Due to the COVID-19 pandemic, some businesses are considering potential liquidation or restructuring through bankruptcy. Companies in this situation should keep privacy concerns in mind, because the handling of personal data in bankruptcy proceedings poses some unique challenges.
The issue of whether or not personally identifiable information (PII) can be sold (and under what terms) is a common way privacy issues come into play during liquidation and reorganization proceedings. As further discussed below, there are many factors to consider to ensure that data does not lose its value as part of the bankruptcy process.
The Bankruptcy Code, GDPR and CCPA
Bankruptcy sales in the new digital age have become increasingly complicated by privacy laws that require a more stringent level of protection of users’ data. Under the European Union General Data Protection Regulation (GDPR), companies are now required to have privacy policies that include information regarding the recipients of customers’ personal data, whether there is intent to transfer such data, the right to withdraw consent to the processing of such data, and more. Under the California Consumer Privacy Act (CCPA), companies are required to have privacy policies that include a description of the customers’ rights under the new privacy law and information about the business purposes for which the customers’ data are being collected.
In response to the GDPR and the CCPA, many companies are updating their privacy policies. Drafters should keep a few considerations in mind as they update privacy policies to comply with new laws, maximize the value of data assets, and ensure there is minimal disruption to the bankruptcy process in the event that the company finds itself going down this road.
Lessons from the Toysmart, Borders and RadioShack Bankruptcies
With the CCPA enacted, restrictions on data transfer during bankruptcy is bound to become even more complicated. Under the CCPA, a “sale” of personal information is defined broadly to include “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means” such information to another business or third party “for monetary or other valuable consideration.” CCPA, Section 1798.140(t)(1). However, a transfer of personal information during bankruptcy is largely excluded from being regarded as a sale. See CCPA, Section 1798.140(t)(2)(D). Additional restrictions may depend on each individual exercising their right to access, delete, obtain information about a sale/transfer of, and opt-out of a sale of PII under the CCPA.
When businesses receive requests to exercise individual rights under CCPA, they must verify the requests and comply with them within 45 days of the request. CCPA, Section 1798.130(a)(2). Therefore, what was mandated by the FTC and State Attorneys General in the bankruptcy proceedings mentioned above is somewhat individualized under the CCPA, but could lead to the same result – stripping data of its value. This may have a serious effect on bankruptcy proceedings during present times where, for many companies, data is the most valuable asset.
Additionally, to cover all bases, companies should analyze the privacy policies and disclosures of companies targeted for acquisition as a result of bankruptcy to determine if the acquiring entity may freely use the PII as expected. Companies should also assess their obligation to notify customers of any changes to the use or sharing of their PII.