By Daniel J. Solove
A recent New York Times article discusses the issue of what happens to your personal data when companies go bankrupt or are sold to other companies:
When sites and apps get acquired or go bankrupt, the consumer data they have amassed may be among the companies’ most valuable assets. And that has created an incentive for some online services to collect vast databases on people without giving them the power to decide which companies, or industries, may end up with their information.
This has long been a problem, and I’m glad to see it receiving some attention. The issue arose in one of the early FTC cases on privacy about 15 years ago.
FTC v. Toysmart
In FTC v. Toysmart.com (2000), Toysmart promised in its privacy policy that it would never share customer information with a third party. But when it went bankrupt, Toysmart’s main asset was its customer data. Any buyer would want this data, as it was the most valuable thing Toysmart possessed. But selling the data to a buyer would violate the promise not to share customer data with a third party.
The FTC issued a complaint that Toysmart was violating Section 5 of the FTC Act, which prohibits “unfair or deceptive acts or practices in or affecting commerce.” 15 U.S.C. § 45. Breaking a promise made in a privacy policy is a deceptive practice.
Toysmart then settled with the FTC by agreeing to sell its business only to a “Qualified Buyer” that is in a similar line of business — focusing on “areas of education, toys, learning, home and/or instruction, including commerce, content, product and services.” For the data acquired from Toysmart, the buyer would have to abide by the terms of Toysmart’s privacy policy.
The FTC
Amazon.com
The Toysmart case led Amazon.com to change its privacy policy. Amazon had stated that it “does not sell, trade, or rent your personal information to others.” Amazon then added the following statement:
As we continue to develop our business, we might sell or buy stores or assets. In such transactions, customer information generally is one of the transferred business assets. Also, in the unlikely event that Amazon.com, Inc., or substantially all of its assets are acquired, customer information will of course be one of the transferred assets.
Some criticized Amazon for retroactively changing its policy for the data it had already collected and for not allowing people to opt out. But on the positive side, Amazon was at least disclosing to consumers what might happen in the event of a sale or bankruptcy. Not many privacy policies at the time did this.
Collateralizing Privacy
In an article written more than a decade ago, Collateralizing Privacy, 78 Tulane Law Review 553 (2004), Professor Xuan-Thao Nguyen pointed out that companies were using their customer data as collateral for loans but still retaining privacy policies that promised not to share data with third parties:
Whether intentional or unintentional, many Internet companies ignore their own privacy policy statements when the companies pledge their customer database as collateral in secured financing schemes. This practice renders on-line privacy statements misleading because the statements are silent on collateralization of the company’s assets.
The interesting point in this article is that even if a company doesn’t actually go bankrupt or isn’t actually sold, its privacy policy might still be deceptive if it has used its customer data as collateral for a loan. Toysmart involved an actual bankruptcy and sale — but the mere agreement to sell customer data in the event of a bankruptcy or sale would render a privacy policy deceptive.
The FTC has not pursued a case such as this, but any company that has used its customer data as collateral and that has a privacy policy that does not state that data may be transferred in the event of a bankruptcy could find itself charged with engaging in a deceptive practice — even though it has not gone bankrupt or been put up for sale.
Not much attention was given to this issue afterwards, but it appears from the New York Times article that companies have slowly been addressing bankruptcy and sale in their privacy policies.
Privacy Policies Today
According to the NYT analysis, “[o]f the 99 sites with English-language terms of service or privacy policies, 85 said they might transfer users’ information if a merger, acquisition, bankruptcy, asset sale or other transaction occurred.” Still, 15% are not including such a provision in their privacy policies (or “privacy statements” as they are often called).
However, merely having such a provision doesn’t address all of the privacy issues. The NYT article goes on to note:
Among the top 100 sites in the Times analysis, at least 17 said they would alert consumers — by, for example, posting a notice on their site — if users’ personal details changed hands. But only Etsy, the crafts e-retailer, Weather.com and a few other sites promised to allow people to opt out of having their data handed over to a third party in certain circumstances.
Additionally, some of these provisions do not ensure that the terms of the privacy policies would still be applied after the data is transferred. Indeed, one of the privacy policies quoted in the article states that in the event of a bankruptcy or sale, “we may not be able to control how your personal information is treated, transferred, or used.”
The disclosures in many privacy policies are not very detailed and do not provide for many consumer rights or protections. Many merely state something akin to: If we go bankrupt, your data may have a new owner. But will the original terms of the privacy policy be respected? Will there be any restrictions on the use of the data? Will there be any restrictions on the type of entity that the data can be sold to?
Recommended Practices
At a minimum, I believe that companies should follow the practices below:
1. Privacy policies should disclose whether customer data would be one of the assets transferred in the event of a bankruptcy or sale. Without such a disclosure, privacy policies would likely be deceptive, especially if a company has secured a loan where customer data is used as collateral.
2. Privacy policies should disclose more details about the consequences to a consumer’s data in the event of a bankruptcy and sale. There should be a disclosure about basic consumer rights that will be maintained, restrictions on the use of the data, and restrictions on the type of entity the data can be sold to.
3. People should be able to opt out if their data is transferred in a bankruptcy or sale. Even if not provided for in the privacy policy, the FTC might be able to enforce such a requirement through the “unfairness” prong of the FTC Act, which is broader than deception. An “unfair” act or practice is one that “causes or is likely to cause substantial injury to consumers which is not reasonably avoidable by consumers themselves and is not outweighed by countervailing benefits to consumers or competition.”
4. The terms of the privacy policy in place when the data was collected should apply to the data after it is transferred. Otherwise, the result is the functional equivalent of a retroactive change in a privacy policy, something that the FTC has enforced against as a violation of Section 5 of the FTC Act. See In the Matter of Gateway, Inc. (2004).
5. Consumers should be notified or alerted in the event their data will be sold in a bankruptcy or sale of the company or its assets. I don’t think that the FTC would find failure to notify to be a violation of Section 5, but notifying consumers would certainly be a good practice in my opinion. More companies should promise to do so.
6. If the data is transferred to a company in a different line of business, such a transfer must not contravene the interests of consumers. For example, what if a company sold your data to a porn company? Or what if a company sold data about teenagers to a fringe cult that engaged in animal sacrifice and mass suicides? From the Toysmart case, the FTC might impose restrictions on the type of company the data could be sold to. However, Toysmart was based on a privacy policy that stated there would be no sharing with third parties. Today, if a privacy policy broadly permits the sale of consumer data to any entity, without restriction, the deceptiveness theory underpinning Toysmart would not apply. But the FTC might have a basis to pursue the case as an “unfair” practice.
****
This post was authored by Professor Daniel J. Solove, who through TeachPrivacy develops computer-based privacy training, data security training, HIPAA training, and many other forms of awareness training on privacy and security topics. This post was originally posted on his blog at LinkedIn, where Solove is a “LinkedIn Influencer.” His blog has more than 900,000 followers.
Professor Solove is the organizer, along with Paul Schwartz, of the Privacy + Security Forum (Oct. 21-23 in Washington, DC), an event that aims to bridge the silos between privacy and security.