Currently working on a side-project that aims to be a competitor to Facebook Events for personal celebrations . We’d like to claim that we’ll never sell personally identifiable information to third parties, but are at a loss how to (contractually) enforce this claim so our users can trust their data is safe.
Is there some way to strictly forbid this today as well as in the future? Ideally, if Facebook buys the entire company they still wouldn’t be able to sell your data.
 wherat.com its goal is to simplify throwing a birthday party to such a degree, that you'll never consider skipping organizing one again.
It seems the simplest solution would be to never collect the data in the first place. Can't sell what you don't have.
Although interesting in theory, certain data is necessary for some of the features we have in mind.
Example: allergy/diet profile of guests to suggest snacks that hosts should buy that fit their dietary profiles.
I'm working on solving this problem. May I ping you when I enter beta? Is anyone interested in this?
Put it into the contract/TOS, Company will not sell data, user data is owned by the user and licensed for use by Company, with the condition that Company cannot sell data to third parties. To make it even more explicit you could add a checkbox to the registration that user does NOT grant consent to user data being sold to 3rd parties.
It's very easy to alter contracts and TOS, though.
Even Google had a clause in their original TOS that they wouldn't do anything with user-level data: https://www.nytimes.com/interactive/2019/07/10/opinion/googl...
Something stronger is necessary imo.
A clickwrap contract is generally considered legally binding. If your ToS is written such that the terms can’t be changed for previously-collected data and that changes of control and asset transfers will also contain this clause, if the company or an acquirer did so, users would sue. If you wanted to give users more litigation power, explicitly state that class actions are permitted.
Now, if an acquirer changed the ToS for data collected after the acquisition, that’s a totally different story, but it wouldn’t be retroactive to data collected under the prior ToS.
Finally, if your concern is that commercial contracts aren’t enforceable, that’s a much tougher problem to solve.
Companies are like people, they have the freedom to change their mind and there is no legal strategy that would cover "indefinitely" as far as I know.
Really the best you can do is write a good ToS, hope people notice when it changes if things go bad.
Beyond that and while you can affect change gather as little data possible... give the users a conspicuous way to manage/delete their data and hope if things go bad that the users notice when that feature disappears.
Let the user download an archive of the event for some period of time, then delete it.
I quite like this idea of making sure the user always maintains control of his data, and can choose to delete it at any time. Will reflect more upon this.
You deleting it prevents your successor from going through years or decades of accumulated data, whereas user options to delete data ensures it will generally accumulate. Once it accumulates you can't do anything to stop the next person from exploiting it. If it accumulates enough it will become the distinguishing value of your product or company.
Under GDPR that's a legal obligation you'd have to fulfill regardless.