Issue of Data Ownership Raised in Bankrupt RadioShack’s Proposed Asset Sales
The proposed sale of customer data for 117 million RadioShack customers as part of RadioShack’s bankruptcy sale had many privacy advocates and state attorneys general calling foul, citing the wording of RadioShack’s privacy policy that said: “We will not sell or rent your personally identifiable information to anyone at any time.” RadioShack responded to those concerns by tabling plans to offer for sale the "personal identifiable information" (PII) of its customers, the Texas Office of the Attorney General said in a statement Tuesday. There's a chance RadioShack will “live up to the assurances it provided 117 million customers,” by ruling out “any such sale in the future,” Texas Attorney General Ken Paxton said, but the issue of how private a customer's information is hasn't gone away.
Before news broke about RadioShack’s proposed sale of consumer information, Online Trust Alliance President Craig Spiezle said he had engaged in a “what-if” scenario discussion with some Capitol Hill staffers about whether the data would be sold, as the broader issue of data ownership has not been resolved. “It’s a wake-up call to consumers that their data may not be their data,” Spiezle said. Consumers “should think very carefully about the data they share,” he said.
RadioShack filed for bankruptcy in February (see 1502060023) and was selling its assets, including trademarks, patents, domain names and other intellectual property, including its customer database, in a sale conducted under Chapter 11 in the U.S. Bankruptcy Court for the District of Delaware, according to Hilco Streambank, an advisory firm specializing in the valuation, marketing and sale of intangible assets for businesses. RadioShack’s customer file contains more than 13 million email addresses and more than 65 million customer names and physical addresses, said Hilco Streambank, which has helped sell customer databases for other companies that have declared bankruptcy, including Bidz.com, an online jewelry retailer, and dELiA's, a teen girl fashion retailer.
Paxton filed an objection March 20 to the sale of Texas-based RadioShack's customers' PII, and said in a March 25 statement that the “protection of private, sensitive and personally identifiable information is of growing importance to the people of Texas and to people around the nation,” and that he would “vigorously fight” to protect that information. “RadioShack gave customers explicit assurances it would not sell their personal information,” and the sale of this data “would not only be a direct violation of the terms of [RadioShack’s] own privacy policies, but also a clear violation of Texas law,” Paxton said. RadioShack didn't comment.
'Unfair and Deceptive'
Paxton’s objection to the sale of PII data was supported by 35 state AGs, plus the District of Columbia. New York Attorney General Eric Schneiderman said in a statement March 25 that “when a company collects private customer data on the condition that it will not be resold, it is the company’s responsibility to uphold their end of the bargain.” He pointed to RadioShack’s privacy policy that said it would never “sell or rent” customer data, would “not use any personal information beyond what is necessary to assist us in delivering to you the services you have requested,” and would only “send personally identifiable information about you to other organizations when: We have your consent to share the information (you will be provided the opportunity to opt-out if you desire).” Schneiderman said his office would monitor RadioShack’s bankruptcy sale and is “committed to taking appropriate action to protect New York consumers.”
“It strikes me as an unfair and deceptive trade practice,” said Public Knowledge Vice President-Legal Affairs Sherwin Siy. Consumers don’t want information sold to those they don’t know, he said. An individual may trust, for example, a local dry cleaner and the store's employees to know what kinds of clothes that individual is having cleaned and what kind of stains are on the clothing, he said. But the same individual may not be comfortable with a dry cleaner's cataloging stains found on that person’s clothing into a database because that individual has no knowledge of who has access to that information and there isn’t trust there, Siy said.
