Venkat Balasubramani

Venkat Balasubramani: Did Facebook’s acquisition of FriendFeed comport with FriendFeed’s privacy policy? In arguing this point, lawyers may debate the nuances of the policy, but consumers are largely left in the dark.

Most observers pegged the recent acquisition by FriendFeed of Facebook and by Mint of Intuit as at least partially – if not totally – driven by FriendFeed’s and Mint’s user base.

Are the resulting transfers of user information in line with consumer expectations as far as privacy? Do the transfers comply with the privacy policies of these companies? From the consumer standpoint, the answer is “no,” and probably “don’t know.” Privacy policies are increasingly filled with vague legalese.

As a result, lawyers and regulators may argue about the effect of technical language in these policies, but consumers are left without a clear idea as to what to expect.

In addition, the privacy practices of a company often vary from the stated policy.

The FriendFeed and Mint acquisitions received little attention from a privacy standpoint, but given the stakes, privacy advocates and regulators are sure to take notice in the long term.

Background: With the exception of certain specific industries or categories of information, few laws expressly regulate the transfer of user information between entities in the context of an acquisition.

Whether a transfer of user information is appropriate is typically left to the privacy policy of the selling company. Initially, many privacy policies provided that consumer information would not be transferred at all, or would only be transferred to another company that has the same policy.

One famous example in the wake of the first dot-com collapse involved Toysmart.

When Toysmart shuttered, and attempted to transfer its user information, the Federal Trade Commission intervened.

The FTC argued that the transfer of user information was not permitted under Toysmart’s privacy policy.

Ultimately, a settlement was reached that would have allowed Toysmart to sell to a bidder but with certain restrictions set by the FTC.

Online retailer eToys faced a similar situation when it wound down and tried to transfer its user information – it was only allowed to transfer information about consumers who opted in.

Privacy Policies Are Vague to the Point of Being Useless

Since the days of Toysmart and eToys, most companies tend to draft policies that leave plenty of room when it comes to transferring user information.

But privacy policies are so filled with legalese and vague assurances to consumers that it’s tough to tell what the policies really say.

For example, here’s FriendFeed’s policy:

The policy provides that if personal information is transferred in the context of an acquisition and becomes subject to a “different privacy policy,” FriendFeed will provide advance notice. So, when Facebook acquired FriendFeed, did the information become subject to a “different privacy policy?'

Apparently Facebook and FriendFeed didn’t think so. As a FriendFeed user I don’t recall receiving any notice.

Mint: Here’s what Mint’s privacy policy says:

The first paragraph makes an emphatic statement that the user’s privacy is “not for sale.”

But the policy goes on to state that a user’s information may be transferred in the context of an acquisition, but if such a transfer occurs, Mint will: use [their] best efforts to require that the new combined entity follow this Privacy and Security Policy with respect to your personal information, as and to the extent required by applicable law and to require that you receive prior notice if your personal information could be used contrary to this Policy. “Best efforts?" "As and to the extent required by applicable law?"

I’m not sure what this language means really. Again, lots of open ended language surrounded by legalese.

When coupled with Mint’s contradictory but emphatic assurance that the consumer’s “privacy is not for sale,” the consumer is left with little idea as to what to expect from a privacy standpoint.

Twitter’s policy follows a similar pattern in that it allows for an acquisition, but requires notice if the transfer is to a company that has a “materially” different policy.

It also contains a potential gotcha for Twitter (and any potential suitor ) – Twitter’s policy states that it will give users the opportunity to opt-out of any transfer to an entity that has a “materially” different privacy policy.

The Stakes Have Changed

It’s tough to deny that the stakes have increased significantly for consumers.

Whether it’s Facebook or Google (Gmail; Google docs), consumers store an increasing amount of personal, intimate, and in some cases professional information on these networks.

An acquisition allows networks to combine data, and round out “profiles” of users. The cost in privacy terms to the consumer is undoubtedly higher than they were in the late nineties. An acquisition means that the information is often subject to a different privacy regime without any choice on the part of the consumer.

Additionally, there’s the discrepancy between what a company’s privacy policy says and what its actual privacy practices are.

Think of beacon and other Facebook privacy snafus in light of the assurances that are in Facebook’s privacy policy. Companies such as Facebook and Google also face threats from third party hackers. Facebook’s acquisition of FriendFeed allowed Facebook to gain access to user information for users who may have never trusted Facebook with their information in the first place.

The current climate of acquisitions present challenges for consumer privacy. Vaguely drafted privacy policies filled with legalese leave companies plenty of wiggle room, but consumers are left in the dark. It’s only a matter of time before privacy advocates and regulators focus on these issues.

Venkat Balasubramani is one of the founding lawyers at Focal PLLC , a Seattle-based law firm focused on technology, Internet and media clients. He blogs on technology and internet-related legal issues at Spam Notes. Opinions expressed in guest posts are those of their authors, and don't necessarily reflect the views of TechFlash or its staff.