In a July 2010 letter, the Federal Trade Commission recently warned potential purchasers of certain customer data that the transfer and use of such data could violate the seller’s own privacy policies and, therefore, constitute an unfair or deceptive act or practice in violation of the Federal Trade Commission Act. The Director of the FTC’s Bureau of Consumer Protection, David Vladeck, made this position clear in a letter written to several investors who had expressed a desire to purchase customer data collected by the now defunct XY Magazine and XY.com in a bankruptcy sales process. The letter cautions of the likelihood that sensitive personal information of customers may be used lawfully only in the transaction for which it was collected. Sellers of such customer data, including when the sale is part of a larger business combination, should make certain the sale is permitted by their privacy policies. Purchasers of such customer data need to make certain they perform proper due diligence on the seller’s privacy policies, as well as make certain their plans for using the data post-acquisition will be permissible under the FTC Act.
In the XY letter, Director Vladeck also cautioned that the continued use of the data, even by the current owners, could violate the privacy policies because any future use would likely be inconsistent with the purpose of the original provision of data by subscribers. The FTC explained that “due to the nature of the information, the passage of time, and the closure of the magazine and website in 2007 and 2009, respectively, the continued use of the data may pose privacy risks not reasonably contemplated by subscribers when they provided the data, and not consistent with their course of dealing with the company.”
The regulatory environment regarding privacy of customer information is in the midst of fundamental change. For a brief summary of existing laws, recent developments, and anticipated policy and enforcement changes, see the Client Advisory recently published by practitioners in Alston & Bird’s Privacy & Security Practice.