Would you pay top dollar for a company that’s missing its user data? Neither would your company’s future acquirers. Data is valuable. When your company is sold, it will be worth a lot more if the sale includes your user data. But if you don’t take some easy privacy steps now to prepare for that sale, you may be creating risk that lowers the value of the deal and attracts the attention of regulators in the way that RadioShack just did. Let’s look at what the electronics chain did wrong and how others can learn from this mess.
For years, RadioShack’s privacy policy promised that the company would share its customers’ personal information in only a specific set of circumstances. It said, “We will not sell or rent your personally identifiable information to anyone at any time.” While the policy described certain disclosures (such as to service providers), it didn’t mention transfers to acquirers in mergers, acquisitions, bankruptcy proceedings or other similar corporate transactions.
After the company filed for bankruptcy protection in February 2015, its assets, including its 117 million customer records, went to the auction block. Regulators and privacy advocates cried foul, arguing that the sale of these records would violate the company’s earlier promises. A coalition of state attorneys general began negotiating with the troubled company and its would-be purchasers to limit the sale, and the director of the Bureau of Consumer Protection of the Federal Trade Commission (“FTC”) turned up the heat with a letter to the court-appointed privacy ombudsman. The letter describes some of the FTC’s privacy objections to prior asset sales, and it summarizes two paths that the FTC has pressured companies to take in data sales that are part of such transactions:
- Option A: Ask customers for opt-in consent to the data transfer, and then only transfer the data of the customers who opt in.
- Option B: Make the sale subject to the following conditions:
  - The customer information is not sold as a standalone asset;
  - The buyer is engaged in substantially the same lines of business as the original company;
  - The buyer expressly agrees to be bound by and adhere to the terms of the original company’s privacy policies as to the personal information acquired from the original company; and
  - The buyer agrees to obtain opt-in consent from consumers for any material changes to the policy that affect information collected under the original company’s policies.
The FTC has made similar demands during regular mergers and acquisitions (unrelated to bankruptcy). Under this pressure, RadioShack and its potential purchasers have announced a mediated agreement with the state attorneys general in which (i) certain old data will be destroyed and not sold, (ii) customers will be contacted and given an opportunity to opt out of the transfer, and (iii) the purchasers will adhere to the RadioShack privacy policy when handling any data that survives the opt-out process.
The FTC’s involvement in this case is noteworthy because RadioShack’s data was not particularly sensitive: just contact information and some mundane transaction details (for purchases of non-sensitive items such as cables and TVs). In other words, it’s data that almost every B2C company holds. The FTC’s earlier objections to bankruptcy sales have typically involved FTC arguments that the data was somehow sensitive, such as children’s data (Toysmart), the subscription list of a gay-interest magazine (XY Magazine), and book and video purchase histories (Borders). (The Borders privacy policies did have provisions indicating that personal information could be transferred in a bankruptcy or other corporate transaction, but the FTC asserted an aggressive and creative reading, arguing that the policies didn’t completely permit such sales.)
In light of this and the FTC’s aggressive posturing in matters such as Borders, companies may wish to consider bolstering their privacy policies against potential objections to future sales. Not all techniques are appropriate for all companies, but the menu of options for some companies includes: (1) explicitly stating that user data may be transferred in connection with some or a wide range of transactions, (2) specifying that those transactions will not be subject to opt-out or to any other conditions, such as those outlined in the FTC letter or AG settlement, and (3) ensuring that no other promise or condition in the privacy policy, Terms of Use, or other document limits the company’s ability to make the transfer. Implementing the right changes through the right process can add significant value to the company by putting potential acquirers at ease and limiting regulatory scrutiny and post-sale risks.