Personal data is a valuable corporate asset. At times, the personal information collected from customers (such as email address, mailing address, phone number, etc.) can be a company’s most
“We share your personal data only in the ways described in this policy
“We care about our customers and we will never sell or share your personal data
Most companies include these statements to highlight their promise not to capitalize on a consumer’s data by selling to third party marketers. However, many companies do not realize that statements such as these could also severely restrict the company’s ability to sell data as a corporate asset in a company sale, merger, bankruptcy, or similar corporate transaction, unless there is also a clear statement within the policy which permits data to be transferred during the course of such events.
Enforcement actions for violations of privacy policies
to its customers.
The FTC and state attorneys general can investigate and bring enforcement actions against companies that engage in unfair or deceptive acts and practices
and routinely use this power to investigate whether companies act contrary to the promises made in their privacy policies. Citing breaches of company privacy policies, the FTC has initiated enforcement actions alleging deceptive acts and practices against Google
, and MySpace
, among others. When regulators prevail in their enforcement actions, they may impose a range of penalties upon companies, including injunctions against proposed data use or the deletion of improperly obtained data, customer redress in the event of customer harm, the imposition of a government-written data privacy and security program, recordkeeping requirements, and bi-annual third party audit and reporting requirements for up to 20 years.
Enforcement actions involving data sales
The FTC and State AGs keep an eye on companies engaged in high-profile corporate transactions to make sure consumers’ privacy rights are not trampled in the companies’ haste to consummate deals. The FTC’s letter to Facebook and WhatsApp
The Toysmart.com bankruptcy precedent
These restrictions substantially reduced the pool of potential buyers and significantly limited the ways in which the eventual purchaser could use the data. Ultimately, the restrictions proved to be too onerous, and Disney Corp., one of Toysmart’s major investors, paid the debtor $50,000 to destroy the data prior to Toysmart’s dissolution.
RadioShack’s sale under Section 363 of the Bankruptcy Code
As RadioShack recently discovered when it attempted to sell its customers’ data in Chapter 11, Section 363 of the Bankruptcy Code can pose significant challenges to debtors who fail to exercise foresight when drafting their privacy policies.
“We will not sell or rent your personally identifiable information to any one at any time
“Information about you specifically will not be used for any purpose other than to carry out the services you requested from RadioShack and its affiliates. All of our affiliates have agreed to maintain the security and confidentiality of the information we provide to them
To make matters worse, RadioShack displayed signs in its brick-and-mortar stores declaring:
“We respect your privacy
“We do not sell mailing lists
Thus, when RadioShack proposed the sale of consumer personal information in bankruptcy, state and federal regulators intervened to block the sale. The FTC warned the court-appointed consumer privacy ombudsman
To prevent any such violation, the FTC proposed restrictions on the sale similar to those applied in the Toysmart.com case. After months of collateral litigation, the consumer privacy ombudsman recommended that the sale go forward under limited conditions. The ombudsman recommended that the sale:
- include seven data points, as opposed to the 170 data points originally contemplated,
- not include customers’ credit or debit card numbers, Social Security numbers, telephone numbers, or dates of birth,
- only include email addresses from customers active within two years prior to the sale,
- provide an opt-out option to consumers prior to transfer, and
While the sale was ultimately consummated based on the terms set forth above, the majority of the data was destroyed, stripping away much of the data’s value to the purchaser.
Quirky’s attempts to sell data assets in bankruptcy
At the beginning of October 2015, a U.S. Bankruptcy Trustee objected
The FTC exercises broad jurisdiction to bring enforcement actions against companies that engage in unfair or deceptive acts or practices under Section 5 of the Federal Trade Commission Act (“FTC Act”). 15 U.S.C. § 45(a). Many states have similar consumer protection legislation, commonly known as the “Baby FTC Acts.”
 In re Toysmart, LLC
, Consent Decree, Ex. A, Stipulation & Order Establishing Conditions on Sale of Customer Information, Case No. 00-13995-CJK (July 21, 2000).https://www.ftc.gov/sites/default/files/documents/cases/toysmarttbankruptcy.1.htm
In RadioShack, the court-appointed consumer privacy ombudsman was Jessica L. Rich: the director of the FTC’s Bureau of Consumer Protection.
Objection, In re: Quirky, Inc.
, No. 15-12596 (MG) (Bankr. S.D.N.Y. 2015).