During these particularly trying times resulting from the COVID-19 pandemic, businesses of all sizes have been concerned about the future. As a result, considering potential liquidation or restructuring through bankruptcy is inevitably starting to become a reality for some. Companies in this situation should keep privacy concerns in mind, because the handling of personal data in bankruptcy proceedings poses some unique challenges.

By taking proactive measures, a business can transform the personal data it holds from a reorganization liability into an asset. However, the issue of whether or not personally identifiable information (PII) can be sold (and under what terms) is a common way privacy issues come into play during liquidation and reorganization proceedings. As further discussed below, the GDPR and the CCPA, along with the prior positions taken by the FTC and various State Attorneys General, are all factors for companies to consider to ensure that data does not lose its value as part of the bankruptcy process.

The Bankruptcy Code, GDPR and CCPA

When a company files for bankruptcy, it must obtain court approval to sell its assets outside of the ordinary course of business. A company may use, sell, or lease property of the estate, including customers’ data, unless its privacy policy prohibits “the transfer of personally identifiable information about individuals to persons that are not affiliated with the debtor.” U.S. Bankruptcy Code Section 363(b)(1). If the company’s privacy policy prohibits this transfer, a consumer privacy ombudsman (CPO) must be appointed to review the facts of the sale and the applicable non-bankruptcy law. Id.

Bankruptcy sales in the new digital age have become increasingly complicated by privacy laws and complications due to privacy concerns. Recently, the legal landscape concerning data protection and privacy has shifted, largely toward a more stringent level of protection of users’ data. The European Union General Data Protection Regulation (GDPR) has been enforceable since May 2018. Under the GDPR, companies are now required to have privacy policies that include information regarding the recipients of customers’ personal data, whether there is intent to transfer such data, the right to withdraw consent to the processing of such data, and more.

In July 2018, the California Consumer Privacy Act (CCPA) was enacted, and has been enforceable since January 1, 2020. Under the CCPA, companies are required to have privacy policies that include a description of the customers’ rights under the new privacy law and information about the business purposes for which the customers’ data are being collected.

In response to the GDPR and the CCPA, many companies are updating their privacy policies. When drafting or revising these policies, companies should be cognizant of both the short term and long term consequences. In the bankruptcy context, if a privacy policy does not inform customers that their data may be sold in a bankruptcy proceeding, courts are likely to impose restrictions on the sale of that data. These restrictions may significantly decrease the value of such assets. Because of this reality, drafters should keep a few considerations in mind as they update privacy policies to comply with new laws and maximize the value of data assets.

Lessons from the Toysmart, Borders and RadioShack Bankruptcies 

In general, bankruptcy courts and regulators are unlikely to allow data-asset sales that are inconsistent with a company’s privacy policy. Toysmart faced this issue during its bankruptcy in 2000 when the Federal Trade Commission intervened to enjoin the debtor from selling consumer data. The company’s privacy policy had promised that consumer data would “never be shared with third parties.” The FTC eventually reached a settlement with Toysmart that permitted the sale of customer data, but not as a stand-alone asset. The data was only to be sold in connection with other corporate assets to a buyer in a related market that would continue the business and, additionally, with a provision of notice and ability for individual consumers to opt out. The State Attorneys General then brought a collective action as well, and added an additional obligation to obtain the opt-in consent of consumers. As a result, the limitations posed by the FTC and State Attorneys General were so burdensome that the consumer data was destroyed prior to Toysmart’s formal dissolution.

Similarly, in 2011, Borders Bookstore endured similar obstacles during its bankruptcy. This began when the FTC sent Borders a letter advocating for the protection of personal consumer data. Borders also had a privacy policy that promised customer data would not be shared without consent. Borders had collected a substantial amount of consumer data such as detailed records about the types of books and videos consumers purchased. The FTC again asked the bankruptcy judge to require customer consent or impose significant restrictions on the transfer and use of that data as part of the bankruptcy estate.

RadioShack also faced this issue during bankruptcy in 2015. RadioShack had proposed a sale of customer data while the company’s privacy policy had contained a promise stating: “we will not sell or rent your personally identifiable information at any time.” Both the FTC and State Attorneys General intervened to block the sale of this data as an unfair and deceptive business practice, but later negotiated a settlement allowing the sale to proceed with restrictions on the type and scope of data to be included in the transaction. Specifically, the court-appointed ombudsman recommended that the sale exclude several categories of consumer data, and to create an opt-out provision for consumers. These restrictions, however, stripped the data of significant value, and most of the data was destroyed prior to the sale.

With the CCPA enacted, restrictions on the transfer of data during bankruptcy is bound to become even more complicated. Under the CCPA, a “sale” of personal information is defined broadly to include the “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means” to another business or third party “for monetary or other valuable consideration.” CCPA, Section 1798.140(t)(1). However, a transfer during bankruptcy is largely excluded from being regarded as a sale. As stated in the CCPA:

Consumer personal information may be part of business assets transferred to a third party in the course of a merger, acquisition, or bankruptcy when the third party assumes control of all or part of the business. In general, this type of transfer will not constitute a sale of personal information for the purposes of the CCPA. But, if the third party materially alters how it uses or discloses the consumer’s personal information and that use or disclosure is materially inconsistent with the notice provided to the consumer at the time of collection, the third party must provide the consumer with prior notice of the changed practices. Parties to the transaction should consider whether to address this issue in the purchase agreement. CCPA, Section 1798. 140(t)(2)(D) (emphasis added).

Because this the transfer of assets during bankruptcy generally does not constitute a sale under the CCPA, the heightened restraints applicable to the sale of data under this provision do not apply. However, the CCPA does seem to solidify in law the restriction that had been imposed by the FTC and State Attorneys General in the aforementioned cases by requiring customers receive notice of any policy change. Some additional restrictions may depend on each individual exercising the full extent of their rights under the CCPA. Under the CCPA, individuals have the right to access, delete, obtain information about a sale/transfer of, and opt-out of a sale of PII.

When businesses receive requests to exercise individual rights under CCPA, they must verify the requests and comply with them within 45 days of the request. CCPA, Section 1798.130(a)(2). Therefore, what was mandated by the FTC and State Attorneys General in the bankruptcy proceedings mentioned above, is somewhat individualized under the CCPA, but could lead to the same result – stripping data of its value. This may have a serious effect on bankruptcy proceedings during present times where, for many companies, data is the most valuable asset.

Takeaways

To comply with the GDPR and CCPA, companies looking to sell, transfer or buy personally identifiable information via bankruptcy asset sales should confirm that the transfer is consistent with the debtor’s privacy policy. If it is not consistent with the privacy policy, companies will have to provide notice of the policy change to consumers prior to the transaction. Additionally, the Federal Trade Commission and State Attorneys General may seek to block the sale until the debtor agrees to comply with the privacy policy. Companies may also want to specifically assess their privacy policies to confirm that they provide notice to consumers of the right to transfer data in the event of a bankruptcy.

Additionally, to cover all bases, companies should analyze the privacy policies and disclosures of companies targeted for acquisition as a result of bankruptcy to determine if the acquiring entity may freely use the PII as expected. Companies should also assess their obligation to notify customers of any changes to the use or sharing of their PII.