What is a Consumer Privacy Ombudsman?

By Cole Cribari.

A History of Protecting Customer Data

The internet age and advancements in technology have completely transformed our society over the last forty years, causing corporations to radically change their business practices. Digital advertising is king and has created some of the most valuable firms in the world. Data giants—Facebook, Amazon, Google, Microsoft, Apple—constantly collect customer information to improve customer experience, provide better services, and generate ad revenue through targeted advertising. However, this data collection phenomenon goes beyond the technology giants. Everything from basic websites to retail corporations like Borders and RadioShack also collects personally identifiable customer information in the course of conducting business.

At the beginning of the internet era, companies placated consumers’ fears of giving their information out over the internet through self-policing in the form of “privacy policies.” Many of these privacy policies assured customers that their data would never be shared with third parties. Even if not legally enforceable contracts, these privacy policies made representations to customers that gave a sense of how their data would be handled. However, the recognition of the value of customer data has nurtured an environment where privacy policies are ignored or circumvented, thereby increasing value. In the bankruptcy space, privacy policy violations have become particularly relevant because data tends to be many companies’ most valuable asset and companies are trying to maximize their value as much as possible for a potential buyer. In 2000, this issue culminated in the Federal Trade Commission (“FTC”) filing a lawsuit against the now-defunct Toysmart.com LLC when it attempted to auction off its customer data in chapter 11 bankruptcy. The resulting settlement set the stage for the 2005 Bankruptcy Abuse Prevention and Consumer Protection Act (“BAPCPA”) and the modern watchdog known as a consumer privacy ombudsman.

Setting the Standards for the Sale of Customer Data

As part of the settlement with Toysmart.com, the FTC crafted guidelines for future companies attempting to sell customer data in bankruptcy. First, Toysmart’s customer lists and data could not be sold as a standalone asset. They must be sold to a “Qualified Buyer” as a package that includes the entire website. The FTC defined “Qualified Buyer” as, “an entity that is in a related market and that expressly agrees to be Toysmart’s [successor] to the customer information.” Second, the Qualified Buyer must abide by the terms of the Toysmart privacy statement. If the buyer wished to make changes to the policy, it could not use the customer information bought from Toysmart in a different way than Toysmart, unless it provided notice to consumers and obtained their affirmative consent—“opting-in.” The commissioners also encouraged companies to provide their customers with notice and an opportunity to “opt out” of their information being transferred to a purchasing company. This opportunity to opt out has become a commonly suggested measure for protecting consumers’ privacy in modern consumer privacy ombudsman advisory reports.

The Consumer Privacy Ombudsman

BAPCPA revised multiple different aspects of the chapter 11 bankruptcy process. Importantly, the new provisions essentially revise the Toysmart settlement by stating that a debtor may not sell personally identifiable information in express violation of their stated privacy policy unless the court approves the sale after the U.S. trustee has appointed a “disinterested person,” also known as a consumer privacy ombudsman (“CPO”). The CPO advises the debtor as well as the court on how to best protect the privacy of consumers as consumer data is transferred to a seller. However, the statute doesn’t clearly define the role of the CPO. The role has been somewhat self-directed with some guidance from bankruptcy experts. Expert Warren E. Agin wrote in the American Bankruptcy Institute Journal, “[t]he ombudsman’s role in the sale process is far from clear given the statute’s language. The fact patterns requiring the ombudsman’s involvement seem to fall in between those where the sale is consistent with the privacy policy and those where the sale is illegal.” However, he does state an overarching goal for the CPO: “A consumer privacy ombudsman should help the court understand the effect of the sale on customers and help the parties restructure the sale if necessary, so it is fair to customers.”

The Ambiguous Role of the Consumer Privacy Ombudsman

Since the introduction of the CPO in 2005, CPOs have implemented protection measures like giving customers an ability to opt out of their data being sold to new companies. Some ombudsmen have required companies to request that their customers opt in to having their data transferred to a purchasing company. However, the “opt-out” framework is more often used. Further, the FTC issued guidelines in the high-profile 2015 bankruptcy for RadioShack. The conditions given by the FTC for the sale of RadioShack were: (1) customer data could not be sold as a standalone asset; (2) the buyer would need to be involved in substantially the same lines of business as RadioShack; (3) the buyer would need to expressly agree to and be bound by RadioShack’s privacy policy; and (4) the buyer would need to obtain affirmative consent from the customers for any material changes to the privacy policy. The consumer privacy ombudsman in that case also required RadioShack to create an “opt-out” option for its customers. Although CPOs have significantly improved consumer privacy protections since the days of Toysmart, there is a question over whether these measures go far enough to properly protect consumer data.

Beyond BAPCPA

In 2018, California passed the California Consumer Privacy Act (CCPA), which “allows any California consumer to demand to see all the information a company has saved on them, as well as a full list of all the third parties with whom data was shared. In addition, the California law allows consumers to sue companies if the privacy guidelines are violated, even if there is no breach.” Enforcement of this law only began in July 2020, so we will see how this law impacts the bankruptcy process and if other states will follow suit in balancing the expediency of the bankruptcy process with protecting consumer privacy.

Interested in learning more? ASU’s own Professor Laura Napoli Coordes is publishing an illuminative article entitled “Unmasking the Consumer Privacy Ombudsman” in the Montana Law Review in Summer 2021 that can be accessed here.
