Update Your Privacy Policy Before Selling Your Online Business

Selling your website or online business can be a great way to turn your hard work into a big profit. Many prominent figures in our modern society got their start by creating a successful website and then selling it for a lot of money.

If you're considering selling your website or online business, there are some things you need to do when it comes to your Privacy Policy. Disclosing to your users what will happen to their personal information in the event of new ownership or a merger is a good start.

Even if selling your website is just a remote possibility, having a business transfer clause in your Privacy Policy that covers what will happen in this case is a good idea.

What's a Privacy Policy?

A Privacy Policy is an agreement found on most websites and mobile apps that discloses how and why the app or website collects and uses personal data from its users.

Depending on which privacy laws the app or website complies with, there are different disclosures that must be made. Many apps and websites also go beyond what is required to provide more information about how they handle personal data and protect the privacy of their users.

Disclosing what will happen to personal data in the event of new ownership or a merger is not a major component of most Privacy Policies. However, it's wise to have a disclosure covering these events if you plan to sell your business in the near or far future.

The overall purpose of a Privacy Policy is to keep your users informed about the personal data that they have entrusted you with, so letting them know what will happen to their personal information when you sell your business to another entity is an important inclusion that your users will certainly appreciate.

What's a Business Transfer Clause?

Every day, websites are sold, shut down, or merged with other websites. In all of these cases, the personal data held by these websites has to go somewhere. What is the procedure for the personal data you possess in each of these events?

For those who do have plans to sell their online business or website, you should definitely have a business transfer clause in place. It is your responsibility to keep your users and data subjects informed about your policies and what is being done with their personal information. If you know that your business and/or website will soon be changing ownership along with the personal data affiliated with it, your data subjects have a right to know that.

If, for one reason or another, your website shuts down within the next year, will you simply delete all of the personal information stored on your servers?

If a generous offer arrives tomorrow to buy your website and you decide to sell, will the new owner inherit all of the personal data currently entrusted to you as part of your sale?

Will you have any protections in place to protect the privacy and rights of your users when your business/website is under new ownership? How will your data subjects be notified of a change of ownership, if at all?

Providing answers to these questions along with any other relevant information pertaining to a change in ownership of your online business or website will strengthen the legitimacy of your operation, protect your data subjects, and help any such transaction run smoothly by having procedures in place for the aspect of personal data assets.

You can disclose what will happen to your users' personal information in a business transfer clause. This type of clause can be found in the Privacy Policy of many apps and websites.

Here's an example from Spotify:

The clause explains when user data may be shared during the sale or negotiation of sale of their business, as well as what they are doing to protect that data. Spotify's policy is to keep data secure until it is transferred. In many cases, this is about all that can be done.

You can also send out Update Notices for changes you make to your Privacy Policy.

Where to Put Your Business Transfer Clause

You can choose to have a standalone business transfer clause in your Privacy Policy titled "Business Transfer Clause" or something similar that your users will be able to recognize and easily find.

Or, you can add the information to another section or clause in your Policy, such as one of the following sections:

• How we use your personal information
• Sharing of information
• How long we retain your personal data
• Partners and affiliates

These are just some of the other areas where information regarding business transfer policies may be found. A good way to find this information is often to search for the word "transfer" within a Privacy Policy as this word is often used in conjunction with these disclosures.

Examples of Business Transfer Clauses

Let's check out some examples of business transfer clauses from major websites to see how they do it and what information they include.

Amazon

Near the top of Amazon's Privacy Policy under their section "Does Amazon.com Share the Information It Receives?" is a subsection titled "Business Transfers" that reads as follows:

While somewhat vague and generic, this simple paragraph clearly states that customer information is generally considered a business asset that will be included in a business transfer. It also states, however, that personal information will remain "subject to the promises made in any pre-existing Privacy Notice" unless the customer gives their consent for otherwise.

So under Amazon's policy, the personal data of users will be transferred in the event of acquisition, but this data will remain protected by the last Privacy Policy that the user agreed to.

This is a great example of how to protect the privacy of your users while still being able to include valuable user data as part of a sale.

GameStop

About midway through GameStop's Privacy Policy in the "Sharing of Information" section is a subsection called "Sale or Acquisition of Business Units."

GameStop's business transfer clause is remarkably similar to Amazon's, sharing much of the same verbiage. GameStop's clause has more of a focus on the acquisition or sale of divisions and subsidiaries, but otherwise is virtually identical to Amazon's including the protection of users being subject only to the most recent Privacy Policy that they consented to.

Once again, this protects data subjects from becoming subject to a new company's policies that they may not agree with.

Funimation

Funimation includes its business transfer clause within its "Sharing of Information" section of its Privacy Policy:

This business transfer clause is much more business-like, using more legalese and essentially stating that user data is a part of the business and may be shared during any merger, sale, or negotiation for such a transaction.

This business transfer clause might benefit from some more specific explanations about what exactly happens to personal data and data subjects in each of these scenarios, but it's still sufficient.

Crunchyroll

Crunchyroll has a small paragraph under its "Information Sharing and Disclosure" section that covers its business transfer policy.

Crunchyroll's business transfer clause simply states that its users' personal information is included in the assets that may be sold, transferred, or otherwise shared in the event of sales, acquisitions, mergers, reorganizations, or bankruptcy.

In this case, the brevity of these clause doesn't make it abundantly clear what consequences data subjects might face in any of these events.

The above examples probably give you a pretty good idea of what your business transfer clause should look like. These clauses or sections in your Privacy Policy don't need to be overly long or cumbersome, but you do want to ensure that they inform your data subjects about the fate of the personal data that they have entrusted you with.