An all-cash bid by
The merger, which is being reviewed by the Department of Justice, would boost Netflix’s collection of user data including search history, viewing activity, and location by tens of millions of more viewers. While the deal is far from finalized and competitors including Paramount Skydance Corp. are lobbying the administration to approve a rival bid, attorneys say privacy practices at Netflix and Warner Bros. privacy would play a role in evaluating consumer risks posed by the merger.
Enforcers and lawmakers have widened the scope of their concerns about mergers in recent years from pricing and competition to the protection of consumer data. For instance, in the acquisition of defunct genetic testing company 23andMe’s data, a bankruptcy judge appointed a privacy ombudsman to review how the transfer would impact consumers. Lawmakers also raised concerns about the privacy of sensitive health data in a blocked acquisition of grocery chain Albertsons by Kroger and a bankruptcy sale of Rite Aid’s pharmacy customer data.
Regulators need to pay attention to what customers originally consented to when they shared their data and if the acquiring company will use the data with the same protections, said Erin Prest, partner at McCarter & English. “That’s where regulators seem to pay attention,” she said.
For instance, after Amazon acquired One Medical, the Federal Trade Commission in 2023 issued a statement warning the acquiring company that misrepresentations about how data would be used by Amazon could constitute violations of the FTC Act. However, the FTC and Justice Department have not cited data privacy as a reason to block a merger
Warner Bros.’ privacy policy explicitly allows for data transfer “in the event of an actual or potential business transaction.” Still, regulators may look at how acquiring companies protect new data, so an acquiring company would need need to worry about data security, said Lisa Sotto, partner at Hunton Andrews Kurth LLP.
“To the extent that systems are being integrated, the acquiring company is going to need to assure that appropriate security is being provided with regards to the integrated systems,” Sotto said. “The acquiring company doesn’t necessarily know what protections are in place now.”
Regulators have dinged Netflix over its privacy policy before. In 2024, the Dutch data protection authority fined Netflix approximately $5 million for failing to adequately inform consumers about how the company used consumer data between 2018 and 2020. Netflix updated its privacy policy with more information but denied wrongdoing.
Both Netflix and Warner Bros. have been subject to civil litigation under the Video Privacy Protection Act, a federal law protecting viewing records. Warner Bros. recently faced a lawsuit last year citing VPPA violations. That lawsuit was voluntarily dismissed.
Both Warner Bros. and Netflix did not respond to a request for comment.
What might make the management of data transfers more straightforward is an increase of state privacy laws that require companies to have more uniform practices , said Sotto. For instance, both of the California-based companies are subject to the California Consumer Privacy Act.
Still, when it comes to the nitty gritty of how parties evaluate user privacy in mergers, the companies’ privacy policies are “the bible,” she said.
For the Netflix deal, which involves sensitive data valuable to advertisers, the acquiring company will “have to look at what’s happening to that information,” said Prest. “People might not want their viewing habits out there.”
To contact the reporter on this story:
To contact the editors responsible for this story: