United States: Can Customer Information Be Sold? Carefully, Very Carefully

The Radio Shack bankruptcy case raised a fundamental question regarding the sale of personally identifiable customer information: Can it be done? The answer is "Probably". (You expected anything else?)

When Radio Shack filed for bankruptcy protection, it had collected personally identifiable customer information respecting 117 million individual customers. Radio Shack had promised customers in its privacy policy that it would not "rent or sell" their personally identifiable information to any third party. In the bankruptcy proceedings, the customer information was identified as an asset. Radio Shack proposed to sell this asset for the benefit of creditors. The FTC, many state attorneys general, Verizon and AT&T objected to the proposed sale. A privacy ombudsman, permitted by the Bankruptcy Code, was also appointed by the Court.

The Bankruptcy Court ordered all parties to mediate the dispute. In mediation, a deal was reached permitting customer information to be sold. However, a number of conditions were attached to the sale. First, the buyer had to agree to be bound by Radio Shack's privacy policy. Second, customers had to be given notice of the sale and an opportunity to "opt-out" either via email or mail, depending upon whether Radio Shack had a valid email address for the customer. Third, opt-out information had to be "prominently" posted on the Radio Shack website. Finally, the buyer was prohibited from the use of "sensitive" information, including debit/credit card information, date of birth and government IDs such as Social Security numbers.

The Radio Shack settlement provides a number of takeaways respecting the sale of personally identifiable customer information, in and out of bankruptcy:

• Even government actors such as the FTC and state AGs appear to recognize that privacy rights are not absolute and need to be balanced against the interest driving a sale.
• A bedrock principle is the need to honor the promises made by the company that collected the information.
• Government regulators require an "opt-out" process.
• Company privacy policies and disclosures should make it explicitly clear that information collected from customers may be sold and/or provided to a successor or buyer company, including if such information is sold in the context of bankruptcy.
• Don't ignore HIPPA, which will always apply to medical information.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.