Acquisitions Don't Nullify Prior Privacy Promises--FTC's Letter to Facebook & WhatsApp Gives Caution to All to Honor Privacy Protections in Mergers

Social networking site Facebook announced in February its plans to acquire WhatsApp—a “rapidly growing cross-platform mobile messaging company”—for the princely sum of $19 billion. While Facebook and WhatsApp are looking forward to a bright future together, the Federal Trade Commission is keeping a watchful eye on both companies regarding the privacy protections that WhatsApp promised its users in the past.

On April 10, 2014, the Director of the FTC’s Bureau of Consumer Protection Jessica Rich wrote executives at Facebook and WhatsApp and made clear that both companies must continue to honor WhatsApp’s prior policies and statements against collecting and sharing user data with advertisers—policies that, as Director Rich notes, exceed Facebook’s current privacy protections for its users.

As the FTC highlights in its letter, WhatsApp has promised its users both in public statements and in its privacy policy that it will not collect, sell or share user information without their consent. WhatsApp even declares its commitment against using consumer data for advertising on its blog, pulling a colorful quote from the movie Fight Club to point out how contrary selling ads is to WhatsApp’s ethos. Since the acquisition announcement, both WhatsApp and Facebook have said that essentially nothing will change in terms of WhatsApp’s security and privacy commitments to its users. And the FTC is bound to hold the companies to their word, stating that “Facebook’s purchase of WhatsApp would not nullify these promises, and WhatsApp and Facebook would continue to be bound by them.”

The FTC points out that a company’s failure to keep promises about privacy and how consumer data is used can constitute deceptive and unfair practices under its Section 5 of the Federal Trade Commission Act, and as evidenced by its cases against Wyndham and LabMD, the Commission is not afraid to go there. Should WhatsApp fail to keep its word and protect user data, both companies could be found in violation of Section 5 and a prior FTC Order against Facebook that could lead to civil penalties of $16,000 per violation (no small sum, given that WhatsApp currently has hundreds of millions of users).

The FTC closed its letter stating that the companies must either get user consent or provide any avenue for users to stop using WhatsApp’s service should they wish to alter WhatsApp’s data collection and use policies.

According to the FTC, this should not come as a surprise. Instead, this should serve as a reminder that companies cannot apply their own, less-restrictive privacy policies to the businesses that they acquire simply by osmosis; instead, the users of the acquired company must be given an opportunity to either agree to any privacy changes or opt out from further use. As the FTC’s Business Center blog simplifies it, “[Director Rich’s] letter makes it clear that regardless of the proposed acquisition, consumers have a right to rely on those [privacy] promises remaining in full effect.”

Though it may not be a shock to those who follow the FTC, it at least serves as an important note to those who do not: in acquisitions, you will need to be aware of and continue to honor the privacy protections of those businesses and products you bring into the fold. Otherwise, an FTC enforcement action may mean that you got more than you bargained for in your merger—with even greater risks if one of the parties is already subject to an existing FTC order.