Section 508

August 30th, 2016

What Happens to Active Consent When Your Personal Data is Sold?

Should users of acquired companies be given the chance to provide new consent to use of their data when one company purchases another?

In order to answer this question, let’s look at the LinkedIn/Microsoft scenario. Should users be worried about their privacy following the announcement of Microsoft’s acquisition of LinkedIn?

On Monday the 13th of June, Microsoft announced that it had acquired LinkedIn. This was one of the largest user database acquisitions in history. LinkedIn has more than 433 million members worldwide with over 100 million active monthly users with a 19% increase in members year on year.

While LinkedIn connects the world’s professionals, Microsoft is the leading platform and productivity company for the mobile-first, cloud-first world. So how could they leverage each other’s services? For instance, connecting Office directly to LinkedIn could help attendees in meetings learn more about one another directly from invitations in their calendars. Sales representatives using Microsoft’s Dynamics software for managing customer relationships could pick up useful tidbits of background information on potential customers from LinkedIn data. Overall, new monetization opportunities will be created through individual and organization subscriptions and targeted advertising.

What Happened So Far

In 2007, Microsoft attempted to acquire Facebook for $15 billion. But it failed, and the firm ended up picking up a meagre 1.6 per cent stake for $240 million. That was what experts view as Microsoft’s first attempt to expose itself to social networking, which commands millions of eyeballs for targeted advertising. This acquisition means that the “deep insight into the majority of professionals in terms of relationships, interests, satisfaction with their work, intentions to leave their work” and so on that Linkedin has is now available to Microsoft.

A similar scenario occurred when Facebook acquired WhatsApp in February 2014 (and more specifically the WhatsApp user base of 450 million people). Back then, Facebook got access to the data of millions of users giving them better opportunities to understand mobile use patterns and mobile customers, and use that information in all sorts of contexts – perhaps in advertising within other mobile channels.

This raises issues around privacy. What are the consequences of company mergers for users? Should the users of the acquired companies be given the chance to provide new consent if the way the data is used has changed since the initial consent for collection was provided? Some will say “if you are not happy, you can just stop using the service”, but then what about the data collected up until today?

Despite being a very active LinkedIn member for many years, I had only skimmed through their Privacy policy and thought it would be a great starting point. I went onto the online privacy policy page and did some investigation around the purpose for which they collect my personal information and also what they had as their “sharing” or disclosure policies.

Some interesting elements I found:

  • If changes are made to the privacy policy (i.e. to the privacy practices), members will get a notice, but no further consent is required (opt-out mechanism).
  • Users’ personal information is shared with targeted advertising third-party companies.
  • Users’ personal information is shared with LinkedIn’s affiliates (meaning entities controlled by, controlling, or under common control with LinkedIn).
  • Users’ personal information may be disclosed to a third party as part of a sale of the assets of LinkedIn Corporation, a subsidiary, or division, or as the result of a change in control of the company or one of its affiliates, or in preparation for any of these events. Any third party to which Linkedin transfers or sells their assets will have the right to continue to use the personal and other information that users have provided in the manner set out in their Privacy Policy.
  • LinkedIn shall generally delete closed account information and de-personalize any logs or other backup information through the deletion process within 30 days of account closure, except if the information has been copied by other users or that which a user has shared with other users.

What Should I Be of Concerned about (If Anything) as a LinkedIn User?

Linkedin uses an opt-out mechanism which means they will not seek further consent if my personal information is shared to the acquiring company, but I can always stop using the service and delete my account at any time.

The example of LinkedIn helps you understand the complexities of the notion of consent. Companies are struggling to grasp the distinction between gaining users’ consent in order to comply with the law versus gaining users’ consent to increase their trustworthiness towards users.

It is important to remember that from a legal standpoint, if the (i) purpose for collection and (ii) the use evolves with time, whether through an acquisition or just an enhancement of the services, further consent should be sought from the users to this change. However, if the (i) purpose for collection and (ii) the use remain the same, that it was at the time the user joined the platform, an opt-out mechanism may be sufficient, if the only objective here is to comply with the law.

We recommend companies like yours obtain further consent as part of the idea of increasing communication with the users in generating trust. To learn more about privacy, download this free white paper on the 2016 privacy trends in the mobile space.

Agathe Caffier, Senior Counsel, International Operations and Privacy Specialist

Tags: privacy security

Connect with us

Job Openings

Want to be part of our growing team?

View More
Work with us

Learn how DMI can help you grow, or launch your business.

Get In Touch

See all of our locations around the world

View Locations