What Happens to Your Data When a Company You Used Is Acquired
When Instagram was acquired by Facebook in 2012, the photos, likes, and location data of 30 million users were transferred instantly—without their explicit consent. Most people had no idea it happened. That kind of data transfer is common in mergers and acquisitions, and it raises real questions about what happens to your personal data when two companies become one.
This guide breaks down what you should know, your rights, and what you can do about it.
What Actually Happens to Your Data
When a company is acquired, your personal data is usually treated as a business asset. The acquiring company takes it over as part of the deal—whether that’s an asset purchase or a full share purchase.
In most cases, you won’t be notified until after the deal closes. And even then, the notice might be buried in an email or a banner on the website. The original privacy policies often include language that allows data transfer during a merger or acquisition, so technically, the company may not be breaking any promises—even if it feels that way.
Your data—customer data, employee records, business partner information—gets folded into the new company’s systems. That includes everything that was collected, stored, and processed under the old company’s data privacy practices.
What Types of Data Are at Risk
During a merger or acquisition, the buyer typically gains access to:
- Customer personal data — names, emails, purchase history, preferences
- Sensitive personal data — health information, financial records, government IDs
- Employee data — payroll, HR records, performance reviews
- Behavioral and location data — how and where users interacted with the product
The more sensitive the data, the more important it is that both companies handle the transfer carefully. Sensitive data, such as health records, may fall under specific rules, such as the Health Insurance Portability and Accountability Act (HIPAA), which adds another layer of compliance obligations.
The Due Diligence Process and Why It Matters
Before a deal closes, the buyer conducts due diligence. This is where they review the target company’s financial, legal, and operational information—including its data privacy practices.
The due diligence process should include a full review of:
- How personal data is collected, stored, and used
- What privacy policies are in place, and whether they’ve been followed
- Any prior data breaches or open regulatory investigations
- Compliance with applicable laws like the General Data Protection Regulation (GDPR) and the California Privacy Rights Act (CPRA)
- Privacy-specific representations made in the seller’s published policies
A seller’s compliance track record can be a deal-breaker. If a company has a history of privacy issues or unresolved regulatory exposure, that affects the purchase price and the buyer’s risk calculation. Identifying compliance risks early in the diligence process helps minimize problems that would otherwise surface after the deal closes.
Sharing personal data during due diligence should occur only through a secure method—typically an encrypted virtual data room—and be limited to what’s necessary to evaluate the business.
Privacy Laws That Protect You
Several privacy laws govern what happens to your data after the company holding it is acquired. Here’s what matters most.
General Data Protection Regulation (GDPR)
If you’re based in the European Union—or if the company processes data about EU residents—the GDPR applies. Under the GDPR, companies must have a legal basis for sharing or transferring personal data. That could be consent, a legitimate interest, or the performance of a contract. The acquiring company can’t simply absorb your data without meeting that standard.
The European Commission oversees broader policy, while national data protection authorities in each EU member state enforce the rules locally. Cross-border data transfers require additional safeguards, such as Standard Contractual Clauses (SCCs).
California Privacy Rights Act (CPRA) and CCPA
For California residents, the California Privacy Rights Act (CPRA) and its predecessor, the California Consumer Privacy Act (CCPA), protect customer data during mergers or acquisitions. You have the right to know what’s being collected, to request deletion, and to opt out of the sale of your personal data.
Federal Trade Commission (FTC)
The Federal Trade Commission enforces rules against unfair or deceptive data practices under Section 5 of the FTC Act. The Toysmart case is a well-known example—the FTC intervened when a bankrupt company tried to sell customer data in violation of its own privacy policy. Bankruptcy courts don’t override privacy obligations; the original promises made to customers still hold.
Other Jurisdictions
Beyond the GDPR and U.S. law, other national laws and state-level regulations may apply depending on where data subjects are located. Attorneys general in various states have the authority to investigate and enforce privacy violations. Companies operating across borders need to be aware of this patchwork of obligations.
