by Celine Guillou and Monique Jewett-Brewster
As we move closer to a global recession caused by the current pandemic, some companies will find themselves in the unfortunate position of having to seek bankruptcy relief. This may have some important and often overlooked privacy implications. There is no question that in this day and age, one of a business’ most valuable assets is the personal information that it has collected from its customers and/or end-users – often more so than any of its tangible assets. Increasingly, as business shifts online, this is true not only of technology companies, but also of “brick and mortar” companies.
However, when a business becomes a debtor, the sale of personal information can be problematic. Section 363(b) of the US Bankruptcy Code provides that a debtor that has a privacy notice prohibiting the transfer of personally identifiable information (“personal information”) may not use, sell or lease such information other than in the ordinary course of business unless (1) the use, sale or lease is consistent with the terms of the privacy notice or (2) after the appointment of a consumer privacy ombudsman (“CPO”) the court finds, after giving due consideration to the facts, circumstances, and conditions, that the sale or lease would not violate applicable non-bankruptcy law. These restrictions only apply if the debtor disclosed to its customers a privacy notice prohibiting the transfer of personal information to persons not affiliated with the debtor and the policy was in effect on the date of the bankruptcy filing.
While there are some existing decisions discussing these consumer privacy protections, because privacy has only recently become such a “hot topic” – certainly as compared to the last big round of corporate bankruptcies – these restrictions are now much more likely to come up in the context of bankruptcy sales in this next round. Organizations contemplating bankruptcy proceedings should therefore be aware of these restrictions in connection with a Section 363(b) sale motion. Although most technology companies, accustomed to doing business online, have been more proactive about ensuring that they have privacy notices and the proper disclosures posted to their websites, this is often not the case with “brick and mortar” businesses, such as retailers and restaurant groups. Additionally, while many privacy notices do already address sales of information, including in bankruptcy, how the sale language is specifically worded, the nature of the purchaser, and, importantly, the number of prior versions of the privacy notice could become impediments to effortlessly transferring users’ personal information. One question likely to be debated is whether the failure to disclose that personal information may be sold in a bankruptcy sale or otherwise remaining silent on the issue – rather than an outright preclusion – is tantamount to a prohibition on the transfer of personal information under those circumstances – an argument likely to be made by consumer privacy advocates.
Indeed, broad disclosures typically made in privacy notices will certainly garner much attention. In a not-so-recent yet very relevant 2010 case involving a debtor magazine, the bankruptcy trustee sought to transfer the debtor’s subscribers’ personal information that had been collected over the course of 11 years. However, the FTC became aware of the negotiations and notified the parties that any sale, transfer or use of the information would potentially violate the Federal Trade Commission Act’s prohibition against unfair or deceptive acts or practices. In sum, because the debtor’s “simple, explicit, and clear” privacy notice advised subscribers that their personal information “would not be sold, shared, or given away to anybody” – even stating upon sign-up “[p]lease note our amazing privacy policy” – the sale or transfer of the data would potentially constitute an unfair or deceptive trade practice by the debtor. You can read the FTC’s full letter here. This case actually dates back to 2010. Since then, the FTC has stepped up its review of privacy practices outside of the bankruptcy context for unfair or deceptive acts or practices under Section 5 of the FTC Act, especially as companies continue to make overbroad promises (e.g., “we will never sell your information”) or deceptive statements when it comes to their privacy practices – certainly in an attempt to reassure consumers who have become increasingly savvy about their privacy rights. As such, one can only imagine that in this next round of bankruptcies, consumer information is unlikely to go “unnoticed” in the event of a sale.
With respect to how the issue is handled in bankruptcy court, outcomes will differ. A bankruptcy court may approve a debtor’s proposed sale of personal information even where its privacy notice prohibits the transfer of personal information. In the event that a CPO is appointed in the bankruptcy case, the CPO’s task will be to educate the court about the personal information and the privacy implications. As an initial step, the CPO will identify personal information in the debtor’s custody or control and where it is located. As we all know, personal information may be stored in several locations, including company devices, personal devices, a cloud-based platform and on-premise servers, which means taking stock of all personal information that is collected and where it is stored. The CPO will then advise the court about the debtor’s privacy notice, evaluate the sensitivity of the personal information, and possibly recommend limits on the sale to protect consumer privacy. In some cases, a debtor may avoid the need for the appointment of a CPO if the proposed buyer is materially in the same line of business of the debtor and agrees to use the personal information for the same purpose specified in the debtor’s privacy notice – as well as comply with that privacy notice. No matter the outcome, the appointment of a CPO, if required, can substantially delay the process and possibly reduce the value of a debtor’s assets.
Leaving aside the US Bankruptcy Code, specific privacy laws such as the GDPR may further impact the conditions under which personal information may be transferred to a purchaser. This could further impact sales of personal information where the company is handling the personal data of individuals located in the European Economic Area. As such, it’s important to review existing privacy notices and assess applicable data protection laws prior to filing, particularly if customer personal information is your organization’s most prized asset.