.

Selling or Leasing Personal Information

Section 363 of the Bankruptcy Code states that when filing for bankruptcy, you may not "sell, or lease" personal information if you have a Privacy Policy (or other policy) that prohibits you from doing so, unless:

• You have appointed a consumer privacy ombudsman and the court approves the sale or lease of the personal information. The court must:

  • Give "due consideration" to the facts, circumstances, and conditions of the sale or lease, and
  • Find that the sale or lease would not violate any other applicable (non-bankruptcy) law (such as the CCPA/CPRA or GDPR)

California Consumer Privacy Act (CCPA/CPRA)

If your business is subject to the CCPA (CPRA), there are important considerations when transferring personal information as part of the sale of your business.

Many businesses fall under the jurisdiction of the CCPA (CPRA). It applies if you are processing the personal information of California residents, and:

1. Have annual gross revenues exceeding $25 million,
2. Annually buy, sell, receive, or share personal information from at least 100,000 California consumers, households, or devices, or
3. Earn 50 percent or more of your gross annual revenue from selling or sharing personal information

As we explained in CCPA: Does Using Third-Party Cookies Count as Selling Personal Information, this definition may apply to your business if you use third-party tracking cookies and your website generates over 100,000 hits from California per year.

Mergers, Acquisitions, Bankruptcy Under the CCPA (CPRA)

The CCPA (CPRA) sets strict rules about how businesses sell personal information. The Act's definition of "selling" is very broad, as we explain in our article CCPA: What Constitutes a "Sale" of Personal Information?

Broadly speaking, the CCPA (CPRA) defines a "sale" as any disclosure of personal information to a third party for "valuable consideration" (which can include anything that you receive in exchange for the personal information that provides a benefit, including, but not limited to, money).

However, the CCPA/CPRA's definition of "sale" includes a carve-out for when a business transfers personal information as part of a merger or acquisition. Here's the relevant section of the law:

This provision states that "transferring" personal information to a third party as part of a merger, acquisition, or bankruptcy is not a "sale" if the following conditions are met:

• The transfer complies with Section 1798.110 of the CCPA, meaning that:

  • Consumers must be able to exercise their right of access
  • Consumers must be presented with a CCPA-compliant Privacy Policy and notice at collection

• The transfer complies with Section 1798.115 of the CCPA, meaning that:

  • Consumers must be presented with all relevant information regarding the sale of their personal information, or the use of their personal information for business purposes

If the acquiring business uses the personal information in any manner that is "materially inconsistent with the promises made at the time of collection," it must give consumers notice of this and provide an opportunity to opt out.

You should ensure that you obtain a commitment to CCPA (CPRA) compliance from the buyer as part of the sale of your business.

General Data Protection Regulation (GDPR)

The GDPR doesn't specifically address mergers, acquisitions, and bankruptcy, but the law still has significant implications for the disclosure of personal information that occurs as part of the sale of a business.

Even if your business has no presence or employees in the EU, you'll still likely need to comply with the GDPR in respect of any personal information you have obtained from people in the EU.

Here are some of the relevant considerations under the GDPR when transferring personal information to a buyer as part of the sale of an online business.

Purpose Limitation

The GDPR's principle of "purpose limitation" requires that you only process personal information for the purposes for which you originally collected it and that you do not process it for incompatible further purposes.

If your buyer intends to use your customers' personal information for a new purpose that is incompatible with the purpose for which you collected it, this will not normally be possible under the "purpose limitation" principle.

For more information, see our article 6 Privacy Principles of the GDPR.

Legal Basis

Under the GDPR, you may only process personal information under one of the six legal bases for processing. There are different implications for the sale of your business depending on the legal basis on which you're processing your customers' personal information.

• Consent: Consent must be specific and informed. If you're relying on consent for the processing of your customers' personal information, the buyer will likely need to refresh consent for processing. However, note that it might not be lawful for the buyer to even contact your customers.
• Legitimate interests: If you're relying on legitimate interests, you should have carried out a three-part legitimate interests assessment before collecting your customers' personal information. This test is context-specific and may not be relevant to your buyer.
• Contract: If relying on the lawful basis of "contract," your processing of customers' personal information is necessary for you to carry out your obligations under the contract. If this contract continues after you have sold your business, then the buyer may have grounds to continue processing.

For more information, see our article Lawful Basis for Processing Under the GDPR.

Third-Country Transfers

The GDPR contains strict rules about the transfer of personal information to "third countries," i.e., jurisdictions outside of the EU. If your business is located inside the EU, and your buyer is located outside of the EU, this may present a serious issue for any transfer of personal information.

If the buyer is located in a third country with a current adequacy decision, then there is no issue and the transfer of personal information may go ahead. Otherwise, you will need to consider whether you can rely on one of the GDPR's mechanisms for making international transfers.

The only transfer mechanism that is likely to be appropriate is Standard Contractual Clauses (SCCs). These are clauses adopted by the European Commission, that you can insert agreement between your business and the buyer. SCCs guarantee you and the buyer will apply certain standards to the processing of the personal information.

For more information, see our article Transferring Personal Data Out of the EU.

Summary

We've looked at some rules regarding transferring personal information as an asset during the process of selling your business.

• Bankruptcy Act: If your business is subject to U.S. law and your sale comes as the result of a bankruptcy, ensure your Privacy Policy or Terms and Conditions permit you to sell your consumers' personal information. If not, you'll need to appoint a privacy ombudsman to consider whether the sale can proceed.
• CCPA (CPRA): Transferring personal information as part of a bankruptcy, merger, or acquisition process isn't prohibited under the CCPA, but you may need to give notice, offer the opportunity to opt out, or place restrictions on the buyer's use of the personal information.
• GDPR: Complying with the GDPR means considering your legal basis for processing customers' personal information, abiding by the principles of data processing, and restricting transfers of personal information outside of the EU. These factors may prohibit the sale of your customers' personal information as an asset.