On April 10, 2014, Jessica Rich, Director of the FTC’s Bureau of Consumer Protection, wrote a letter to both Facebook, Inc. and WhatsApp Inc. warning the companies that the FTC expects both companies to honor the privacy promises made by WhatsApp prior to its acquisition by Facebook. In late February, Facebook announced that it would acquire the stock of WhatsApp, a company that offers instant messaging services with hundreds of millions of users worldwide. WhatsApp has built a reputation for its privacy promises. Conversely, Facebook’s privacy reputation is not a stellar one, as Facebook is the subject of a twenty year Consent Agreement with the FTC arising from a settlement of past allegations of deceptive practices in handling user data. The April 10 letter from Ms. Rich offers a reminder to companies engaging in acquisitions to plan for the handling of personally identifiable information.
In the April 10 letter, Ms. Rich points out that the privacy promises made by WhatsApp in its privacy statement exceed the protections currently promised to Facebook users. Ms. Rich explains that, if the acquisition is completed and WhatsApp fails to honor its promises, both companies could be in violation of Section 5 of the FTC Act and, possibly, the FTC order against Facebook. Ms. Rich highlights other cases that the FTC has brought charging that companies failed to keep their privacy promises, including In re Genelink, Inc., In re Upromise, Inc., and In re Twitter, Inc. In addition, the FTC made clear in in re Gateway Learning Corp.
that, absent affirmative express consent by a consumer, a company cannot use data in a manner that is materially inconsistent with promises made at the time the data were collected.
Accordingly, Facebook and WhatsApp are not permitted to amend the WhatsApp privacy statement going forward and have the amended privacy statement apply to data that were collected by WhatsApp prior to the amendment. If the companies want a modified privacy statement to apply retroactively to data that had been collected by WhatsApp in the past, they will need to obtain an opt-in consent from the impacted consumers. Further, Ms. Rich indicates in her letter that, because Facebook and WhatsApp are now making promises that the companies will not modify WhatsApp’s privacy practices following the acquisition, if the companies do decide to change WhatsApp’s privacy practices following the transaction, the FTC recommends that the companies offer existing users the ability to opt out of the future collection of their information, or at least make it clear to consumers that they have the ability to stop using the WhatsApp service.
The letter from Ms. Rich is an important reminder to companies that process personally identifiable consumer data that the handling of those data is an important consideration in any M&A transaction. When looking at structuring an acquisition, the parties must consider whether the privacy statements or consents under which personal data were collected allow disclosures of that data to a third party acquirer. If they do not, then an asset acquisition may not be possible without violating those privacy statements and consents, because an asset acquisition necessarily involves a change in the legal entity that owns the data. Companies must also anticipate this issue when preparing privacy statements and consents, and must include language that allows personal information to be disclosed to the purchaser of the business. Further, even in a stock purchase where the target legal entity collecting and holding the data does not change (so there is arguably no disclosure of the data to a third party acquirer), the buyer should conduct diligence on the privacy promises of the seller to ensure that the buyer can live with the promises made regarding the data, understanding that any material change in the uses and disclosures of the data following the acquisition may require opt-in consent from the impacted consumers, which in many instances is nearly impossible to obtain.