Golden Data
Published in

Golden Data

Case Study: The WhatsApp Acquisition & Facebook Privacy Promises.

Promise Land by Alan Levine

When one company acquires another, there’s usually a lot of discussion about how to harmonize divergent procedures — everything from personnel policies to buying paper clips. But, what should companies do in the event of a merger or acquisition with regards to privacy promises?

Organizations that acquire a company or merge with one and are thinking of changing how you handle people’s personal information, have three options to consider:

  1. Continue to honor the privacy promises made to consumers before the merger or acquisition.
  2. Change the privacy promises already made to consumers: To materially change the practices for information collected before a merger or acquisition — for example, by sharing with third parties information where the original promise was not to shared- organizations need to inform consumers and get their express affirmative consent to opt in to the new practices.
  3. Change practices only with regards to information collected in the future: For this organizations also need to provide consumers with notice of the change and choice about whether to agree it. Simply revising the language in a privacy policy or user agreement isn’t sufficient because existing customers may have viewed the original policy and may reasonably assume it’s still in effect. Although it may not be necessary to provide affirmative express consent, the notice and choice must be sufficiently prominent and robust to ensure that existing customers can see the notice and easily exercise their choices.

Facebook’s 2014 acquisition of WhatsApp raised privacy issues for not following these rules. In a nutshell, WhatsApp had made promises to its users about what data it collected, maintained, and shared that went beyond those promised by Facebook to Facebook users.

In 2011, Facebook settled FTC charges that it deceived consumers by failing to keep its privacy promises.

Under the terms of the FTC’s order against the company, it must get consumers’ affirmative consent before making changes that override their privacy settings, among other requirements.

The FTC action made it clear that, regardless of the acquisition, WhatsApp had to continue to honor those promises (or both companies could be in violation of Section 5.)

The 2014 FTC Letter to Facebook on the WhatsApp Acquisition

In April 10, 2014, Jessica L. Rich who at the time was the director of the Federal Trade Commission’s Bureau of Consumer Protection sent a letter to Facebook and WhatsApp about their obligations to protect the privacy of their users in light of Facebook’s proposed acquisition of WhatsApp. Bureau Director Jessica Rich noted that WhatsApp had made clear privacy promises to consumers, and that both companies have told consumers that after any acquisition, WhatsApp will continue its current privacy practices.

“We want to make clear that, regardless of the acquisition, WhatsApp must continue to honor these promises to consumers. Further, if the acquisition is completed and WhatsApp fails to honor these promises, both companies could be in violation of Section 5 of the Federal Trade Commission (FTC) Act and, potentially, the FTC’s order against Facebook,”

The letter notes that before making any material changes to how they use data already collected from WhatsApp subscribers, the companies must get affirmative consent. In addition, the letter notes that the companies must not misrepresent the extent to which they maintain the privacy or security of user data. The letter also recommends that consumers be given the opportunity to opt out of any future changes to how newly-collected data is used.

The 2011 Facebook consent decree

Facebook’s privacy practices were the subject of complaints filed with the FTC by the Electronic Privacy Information Center and a coalition of consumer groups.

In 2011, the social networking service Facebook agreed to settle FTC charges that it deceived consumers by telling them they could keep their information on Facebook private, and then repeatedly allowing it to be shared and made public. The settlement required Facebook to take several steps to make sure it lives up to its promises in the future, including giving consumers clear and prominent notice and obtaining consumers’ express consent before their information is shared beyond the privacy settings they have established.

The FTC complaint lists a number of instances in which Facebook allegedly made promises that it did not keep:

  • In December 2009, Facebook changed its website so certain information that users may have designated as private — such as their Friends List — was made public. They didn’t warn users that this change was coming, or get their approval in advance.
  • Facebook represented that third-party apps that users’ installed would have access only to user information that they needed to operate. In fact, the apps could access nearly all of users’ personal data — data the apps didn’t need.
  • Facebook told users they could restrict sharing of data to limited audiences — for example with “Friends Only.” In fact, selecting “Friends Only” did not prevent their information from being shared with third-party applications their friends used.
  • Facebook had a “Verified Apps” program & claimed it certified the security of participating apps. It didn’t.
  • Facebook promised users that it would not share their personal information with advertisers. It did.
  • Facebook claimed that when users deactivated or deleted their accounts, their photos and videos would be inaccessible. But Facebook allowed access to the content, even after users had deactivated or deleted their accounts.
  • Facebook claimed that it complied with the U.S.- EU Safe Harbor Framework that governs data transfer between the U.S. and the European Union. It didn’t.

The proposed settlement bared Facebook from making any further deceptive privacy claims, required that the company get consumers’ approval before it changes the way it shares their data, and required that it obtain periodic assessments of its privacy practices by independent, third-party auditors for the next 20 years. Specifically, under the proposed settlement, Facebook is:

  • barred from making misrepresentations about the privacy or security of consumers’ personal information;
  • required to obtain consumers’ affirmative express consent before enacting changes that override their privacy preferences;
  • required to prevent anyone from accessing a user’s material more than 30 days after the user has deleted his or her account;
  • required to establish and maintain a comprehensive privacy program designed to address privacy risks associated with the development and management of new and existing products and services, and to protect the privacy and confidentiality of consumers’ information; and
  • required, within 180 days, and every two years after that for the next 20 years, to obtain independent, third-party audits certifying that it has a privacy program in place that meets or exceeds the requirements of the FTC order, and to ensure that the privacy of consumers’ information is protected.

The proposed order also contains standard record-keeping provisions to allow the FTC to monitor compliance with its order.

“Facebook is obligated to keep the promises about privacy that it makes to its hundreds of millions of users,” said Jon Leibowitz, Chairman of the FTC. “Facebook’s innovation does not have to come at the expense of consumer privacy. The FTC action will ensure it will not.”




A community of professionals who help answer each other’s questions about data laws.

Recommended from Medium

Hitting Reset on Airline Retailing

Apple’s New iPhone 8 Looks Like a Dud

What Are Revenue and Yield Management, and Dynamic Pricing?

Q&A: The Basics of VR and AR Branding and Production

Story Health raises $22.6M for Series A funding

Spaceti Raises Funding Spherical


OPUS — Your questions answered!

MDisrupt Raises $6M in Seed Funding

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Golden Data Law

Golden Data Law

Golden Data Law is a mission driven benefit corporation that provides legal services to the not-for-profit community and to governmental agencies.

More from Medium

Design an experience for the users to save money for common goals(say along with friends).

Designing a Fox Theatre Mobile Application

Case Study: Smart City Vigilance

Has a touch system.

UX Case Study: Fostering a Community for Creators on YouTube