A Moment of Privacy -- October 2011

more+
less-

And now for the question:

Q: Could my privacy policy hinder the liquidation of my company's assets?

A: Possibly, yes. Since defunct online toy store Toysmart's privacy policy precluded its liquidation sale of its customer list a decade ago, most privacy policies have included a provision that allows the sale of customer lists in the context of mergers, acquisitions, bankruptcies and other corporate restructuring. In fact, this issue has arisen in the bankruptcy context several times since the Toysmart case. However, some privacy policies still do not squarely address the circumstances in which a company is liquidating or dissolving.

A few weeks ago, the Federal Trade Commission gave us all a reason to revisit the wording we use in our privacy policies to enable the unfettered sale of information assets in bankruptcy. In the FTC's letter to the privacy ombudsman appointed in the highly publicized liquidation of Borders Group, the FTC's David Vladeck (Director of the FTC's Bureau of Consumer Protection) construed the applicable wording of Border's privacy policy as insufficient to put consumers on notice that their information could be sold in bankruptcy. (Ultimately, Barnes & Noble was allowed to purchase the information from Borders, but subject to omission of some of the information from the sale, a requirement that customer marketing preferences be honored, and a requirement that an email and public media announcement inform all customers that they have the right to opt out of the sale of their customer information. This decision by the bankruptcy court was not in keeping with Vladeck's letter, nor with the privacy ombudsman's recommendation, and at least one Senator has criticized this decision.)

The applicable wording from Border's privacy policy was:

"Circumstances may arise where for strategic or other business reasons, Borders decides to sell, buy, merge or otherwise reorganize its own or other businesses. Such a transaction may involve the disclosure of personal or other information to prospective or actual purchasers, or receiving it from sellers. It is Borders' practice to seek appropriate protection for information in these types of transactions. In the event that Borders or all of its assets are acquired in such a transaction, customer information would be one of the transferred assets."

In Vladeck's view, this wording applies to "business transactions that would allow Borders to continue operating as a going concern and not to a piecemeal sale of assets in bankruptcy."

Our takeaway from this: Add references to "liquidation" and "dissolution" to the applicable provision in your privacy policy. However, remember that making a change to your privacy policy now may not unfetter data that was collected before you make the change. To sell that information in bankruptcy, additional conditions may have to be met, such as not selling the customer information as a stand-alone asset; selecting a buyer that is engaged in substantially the same line of business as the seller; having the buyer commit to adhering to the terms of the privacy policy of the seller under which the data was collected; and having the buyer agree to obtain affirmative consent from consumers for any material changes to that privacy policy. In some cases, depending on the wording of the privacy policy under which the data was collected, it may even be required to obtain the opt-in consent of customers for their data to be sold.

Have a question? Email Kristen J. Mathews at kmathews@proskauer.com.