Companies that are looking to sell, transfer or buy personally identifiable information (“PII”) via bankruptcy asset sales would be wise to confirm that such a transfer is consistent with the debtor’s privacy policy. If it is not, the Federal Trade Commission may seek to block the sale until the debtor agrees to comply with the policy, or the bankruptcy court appoints a consumer privacy ombudsman to advise the court on the privacy implications of the sale.
The consumer privacy ombudsman was added to the Bankruptcy Code in the Bankruptcy Abuse and Consumer Protection Act of 2005 to assist the court in cases involving the proposed transfer of PII. The need for a consumer privacy ombudsman arises when a debtor or trustee is attempting to sell or lease PII under terms that would be prohibited by a debtor’s privacy policy. In such cases, the court is required to appoint the ombudsman to assist the court in considering “the facts, circumstances, and conditions of the proposed sale or lease of personally identifiable information.” 11 U.S.C. § 332(b). The legitimate privacy interests of customers whose PII is the subject of the asset sale may otherwise be given little, if any, consideration, particularly when both the debtor and the acquiring party are focused on quickly closing the deal with minimal collateral costs.
A recent example of the FTC’s activity in this area is found in the bankruptcy proceeding involving ConnectEDU, a college and career advising startup. As part of the bankruptcy proceeding, the company proposed selling virtually all its assets to a third party, including the names, contact information, birthdays and academic histories on some 20 million students. The FTC asserted that the sale was in violation of ConnectEDU’s own privacy policy, which promised to alert users to a sale and allow them the opportunity to remove the data from the site. No such notice had been given.
In its May 22, 2014 letter to the bankruptcy court, the FTC noted that it “has brought many cases alleging that the failure to adhere to promises about information privacy constitute a deceptive practice under the FTC Act.” The FTC noted that if ConnectEDU did not agree to comply with its privacy policy, then the court should appoint a consumer privacy ombudsman to review the proposed transfer and advise the court on the privacy implications of the sale. Ultimately, the court ordered the purchaser to segregate any PII that was being transferred and to notify the customers of the proposed transfer of their PII so that the customers could remove their PII if they chose to do so. Subject to that provision, the proposed asset sale was approved by the court.
ConnectEDU is certainly not the first bankruptcy sale that the FTC sought to block over consumer privacy issues. It previously involved itself in bankruptcy proceedings including XY Magazine in 2010 and Borders Group in 2011.
The takeaway? When it comes to privacy policies, companies need to “say what they do, and do what they say.” In other words, accurately describe how they gather, store and use PII, and then reliably follow that policy in actual practice. Otherwise, the FTC might assert a deceptive trade practice claim.