The FTC hasn't commented on RadioShack’s case, but in 2011 David Vladeck, then-director of the agency’s Bureau of Consumer Protection, wrote a letter outlining his concerns with the proposed sale of consumer information that bookstore Borders had garnered since May 2005. Information in that database included purchase history and email addresses for more than 20 million customers, Vladeck said. Information under the “purchase history” heading included merchandise purchased, location of the purchase, any Borders Rewards number and in some instances credit card information. Borders' privacy policy published in February 2006 said the company wouldn't rent or sell consumer information to third parties, and would share information only if a consumer gave the company consent to do so, Vladeck said. A later privacy policy adopted in May 2008 added circumstances in which the bookstore may disclose personal information, such as if Borders decided to sell, buy, merge or otherwise reorganize its own or other businesses, Vladeck said.
The FTC has “brought many cases alleging that the failure to adhere to promises about information privacy constitute[s] a deceptive practice under the FTC Act,” Vladeck said. The commission recognizes “bankruptcy may present special circumstances,” Vladeck said, which is why the agency settled its lawsuit against Toysmart in 2000. Toysmart attempted to sell customer information as part of its assets in bankruptcy court, he said. In its settlement with the FTC, Toysmart promised to not sell customer information as a stand-alone asset; the information had to be sold to a buyer with a business similar to Toysmart; the buyer had to agree to treat the personal information in accordance with Toysmart’s privacy policy; and the buyer would have to obtain affirmative consent before making changes to the policy affecting Toysmart customers, Vladeck said. “We think that, if the bankruptcy court declines to require consent to the transfer in light of other considerations, the Toysmart settlement is an appropriate model to apply” to the Borders case, Vladeck said.
The FTC has said in the past that companies need to honor privacy policies, said Director of the Center for Democracy & Technology's Consumer Privacy Project Justin Brookman. If an entity goes back on a promise made in a privacy policy, there’s “no question the consumer was deceived,” he said. Many privacy policies today address the possible sale or merger of data, because companies want people to trust them, Brookman said.
Role of Bankruptcy Court
When it comes to books, an individual’s preference can be very personal or embarrassing, Spiezle said, because book choice may indicate a medical or personal lifestyle matter. In the Borders case, the court decided customers could opt out of the list being sold, he said. But in today's data-driven economy, data is a major asset, Spiezle said. The rules surrounding data are not very clear, he said. Based on his self-described “limited understanding” of bankruptcy courts, Spiezle said even if a company includes in its privacy policy that customer information would not be sold or rented even in the event the organization were sold or transferred ownership, a bankruptcy court may be able to override that.
Bankruptcy statute 11 U.S.C. § 363(b)(1), “basically” says that “the trustee, who takes on control of the debtor’s assets upon a confirmation of a bankruptcy plan, can deal with the assets of the bankruptcy estate, except that the trustee must abide by the terms of the debtor’s policy regarding use of personally identifiable information,” attorney John Whitehead, president of the Rutherford Institute, said in an emailed statement. There are some exceptions, he said. “The sale/lease of personally identifiable information (PII) can be done by the trustee if (1) consistent with the debtor’s privacy policy or (2) after a consumer privacy ombudsman is appointed to evaluate any proposed sale/lease of PII and a hearing is held, the court approves the sale/lease ‘giving due consideration to the facts, circumstances, and conditions of such sale or such lease,’” Whitehead said.
“As a caveat, bankruptcy statutes are extremely complicated and there are various kinds of bankruptcies (liquidation, reorganization), and it is possible that this statute does not apply to some types of bankruptcies,” Whitehead said. “That does not appear to be the case; this statute is part of a general rule involving administration of the estate, but these statutes are very intricate,” he said. “Even so, as with most of these issues, individuals who really want to ensure their data is protected would ultimately have to go to court to make their request, but most don’t have the resources to jump through such bureaucratic hoops.”
The objective for bankruptcy courts is to pay off creditors, including employees, Spiezle said. They don’t exist to protect privacy, but this case is a wake-up call for the courts and organizations on data practices, he said. If it can be proven the sale of consumer data would cause harm to consumers, the bankruptcy court may not approve the sale, he said. But if one company expresses concern about the sale of consumer data, saying it would affect its business interests, that may be harder to prove, Spiezle said.