Privacy vs. Bankruptcy: Case Lesson on When Customer Data is Not for Sale

On September 21, 2011, FTC Bureau of Consumer Protection Director David Vladeck sent a letter to the court appointed consumer privacy ombudsman in the Borders Group, Inc. (Borders) bankruptcy proceeding advising against the sale of Border’s customer information absent customer consent or significant restrictions on the transfer and use of the information. The letter was sent in response to a request from the ombudsman seeking a written description of the agency’s concerns regarding the possible sale of the customer information, which includes purchase history and email addresses from over 20 million customers. According to the FTC’s letter, the purchase history information dates back to May 2005, and includes merchandise purchased (e.g., books and videos), the location of the purchase (store, kiosk, or internet), Borders Rewards number, and, in some cases, credit card information.

As described in the letter, Border’s 2006 and 2007 privacy policies stated that it would ​“only disclose your email address or other personal information to third parties if you expressly consent to such disclosure.” (Emphasis in original). In addition, a revised policy from 2008 contained the same language restricting the sale or rental of personal information, but also included information describing circumstances under which Borders might disclose personal information, as follows:

Circumstances may arise where for strategic or other business reasons, Borders decides to sell, buy, merge or otherwise reorganize its own or other businesses. Such a transaction may involve the disclosure of personal or other information to prospective or actual purchasers, or receiving it from sellers. It is Borders’ practice to seek appropriate protection for information in these types of transactions. In the event that Borders or all of its assets are acquired in such a transaction, customer information would be one of the transferred assets.

Director Vladeck’s letter explains that for the period covered by these privacy policies, ​“Borders clearly and expressly represented that customer information would not be rented or sold to third parties except in limited circumstances and then only with the express consent of its customers.” Although he acknowledges that the 2008 policy contains additional language suggesting a transfer of customer information could occur if Borders decided to sell, buy, merge or otherwise reorganize its businesses, Director Vladeck nonetheless concludes that this provision applies only to ​“business transactions that would allow Borders to continue operating as a going concern and not to the dissolution of the company and piecemeal sale of assets in bankruptcy.” For this reason, the FTC’s letter suggests that any sale or transfer of the personal information of Borders’ customers without first obtaining express consent from its customers ​“would contravene Borders’ express promise not to disclose such information and could constitute a deceptive or unfair practice.”

The letter recognizes, however, that bankruptcy may present special circumstances given the interest in allowing a company to reorganize or liquidate assets for its creditors, and refers to the FTC’s 2000 settlement with the online toy retailer, Toysmart, as setting out appropriate conditions to permit a transfer of data. These conditions include:

• Borders agrees not to sell the customer information as a standalone asset;
  • The buyer is engaged in substantially the same lines of business as Borders;
  • The buyer expressly agrees to be bound by and adhere to the terms of Borders’ privacy policy; and
  • The buyer agrees to obtain affirmative consent from consumers for any material changes to the policy that affect information collected under the Borders’ policy.

This guidance from the FTC underscores the importance of writing a clear and unambiguous privacy policy that explains to consumers what may happen to their information in the event of a sale, merger, acquisition, or dissolution that involves a wholesale liquidation of assets. Companies also should carefully consider whether any changes to a privacy policy constitute material changes and what type of notice to consumers and consent mechanisms are appropriate under the circumstances. The consequences of not carefully evaluating such questions could mean substantial legal restrictions on the future use and transfer of customer data, and may, as a result, significantly devalue the data as an asset.