COVID-19 will end, that much we know. But when will it end, and what lasting effects will it have on our society remain the pressing questions for all of us. While many questions persist, it is certain that we have yet to see the full effects this global crisis will have on the economy. Many businesses, and perhaps entire industries, will not survive this prolonged shutdown or the changes in consumer behaviors following the exit from this pandemic. That means we can expect to see bankruptcy protection filings in the months ahead, and a spike in the sale of valuable corporate assets. This will almost certainly include customer data.
With this in mind, here’s an overview of privacy lessons learned in the context of bankruptcy setting out when customer data may be sold, and the potential consequences if data is ever transferred improperly.
The Cases
Toysmart. Toysmart’s Chapter 11 bankruptcy in 2000 marked the first time the Federal Trade Commission intervened in a bankruptcy proceeding, stepping in to enjoin a debtor from selling consumer data. The FTC suit was centered on the company’s privacy policy, which promised that consumer data would “never be shared with third parties.” While the FTC eventually reached a settlement with Toysmart that did permit the sale of customer data, it was only to be sold in connection with other corporate assets, to a buyer in a related market that would continue the business, and with the provision of notice and opt-out choice to the individual consumers. What the FTC sought to prevent was the sale of consumer data as a stand-alone asset, and to limit how a purchaser could use the data. The State Attorneys General brought a collective action as well, and added a more restrictive obligation to obtain the opt-in consent of consumers. The limitations posed by the FTC and State Attorneys General became so burdensome that eventually the consumer data was destroyed prior to Toysmart’s formal dissolution. Eventually, the Toysmart case re-shaped sections of the 2005 Bankruptcy Code.
Borders Bookstore. Then in 2011, when Borders Bookstore was in bankruptcy, the FTC sent a letter advocating for the protection of personal consumer data. Borders had collected substantial volumes of consumer data, including detailed records about the types of books and videos purchased by consumers. Since Border’s privacy policy promised that customers’ data would not be shared without consent, the FTC asked the bankruptcy judge to require customer consent or impose significant restrictions on the transfer and use of that data as part of the bankruptcy estate.
RadioShack. In 2015, RadioShack, the well-known electronics retailer, found itself in bankruptcy and attempted to sell customer data. RadioShack’s own privacy policy posted online and in stores, however, broadly promised customers “we will not sell or rent your personally identifiable information at any time.” This time both the FTC and several State Attorney Generals intervened to block the sale of customer data. Each state regulator, as well as the FTC, asserted that the proposed sale would violate the company’s own privacy policy, and doing so would constitute an unfair and deceptive practice. A court-appointed consumer privacy ombudsman recommended that the sale exclude several categories of consumer data, in addition to creating an opt-out provision consumers could take advantage of. Ultimately, however, most of the data was destroyed prior to the sale.
Important Takeaways
Post-COVID, we can expect to see several commercial entities selling assets in bankruptcy, and consumer data will certainly play a role in those proceedings. Keep the following in mind.
- Regulators are watching. The cases above highlight that federal and state regulators have expressed interest in intervening in bankruptcy proceedings involving the sale of valuable consumer data, and enforce promises made in privacy policies. In the post-COVID environment, don’t be surprised if they do so again.
- What does the Bankruptcy Code say? Under section 363(b)(1) of the U.S. Bankruptcy Code, if a commercial entity has disclosed to its customers a policy prohibiting the transfer of customer data, the entity may not sell or lease the customer data in its bankruptcy unless the policy is no longer in effect on the date of its bankruptcy filing, the sale or lease is consistent with the policy, or the bankruptcy court approves the sale or lease after appointment of a consumer privacy ombudsman. As in the Radioshack case, the consumer privacy ombudsman is charged with recommending a course of action to the bankruptcy court on whether to approve or deny the sale.
- Buyer beware. Cybersecurity risks will exist long after the bankruptcy proceedings. Creditors and other parties in interest may seek swift control of databases containing consumer data as an asset, but must be mindful of maintaining the security of those systems. What if a disgruntled employee of the debtor stole copies of that data? What if the systems contain viruses or hidden code to thwart access controls? What if you are responsible for a security breach shortly after taking possession of data? All good questions to consider.
- Cross-border data transfer restrictions. Numerous privacy laws around the world (e.g., GDPR) impose restrictions on the lawful, use, access, or other transfer of personal data across country borders. Creditors and other parties in interest must, therefore, perform due diligence before purchasing databases to ensure debtor has collected and otherwise processed personal data in accordance with applicable requirements, or face potential regulatory inquiries, fines, and other enforcement actions.
- Private causes of action? In the wake of the California Consumer Privacy Act, private litigants are watching, too. While the concern to date has had a direct connection between the promises made in a published privacy policy, this could shift to individual or class action claims if the number of bankruptcies involving consumer data sharply spike.
Businesses can mitigate the risks associated with consumer data in the context of bankruptcy sales through careful vetting of privacy policies, updated notices to impacted customers, opt-out mechanisms or consents, and just-in-time review of potentially applicable laws to the data in-scope.
If you have any questions about these developments or any other privacy law, please do not hesitate to contact Debra Dandeneau, Brian Hengesbaugh, or Harry Valetk
