That respect could lapse, however, if the company is ever sold or goes bankrupt. At that point, according to a clause several screens deep in the policy, the host of details that Hulu can gather about subscribers — names, birth dates, email addresses, videos watched, device locations and more — could be transferred to “one or more third parties as part of the transaction.” The policy does not promise to contact users if their data changes hands.
Provisions like that act as a sort of data fire sale clause. They are becoming standard among the most popular sites, according to a recent analysis by The New York Times of the top 100 websites in the United States as ranked by Alexa, an Internet analytics firm.
Of the 99 sites with English-language terms of service or privacy policies, 85 said they might transfer users’ information if a merger, acquisition, bankruptcy, asset sale or other transaction occurred, The Times’s analysis found. The sites with these provisions include prominent consumer technology companies like Amazon, Apple, Facebook, Google and LinkedIn, in addition to Hulu.
“It’s ‘we are never going to sell your data, except if we need to or sell the company,’ ” Hal F. Morris, the assistant attorney general of Texas, said about industry practices.
Hulu declined to comment.
Sites, apps, data brokers and marketing analytics firms are gathering more and more details about people’s personal lives — from their social connections and health concerns to the ways they toggle between their devices. The intelligence is often used to help tailor online experiences or marketing pitches. Such data can also potentially be used to make inferences about people’s financial status, addictions, medical conditions, fitness, politics or religion in ways they may not want or like.
When sites and apps get acquired or go bankrupt, the consumer data they have amassed may be among the companies’ most valuable assets. And that has created an incentive for some online services to collect vast databases on people without giving them the power to decide which companies, or industries, may end up with their information.
“In effect, there’s a race to the bottom as companies make representations that are weak and provide little actual privacy protection to consumers,” said Marc Rotenberg, the executive director of the Electronic Privacy Information Center, a nonprofit research center in Washington.
The potential ramifications of the fire sale provisions became clear two years ago when True.com, a dating site based in Plano, Tex., that was going through a bankruptcy proceeding, tried to sell its customer database on 43 million members to a dating site based in Canada. The profiles included consumers’ names, birth dates, sexual orientation, race, religion, criminal convictions, photos, videos, contact information and more.
“That is the type of information that people were entitled not to have trafficked and sold to the highest bidder,” said Mr. Morris, the Texas assistant attorney general. “I think it’s an important safety issue for consumers.”
If privacy policies contain unrestricted data-transfer provisions, however, consumers and government authorities have little recourse.
Among the top 100 sites in the Times analysis, at least 17 said they would alert consumers — by, for example, posting a notice on their site — if users’ personal details changed hands. But only Etsy, the crafts e-retailer, Weather.com and a few other sites promised to allow people to opt out of having their data handed over to a third party in certain circumstances.