In a July 2010 letter, the Federal Trade Commission recently warned potential purchasers of certain customer data that the transfer and use of such data could violate the seller’s own privacy policies and, therefore, constitute an unfair or deceptive act or practice in violation of the Federal Trade Commission Act. The Director of the FTC’s Bureau of Consumer Protection, David Vladeck, made this position clear in a letter written to several investors who had expressed a desire to purchase customer data collected by the now defunct XY Magazine and XY.com in a bankruptcy sales process. The letter cautions of the likelihood that sensitive personal information of customers may be used lawfully only in the transaction for which it was collected. Sellers of such customer data, including when the sale is part of a larger business combination, should make certain the sale is permitted by their privacy policies. Purchasers of such customer data need to make certain they perform proper due diligence on the seller’s privacy policies, as well as make certain their plans for using the data post-acquisition will be permissible under the FTC Act.

XY Magazine, a gay male youth publication, was published in the United States between 1996-2007, and XY.com, the affiliated website, was available until 2009. During the eleven years of production, XY Magazine and its affiliates collected personal information from subscribers and members, including names, street addresses, email addresses, and bank card account information. XY.com’s privacy policy proclaimed, “Please note our amazing privacy policy. We never give your info to anybody.” Another policy statement appearing on the website, stated: “Our privacy policy is simple: we never share your information with anybody” and the XY Magazine subscription form stated, “Amazing Privacy Policy: XY never sells its list to anybody.”

In a personal bankruptcy proceeding, the founder of XY Magazine and XY.com identified the customer lists and personal data as assets. When several investors expressed an interest in acquiring the assets for the purpose of resuming operations of the magazine and website, the FTC wrote to the investors, warning them that their actions were likely violative, and requesting that the data be destroyed. Director Vladeck wrote: “In this case the XY privacy policy is simple, explicit, and clear. Subscribers and members were told that their personal information would not be sold, shared, or given away to ‘anybody.’ . . . Therefore, any sale or transfer of the data to a new company, new owner, or other third party would directly contravene the privacy representations and could constitute a deceptive practice by the original company or its principals. Such practice also could be unfair. In addition, the receipt of such data by a third party, knowing that such receipt violated the privacy policy, could be unfair.”

In the XY letter, Director Vladeck also cautioned that the continued use of the data, even by the current owners, could violate the privacy policies because any future use would likely be inconsistent with the purpose of the original provision of data by subscribers. The FTC explained that “due to the nature of the information, the passage of time, and the closure of the magazine and website in 2007 and 2009, respectively, the continued use of the data may pose privacy risks not reasonably contemplated by subscribers when they provided the data, and not consistent with their course of dealing with the company.”

The regulatory environment regarding privacy of customer information is in the midst of fundamental change. For a brief summary of existing laws, recent developments, and anticipated policy and enforcement changes, see the Client Advisory recently published by practitioners in Alston & Bird’s Privacy & Security Practice.