When Wal-Mart (WMT) agreed to purchase online retailer Jet.com for $3.3 billion recently, it marked not only the largest acquisition of an e-commerce company, but also a momentous transfer of consumer data. As companies, like Wal-Mart, take over businesses, and as corporations sell the user databases at dizzying rates, you might ask a very sobering question: “Who has my data?”
“Consumers hardly have any control over sharing, flow and usage of their data,” says Paul Kubler, a digital forensics and cyber security examiner at LIFARS, a digital forensics and cybersecurity intelligence firm in New York City.
RATE SEARCH: Get your credit report and score today, free and with no obligation, at myBankrate.
Even though most people safeguard their passports, lock up their Social Security cards and shred old credit cards, their data is out there in the internet world — and in many cases — in places they’d never anticipate.
What Happens With Your Data
In acquisitions and mergers, while data is usually integrated into the purchasing company’s already existing systems, according to Kubler, what actually happens differs based on what the acquiring company’s plans are.
“While sensitive, personally identifiable data is supposed to be protected (like credit card numbers or passport information), often in merger and acquisitions, it takes some time before the data is — if ever — truly integrated into the secure infrastructure,” Kubler says. “In many cases, data migration happens after a merger or acquisition is completed.”
Most of the time, consumers cannot opt out of their data being transferred by the acquiring company, Kubler says, noting most companies put clauses in their terms and conditions of use, which states that they can give your data to an acquiring company.
That fact is displayed in the fine print — the type often glossed over or skipped completely by consumers.
If you want to opt out of your data being transferred, things can get a bit tricky and, often, are a major headache for consumers.
“If no such legal statement is in place, (a) motion for opt-out from data transfer can be documented as a request to take down the information.