Facing objections from the Federal Trade Commission and the Attorneys General of 23 states, RadioShack in its bankruptcy filing, has agreed to destroy the bulk of the personal customer information maintained in its files.
As part of its Chapter 11 petition, the company offered all of its assets for sale—including data on roughly 117 million customers, such as e-mail addresses, telephone numbers, and credit and debit card information.
But almost two dozen state AGs filed an objection, arguing that the sale constituted a violation of state consumer protection laws as well as the company’s own privacy policies. The policies assured consumers that RadioShack would “not sell or rent your personally identifiable information [PII] to anyone at any time.” By offering such data for sale, the company sought to do the opposite of what it promised and engaged in unfair and deceptive practices, the AGs told the bankruptcy court.
The FTC also weighed in and wrote a letter to the court-appointed consumer privacy ombudsman in the bankruptcy case to recommend that certain conditions be placed upon the sale of PII to protect RadioShack’s former customers. Possible considerations ranged from a sale of the information only to another entity in substantially the same line of business as RadioShack, to an agreement from the buyer to remain bound by the RadioShack privacy policies in place when the customers’ data was collected.
With a sale in the balance and state and federal regulators breathing down its neck, RadioShack and purchaser General Wireless Operations, Inc. entered into a mediation to resolve the objections.
Pursuant to the deal, General Wireless will only purchase two categories of PII: (1) customer e-mail addresses that were active within the two-year period before RadioShack filed for bankruptcy; and (2) transaction data for the prior five-year period limited to seven fields (store number, ticket date/time, SKU number, SKU description, SKU selling price, tender type, and tender amount).
Any other customer information—older e-mail addresses, telephone numbers, and 14 other transaction fields, for example—will be destroyed.
Before the transfer of the PII to General Wireless, RadioShack will send an e-mail to affected customers advising them of the purchase and providing them with an opportunity to opt out. Recipients will have seven days to exercise the option not to have their PII transferred.
To read the settlement agreement in In re RadioShack Corp., click here.
Why it matters: Privacy is a top-of-mind concern for both state and federal regulators. The FTC has intervened in multiple bankruptcy cases in recent years, from high-profile cases involving Borders, the national bookstore, to the personal bankruptcy of the owner of a gay teens magazine. RadioShack’s bankruptcy problems provide an important reminder that companies must consider the implications of a future bankruptcy when drafting privacy policies or face complications down the road.