Last week the Federal Trade Commission announced a privacy and data security enforcement action against the online retail platform CafePress. The allegations in the FTC’s complaint read like a list of worst practices, including lax safeguards to protect consumers’ sensitive information, knowing failures to timely notify consumers affected by a security breach, and deceptive statements to consumers in the platform’s privacy policy. But aside from showing what NOT to do from a data security, incident response, and privacy standpoint, the case is notable for who was on the receiving end of the FTC’s enforcement efforts.

As one would expect, the FTC took action against the company, now known as Residual Pumpkin Entity, LLC, that owned and operated the CafePress business when all of the alleged violations were committed.

But the FTC also targeted the company that bought the CafePress business and assets from Residual Pumpkin after all of the conduct alleged in the FTC’s complaint occurred. And to resolve the case that company, called PlanetArt, LLC—which from all appearances had nothing to do with the violations committed by Residual Pumpkin—also had to agree to a proposed settlement that imposes several wide-ranging compliance, assessment, and reporting obligations on the company.

This post explores the FTC’s complaint against, and proposed settlement with, PlanetArt, and the lessons the case teaches about privacy and data security risk in corporate transactions.

CafePress’s Security and Privacy Failures

According to the FTC’s complaint, Residual Pumpkin engaged in several practices that amounted to unfair and deceptive conduct under Section 5 of the FTC Act while it was running the CafePress business. Those practices included, for example:

• failing to provide reasonable security for the sensitive personal information of customers and sellers that used its platform;
• failing to properly respond to a 2019 breach of its network that resulted in the personal information of millions of its users being exfiltrated by a hacker, and knowingly failing to timely notify those users of the incident; and
• making deceptive statements in the CafePress privacy policy, including about the purposes for which customers’ contact information would be used, the company’s adherence to the EU-US and Swiss-US Privacy Shield Principles, and EU and Swiss residents’ ability to obtain deletion of their personal data.

To resolve the FTC’s allegations Residual Pumpkin has agreed to a proposed consent order that will require the company to implement a comprehensive information security program, submit to annual third-party information security assessments, and pay $500,000 in redress to individuals affected by the 2019 security breach.

Planet Art’s Purchase of the CafePress Business: More than it Bargained For?

PlanetArt purchased all or substantially all the assets of the CafePress business from Residual Pumpkin in September 2020. That purchase occurred well after the events that prompted the FTC’s complaint took place, and a year after CafePress finally notified customers of the 2019 security breach.

Although nearly all of the factual allegations in the FTC’s complaint mention only Residual Pumpkin’s conduct, the complaint also alleges that following its purchase of the CafePress Assets, “PlanetArt has run the [CafePress] website from the same building, with the same servers, using many of the same vendor accounts, in the same line of business, with many of the same personnel as its predecessor, Residual Pumpkin.” And each of the counts charging violations of the FTC Act are levied against both Residual Pumpkin and PlanetArt.

To resolve the FTC’s charges, PlanetArt has agreed to its own proposed consent order. That consent order does not require PlanetArt to make any monetary payments, but it does include several detailed and onerous forward-looking requirements. To that end, the consent order requires PlanetArt, and any business that PlanetArt controls, directly or indirectly, to:

• implement and maintain a comprehensive information security program that meets several and detailed requirements that include annual risk assessments, regular vulnerability and penetration testing, reporting to the board of directors, and the implementation of several specific safeguards to protect sensitive personal information;
• implement policies and procedures to minimize data collection, storage, and retention;
• for the next 20 years, undergo bi-annual assessments of their information security programs by an independent third-party assessor, and provide the results to the FTC; and
• report to the FTC any information security incident that requires PlanetArt to notify any federal, state, or local government entity, within 30 days of discovery.

The consent order will thus put PlanetArt’s privacy and data security practices—both with respect to CafePress and any other business that PlanetArt controls—under the FTC’s microscope for years to come.

Key Takeaways

The FTC’s case against PlanetArt teaches some important lessons for parties involved in corporate acquisitions.

• Thorough Privacy and Data Security Due Diligence is Critical.

First, the case confirms the importance of thorough privacy and data security due diligence in corporate acquisitions. Given that PlanetArt’s purchase of the CafePress assets occurred well after the events that prompted the FTC’s complaint, one assumes PlanetArt knew that the deal involved some privacy and data security risk. But the case nevertheless shows how important it is to get a clear and comprehensive picture of a target company’s information security and privacy compliance programs, and a detailed understanding of any incidents experienced by the company and how the company responded.

• Pre-sale Privacy and Data Security Failures of a Target Can Bring Unwanted Regulatory Scrutiny to an Otherwise Innocent Purchaser.

Second, in a phenomenon we’ve noted before, the case shows that a seller’s privacy and data security shortcomings can serve as a new source of regulatory scrutiny and enforcement risk for a purchaser who bears no responsibility for those shortcomings.

And that’s true even if the transaction is structured as an asset sale. As the FTC’s complaint against PlanetArt shows, when the purchaser continues to operate the purchased business from the same location, with the same personnel, and in the same line of business, that purchaser can face some of the same regulatory enforcement consequences that the seller would face for the seller’s pre-sale privacy and data security failures. And as PlanetArt learned, those consequences can even apply to other parts of the purchaser’s business that are unrelated to the purchased assets.

• Recent Regulatory Emphasis on Data Minimization Makes Data Hoarding Targets Especially Risky.

Finally, the case is notable for its focus on data minimization. In its complaint the FTC specifically alleged that Residual Pumpkin “created unnecessary risks to Personal Information by storing it indefinitely on its network without a business need.” And the proposed settlement with PlanetArt requires the company to implement policies and procedures to “minimize data collection, storage, and retention, including data deletion or retention policies and procedures.”

Those elements of the CafePress case reflect a recent emphasis by regulators on data minimization as a means of protecting consumer privacy, as also demonstrated in an October 2021 speech by FTC Commissioner Rebecca Slaughter, and by the California Privacy Rights Act’s storage limitation requirement. That trend should of course be of interest to privacy professionals, but it should also be a consideration for parties involved in corporate acquisitions: the more personal information a target collects and retains unnecessarily, the more unnecessary privacy and data security risk the target can create for the purchaser.