A coalition of 38 state Attorneys General, led by Texas, and supported by a separate effort by the Federal Trade Commission, opposed the sale of Radio Shack consumer data by the bankruptcy court. Pursuant to an agreement reached on May 20, 2015, after mediation, Radio Shack and its successor will (largely) be required to comply with Radio Shack’s privacy policy. Most of the consumer data collected by Radio Shack will be destroyed, including all credit and debit card account numbers, social security numbers, dates of birth and phone numbers, and General Wireless, Inc., the purchaser of defunct Radio Shack assets -- principally the trademarks and consumer data -- will be required to permit consumers to opt-out of the transfer of the remaining consumer data (email addresses of those who specifically requested product information in the last two years).

Concerns arose when RadioShack proposed to include 67 million customer contacts (a subset of the 117 million customer contacts it had amassed) in its asset sale to General Wireless. In its initial proposal, RadioShack offered to sell the customers’ (a) first and last name, (b) physical mailing address, (c) email address and (d) phone number, together with 21 other types of transaction data.

The state Attorneys General quickly objected, claiming that the proposed sale would violate RadioShack’s privacy policy and state consumer protection laws. RadioShack’s online policy told its customers, “we will not sell or rent your personally identifiable information to anyone at any time,” and signs at its brick-and-mortar locations had similar language, stating, “We do not Sell Our Mailing List. The information you give us is treated with discretion and respect.”

The FTC raised concerns that, because the deal would likely violate RadioShack’s express promise to customers not to rent or sell their information, it could constitute an unfair or deceptive practice under Section 5 of the Federal Trade Commission Act. Specifically, the FTC reasoned that companies that collect private customer data on the condition that it will not be resold have the responsibility to uphold their obligation and protect that information even if the company ceases to exist through a sale or bankruptcy.

In response to these concerns, the agreed-upon deal significantly reduces the amount of customer data to be transferred to General Wireless. The deal also requires General Wireless to comply with RadioShack’s existing privacy policy and prohibits General Wireless from selling or sharing any of the transferred customer information in the future with any other entity.

Consumer data is a significant business asset. Businesses are advised to confirm their privacy policies are clear and permit the business to operate as it currently operates and as it may operate in the future, including expressly permitting transfers in connection with a sale of assets, merger or change of control. This is not the first time the FTC and state regulators have raised objections to the sale of customer data, but is a reminder consumer data and privacy is an increasing focus of state Attorneys General.