Privacy FAQs: Do companies have to disclose within their privacy notice that they may share their information as part of a merger or acquisition?

May 8, 2019

The California Consumer Privacy Act ("CCPA") was enacted in early 2018 as a political compromise to stave off a poorly drafted, and plaintiff’s friendly ballot initiative.  Although the CCPA is scheduled to go into force in early 2020, there is a great deal of confusion regarding the requirements of the CCPA, including the degree to which it aligns with other privacy regulations such as the European General Data Protection Regulation (“GDPR”).

To help address that confusion, BCLP published the California Consumer Privacy Act Practical Guide, and is publishing a multi-part series that discusses the questions most frequently asked by clients concerning the CCPA.

Q. Do companies have to disclose within their privacy notice that they may share their information as part of a merger or acquisition?

There are a number of laws within the United States that require various companies to provide privacy notices including the Gramm Leach Bliley Act (“GLBA”), the Health Insurance Portability and Accountability Act (“HIPAA”), the Family Educational Rights and Privacy Act (“FERPA”), the Children’s Online Privacy Protection Act (“COPPA”), and state laws mandating privacy policies on website that collect information from state residents or in conjunction with the collection of Social Security Numbers.  In addition, California’s CCPA also requires the disclosure of privacy practices. 

While United States statutes that require privacy notices differ in terms of what they require to be included within a privacy notice, none mandate that an organization disclose the fact that information may be shared as part of a merger or acquisition.[1]  That said, in 2000 the Federal Trade Commission took the position that a company which had included a broad statement within its privacy notice that it would not share personal information with third parties could not transfer personal information as part of the sale and/or acquisition of the company unless the acquirer met certain threshold qualifications (e.g., hailed from the same industry).[2]  Forty-six states, the District of Columbia, and two federal territories took an even more restrictive position that the information could never be transferred to an acquirer.[3]  As a result of the positions taken by the FTC and state regulators, as a best practice most organizations now include a clause within their privacy notices that affirmatively states that personal information may be shared as part of a merger or acquisition.  For example:

“If another company acquires, or plans to acquire, our company, business, or our assets, we will also share information with that company, including at the negotiation stage.”


1. CCPA, Section 1798.115(c)(1), (2), 1798.130(a)(5)(C)(i), (ii).

2. See First Amended Complaint, Civil Action No. 00-11341 at ¶ 6 (D. Mass. 2000) available at http://www.ftc.gov/os/2000/07/toysmartcomplaint.htm.

3. Alaska, Arizona, Arkansas, California, Colorado, Connecticut, Delaware, the District of Columbia, Georgia, Hawaii, Idaho, Illinois, Indiana, Iowa, Kansas, Kentucky, Louisiana, Maine, Maryland, Michigan, Minnesota, Mississippi, Missouri, Montana, Nevada, New Hampshire, New Jersey, New Mexico, North Carolina, North Dakota, Northern Mariana Islands, Ohio, Oklahoma, Oregon, Pennsylvania, Rhode Island, South Carolina, Tennessee, Utah, Vermont, Virgin Islands, Virginia, Washington, West Virginia, Wisconsin, and Wyoming filed a joint objection.  See Docket No. 180, In re Toysmart.com, Case No. 00-14995 (D. Mass. Aug. 3, 2000).  New York and Texas filed separate objections.  See Docket No. 172, In re Toysmart.com, Case No. 00-14995 (D. Mass. Aug 3, 2000).