The bankruptcy clause: what happens to student data when a platform folds

Nearly every privacy policy contains a business-transfer clause: in a merger, acquisition, or bankruptcy, student records can transfer to the new owner, who is free to adopt different rules. When the college-planning platform ConnectEDU went bankrupt in 2014, the personal information of more than 20 million students was listed among the assets for sale.

Reviewed July 2026

A privacy policy makes promises about how a company treats your data today. Those promises assume the company stays the company you signed up with. Platforms get acquired, merge with another business, or fold into bankruptcy, and nearly every privacy policy contains a clause that anticipates exactly that.

The business-transfer clause

Almost every policy in this space includes language like this, pattern-composite phrasing rather than a quote from any one vendor: "in the event of a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction." The clause is not unusual and is not, by itself, evidence of anyone's bad intent. It covers an ordinary business event: companies get bought or wind down, and something has to happen to the records they hold.

What the clause does not promise is that a successor operates under the same rules you relied on when you agreed to the original policy. A new owner can adopt a new privacy policy, a new business model, and new practices, and the records travel with the company into that new arrangement. Sometimes the data a clause like this covers is a meaningful part of why the acquirer wanted the deal at all, since a base of students, families, and schools already using a platform has value beyond the software itself.

When the FTC stepped in: ConnectEDU

In 2014, ConnectEDU, an education technology platform that helped high school and college students, along with their parents and school counselors, with career and college planning, filed for bankruptcy and proposed selling substantially all of its assets, including the personal information of more than 20 million students. The FTC's Bureau of Consumer Protection sent a letter to the bankruptcy court arguing that a sale without notice to users and a chance to delete their data would be inconsistent with ConnectEDU's own privacy policy, which had promised users that kind of notice and choice before any transfer of the company.

The FTC's letter asked the court to require notice and a deletion opportunity, or destruction of the data, or the appointment of a privacy ombudsman, an independent reviewer a court can appoint to look after users' privacy interests in a sale. What decided the default outcome, before any regulator got involved, was the language already sitting in ConnectEDU's own policy. Regulators have intervened visibly in situations like this one, but nothing in a policy entitles a family to that intervention, and you should not count on it happening for any given deal.

What to ask

Two questions get at what a business-transfer clause actually promises, given how thin most versions of it are.

Does the policy promise notice and a deletion window before a transfer, or does it only say data "may be transferred"? The first version gives a family a chance to act before records move. The second does not, and most policies default to the second.

Does the policy bind a successor to the same terms, or does it leave a new owner free to adopt different ones? "Any purchaser will abide by this policy" is a materially different promise than silence on the question, and silence is the more common answer.

The clause decides which door the records pass through A box labeled Policy, your promises, holding student records, connects by an arrow labeled acquisition or bankruptcy sale to a small clause scroll. The scroll sits at a fork between two doors: one labeled bound to same terms, drawn as a solid closed door, and one labeled new rules, no promise, drawn as a dashed door with a question mark. Both doors lead into a second box labeled New owner, new rules question mark, showing that the clause, not a regulator, decides by default which path the records take. The clause decides the default path Policy: your promises student records name, school, essays scores, notes, forms acquisition / bankruptcy sale the clause bound to same terms new rules, no promise ? New owner: new rules? by default, the clause decides; a regulator stepping in is the exception

The practical takeaway

A business-transfer clause is one of the most common clauses in a privacy policy, and one of the least examined. It quietly decides what happens to a family's records if the platform holding them is ever bought, merged, or shut down, and most versions of it promise very little beyond the possibility of transfer itself.

Before you upload anything to a platform, look for whether its policy promises notice and a deletion window before a sale, and whether it binds a successor to the same terms. The checklist walks through this question alongside the rest. Two related reads: how free platforms make money from student data in the first place, and the real difference between deleting and de-identifying and retaining a record once you ask a vendor to remove it.


Evaluating a platform this week? Bring the one-page checklist to the demo: the checklist.

Platform type: CRM and practice management platforms, Essay and application platforms, Assessment and survey tools