On March 20, The Walt Disney Company completed its purchase of 21st Century Fox. The acquisition added huge properties like The Simpsons and National Geographic as well as film blockbuster franchises to Disney’s star-studded stable that includes Star Wars, Marvel Comics, Pixar, the Muppets, and a decades-long catalog of major intellectual properties.
While major acquisitions and mergers often give rise to anti-trust issues–and this one was no exception, the transfer of properties with complex privacy policies, and how that works going forward has not been a big topic of discussion.
Corralling such a massive amount of children’s and family-friendly entertainment under one roof may seem, at least on the surface, like a world-friendly move, but to quote a song from Disney’s 1995 direct-to-video sequel, “Pocahontas 2”–“things aren’t always what they appear.”
While Disney’s acquisition lacks the dark mirror quality of Amazon’s ever-expanding home networking business or Google’s inescapable array of services (all of them tracking users with mindboggling granularity), there is considerable consumer data tied to the properties that just changed hands, all of it governed by the privacy policies attached to them, which also changed hands but cannot be changed without user consent. This is not about whatever privacy fail we might expect next from Facebook. It’s about the potential privacy conflicts caused by Disney’s acquisition of Fox.
It Was All Started by a Mouse
Walt Disney liked to remind people that his company started humbly, “by a mouse.” Today, we are also dealing with something mouse-related: Our data.
Few of us ever read the privacy policies we agree to when we download software or an app–the exception here being those among us who are in the business of selling data. Privacy policies are binding. When a company changes hands, the data in its possession is governed by the privacy policy that was in place when the user accepted its terms, and that remains the case even after it’s transferred to its new owner. They can be changed, with user consent, which is usually given by users who are not studying the new terms of engagement.
Disney of course pre-dates the era of a surveillance economy, but it has invested aggressively in data analytics and customer tracking. Strategic data deployment has been central to Disney’s increased profits in recent years, both at its theme parks and brick-and-mortar stores. While RFID tracking for customers, facial recognition, personalized offers based on prior purchases and behavior can all vastly improve customer experience, we’ve seen far too many instance of companies abusing their privileged access to consumer data.
The “Don’t Be Evil” Option
Companies can start with good intentions (see Google’s recently retired “Don’t Be Evil” motto) and eventually expand their data mining practices to Orwellian dimensions. It’s a matter of grave concern.
When a disproportionate number of the customers being tracked are children, this should be even greater cause for concern. That’s the red button aspect of prime interest in the Disney-Fox deal.
Case in point, the 2017 lawsuit filed against Disney and still pending in court that claims the company was tracking children through at least 42 of its mobile apps via unique device fingerprints to “detect a child’s activity across multiple apps and platforms… across different devices, effectively providing a full chronology of the child’s actions.”
Disney denies these allegations, but they did cop to generating “anonymous reporting” from specific user activity through “persistent identifiers,” and that the information was collected by a laundry list of third party providers, many of which are ad tracking platforms.
The company is by no means alone in this practice. A 2018 study found that 3,337 family- and child- oriented apps available on the Google Play store were improperly tracking children under the age of 13. It’s not hard to see why. If consumer data is valuable, starting the process of collecting data associated with an individual as early as possible can provide marketing companies with extremely deep data about their target’s preferences and habits long before they have a disposable income. The U.S. Children’s Online Privacy Protection Rule (“COPPA”) was created to stop this from happening. But as we’ve seen from companies like TikTok, it’s often skirted or flouted outright and the penalties are often laughable compared to profits.
The collection of data on kids is a problem. Enter Disney, the sheer scale of that empire making its data position comparable to that held by Facebook or Google. It is similar with Fox properties, though to a lesser extent. The upshot: An immense amount of data just changed hands and no one is talking about it–and they should be.
Changing Privacy Policies
While privacy policies are easy to find, they are not so much fun to read. They are not all alike. But without engaging in a tale of the tape regarding Disney and Fox policies, there is still reason for concern.
The problem from a privacy standpoint is a side-effect of Disney’s aggressive expansion. Those of us who love Marvel Comics, and who signed up for related sites or apps before 2009 or Star Wars before 2012, or who subscribed to National Geographic before this year, all belong to Disney’s data holdings now. We have no way of knowing how our data is being used, or whether the privacy policy we agreed to is the one governing the current use of our data. Disney announced changes to each of its new properties’ privacy policies on its main website and updated them accordingly, but is that enough?
Companies can reserve the right to change their privacy policies, and if we don’t like it we can always opt out. Things become murkier when data is purchased by a third party; this can happen with acquisitions, or when major retailers go belly up. It happened when Radio Shack went out of business, and its entire customer database was suddenly put up for sale to the highest bidder.
The creation of meaningful standards for consumer privacy is a moving target, but it should be a legislatively mandated consideration for large scale mergers and acquisitions. Once a customer’s information is sold, there’s no way to get it back. An effective stopgap might be to demand a data transfer “opt out” button when we’re giving consent to privacy policies. When it comes to children, we might even consider legislating automatic “opt out” for anyone under a certain age. Where safeguarding children’s data is concerned, there’s still much work to be done.
This article originally appeared on Inc.com.