Would you pay top dollar for a company that’s missing its user data? Neither would your company’s future acquirers. Data is valuable. When your company is sold, it will be worth a lot more if the sale includes your user data. But if you don’t take some easy privacy steps now to prepare for that sale, you may be creating risk that lowers the value of the deal and attracts the attention of regulators in the way that RadioShack just did. Let’s look at what the electronics chain did wrong and how others can learn from this mess.
After the company filed for bankruptcy protection in February 2015, its assets, including its 117 million customer records, went to the auction block. Regulators and privacy advocates cried foul, arguing that the sale of these records would violate the company’s earlier promises. A coalition of state attorneys general began negotiating with the troubled company and its would-be purchasers to limit the sale, and the director of the Bureau Consumer Protection of the Federal Trade Commission (“FTC”) turned up the heat with a letter to the court-appointed privacy ombudsman. The letter describes some of the FTC’s privacy objections to prior asset sales, and it summarizes two paths that the FTC has pressured companies to take in data sales that are part of such transactions:
- Option A: Ask customers for opt-in consent to the data transfer, and then only transfer the data of the customers who opt-in.
- Option B: Make the sale subject to the following conditions:
- The customer information is not sold as a standalone asset;
- The buyer is engaged in substantially the same lines of business as the original company;
- The buyer expressly agrees to be bound by and adhere to the terms of the original company’s privacy policies as to the personal information acquired from original company; and
- The buyer agrees to obtain opt-in consent from consumers for any material changes to the policy that affect information collected under the original company’s policies.
The FTC’s involvement in this case is noteworthy because RadioShack’s data was not particularly sensitive: just contact information and some mundane transaction details (for purchases of non-sensitive items such as cables and TVs). In other words, it’s data that almost every B2C company holds. The FTC’s earlier objections to bankruptcy sales have typically involved FTC arguments that the data was somehow sensitive, such as children’s data (Toysmart), the subscription list of a gay-interest magazine (XY Magazine), and book and video purchase histories (Borders). (The Borders privacy policies did have provisions indicating that personal information could be transferred in a bankruptcy or other corporate transaction, but the FTC asserted an aggressive and creative reading, arguing that the policies didn’t completely permit such sales.)