Feature

Confessions of a Consumer Privacy Ombudsman

Cassandra M. Porter

©2017. Published in Landslide, Vol. 9, No. 6, July/August 2017, by the American Bar Association. Reproduced with permission. All rights reserved. This information or any portion thereof may not be copied or disseminated in any form or by any means or stored in an electronic database or retrieval system without the express written consent of the American Bar Association or the copyright holder.

First confession: despite earning a privacy credential and spending my days reviewing data privacy clauses, when a website asks for my consent to its privacy policy, I click “agree” and move on.1 Frankly, what’s the point otherwise? I live in the United States, and if I want to use a company’s site, the “price of admission” is my consent.

But my freewheeling consent habit occasionally gives me pause. Not so long ago, I helped financially distressed companies (and their creditors) navigate the United States Bankruptcy Code. For a solvent company, the priority is upholding applicable privacy law and maintaining good customer relations by keeping security breaches to a minimum. However, for an insolvent company, creditor repayment becomes the company’s focus by statute, and all other tasks are prioritized accordingly. Critically, customer data is often among a debtor’s most valuable assets.2

Customer Data Is a Business Asset

Customer data wasn’t always automatically for sale.3 Privacy policies regularly promised customers that the company would never sell, trade, or transfer the customer’s data. However, this practice changed after the Federal Trade Commission (FTC) intervened in the Toysmart.com chapter 11 case and similar companies’ proposed sales of customer data.4 The importance of the Toysmart.com chapter 11 case and its progeny is beyond the scope of this article (and there are many well-written articles already published about them). However, in summary, Toysmart.com sought to sell consumer data, which included data attributable to minors, in direct contradiction to its privacy policy. The FTC sought to enjoin the sale, arguing (among other things) that the company was violating the promises made to consumers under its privacy policy. Ultimately, the parties settled, and as a result, customers were provided with the option of not having their respective data transferred. After Toysmart.com, privacy policies were quickly replaced with ones notifying customers that personal data provided to a company could be transferred under various circumstances, including an asset sale.

In 2015, an article in the New York Times5 reviewed current website privacy policies’ data-transfer provisions. Among other things, the authors pointed to an alleged discrepancy in a particular privacy policy, noting that the company (for our purposes, X Co.) promised its customers that their information was not for sale. However, further in the policy, X Co. indicated that a customer’s data may be sold or transferred if X Co. is subsequently sold.6 The article’s authors asked X Co. to respond to their observation. To its credit, X Co. responded. However, X Co. did not agree with the authors’ assessment. According to an X Co. representative, its business model didn’t include selling customer lists to third parties. This is because X Co. respects its customers’ interests in maintaining the privacy of their data. However, if X Co. is sold, customer data may be included in this sale. In other words, X Co.’s customer data is a company asset just like any other asset listed on its balance sheet.

Enter the Consumer Privacy Ombudsman

As noted by the article’s authors, X Co.’s position is not unique. Most, if not all, companies treat customer data as an asset, and the reasons why are not surprising. Customer data is rarely limited solely to an individual’s contact information. A customer’s interests, social connections, and even the device he or she uses to explore and connect can all be gathered and organized.7 From this information, inferences about an individual’s preferences, politics, and religion may be drawn. For the right marketer or advertiser, large groups of organized information are a potential gold mine of intelligence. Depending on the circumstances, customer data may be more valuable than any other asset available to be liquidated.8

When a company seeks to restructure its debt, two core legal principles must be reconciled: a creditor’s statutory right to be repaid versus an individual’s statutory right to receive the benefit of his or her bargain and to be free from unfair and deceptive trade practices. In today’s data-driven economy, customers may be pitted against themselves if the only asset a debtor has to liquidate is the same asset that it cannot sell absent customer consent. In these situations, a consumer privacy ombudsman (CPO) brings reason to an otherwise insane process. As a court-appointed fiduciary, the CPO’s role is to protect the rights of consumers whose data is being considered for sale while assisting the bankruptcy court with navigating nonbankruptcy law in the court’s quest to create the best outcome in a dire situation.

The CPO role is a relatively new addition to the United States Bankruptcy Code. In connection with the 2005 amendments to the Bankruptcy Code, Congress revised the code to address privacy concerns in connection with the sale of customer data when the pertinent pre-petition privacy policy forbids such a sale. Specifically, Congress amended § 363 of the Bankruptcy Code (which addresses the use, sale, or lease of property) to provide, in relevant part, that a trustee (or debtor in possession) may sell property of the estate except in situations where the debtor disclosed to an individual a policy prohibiting the transfer of personally identifiable information9 about individuals.10 However, the Bankruptcy Code does provide a practical solution for debtors and bankruptcy courts. A sale may be permitted under the Bankruptcy Code if the sale terms are consistent with the debtor’s policy.11 In the alternative, the sale may be approved after appointment of a CPO in accordance with 11 U.S.C. § 332 and if the bankruptcy court gives due consideration to the facts, circumstances, and conditions of such a sale and finds that the sale would not otherwise violate applicable nonbankruptcy law.12

