The Secure Times

An online forum of the ABA Section of Antitrust Law's Privacy and Information Security Committee


Leave a comment

Borders’s Sale of Personal Information Approved by Bankruptcy Court

The Wall Street Journal reported this week that Judge Martin Glenn of the U.S. Bankruptcy Court in Manhattan approved on September 26th the $13.9 million sale of Borders’s intellectual property to Barnes & Noble. Intellectual property assets include personal information (PI) that Borders collected from 48 million customers. This PI includes customer’s email addresses, but also records of books and videos they have purchased.

The issue of the privacy rights of Border’s customers was debated during the process. At a September 22 hearing, Judge Glenn had hesitated to approve the sale over concerns about customer’s privacy. The two sides, working with the Consumer Privacy Ombudsman (CPO) appointed by the court overseeing the Borders bankruptcy, agreed to email Border’s customers within a day of the sale’s closing to ask them if they wish to opt out of Barnes & Noble’s email list. Records about specific titles bought in the past at Border’s won’t be included in the sale.

The CPO had contacted the Federal Trade Commission (FTC) requesting it to provide a written description of its concerns regarding the possible sale of the PI collected by Borders during bankruptcy proceeding.

Bureau of Consumer Protection Director David Vladeck answered in a letter to the CPO on September 14, which was submitted to the court.

Borders and Its Privacy Policies

Selling PI during bankruptcy is regulated by section 363(b) of the Bankruptcy Code, 11 U.S.C. § 363(b), which provides that:  (our emphasis)

(b) (1) The trustee, after notice and a hearing, may use, sell, or lease, other than in the ordinary course of business, property of the estate, except that if the debtor in connection with offering a product or a service discloses to an individual a policy prohibiting the transfer of personally identifiable information about individuals to persons that are not affiliated with the debtor and if such policy is in effect on the date of the commencement of the case, then the trustee may not sell or lease personally identifiable information to any person unless —

(A) such sale or such lease is consistent with such policy; or

(B) after appointment of a consumer privacy ombudsman in accordance with section 332, and after notice and a hearing, the court approves such sale or such lease —

(i) giving due consideration to the facts, circumstances, and conditions of such sale or such lease; and

(ii) finding that no showing was made that such sale or such lease would violate applicable nonbankruptcy law.

Border’s 2006 and 2007 privacy policies had promised customers that the retailer would only disclose to third parties a customer’s email address or other PI if the customer “expressly consents to such disclosure.” The 2008 privacy policy, however, stated that:

Circumstances may arise where for strategic or other business reasons, Borders decides to sell, buy, merge or otherwise reorganize its own or other businesses. Such a transaction may involve the disclosure of personal or other information to prospective or actual purchasers, or receiving it from sellers. It is Borders’ practice to seek appropriate protection for information in these types of transactions. In the event that Borders or all of its assets are acquired in such a transaction, customer information would be one of the transferred assets.”

However, Mr. Vladeck wrote that the FTC “views this provision as applying to business transactions that would allow Borders to continue operating as a going concern and not to the dissolution of the company and piecemeal sale of assets in bankruptcy” and that “[e]ven if the provision were to apply in the event of a sale or divestiture of assets through bankruptcy, Borders represented that it would “seek appropriate protection” for such information.”

Privacy Policies and Unfair Practice

Mr. Vladeck wrote that the FTC was concerned that any sale or transfer of the PI of Borders’ customers “would contravene Borders’ express promise not to disclose such information and could constitute a deceptive or unfair practice.”

Mr. Vladeck ‘s letter noted that the FTC brought cases in the past where it alleged that the failure to adhere to a privacy policy is a deceptive practice under the FTC Act. In one of these cases, FTC v. Toysmart, an online retailer had filed for bankruptcy and then tried to sell its customer’s PI. The FTC alleged that the sharing of PI in connection with an offer for sale violated section 5 of the FTC Act, as the retailer had represented in its privacy policy that such information would never be shared with third parties.

Mr. Vladeck wrote that the “Toysmart settlement is an appropriate model to apply” in the Border’s case. The FTC entered a settlement with Toysmart allowing the transfer of customer information under certain limited circumstances:

1) the buyer had to agree not to sell customer information as a standalone asset, but instead to sell it as part of a larger group of assets, including trademarks and online content;

 2) the buyer had to be an entity that concentrated its business in the family commerce market, involving the areas of education, toys, learning, home and/or instruction;

3) the buyer had to agree to treat the personal information in accordance with the terms of Toysmart’s privacy policy; and

 4) the buyer had to agree to seek affirmative consent before making any changes to the policy that affected information gathered under the Toysmart policy.

Mr. Vladeck concluded his letter by offering these guidelines:

          Borders agrees not to sell the customer information as a standalone asset;

          The buyer is engaged in substantially the same lines of business as Borders;

          The buyer expressly agrees to be bound by and adhere to the terms of Borders’ privacy policy; and

          The buyer agrees to obtain affirmative consent from consumers for any material changes to the policy that affect information collected under the Borders’ policy.”

It seems that Mr. Vladeck’ s letter had a significant impact on the ruling.  Curiously, only a small percentage of customers understand the value their PI may have for a company, even though PI may be sold as assets.


