Does a seller of a business need to erase their customers’ details when handing over to the buyer of their business for privacy reasons?
Under Australian law, specifically the Privacy Act 1988 and the Australian Privacy Principles (APPs), businesses have obligations to protect personal information they hold. When a small business is sold under a standard 'asset sale' style arrangement:
- Transfer of Personal Information: The seller can transfer personal information to the buyer if it's necessary for the continued operation of the business. For instance, if the business is an online store, the buyer would need customer details to fulfill existing orders and provide customer support.
- Consent: If the personal information is being used for a purpose other than what it was originally collected for (e.g., if the buyer intends to use the email addresses for a new marketing campaign), the seller might need the consent of the individuals whose data is being transferred.
- De-identification or Destruction: If the buyer does not require certain personal information for the business's continued operation, the seller may need to de-identify (remove personally identifiable details) or destroy that information. This ensures that personal data isn't misused or accessed without a valid reason.
- Business Sale Agreement: The terms of the business sale agreement can also dictate how personal information is handled. Both parties can negotiate and specify terms regarding the transfer, use, or deletion of personal data.
In summary, the seller doesn't necessarily have to erase all inboxes when handing over the business. However, they must ensure that personal information is treated in line with privacy laws, which may involve obtaining consent, de-identifying data, or setting specific terms in the sale agreement.
- If the business is sold as a 'share sale' (i.e. the underlying share ownership of the business changes hands), the above considerations may be simpler. Since the company (and its obligations) remains the same entity, there's typically no need to transfer personal data between entities.
- If the company is a multi-jurisdiction company holding personal information of customers in other countries, additional laws may apply (e.g. the GDPR or the CCPA), which may have different erasure requirements.