In what may become viewed as the de facto standard for selling customer information in bankruptcies, a Delaware bankruptcy court approved, on May 20, 2015, a multi-party agreement that would substantially limit RadioShack’s ability to sell 117 million customer records. The agreement was entered into by RadioShack Corp., General Wireless Inc., and 17 state attorney generals as part of the former’s ongoing bankruptcy proceeding. Despite its original intention to sell all of its customer records, RadioShack entered into the agreement in response to filings made by 36 state attorney generals and the Federal Trade Commission (FTC) (although the FTC was not a signatory). Instead of selling the entire cache of data, which includes credit and debit information, transaction history, telephone numbers, mailing addresses, and email addresses, RadioShack will destroy the majority of the data and sell only a subset of customer email addresses to General Wireless Inc. That subset of customer data will also be subject to various restrictions.
Tennessee, Pennsylvania, and Oregon also filed formal objections with the court, similar to that of the Texas Attorney General, and regulators from 32 other states filed letters supporting these motions.
The FTC’s Director of the Bureau of Consumer Protection, Jessica Rich, also filed a letter with the court-appointed ombudsman on May 16, 2015. Citing concerns similar to the Texas Attorney General’s, Rich wrote:
The representations RadioShack made to its customers about the privacy of their information, including name, address, telephone number, email address, and purchase history, would likely be considered very important to many customers . . . Consumers who provided their personal information to RadioShack would likely be very concerned if it were to be transferred without restriction to an unknown purchaser for unknown uses.
Rich therefore expressed the FTC’s concern that “a sale or transfer of the personal information of RadioShack’s customers would contravene RadioShack’s express promise not to sell or rent such information and could constitute a deceptive or unfair practice under Section 5 of the FTC Act [15 U.S.C. § 45].”
- The customer information is not sold as a standalone asset;
- The buyer is engaged in substantially the same lines of business as RadioShack;
- The buyer expressly agrees to be bound by and adhere to the terms of RadioShack’s privacy policies as to the personal information acquired from RadioShack; and
- The buyer agrees to obtain affirmative consent from consumers for any material changes to the policy that affect information collected under the RadioShack policies.
In addition, Rich also recommended that RadioShack obtain affirmative consent from its customers before transferring the data. Those customers who did not consent could choose to have their information purged.
As big data analytics become an increasingly essential component of most companies’ marketing strategies, issues associated with the sale of customer data are bound to become more common. Although this is not the first time state regulators and the FTC have raised concerns about transactions such as these, the level of coordination and swift action on the part of these regulators shows they mean business when it comes to protecting consumer privacy, even in the context of major bankruptcies. Companies should therefore be sure to consider the guidance offered by the FTC and contained in the May 20 agreement when developing or revising their privacy policies with an eye towards potential sales in connection with bankruptcies or other future transactions.