By Cole Cribari.
A History of Protecting Customer Data
The internet age and advancements in technology have completely transformed our society over the last forty years, causing corporations to radically change their business practices. Digital advertising is king and has created some of the most valuable firms in the world. Data giants—Facebook, Amazon, Google, Microsoft, Apple—constantly collect customer information to improve customer experience, provide better services, and generate ad revenue through targeted advertising. However, this data collection phenomenon goes beyond the technology giants. Everything from basic websites to retail corporations like Borders and RadioShack also collects personally identifiable customer information in the course of conducting business.
Setting the Standards for the Sale of Customer Data
As part of the settlement with Toysmart.com, the FTC crafted guidelines for future companies attempting to sell customer data in bankruptcy. First, Toysmart’s customer lists and data could not be sold as a standalone asset. They must be sold to a “Qualified Buyer” as a package that includes the entire website. The FTC defined “Qualified Buyer” as, “an entity that is in a related market and that expressly agrees to be Toysmart’s [successor] to the customer information.” Second, the Qualified Buyer must abide by the terms of the Toysmart privacy statement. If the buyer wished to make changes to the policy, it could not use the customer information bought from Toysmart in a different way than Toysmart, unless it provided notice to consumers and obtained their affirmative consent—“opting-in.” The commissioners also encouraged companies to provide their customers with notice and an opportunity to “opt out” of their information being transferred to a purchasing company. This opportunity to opt out has become a commonly suggested measure for protecting consumers’ privacy in modern consumer privacy ombudsman advisory reports.
The Consumer Privacy Ombudsman
The Ambiguous Role of the Consumer Privacy Ombudsman
In 2018, California passed the California Consumer Privacy Act (CCPA), which “allows any California consumer to demand to see all the information a company has saved on them, as well as a full list of all the third parties with whom data was shared. In addition, the California law allows consumers to sue companies if the privacy guidelines are violated, even if there is no breach.” Enforcement of this law only began in July 2020, so we will see how this law impacts the bankruptcy process and if other states will follow suit in balancing the expediency of the bankruptcy process with protecting consumer privacy.
Interested in learning more? ASU’s own Professor Laura Napoli Coordes is publishing an illuminative article entitled “Unmasking the Consumer Privacy Ombudsman” in the Montana Law Review in Summer 2021 that can be accessed here.