Skip to main content

Privacy Monday - May 19, 2014 - Lessons Learned from Facebook

Promises to Keep: Lessons Learned from Facebook’s Recent Acquisitions of WhatsApp and Moves

Written by Jake Romero, CIPP/US

Mergers are never simple, but the acquisition of consumer products and technology requires the purchasing entity to consider a number of questions and issues beyond the standard concerns related to executive pay, corporate valuations and per share prices.  Will we be able to integrate our corporate cultures?  Will the service’s current users make angry reaction GIFs about us to demonstrate their disapproval?  Is this something we can fix with a rapping monkey video?  Are Beats by Dre headphones 'extraordinarily bad'?  Following a number of high profile tech acquisitions, Facebook, Inc. has learned that among the questions that must be asked, is “What promises has the target entity made to its users regarding data the target is collecting?”


In April, Facebook acquired Moves, a fitness and activity tracking mobile application.  Prior to the acquisition, Moves’ privacy policy stated that data collected from users would not be shared with third parties.  Immediately following the acquisition, Moves responded to concerns about sharing information by reassuring users on its company blog that Moves would continue to operate as a standalone app, and that there were “no plans to change that or commingle data with Facebook.”  Less than two weeks later, however, Facebook faced considerable backlash after it updated Moves’ privacy policy to provide that:

We may share information, including personally identifying information, with our Affiliates (companies that are part of our corporate groups of companies, including but not limited to Facebook) to help provide, understand, and improve our Services. 

The new language isn’t unusual; similar provisions can be found in most online privacy policies, but under the circumstances the change appeared to backtrack on a promise made to the service’s users.  As a result, Facebook found itself on the defensive.  Facebook released a statement clarifying that data from Moves would not be commingled with Facebook data, and that the purpose of sharing data was limited to providing support and services to the Moves app.  Regardless of whether that statement conforms with Facebook’s initial goal for sharing information, there is no question that the language in Facebook’s statement intended to calm users is substantially narrower than the position it took in Moves’ updated policy.


If Facebook’s experience with Moves seems familiar, that is likely because similar events occurred just a few months ago, when Facebook announced its acquisition of WhatsApp.  WhatsApp is a mobile application messaging service with hundreds of millions of users worldwide.  The $19 billion acquisition has generally been viewed as Facebook’s attempt to solidify its position in the mobile messaging market, but users immediately began to express concern over potential changes that Facebook could implement to WhatsApp’s data collection policies.  Similar to Moves, WhatsApp made a number of pre-acquisition promises to its users regarding the collection and use of data.  The WhatsApp privacy policy in effect prior to the acquisition provided, among other things, that location data and information from mobile address books (such as contact lists or addresses) would not be collected, and that mobile phone numbers and personally identifiable information would not be used or shared with third parties for marketing purposes.

In response to user concerns and rumors of policy changes, WhatsApp posted to its company blog to reassure its users that WhatsApp would continue to operate as a standalone app and had no plans to change its data collection practices.  With Facebook on the defensive following the acquisition, Mark Zuckerberg also reassured the public that WhatsApp’s policies and data storage practices would not change.

In clearing the sale, the Federal Trade Commission used the opportunity to forewarn Facebook against failing to honor those promises.  In a letter to Facebook's Chief Privacy Officer and WhatsApp's general counsel, the FTC reminded the companies of their prior statements and policies; characterizing both as “clear promises to consumers” that, if not upheld, may constitute a deceptive practice under Section 5 of the FTC Act.  The letter further clarified the FTC’s position that absent affirmative express consent from consumers, collected data cannot be used in a manner that is materially inconsistent with promises made at the time the data was collected.  In other words, even if Facebook hadn’t made the narrower statement clarifying the changes to the Moves privacy policy, it may not have had the option to commingle data Moves collected prior to the acquisition unless it obtained the affirmative consent of the affected users.

So What Have We Learned?

What can potential acquirors and technology companies learn from Facebook’s experience with Moves and WhatsApp?  Here are a few key take-aways:

  • Understand Your Limitations Before You Buy.  During the diligence phase of any acquisition, the policies of the target entity and public statements made by its representatives should be thoroughly reviewed for statements concerning use and sharing of data.  As regulations on collection of data tighten, we have seen an increase in the number of acquisitions where the collected data is as valuable, of not more so, than the acquired product.  This is particularly important in those cases where the acquisition price factors in assumptions regarding how that data will be monetized.
  • Have a Plan and Consider Ongoing Costs.  If an acquiror does want to change the use or collection practices of a target entity, it is important to understand that there will be costs associated with those changes.  From an operations standpoint, a process will need to be put in place to solicit consumer consent.  In almost every situation, express consent will not be given by 100% of current users, so a value judgment will need to be made between (a) limiting access for users who do not consent (which may not be an option at all depending on what the product or service is) and (b) segregating user data into separate pools.  The latter option will require ongoing expense to maintain and coordinate logistics between separate systems and data pools.  This process will need to be closely managed by your general counsel and/or your outside data privacy counsel.
  • Understand the Culture of Your Target.  Not every company has the kind of deeply ingrained user expectations that we’ve seen with companies like WhatsApp and Tumblr, but it is important to understand what kind of user base the target has before you purchase.  In the case of WhatsApp, concerns erupted immediately, without an indication that Facebook intended to change WhatsApp’s data policies.  Similarly, negative reactions to Yahoo’s acquisition of Tumblr began immediately on the basis of public perceptions of the companies involved.  Acquiring entities should consider whether a consumer response plan should be put in place prior to announcing the acquisition and, in some cases, whether messaging control and public response management will be required on a preemptive basis.
  • Know Whether Promises Have Been Kept.  When conducting diligence review of an entity for acquisition, take a broad perspective when assessing whether that entity has lived up to its promises on how it treats consumer data.  In addition to policies and terms of use, you may need to consider interviews, press releases and marketing materials.

As noted at the outset, mergers are never simple.  Rare are the acquisitions that will be completed without a hitch.  When it comes to user data, however, it is more important than ever for acquiring entities to take the necessary steps to ensure that they get what they pay for.

Subscribe To Viewpoints


Cynthia J. Larose

Member / Co-Chair, Privacy & Cybersecurity Practice

Cynthia J. Larose is Chair of the firm's Privacy & Cybersecurity Practice, a Certified Information Privacy Professional-US (CIPP-US), and a Certified Information Privacy Professional-Europe (CIPP-E). She works with clients in various industries to develop comprehensive information security programs on the front end, and provides timely counsel when it becomes necessary to respond to a data breach.