Section 332 outlines when a CPO must be appointed13 and the CPO’s responsibilities in assisting the bankruptcy court with making a determination under § 363(b)(1)(B).14 As provided in the Bankruptcy Code, a CPO should consider the debtor’s relevant privacy policy (or policies), any potential losses or gains of privacy to consumers if the sale is approved, and the potential costs or benefits to consumers. Further, a CPO should consider any potential alternatives to the proposed sale that would mitigate potential privacy losses or costs for consumers.15

As a matter of practice, most CPOs prepare a report for the bankruptcy court’s consideration that is filed openly on the case docket. In the report, the CPO summarizes his or her investigation and outlines recommendations for the court’s consideration. Further, as required by the case circumstances, a CPO will engage in discussions with proposed purchasers. These discussions usually include an extensive review of the buyer’s intentions for a debtor’s data after the transfer occurs, the buyer’s ability to protect the data in an industry-directed and statutorily appropriate manner, and a procedure for destroying unused data and providing confirmation that the destruction occurred.

Putting Theory into Practice

Congress’s directions to debtors and courts seem simple enough. However, how the directions are interpreted and enforced is critical to ensuring consumer interests are protected. For example, in In re Golfsmith International Holdings Inc., the debtors sought approval to sell substantially all of their assets, including just under 10 million unique customer records, to Dick’s Sporting Goods Inc. and its affiliates.16 During the CPO’s investigation in the Golfsmith matter, she learned that the debtors’ assets included retail stores17 and years of customer data, potentially dating back to its early days as a golf club repair shop and catalog business.18 The debtors also operated a website that processed retail orders and had approximately 29 million unique site visits annually.19 The debtors collected information from customers through their website, retail stores, catalog business, and related call centers, including personally identifiable information such as a customer’s name, birthday, gender, and physical/mailing address. The debtors also collected customer e-mail addresses through their website and stores, and in connection with purchases made through their website, catalog, and stores. Further, the debtors obtained customer e-mail addresses in connection with calls received at their call center and through their gift card program, warranty program, and company branded credit card.20

The debtors’ privacy policy indicated that a customer’s phone number would not be made “available to other companies or organizations.”21 Further, e-mail addresses supplied to the debtors would remain in the “sole possession” of the company.22 Moreover, the debtors’ prior privacy policies also contained explicit restrictions on the debtors’ ability to sell or transfer their customer data.23

Given that the debtors’ privacy policies did not readily permit the transfer of customer data to a third party, the Golfsmith CPO and buyer engaged in extensive discussions with respect to the buyer’s proposed use of customer data. At the conclusion of these discussions, the Golfsmith CPO recommended that the bankruptcy court approve the sale subject to several conditions designed to protect customer interests in their data by providing them with notice of the transaction and an opportunity to opt-out of their data being transferred.24 Ultimately, the sale was approved by the bankruptcy court, subject to the Golfsmith CPO’s recommended conditions, in time for the buyer to take over the debtors’ operations prior to the holiday retail season.

Second confession: I was the Golfsmith CPO. My role in the Golfsmith chapter 11 matters is a good example of how a CPO can efficiently25 validate the propriety of data transfers while protecting consumers’ interests in their data privacy in an efficient streamlined process.26 The data transfer process ensured that customers’ data privacy was protected on an individual level and for customers as a group in two ways. First, individual Golfsmith customers received notice of the sale along with information as to their respective rights in connection with the proposed data transfer. Second, Golfsmith customers’ data privacy was protected as a whole because the buyer agreed to safeguard these records in a manner consistent with industry standard data protections as a condition of the Golfsmith sale.

When CPOs were first introduced into the restructuring process, some predicted that they would create more expenses for the estates and further clutter an already chaotic process. In practice, the opposite has occurred. CPOs as a whole have found ways to protect the rights of millions of individual consumers while helping to preserve the viability of an estate’s assets. Final confession: that’s the best part of being a CPO.

As for my freewheeling privacy policy acceptance practices, I am not overly concerned. I am confident that my fellow CPOs (and their counsel) are working just as diligently to protect consumer interests. After all, we’re all consumers first.

Endnotes

1. Depending on the website, I may skim the policy; and if it is well drafted, I will read it more thoroughly. However, I engage in the exercise for no other reason than curiosity over what a potential competitor has created.

