Expect the unexpected from your Web site privacy policy. In a handful of cases, including two which were recently decided, companies have been thwarted in various, unexpected ways by the commitments made in their online privacy policies.

Are your intellectual property litigators reading your privacy policy?

In FenF, LLC v. Healio Health, Inc., No. 5:08-CV-404 (N.D. OH July 8, 2010), the court held that a provision from a settlement agreement entered into by FenF, LLC (“FenF”), the plaintiff, and Healio Health, Inc. (“Healio”), the defendant, which required Healio to transfer certain customer information to FenF was unenforceable because doing so would result in a violation of Healio’s privacy policy. The settlement agreement FenF was trying to enforce against Healio arose from Healio’s alleged infringement of FenF’s intellectual property. As a part of the settlement agreement, Healio agreed to transfer to FenF certain customer lists containing customer information. However, Healio promised in its privacy policy that it would not share its customers’ information with third parties. The court reasoned that “[a]llowing Plaintiff to obtain that information without any type of notice to the customers would result in manifest unfairness to those customers, who are not a party to this action and may very well have conditioned their purchases from Healio Health on that company’s promise to keep their customer information confidential.” Id. at 5.

When you wrote your privacy policy, were you thinking about “the end”?

XY

Recently, the Federal Trade Commission (“FTC”) intervened in a bankruptcy case in which purchasers were attempting to acquire the personal information of subscribers of XY, which, before filing for bankruptcy, operated a magazine and website that targeted young gay men. When it was operating, XY collected sensitive data from anywhere between 500,000 to 1 million subscribers. XY promised its subscribers that their information was safe by stating on its website, “Our privacy policy is simple: we never share your information with anybody.”

The FTC wrote in its letter, dated July 1, 2010, to the counsel of the purchasers that the acquisition of such information would violate the FTC Act, because XY’s sale of subscriber information after XY explicitly promised not to share such information would be an unfair and deceptive act or practice. The FTC requested that XY destroy the subscriber information at issue due to the highly sensitive nature the information. On August 3, 2010, in response to the FTC’s concerns, the U.S. Bankruptcy Court for the District of New Jersey approved the parties’ settlement agreement which stipulated that the information at issue would be destroyed.

Toysmart.com

The XY bankruptcy was not the first time that the sale of customer lists of a company in bankruptcy was thwarted due to promises made in its privacy policy. In 2000, Toysmart.com, LLC (“Toysmart”), an electronic toy retailer, announced that it was going out of business and sought offers for its customer lists which contained personally identifiable information of its customers. The FTC opposed such a sale and brought suit against Toysmart based on Toysmart’s promise in its privacy policy that it would not share its customers' personally identifiable information with third parties. Federal Trade Comm'n v. Toysmart.com, LLC, 2000 WL 34016434 (D. Mass. July 21, 2000) (Unreported). A group of state attorneys general took similar actions to prevent the sale of the lists. Ultimately, Disney, the majority owner of Toysmart, agreed to purchase and destroy Toysmart's customer lists.

Verified Identity Pass

Years after the Toysmart case, Verified Identity Pass, Inc. (“VIP”) encountered a similar situation. VIP was a company that allowed airport travelers to expeditiously pass through security checkpoints. The company filed for bankruptcy on December 1, 2009. VIP sought an acquirer, but the U.S. District Court for the Southern District of New York issued an injunction preventing VIP from selling or otherwise disclosing personal information from its database because VIP promised in its membership agreement and related privacy policy that it would not sell or distribute such information. On May 4, 2010, VIP was acquired by Alclear, LLC. The U.S. Bankruptcy Court for the Southern District of New York appointed a consumer privacy ombudsman to oversee the transfer of the personally identifiable information. VIP was forced to amend its Privacy Policy to reflect the fact that it would now be transferring its customers’ personal information to third parties. In addition, VIP had to send notice of the changes to its privacy policy to each affected customer and had to give each affected customer the option to opt-out of the transfer by electing to have his or her information destroyed.

The Bankruptcy Code

The Bankruptcy Code was amended in 2005 to specifically address the sale of a debtor company’s customer information as part of its liquidation. Now, under section 363(b)(1) of Chapter 11 of the Bankruptcy Code, the appointed trustee may sell the property of an estate; however, if the debtor has a privacy policy prohibiting the transfer of personally identifiable information to persons not affiliated with the debtor and that policy is in effect on the date of the commencement of the case, then the trustee may not sell such information. A sale of such information may nevertheless occur in the following circumstances: if the sale is consistent with the privacy policy (e.g., there is a carve-out in the privacy policy for a sale of the personally identifiable information), or if a court appoints a consumer privacy ombudsman in accordance with § 332 of the bankruptcy code and the court provokes the sale.