Leave a comment

FTC’s Data Privacy Staff Report – Comments Due Jan. 31

Last week, the Federal Trade Commission released its long-awaited privacy report.  Called “Protecting Consumer Privacy in an Era of Rapid Change”, the 79-page preliminary staff report outlines a framework for consumer privacy based on three principles: (1) Privacy By Design; (2) Simplified Choice; and (3) Transparency. 
 
Some of its key proposals include: a “Do Not Track” browser add-on and other changes to consumer privacy choices; broadening the scope “to all commercial entities that collect consumer data in both offline and online contexts, regardless of whether such entities interact directly with consumers;” and looking at whether COPPA-style consent requirements should apply to teenagers. The FTC is requesting comments on the report by January 31, 2011, and plans to issue a final report later in 2011. Annexed to the report are six pages of questions to which the FTC seeks comments.
 
The first half of the report discusses the principles of “notice and choice” and “harm” that have formed the basis for the FTC’s privacy-related policy work, educational efforts, and enforcement actions. It also summarizes the FTC’s activities and provides an overview of key issues raised during several years of roundtable discussions involving consumer advocacy groups, businesses, academicians and others. The second half of the report expands on the new principles, which appear to simply consolidate and expand upon the earlier principles – “notice” becomes “transparency”, “choice” becomes “simplified choice”, and “harm” becomes “privacy by design”:
  • Privacy by Design – Companies are urged to “incorporate substantive privacy and security protections into their everyday business practices and consider privacy issues systemically, at all stages of the design and development of their products and services.” Companies are urged to collect information only for a specific purpose, limit the amount of time that data is stored, use reasonable safeguards, and develop comprehensive, company-wide privacy programs. However, the FTC staff also recognizes that these measures need to be tailored to each company’s data practices – companies that collect limited amounts of non-sensitive data need not implement the same types of programs required by a company that sells large amounts of sensitive personal data.
  • Simplified Choice – Companies should “describe consumer choices clearly and concisely, and offer easy-to-use choice mechanisms . . .at a time and in a context in which the consumer is making a decision about his or her data.”  The FTC is proposing a new “laundry list” approach to determine whether or not companies need to provide choice to consumers. For example, defined “commonly accepted practices” generally will not require choice, whereas other practices may require either (1) some type of choice mechanism; (2) enhanced choice mechanism; or (3) even more restrictions than enhanced consent. As this is designed for both online and offline behaviors, categorizing each company’s practices as “commonly accepted” or not could be a daunting task.  A chart below outlines the basics of simplified choice.  
    • Do-Not-Track: The day after the report issued, the Commerce Department’s NTIA testified to Congress that it would be convening industry and consumer groups to discuss the “achieving voluntary agreements” on Do-Not-Track.   The FTC would then “ensure compliance with these voluntary agreements, as appropriate.” 
    • ABA Antitrust Section Members note: Companies in markets with limited competition may be subject to “Enhanced Privacy protections” and/or “Additional Enhanced Privacy Protections.” 
  • Greater Transparency – Companies should “make their data practices more transparent to consumers”. The FTC suggests developing a standardized policy like the notice templates currently developed for financial companies complying with Gramm-Leach-Bliley. The FTC is also considering whether increase the transparency of data broker activities and proposes allowing consumers to access (but not necessarily change) profiles compiled about them from many sources.
Two Commissioners issued concurring statements to the proposed framework. Commissioner Kovacic called some of the recommendations “premature” – including the Do-Not-Track proposal. He also pointed out the report lacked consideration of the existing federal and state oversight of privacy concerns. Commissioner Rauch issued a concurring statement that applauds the report as a useful “horatory exercise”, but criticizes the new approach. He states that it could be overstepping the FTC’s bounds to consider “reputational harm” and “other intangible privacy interests” if no deception is involved.
 
Stay tuned – there are many privacy developments on the horizon. In remarks delivered with the report, Chairman Liebowitz declared that “despite some good actors, self-regulation of privacy has not worked adequately and is not working adequately for Americans consumers.” He signaled that the FTC will be bringing more cases in the coming months – and that cases involving children are of particular interest.  In addition, the Commerce Department’s “green paper” on Commercial Data Privacy is expected soon.
 
                                                            Table – Simplified Choice
 
Choice Not Required
Choice Mechanism REQUIRED
Choice Not Required
No choice, but Additional Transparency (Notice)
(Unspecified – presumably Company Discretion; also Do Not Track)
Enhanced Consent (Affirmative Express Consent)
“Even more heightened restrictions” than Enhanced Consent
Do Not Track
1. “Commonly Accepted Practices” 
Laundry list of practices, report suggests: first party marketing (FTC seeks comment on scope); internal operations, legal compliance, fraud prevention.
 
1. Technically Difficult/not feasible to provide choice mechanism: e.g. Data Brokers? (comment sought)
2.“Enhancement?” – compiling data from several sources to profile consumers (comment sought re: whether choice should be provided about these practices?) 
1. Not “Commonly Accepted Practices” and not “Technically Difficult” e.g. Data Brokers (comment sought).
1. Sensitive Information for online behavioral advertising; information about children, financial & medical information, precise geolocation data.
2. Sensitive Users: Children: Teenagers (staff seeks comment); Users who lack meaningful choice (lack of competition in market) (Staff seeks comment).
3. Changing specific purpose: Use of data in materially different manner than claimed when data was posted, collected, or otherwise obtained.
1. Lack of alternative consumer choices through Industry factors (competition): Broadband ISP deep packet inspection.
2, Others?
 
1. Online Behavioral Advertisers.
2. Others?