Privacy Policies and the Value of Data in Bankruptcy Sales

The last few years have seen unprecedented changes in the legal landscape concerning data protection and privacy. The European Union General Data Protection Regulation (GDPR) became enforceable in May 2018. In July 2018, the California Consumer Privacy Act (CCPA) was enacted, and it became effective January 1, 2020.

In response to the GDPR and the CCPA, many businesses are updating their privacy policies to comply with these laws. While crafting these updates, drafters should be cognizant of the effect such policies could have not only in the short term, but also down the road. For example, in the bankruptcy context, the content of a company’s privacy policy is important. If a privacy policy does not inform customers that their data may be sold in a bankruptcy proceeding, courts are likely to impose restrictions on the sale of that data. These restrictions can significantly decrease the value of such assets. Because of this reality, drafters should keep a few considerations in mind as they update privacy policies to comply with new laws and maximize the value of data assets.

Data in Bankruptcy Proceedings

Section 363(b)(1) of the U.S. Bankruptcy Code provides that a company can sell its customers’ data if its privacy policy clearly permits such a sale. However, if the privacy policy does not authorize the sale of customers’ data, a consumer privacy ombudsman (CPO) must be appointed to review the facts of the sale and applicable non-bankruptcy law. Based on this review, the CPO makes a recommendation to the bankruptcy court whether the proposed transaction should be approved.

For most large companies, the list of applicable non-bankruptcy laws includes the GDPR and the CCPA. Beginning in May 2018, the GDPR imposed a number of new requirements on U.S. companies processing the data of EU citizens. For example, the GDPR now requires that companies’ privacy policies provide customers with information regarding the recipients of personal data, the fact that a company intends to transfer such data, the right to withdraw consent to the processing of such data, and more. Similarly, since the CCPA came into effect on January 1, 2020, privacy policies, among other requirements, must include a description of customers’ rights under the new privacy law and information about the business purposes for which customers’ data are being collected.

Like the GDPR and the CCPA, bankruptcy courts and regulators take a dim view of data-asset sales that are inconsistent with a company’s privacy policy. For example, in RadioShack’s 2015 bankruptcy, the company’s privacy policy contained a promise to not sell or transfer its customers’ information. When RadioShack proposed a sale of its customers’ data in connection with a bankruptcy proceeding, regulators objected. According to regulators, the proposed sale broke the promise made to consumers in the company’s privacy policy, and that broken promise constituted an unfair business practice in violation of federal and state laws.

To address these objections, regulators and other stakeholders in the RadioShack case negotiated a settlement. That settlement allowed the sale of RadioShack’s customers’ data to proceed, albeit pursuant to several restrictions. The restrictions included strict parameters on the type (e.g., no telephone numbers) and scope (e.g., only email addresses active in the past two years) of customers’ data to be sold. Because the settlement reduced the data points available for purchasers’ business purposes (e.g., marketing to consumers via email or the telephone), it stripped the data of significant value.

Lessons Learned

One lesson from the RadioShack case is that bankruptcy courts and regulators will balance consumers’ privacy rights with the interest of debtors and creditors. Even if non-bankruptcy law prohibits a sale of data that contradicts a company’s privacy policy, courts may in some cases permit such a sale to proceed pursuant to negotiated resolutions, which include proposals to address privacy concerns or reduce privacy harms. It is hard to predict whether courts will be as willing to permit such sales given the more explicit requirements regarding transfers of personal data under the GDPR and CCPA.

A second lesson from the RadioShack case is that privacy policies can be drafted to mitigate the risk of losing value in a sale of distressed data assets. If RadioShack’s privacy policy had informed its customers that their data may be transferred in a bankruptcy asset sale, the company likely could have retained more value in those assets.

The foregoing discussion illustrates how the GDPR and the CCPA provide an opportunity to reflect on the importance of drafting privacy policies with an eye toward selling customers’ data in a bankruptcy sale. An express provision in a privacy policy authorizing such a sale will reduce the risk that bankruptcy courts and regulators will impose value-diminishing restrictions on the sale of such data. As companies review and revise their privacy policies to comply with the CCPA and the GDPR, it is important for drafters to keep these considerations about the possibility of a bankruptcy sale at the forefront of their minds.

Image Source: Deposit Photos
Image ID: 19723759
Copyright: maxkabakov