2. A string of recent bankruptcies demonstrates this issue. See, e.g., In re Aéropostale, Inc., No. 16-11275 (SHL) (Bankr. S.D.N.Y. 2016) [D.I. 758]; In re Hancock Fabrics, Inc., No. 16-10296 (BLS) (Bankr. D. Del. 2016) [D.I. 948]; In re Adinath Corp., No. 15-16885 (LMI) (Bankr. S.D. Fla. 2015) [D.I. 427]; In re RadioShack Corp., No. 15-10197 (BLS) (Bankr. D. Del. 2015) [D.I. 2148]; In re Deb Stores Holdings, LLC, No. 14-12676 (KG) (Bankr. D. Del. 2014) [D.I. 272]; In re dELiA*s, Inc., No. 14-23678 (RDD) (Bankr. S.D.N.Y. 2014) [D.I. 557]; In re Coldwater Creek, Inc., No. 14-10867 (BLS) (Bankr. D. Del. 2014) [D.I. 339, 425]; In re Crumbs Bake Shop, Inc., No. 14-24287 (MBK) (Bankr. D.N.J. 2014) [D.I. 174]; In re Kid Brands, Inc., No. 14-22582 (DHS) (Bankr. D.N.J. 2014) [D.I. 280]; In re Dots, LLC, No. 14-11016 (DHS) (Bankr. D.N.J. 2014) [D.I. 624]; In re Loehmann’s Holdings Inc., No. 13-14050 (MG) (Bankr. S.D.N.Y. 2013) [D.I. 196]; In re Real Mex Rests., Inc., No. 11-13122 (BLS) (Bankr. D. Del. 2011) [D.I. 877]; In re Borders Grp., Inc., No. 11-10614 (MG) (Bankr. S.D.N.Y. 2011) [D.I. 1830].

3. For an overview of early customer data sale issues, see Susan Stellin, Technology; Dot-Com Liquidations Put Consumer Data in Limbo, N.Y. Times, Dec. 4, 2000, http://www.nytimes.com/2000/12/04/business/technology-dot-com-liquidations-put-consumer-data-in-limbo.html; and Paul Davidson, Dying Dot-Coms’ Customers Coveted, USA Today, Feb. 6, 2002, http://usatoday30.usatoday.com/tech/news/2001-01-30-dying-dot-coms.htm.

4. For details about the Toysmart.com chapter 11 case, including a copy of the respective pleadings, see https://www.ftc.gov/enforcement/cases-proceedings/x000075/toysmartcom-llc-toysmartcom-inc (last updated July 21, 2000).

5. Natasha Singer & Jeremy B. Merrill, When a Company Is Put Up for Sale, in Many Cases, Your Personal Data Is, Too, N.Y. Times, June 28, 2015, https://www.nytimes.com/2015/06/29/technology/when-a-company-goes-up-for-sale-in-many-cases-so-does-your-personal-data.html?_r=0.

6. Id.

7. See Timothy Morey et al., Customer Data: Designing for Transparency and Trust, 93 Harv. Bus. Rev. 96 (2015), available at https://hbr.org/2015/05/customer-data-designing-for-transparency-and-trust.

8. Another confession: I am both horrified and thrilled by the idea of “big data.” My reasons why are best saved for another article. But let’s just say that if The Graduate were remade today, Mr. McGuire would advise Ben to peruse “Big Data.”

9. Under 11 U.S.C. § 101(41A), personally identifiable information includes an individual’s first name and last name, residential address, electronic address (including e-mail), telephone number, Social Security account number, credit card account number, birth date or place of birth, and other information that if disclosed could identify an individual.

10. See 11 U.S.C. § 363(b)(1).

11. Id. § 363(b)(1)(A).

12. Id. § 363(b)(1)(B).

13. Id. § 332(a).

14. Id. § 332(b).

15. Id.

16. See Report of Consumer Privacy Ombudsman at 1, 12, In re Golfsmith Int’l Holdings Inc., No. 16-12033 (LSS) (Bankr. D. Del. Oct. 28, 2016) [D.I. 412] (hereinafter Ombudsman Report).

17. Moreover, through the course of her investigation, the CPO also learned that no other purchaser was interested in acquiring the debtor’s assets, which included dozens of fully staffed retail stores prepared for end-of-the-year holiday sales.

18. Ombudsman Report, supra note 16, at 8.

19. Id. at 9.

20. Id. at 11–12.

21. Id. at 13.

22. Id.

23. Id. at 14.

24. Id. at 1–5.

25. As in many retail chapter 11 matters, efficiency was particularly critical in the Golfsmith cases given the number of employees and unsecured creditors who depended on a buyer taking over the debtors’ operations quickly and seamlessly. Moreover, the cost of enforcing a process to protect customer data is also an important consideration. If a process is too costly or overly burdensome, a potential buyer may decide to forgo the purchase. As a result, unless the bankruptcy estate has sufficient liquidity, customer data may inadvertently become unprotected as the debtor loses staff and attends to other matters.

26. See Luis Salazar, The Most Dangerous Intersection—Bankruptcy and Consumer Privacy, Privacy Advisor (June 1, 2009), https://iapp.org/news/a/2009-06-bankruptcy-and-consumer-privacy.

Cassandra M. Porter, CIPP/US, was appointed to the Consumer Privacy Ombudsman Panel for the Third Circuit in 2016. She recently joined the privacy law team of a Fortune 500 company and spends her days putting theory into practice. Feel free to connect with her on LinkedIn. All statements made in this article are her own and do not reflect the opinions of her current or former employers. The author wishes to thank Mary Hildebrand of Lowenstein Sandler LLP, who served as counsel to the Golfsmith CPO.