Data Sharing in Connection with Business Transfers

What it is

If Medium is sold, merges with another company, or goes through bankruptcy, your personal data may be transferred to the new owner or successor entity as part of that transaction.

Why it matters (compliance & governance perspective)

A corporate transaction could result in your personal data being controlled by a different company with different privacy practices, and this policy gives you no opt-out right in that scenario.

Consumer impact (what this means for users)

In the event of a sale, merger, or bankruptcy involving Medium, your personal information, including account data, reading history, and payment details, may be transferred to a new entity whose privacy practices you have not reviewed or agreed to.

What you can do

Institutional analysis (Compliance & governance intelligence)

REGULATORY LANDSCAPE: Business transfer provisions implicating user data are subject to FTC oversight under the FTC Act's prohibition on unfair or deceptive practices. The FTC has historically required that user data transferred in a business sale be used only in accordance with the privacy policy under which it was collected, unless users are given an opportunity to consent to new uses. GDPR may also apply where EU personal data is involved, as a change of data controller requires notice to data subjects. GOVERNANCE EXPOSURE: Medium. This provision is standard across the industry but creates practical risk for users because the successor entity's privacy practices are unknown at the time of account creation. There is no user notification or consent mechanism specified in this clause for the transfer event itself. JURISDICTION FLAGS: EU/EEA users are protected by GDPR requirements that any new data controller operating under different purposes must provide fresh notice and, where required, obtain new consent. California users have CCPA rights that may survive a business transfer. The policy does not specify what happens to user data in a bankruptcy scenario, which may create additional legal complexity. CONTRACT AND VENDOR IMPLICATIONS: Enterprise customers using Medium for corporate publishing should assess the implications of a potential business transfer on their own data obligations. If corporate employee or customer data is processed by Medium, a change of control could affect the legal basis for that processing. COMPLIANCE CONSIDERATIONS: Users who are concerned about the business transfer provision can export their data and consider whether account deletion is appropriate if a transaction is announced. Compliance teams should monitor for any announcements of corporate transactions involving Medium and assess whether notification obligations are triggered under applicable law.

Applicable agencies

Applicable regulations

Provision details

Other risks in this policy

• Third-Party Data Sharing with Analytics and Advertising Partners medium
• International Data Transfer to the United States medium
• GDPR Rights for EU/EEA Users medium
• CCPA Rights for California Residents medium
• Payment Data Collection and Processing low
• Data Retention Without Fixed Periods medium

Related Analysis

• Meta Removed 438 Sentences From Its Privacy Policy. Here Is What Disappeared.

  ConductAtlas detected a major restructuring of Meta’s privacy policy that removed detailed consumer rights disclosures and relocated them to separate documents.

• 23andMe Is Bankrupt. What Happens to Your DNA Now?

  Your genetic data may be transferred to a new owner as a business asset. Here is what the Terms of Service actually say and what you can do right now.