What Changes After the Deal Closes
Once the acquisition is complete, the new company takes control. Here’s what that can mean for you:
Privacy policies may change. The acquiring company may update its data processing practices. If the new owner plans to use your data in ways not covered by the original privacy policy, they must notify you and give you a chance to opt out.
The original promises still apply. A change in ownership doesn’t erase the privacy commitments made when your data was collected. The buyer inherits those obligations.
Your rights stay intact. Under most privacy laws, you still have the right to access, correct, delete, or port your data—even after an acquisition.
Data sharing may expand. Post-acquisition, the acquiring company might share your data with new third parties or use it for new purposes, like marketing analytics. Watch for updates to subprocessor lists and privacy documentation.
Large-Scale Data Migration: What It Involves
Moving company data from one organization’s systems to another is a complex process. Large-scale data migration during a merger or acquisition typically involves:
- Planning — Mapping out what data exists, where it’s stored, and how it will transfer
- Legal review — Confirming the legal basis for transferring personal data into shared systems
- Execution — Using secure tools to migrate data without exposing it to unauthorized access
- Evaluation — Verifying that workflows and compliance controls still work in the new environment
Privacy teams from both companies should be involved early. Communication with employees about potential disruptions is also important—especially when access to systems and records changes during the transition.
Real Risks for Users
Acquisitions can introduce real privacy risks, even when both companies have good intentions. Common issues include:
- Data breaches — System integration can create new security vulnerabilities if access controls aren’t updated properly
- Unauthorized data sharing — Data may end up being used for purposes it was never collected for
- Inadequate third-party risk management — Subprocessors used by the acquired company may not meet the buyer’s security standards
- Compliance gaps — If the target company had unresolved privacy issues, those become the buyer’s problems
What You Can Do
You’re not powerless. Here are practical steps to protect yourself when a company you use is acquired.
Review the acquisition announcement carefully. Look for details on how your data will be handled, what will change, and your options.
Check the updated privacy policy. Compare it to the original. If the new processing purposes are materially different, you may have a right to object or opt out.
Submit a data subject request. Under GDPR, CPRA, and other privacy laws, you can request access to your data, ask for a copy, or request deletion. File early—request volume tends to spike during acquisitions, and processing times can slow down.
Update or revoke consent. If you gave consent for specific uses and those uses are changing, check whether your consent still applies or whether you need to re-consent under the new terms.
Monitor legal notices. Companies are generally required to notify users of material changes. Set up alerts or check your email for communications from the acquiring company.
Contact data protection authorities if needed. If you believe your data has been mishandled, you can report it to the relevant authority—a national data protection authority in the EU, or the FTC and relevant attorneys general in the U.S.
For Companies Going Through a Merger or Acquisition
If you’re on the business side, here’s what to keep in mind.
Start privacy due diligence early. Privacy-specific representations should be part of the standard diligence process, not an afterthought. Unresolved compliance issues can affect the purchase price and delay closing.
Use a data protection agreement. Before sharing personal data during due diligence, enter into a formal data protection agreement with the other party. Pair it with a nondisclosure agreement.
Confirm the legal basis before transferring data. Don’t assume that data collected under one legal basis can be freely migrated into new systems post-acquisition. Privacy teams need to verify this before the large-scale data migration begins.
Harmonize privacy policies post-close. After the deal, the combined organization needs unified privacy policies and compliance processes. Duplicating systems and maintaining two separate frameworks creates unnecessary risk.
Prepare for increased data subject requests. DSR volume tends to spike around acquisitions. Make sure you have the resources and tools to handle requests within the legally required timeframes.
The Bottom Line
Most personal data collected before an acquisition doesn’t disappear—it gets transferred to the new company. Whether that’s handled well or poorly depends on both organizations’ privacy practices and the applicable legal frameworks.
As a user, your rights don’t go away when a company changes hands. Know what data has been collected about you, stay alert to policy changes, and don’t hesitate to exercise your rights under applicable laws. The burden is on companies to ensure compliance—but staying informed gives you the best chance of catching problems early.



