The Law and Business of Social Media
July 15, 2015 - Bankruptcy, Privacy

“Never Say Never”: Lessons From RadioShack’s Sale of Customer Information

When a bankrupt company’s most valuable assets include consumer information, a tension arises between bankruptcy policy aimed at maximizing asset value, on the one hand, and privacy laws designed to protect consumers’ personal information, on the other. Such tension played out recently in the Chapter 11 bankruptcy case of RadioShack, where the bankrupt retailer’s attempt to sell customer data provoked objections from 38 state attorneys general, the Federal Trade Commission (FTC) and others who claimed the sale would violate RadioShack’s stated privacy policy of never selling customers’ personal information. These issues are not new.

Consumer Data in the Dot-Com Era—Toysmart

Back in the dot-com era, online toy retailer Toysmart sought bankruptcy court approval to sell customer data. Toysmart’s privacy policy expressly told customers that they could “rest assured” that their information would “never be shared with a third party.” Nevertheless, once it ceased operations and entered bankruptcy in May 2000, Toysmart solicited bids for the sale of such personal information, including its customers’ names, addresses, billing information, shopping preferences and family profile information. The FTC opposed the sale, arguing that the breaking of the promise to never share information would be deceptive, in violation of Section 5 of the FTC Act.

The FTC and Toysmart reached a deal that, along with other restrictions, would limit the sale of customer data to a family-friendly company that would agree to be bound by Toysmart’s privacy policy. Even so, 46 states objected to such a resolution, arguing that any sale of customer data that did not provide an opt-out for customers would violate Toysmart’s privacy policy and, as such, would constitute an unfair or deceptive business practice, in violation of state “little FTC Acts.” Ultimately, Toysmart withdrew the customer information from the auction and destroyed it.

RadioShack—Following the Toysmart Example

RadioShack’s sale process replayed several of the Toysmart themes and similarly met a negotiated—not judicially determined—resolution. Following the sale of its 1,743 store leases this spring to General Wireless, an affiliate of hedge fund Standard General, RadioShack initiated an auction process for the sale of its intellectual property, including the RadioShack name and a collection of customer information.

During the course of its long tenure as a consumer electronics retailer, RadioShack collected names, email addresses, physical addresses, telephone numbers, credit card numbers and purchase history data for over 117 million customers. All such information had been collected under a privacy policy that promised RadioShack would “not sell or rent your personally identifiable information to anyone at any time.” Indeed, in a privacy policy on display in RadioShack’s retail stores, the company noted: “We pride ourselves on not selling our private mailing list.”

RadioShack’s customer information, however, is a valuable asset. Accordingly, as part of the bankruptcy process, the RadioShack trustee sought court approval to sell a subset of such information in its database, including 67 million complete customer names and physical addresses, and around 8.3 million email addresses, to General Wireless for $26.2 million.

The proposed sale drew objections from state attorneys general, the FTC and companies such as AT&T and Verizon. Fundamentally, the FTC and state objectors argued that the sale would contradict RadioShack’s privacy policy and, as such, would constitute a deceptive business practice. AT&T, Verizon and others asserted that the sale would violate the agreements signed between RadioShack and each of the objectors, as well as RadioShack’s own privacy policy.

The debtor and various objectors mediated these issues and ultimately reached a deal modeled on the Toysmart approach. In the end, Bankruptcy Court Judge Brendan L. Shannon approved the parties’ settlement, authorizing the sale subject to certain conditions, including that General Wireless must:

  • Send emails to all included email addresses notifying customers of the purchase and offering them seven days to opt out of the transfer of their personal information;
  • Mail those customers for whom it has a physical address, but no email address, a notification that it has purchased the assets of RadioShack and offering such customers 30 days to opt out of the transfer of their information;
  • Provide a notice on the RadioShack website, with both an online opt-out option and a toll-free telephone number to call to exercise the option; and
  • Agree to be bound by the existing RadioShack privacy policy with regard to purchased customer information.

Furthermore, the deal prohibits RadioShack from transferring sensitive information, such as debit or credit card numbers, dates of birth, Social Security numbers or other government-issued identification numbers.

Commentary

In the intervening 15 years since the Toysmart brouhaha, very little legal guidance has developed to define the contours of pre-bankruptcy privacy promises in bankruptcy sales. As in the Toysmart situation, the privacy-related objections raised to the RadioShack sale were consensually resolved, leaving parties without a judicial resolution to these issues. Nevertheless, certain themes are emerging.

First, by virtue of settling, the FTC and states seem to recognize that consumer privacy rights are not absolute—they must be balanced with the best interests of a debtor’s estate and creditors in bankruptcy.

Second, a theme in both settlements is honoring consumers’ original expectations—that is, requiring the purchaser to adopt the privacy policy in place at the time the information was collected.

Third, the ability for customers to opt out of the transfer of their personal information seems to be key. This was a sticking point in the Toysmart matter, leading to the ongoing controversy even after resolution with the FTC.

More broadly, however, perhaps the main lesson from RadioShack is this: Privacy policies ideally should anticipate bankruptcy scenarios and alert consumers that their information may be sold in bankruptcy or other divestitures. Such a direct acknowledgement would serve consumers by advising them of the possible fate of their personal information, thereby allowing them to make an informed decision about what information to volunteer. It would also serve the eventual debtor and its creditors, simplifying the sale process and maximizing the sale value of collected information.