Last month, bankrupt company RadioShack settled with a coalition of seventeen attorneys general to destroy most of the company’s customer data in its files. The agreement was part of a Bankruptcy Court-approved $26.2 million sale of RadioShack’s assets.

After filing for bankruptcy, RadioShack offered to sell data on 117 million customers.  Attorneys General of Texas, Tennessee, Pennsylvania, and Oregon objected to RadioShack’s plans to sell the data, arguing that such a sale would violate the company’s privacy policies as well as state consumer protection statutes.  More than thirty other state Attorneys General wrote letters supporting the effort.

RadioShack’s privacy policy provided:

Information sharing and disclosure

Agents, employees and contractors of RadioShack who have access to personally identifiable information are required to protect this information in a manner that is consistent with this Privacy Policy and the high standards of the corporation.

Information about you specifically will not be used for any purpose other than to carry out the services you requested from RadioShack and its affiliates. All of our affiliates have agreed to maintain the security and confidentiality of the information we provide to them.

We will not sell or rent your personally identifiable information to anyone at any time. We will not use any personal information beyond what is necessary to assist us in delivering to you the services you have requested. We may send personally identifiable information about you to other organizations when: We have your consent to share the information (you will be provided the opportunity to opt-out if you desire). For example, if you opt-in for emails we will share this information with our marketing provider. We need to share your information in order to provide the product or service you have requested. For example, we need to share information with credit card providers and shippers to bill and ship the product you requested. We are required to do so by law, for example, in response to a court order or subpoena

Jessica Rich, FTC Director of the Bureau of Consumer Protection, laid out a number of suggestions for the Bankruptcy Court Consumer Privacy Ombudsman based on the Commission’s settlement with Toysmart.  The Toysmart case also involved the sale of consumer data in a bankruptcy proceeding. Specifically, Rich suggested that the Ombudsman consider requiring the buyer of the assets to expressly agree to be bound by RadioShack’s privacy policies, or, alternatively, requiring RadioShack to obtain affirmative consent from its customers before transferring the data.

Acting United States Trustee Andrew Vara also raised concerns that RadioShack had not provided enough detail on the proposed sale, hampering the consumer privacy ombudsman’s efforts.

AT&T and Apple likewise objected to the sale of their customer data in the possession of RadioShack. The companies argued that RadioShack was only given access to their customer data in order to provide the companies with specific services, but RadioShack did not own the data and could not sell it to third parties.

After a daylong mediation session in May, RadioShack struck a deal with the Attorneys General, ultimately agreeing to destroy the majority of its customer data, thereby reducing the number of data points per customer available for sale from 170 to 7. The data to be destroyed included credit and debit card information, Social Security numbers, telephone numbers, and dates of birth. RadioShack was permitted to sell email addresses of customers who had requested product information from RadioShack during the previous two years; even so, the parties agreed that consumers would have the right to opt out prior to the transfer of those emails to purchaser Standard General’s General Wireless business unit and that, once transferred, General Wireless would be prohibited from selling or sharing any of this information in the future with any third party, including its co-branded business partner, Sprint.

This recent instance of a bankrupt company being constrained in the sale of consumer data assets reflects the intense scrutiny sale of data assets in bankruptcy will receive, and the effect privacy policies will have on the disposition of data assets post-bankruptcy.