Desperate companies will resort, if they can, to selling the detailed data they’ve meticulously collected about their users—whether it’s personally identifiable information, data about preferences, habits, and hobbies, or national-security files. That data, formerly walled-off and spoon-fed only to paying advertisers, would be attractive to both licit and criminal buyers. Easily searchable datasets could generate new innovations and investments—but it would be difficult to know who’s buying up sensitive datasets, and why.
If contracts and privacy policies prevent a floundering company from selling user data, there’s still another way to profit. Most privacy policies that promise not to sell user data include a caveat in case of bankruptcy or sale. In fact, a New York Times analysis of the top 100 websites in the U.S. last year found that 85 of them include clauses in their privacy policies like this one from Facebook:
If the ownership or control of all or part of our Services or their assets changes, we may transfer your information to the new owner.
This is the virtual equivalent of a beater getting hauled to the junkyard. If a Facebook-like social media company can’t legally sell off its data, then it may just sell itself in order to cut its losses. Among the post-crash rubble, the principal value that a potential buyer might see in snapping up the company is its data. It’s like an acquisition hire, but for a huge and detailed dataset.
But it’s not just social-networking, online shopping, and other technology companies that have to plan for this eventuality. Just about every company holds user data now, in one form or another. Even our own privacy policy here at The Atlantic says that a sale, merger, or bankruptcy may lead to a transfer of personally identifiable information. (To be sure, the data that a magazine maintains doesn’t measure up to the trove of private tidbits that people share with their social-networking apps—it’s mainly information about print subscribers.)
Even without doomsday scenarios, there’s already evidence of what the demise of a data-rich company would look like. When RadioShack filed for bankruptcy last year, one of the assets it put up for sale was its meticulously compiled database of information on millions of its customers. This set off a scramble of opposition from all sides: AT&T and Apple claimed to be the rightful owner of some of the data, and officials in a handful of states warned that the sale could violate state laws. The Federal Trade Commission stepped in, too, suggesting to a judge that RadioShack should only be able to sell the data to a company “substantially in the same line of business,” and that the buyer should be bound by the same privacy policy that was in place when consumers shared their personal data with RadioShack. If the buyer wanted to use the data differently, the FTC said, it should have to get the consent of the consumers.