Should users of acquired companies be given the chance to provide new consent to use of their data when one company purchases another?
In order to answer this question, let’s look at the LinkedIn/Microsoft scenario. Should users be worried about their privacy following the announcement of Microsoft’s acquisition of LinkedIn?
On Monday the 13th of June, Microsoft announced that it had acquired LinkedIn. This was one of the largest user database acquisitions in history. LinkedIn has more than 433 million members worldwide, over 100 million active monthly users, and a 19% year-on-year increase in members.
While LinkedIn connects the world’s professionals, Microsoft is the leading platform and productivity company for the mobile-first, cloud-first world. So how could they leverage each other’s services? For instance, connecting Office directly to LinkedIn could help attendees in meetings learn more about one another directly from invitations in their calendars. Sales representatives using Microsoft’s Dynamics software for managing customer relationships could pick up useful tidbits of background information on potential customers from LinkedIn data. Overall, new monetization opportunities will be created through individual and organization subscriptions and targeted advertising.
What Happened So Far
In 2007, Microsoft attempted to acquire Facebook for $15 billion. But it failed, and the firm ended up picking up a meagre 1.6 per cent stake for $240 million. Experts view that as Microsoft’s first attempt to expose itself to social networking, which commands millions of eyeballs for targeted advertising. The LinkedIn acquisition means that the “deep insight into the majority of professionals in terms of relationships, interests, satisfaction with their work, intentions to leave their work” and so on that LinkedIn has is now available to Microsoft.
A similar scenario occurred when Facebook acquired WhatsApp in February 2014 (and more specifically the WhatsApp user base of 450 million people). Back then, Facebook got access to the data of millions of users, giving it better opportunities to understand mobile use patterns and mobile customers, and to use that information in all sorts of contexts – perhaps in advertising within other mobile channels.
This raises issues around privacy. What are the consequences of company mergers for users? Should the users of the acquired companies be given the chance to provide new consent if the way the data is used has changed since the initial consent for collection was provided? Some will say “if you are not happy, you can just stop using the service”, but then what about the data collected up until today?
Some interesting elements I found:
- Users’ personal information is shared with third-party targeted-advertising companies.
- Users’ personal information is shared with LinkedIn’s affiliates (meaning entities controlled by, controlling, or under common control with LinkedIn).
- LinkedIn shall generally delete closed account information and de-personalize any logs or other backup information through the deletion process within 30 days of account closure, except for information that has been copied by other users or that the user has shared with other users.
What Should I Be Concerned About (If Anything) as a LinkedIn User?
LinkedIn uses an opt-out mechanism, which means it will not seek further consent if my personal information is shared with the acquiring company, but I can always stop using the service and delete my account at any time.
The example of LinkedIn helps you understand the complexities of the notion of consent. Companies are struggling to grasp the distinction between gaining users’ consent in order to comply with the law versus gaining users’ consent to increase their trustworthiness towards users.
It is important to remember that, from a legal standpoint, if (i) the purpose for collection and (ii) the use evolve with time, whether through an acquisition or just an enhancement of the services, further consent to this change should be sought from the users. However, if (i) the purpose for collection and (ii) the use remain the same as they were at the time the user joined the platform, an opt-out mechanism may be sufficient, if the only objective is to comply with the law.
We recommend that companies like yours obtain further consent as part of increasing communication with users and generating trust. To learn more about privacy, download this free white paper on the 2016 privacy trends in the mobile space.
Agathe Caffier, Senior Counsel, International Operations and Privacy Specialist