“We share your personal data only in the ways described in this policy,”
“We care about our customers and we will never sell or share your personal data.”
Most companies include these statements to highlight their promise not to capitalize on a consumer’s data by selling to third party marketers. However, many companies do not realize that statements such as these could also severely restrict the company’s ability to sell data as a corporate asset in a company sale, merger, bankruptcy, or similar corporate transaction, unless there is also a clear statement within the policy which permits data to be transferred during the course of such events.
Enforcement actions for violations of privacy policies
The FTC and state attorneys general can investigate and bring enforcement actions against companies that engage in unfair or deceptive acts and practices, and routinely use this power to investigate whether companies act contrary to the promises made in their privacy policies. Citing breaches of company privacy policies, the FTC has initiated enforcement actions alleging deceptive acts and practices against Google, Snapchat, and MySpace, among others. When regulators prevail in their enforcement actions, they may impose a range of penalties upon companies, including injunctions against proposed data use or the deletion of improperly obtained data, customer redress in the event of customer harm, the imposition of a government-written data privacy and security program, recordkeeping requirements, and bi-annual third party audit and reporting requirements for up to 20 years.
Enforcement actions involving data sales
The Toysmart.com bankruptcy precedent
RadioShack’s sale under Section 363 of the Bankruptcy Code
As RadioShack recently discovered when it attempted to sell its customers’ data in Chapter 11, Section 363 of the Bankruptcy Code can pose significant challenges to debtors who fail to exercise foresight when drafting their privacy policies.
“We will not sell or rent your personally identifiable information to any one at any time,”
“Information about you specifically will not be used for any purpose other than to carry out the services you requested from RadioShack and its affiliates. All of our affiliates have agreed to maintain the security and confidentiality of the information we provide to them.”
To make matters worse, RadioShack displayed signs in its brick-and-mortar stores declaring:
“We respect your privacy”
“We do not sell mailing lists”
To prevent any such violation, the FTC proposed restrictions on the sale similar to those applied in the Toysmart.com case. After months of collateral litigation, the consumer privacy ombudsman recommended that the sale go forward under limited conditions. The ombudsman recommended that the sale:
- include seven data points, as opposed to the 170 data points originally contemplated,
- not include customers’ credit or debit card numbers, Social Security numbers, telephone numbers, or dates of birth,
- only include email addresses from customers active within two years prior to the sale,
- provide an opt-out option to consumers prior to transfer, and
While the sale was ultimately consummated based on the terms set forth above, the majority of the data was destroyed, stripping away much of the data’s value to the purchaser.
Quirky’s attempts to sell data assets in bankruptcy