If a company ever is sold or goes bankrupt, some provisions act as a sort of data fire-sale clause.

Share story

The privacy policy for Hulu, a video-streaming service with about 9 million subscribers, opens with a declaration that the company “respects your privacy.”

That respect could lapse, however, if the company is ever sold or goes bankrupt. At that point, according to a clause several screens deep in the policy, the host of details Hulu can gather about subscribers — names, birth dates, email addresses, videos watched, device locations and more — could be transferred to “one or more third parties as part of the transaction.” The policy does not promise to contact users if their data changes hands.

Provisions like that act as a sort of data fire-sale clause. They are becoming standard among the most popular sites, according to a recent analysis by The New York Times of the top 100 websites in the United States as ranked by Alexa, an Internet analytics firm.

Of the 99 sites with English-language terms of service or privacy policies, 85 said they might transfer users’ information if a merger, acquisition, bankruptcy, asset sale or other transaction occurred, The Times’ analysis found. The sites with these provisions include prominent consumer-technology companies like Amazon, Apple, Facebook, Google and LinkedIn, in addition to Hulu.

“It’s ‘we are never going to sell your data, except if we need to or sell the company,’ ” said Texas Assistant Attorney General Hal Morris.

Hulu declined to comment.

Sites, apps, data brokers and marketing-analytics firms are gathering more and more details about people’s personal lives — from their social connections and health concerns to the ways they toggle between their devices. The intelligence is often used to help tailor online experiences or marketing pitches. Such data can also potentially be used to make inferences about people’s financial status, addictions, health, politics or religion.

When sites and apps get acquired or go bankrupt, the consumer data may be among the companies’ most valuable assets. And that has created an incentive for some online services to collect vast databases on people without giving them the power to decide which companies may end up with their information.

“In effect, there’s a race to the bottom as companies make representations that are weak and provide little actual privacy protection to consumers,” said Marc Rotenberg, the executive director of the Electronic Privacy Information Center.

The potential ramifications became clear two years ago when True.com, a dating site based in Plano, Texas, was going through a bankruptcy proceeding and tried to sell its customer database on 43 million members to a dating site based in Canada. The profiles included consumers’ names, birth dates, sexual orientation, race, religion, criminal convictions, photos, videos, contact information and more.

Because the site’s privacy policy had promised never to sell or share members’ personal details without their permission, Texas was able to intervene to stop the sale of customer data, including details on about 2 million Texans.

“That is the type of information that people were entitled not to have trafficked and sold to the highest bidder,” said Morris. “I think it’s an important safety issue for consumers.”

If privacy policies contain unrestricted data-transfer provisions, however, consumers and government authorities have little recourse.