What happens if the company goes bankrupt and someone else buys the IP including the data? Can they do whatever they want with the data? Without some enforceable legal restrictions here the data seems to be at risk.
IANAL and I don't claim to understand any of this well, but I would naively assume that if Company A collected data under a binding legal agreement that they can only use it for X, then they go bankrupt, that shouldn't give Company B the ability to buy the data as a "liquidation asset" then do anything they feel like with it. Shouldn't the binding restrictions "move" with the data?
Another question is what happens if/when they get hacked. Remember: to you, it's a locked box. You have no control over their security - or, for that matter, for the security of whoever may buy the company in the future. Much less them deciding to sell your data sometime in the future. (Remember RadioShack?)
I think this is a great point. Does anyone know if it's possible to bulletproof against what an acquirer might want to do with the data? Is there a way, for instance, to shift the ownership away from the company gathering the data such that if ownership of the company changes, ownership of the data does not?
Could some form of copyright or ownership help with this? The reason they can sell it is because it's theirs. Not yours. If you retained ownership of that data somehow would they need a warrant for it?
Legally, they don't own the data, but they do have a perpetual license to the data and can do basically whatever they want with it. Not much of a difference but it's one of these things where the details might be crucial.
Almost nothing prevents them from retroactively applying a new policy to old data.
Even in cases where using the data would directly violate a contract, bankruptcy courts / acquisition agreements routinely sell the data off as an “asset” and nullify any restrictions from existing agreements.
A change in the law that kept the copyright of personal data with the individual the data was about would improve the situation somewhat, but it’s probably safer to just ban the collection of this sort of data set (unless there’s explicit opt-in, and people derive no benefit from opting in).
I don't believe accessing any of it is legal. The rights to the data would be a separate line item to be sold. I believe the relevant law in the US would be trade secret law. Copyright law might also apply if company A was going to sell copies.
You're now assuming the new owners are willing to commit illegal acts, or at the very least breach a contract. (And the newly started company would be breaching the contract as well, if it was written to exclude that.) That's at least a significantly higher bar than "the highest bidder can do whatever they want with the data", which is the current state of things.
But yes, even better protection would be never collecting data you don't need in the first place.
Did they sell the data or the company? I'd be curious to know if the new owner is still obligated to follow the same privacy statement? In either case, I'm not going to lose any sleep over this.
While RS had no real data on me, what this story points out is that companies will do this in bankruptcy, maybe even after carrying a no-share/no-sell policy for years. The wider issue it illuminates is that there seem to be few general protections for these cases, where having your data sold wasn't part of the bargain you were asked to make, until they changed the deal.
So if/when these companies get bought out, go out of business or liquidate their assets in a downturn, then what?
Until they legislate some sort of data expiration date or "do not track" lists (similar to do not call lists), it looks like the onus is on the individual to protect their interests/data.
Super helpful -- thanks for chiming in. I think it's really interesting that this isn't worked out yet. It feels like there should be a way to say to a consumer "I'm just looking after your data -- you still own it, etc. Even if I go bankrupt or get bought, I can't change that and the acquiring company should consider that when valuing me." I mean, banks do it with money (and other assets). One bank buys another and there's no way for it to say "Now your money is mine! Muwahaha". Feels like it's a whole missing regulatory / legal area to me.