Remember when [company name] shut down last year? If you were a user, you probably got an email saying the service was closing and you should download your data. What that email didn’t say: your personal information was probably sold to the highest bidder as part of liquidating company assets.

This happens constantly. We trust companies with our data, they go under, and suddenly that data is an asset to be sold. The rules around this are shockingly loose.

Data Is an Asset

When a company goes bankrupt, assets get liquidated to pay creditors. Physical assets like office furniture are obvious. But digital assets count too – code, intellectual property, domain names, and user databases.

Your personal information – email address, usage patterns, purchase history, preferences – has monetary value. Not a lot per individual user, but multiply it by millions of users and suddenly the database is worth something.

Companies selling user data during bankruptcy isn’t illegal in most jurisdictions, even if their privacy policy promised they’d never sell your data. Privacy policies aren’t contracts, and bankruptcy courts prioritize creditor recovery over privacy promises.

What Gets Sold

The buyer typically gets:

• Account information: email, username, profile data
• Usage history: what you did on the platform
• Purchase history: what you bought, when, for how much
• Communication data: depends on the service, but potentially messages or posts
• Technical data: IP addresses, device info, cookies

The new owner can often use this data however they want, subject to whatever privacy laws exist in relevant jurisdictions. They might integrate it into their existing product, sell it to data brokers, or use it for marketing.

The Privacy Policy Loophole

Most privacy policies have some version of “we may transfer your information if we’re acquired or go through bankruptcy.” It’s buried in the terms you didn’t read when you signed up.

Even if the original company promised not to sell data, that promise often doesn’t survive bankruptcy. The bankruptcy court’s job is maximizing recovery for creditors, not protecting privacy commitments the company made.

Some companies have “data protection trusts” or similar structures meant to prevent this, but they’re rare and the legal protections are untested in many jurisdictions.

Real Examples

When RadioShack went bankrupt in 2015, they tried to sell their customer database containing 117 million email addresses and physical addresses. State attorneys general objected, and the sale was eventually restricted, but it shows the intent.

When Gawker Media shut down, their archives and presumably user data were sold to Univision, then later to other owners. Users weren’t asked for consent.

Numerous smaller startups have sold user databases during shutdowns. Most didn’t make headlines because they weren’t well-known enough for anyone to notice or care.

What About GDPR?

The EU’s GDPR provides stronger protections. Data can’t be used for purposes beyond what users originally consented to, even in bankruptcy. In theory, user data from EU residents should be deleted, not sold.

In practice, enforcement is challenging. If a US company goes bankrupt and sells data to another US company, what’s the EU going to do? Fine a company that no longer exists?

Australia has privacy laws that theoretically protect data during company transitions, but enforcement is limited and often reactive rather than proactive.

The Acquisition Scenario

Acquisitions are different from bankruptcy but raise similar issues. When one company buys another, they usually get the user data.

Terms of service often allow this. “We may share data with our corporate affiliates and successors” basically means “when we get bought, the buyer gets your information.”

At least in acquisitions the acquiring company usually keeps the service running and has a business incentive to maintain trust. In bankruptcy liquidation, there’s no such incentive.

What You Can Do

Read privacy policies before signing up, specifically the sections about business transfers and data disposition. It’s boring, but it matters.

Use disposable emails for services you don’t fully trust. If the company goes under and sells data, at least it’s not your primary email.

Delete accounts you’re not using. Many people have accounts on dozens of services they haven’t touched in years. Less data out there means less risk.

Export your data regularly from services you care about. Most platforms offer data export features. If they shut down suddenly, you’ll at least have your content.

Support data protection laws that restrict what can happen to personal information during bankruptcy. This is a policy problem that needs political solutions.

The Startup Risk

Startups are particularly risky because most fail. That cool new app with 500K users? Probably losing money and might not exist in two years.

Bigger, established companies are safer bets for data trust, though they have their own issues (looking at you, Facebook). At least they’re unlikely to suddenly liquidate.

Be especially cautious with:

• Health apps storing medical information
• Financial apps with transaction history
• Communication apps with private messages
• Dating apps with sensitive personal information

When these fail, the data is particularly valuable and potentially embarrassing or harmful if misused.

The Cloud Services Problem

When a cloud storage service or SaaS product shuts down, you might lose access to your data entirely. If they don’t give adequate warning or if their shutdown is abrupt, you might not get a chance to export anything.

Always have backups of critical data. Don’t rely on any single service, especially smaller ones, as your only storage location.

What Companies Should Do

Responsible companies have data disposal plans. If they shut down, they commit to deleting user data rather than selling it. This commitment should be legally binding and funded in advance.

Very few companies do this. It costs money and provides no business benefit to the current owners. But it’s the ethical thing to do.

The Bigger Picture

We’ve built a digital economy where user data is valuable and companies are incentivized to collect as much as possible. When those companies fail, that data becomes an asset to liquidate.

Until we have stronger legal protections around data disposition, this will keep happening. Users have very little recourse once it does.

The default assumption should be: any data you give to a company might eventually end up in hands you didn’t anticipate. Use services accordingly.

Sometimes the convenience is worth the risk. Sometimes it isn’t. But make that choice consciously, not because you assumed your data was protected when it really wasn’t.

Trust no company to protect your data more than they legally have to. Most won’t.