Twitter + Facebook Combination: Privacy Issues?


The story/rumor of the failed Twitter / Facebook combo [All Things D] is generating some buzz. I’m curious as to how these companies view the potential privacy issues presented by this sort of a merger. In general, my sense is that these networks that grow and sell (or grow to sell) don’t really think through the privacy issues. (I’m not saying Twitter is in this category, but many companies surely are.) Any company that was angling for acquisition would address up front any concerns raised by a sale/merger. I know from being on Twitter that it doesn’t really tell you anything about what happens to your profile/content or what information it collects. I think they “copied” Flickr’s terms of service and although the TOS is not necessarily going to rule the day in this context, the terms can provide clues as to whether this is something that has been given much thought.

I guess the first question is: what are the applicable rules? The EU has some fairly strict rules around the collection and transfer of personal information. While individual states in the US have jumped into the fray, there is no generic federal privacy statute (and hopefully we won’t see one any time soon . . . but that’s a separate issue). Thus, the state rules aside, the starting point of the discussion will be the selling company’s privacy policy. Most people recall “the eToys issue” where the eToys’ customer information was sought to be transferred in a bankruptcy. Because this was contrary to eToys’ privacy policy, this became a problem [link]. That's the main issue companies want to avoid here. (Many other laws could come into play - this is an issue that deserves some pretty extensive analysis.)

What Does the Policy Say? In reaction to eToys and other similar scenarios, most companies built in a “business transfer” exception to privacy policies. The policies now basically say that “we won’t transfer information to a marketer, but nothing will stop us from transferring your information wholesale to a third party who acquires us or who is a merger partner.” Twitter’s privacy policy (for example) has a nice carveout for business transfers. However, it contains a huge potential gotcha:
Business Transfers: Twitter may sell, transfer or otherwise share some or all of its assets, including your personally identifiable information, in connection with a merger, acquisition, reorganization or sale of assets or in the event of bankruptcy. You will have the opportunity to opt out of any such transfer if the new entity's planned processing of your information differs materially from that set forth in this Privacy Policy.
So, if the transfer is to an entity that has a materially different privacy policy, then all Twitter users have an opportunity to opt out of the transfer? I won’t bother referencing Facebook’s policy here to argue that the two are materially different. Facebook’s past skirmishes with privacy advocates are enough.

What Does this Mean Practically Speaking? Practically speaking, Twitter must give notice to each and every user and an opportunity to opt out of the transfer. I guess it could do this electronically, maybe with a pop-up message, but these types of actions and decisions are fertile soil for any savvy class action lawyer. Also, Twitter’s great, but judging from its once-a-week “exceeding capacity” and other outages, it’s safe to say this will not be a smooth process for Twitter.

The other big issue that would worry me in the context of this type of a combination is that Twitter doesn’t own any content its users upload. (“We claim no intellectual property rights over the material you provide to the Twitter service. Your profile and materials uploaded remain yours.”) Could users argue that Twitter needs to seek their permission to transfer their content to a third party? A fairly complicated issue, but one that Twitter’s TOS glosses over.
 
 