Customer information has become an increasingly valuable business asset. The volume and detail of other available information about consumers have increased along with it, well beyond mere customer names and addresses to preferences, purchasing history, and online activity. This means that when a business is sold, customer information is often sold along with it. But careful diligence is required in handling this intangible asset, and the recent settlement in the RadioShack bankruptcy case is instructive.
As part of its Chapter 11 sale of assets, RadioShack proposed a sale of portions of its customer records database, containing, for approximately 67 million customers, personally identifying information (“PII”) such as names, mailing addresses, email addresses, and phone numbers, and 21 other types of transaction data (such as store number and tender amount). The proposal quickly drew objections, most notably from the FTC and a coalition of 38 state Attorneys General led by Texas.
The problem was RadioShack’s privacy policy, which had told customers, “we will not sell or rent your personally identifiable information to anyone at any time.” Despite the promise, the Bankruptcy Code allows customer information to be sold, but only under the supervision and approval of the court and a “consumer privacy ombudsman,” who was appointed in the RadioShack proceeding.
Ultimately, a settlement was reached and the sale of customer information was approved, but in truncated form. RadioShack agreed to limit contact information to email addresses only, and only those that were active in the two years prior to the bankruptcy filing. Additionally, transaction data was reduced from 21 fields to 7. The purchaser agreed to abide by RadioShack’s privacy policies and to require affirmative assent to any material change to them. The settlement also provided that customers would receive a notice of the transfer of their information and an opportunity to opt out.
The RadioShack case demonstrates the importance of customer information, and the attention it should be given at the outset, even when crafting a customer-facing privacy policy, as well as in the M&A arena, bankruptcy, or elsewhere. Privacy policies should be crafted with possible corporate mergers, acquisitions and liquidations in mind, and M&A and bankruptcy lawyers should be attentive to possible restrictions on the sale of data early on in their diligence process.