On Thursday, a bankruptcy judge granted final approval of the sale of RadioShack Corporation (“RadioShack”) assets to General Wireless Operations Inc. (“General Wireless”), which included customers’ personal information. In the order, the Delaware bankruptcy judge stated “ . . . no showing was made that the sale of personally identifiable information (the “PII”)(as defined in Section 101(41A) of the Bankruptcy Code), subject to the terms of this Order, would violate applicable nonbankruptcy law.” During the bankruptcy proceeding, the sale of personal information was a contentious issue with the Federal Trade Commission Consumer Protection Director Jessica Rich, multiple states’ Attorneys General, and certain corporations raising concerns. This serves as a reminder for companies big or small, starting up or established, and acquiring or being acquired, that consumers’ personal information has value. In order to protect that value, companies should consider privacy in all stages of business and technological development.

This customer information issue arose after RadioShack filed for bankruptcy earlier this year. Among its assets were approximately 117 million customer records. These records included customer’s names, physical mailing addresses, email addresses and phone numbers. RadioShack’s sale of customer records met with opposition from Texas and many other states which voiced concerns about the sale of personal information.

In addition, Federal Trade Commission (“FTC”) Consumer Protection Director Jessica Rich sent a letter to the court-appointed consumer privacy ombudsman in the bankruptcy case recommending conditions the court could place on the sale of consumers’ personal information to protect the consumers’ privacy. This is not a new issue for the FTC. 15 years ago the FTC settled with the retailer Toysmart.com (“Toysmart“) under allegations that Toysmart violated Section 5 of the FTC Act.   In that case, the FTC claimed that the online retailer misrepresented to consumers that personal information would never be shared with third parties, but then Toysmart disclosed, sold, or offered the personal information for sale. The FTC said that this was a violation of Toysmart’s own privacy statement.

As Rich explains in the May 16 letter, she had “similar concerns about the potential deceptive nature of the transfer of customer information in this case.” RadioShack made extensive privacy promises to consumers, such as to not to sell consumers’ information or its mailing lists. The letter quoted one of RadioShack’s online privacy policies as an example (emphasis added):

Information sharing and disclosure

Agents, employees and contractors of RadioShack who have access to personally identifiable information are required to protect this information in a manner that is consistent with this Privacy Policy and the high standards of the corporation.

  • Information about you specifically will not be used for any purpose other than to carry out the services you requested from RadioShack and its affiliates. All of our affiliates have agreed to maintain the security and confidentiality of the information we provide to them.
  • We will not sell or rent your personally identifiable information to anyone at any time.
  • We will not use any personal information beyond what is necessary to assist us in delivering to you the services you have requested.
  • We may send personally identifiable information about you to other organizations when:
    • We have your consent to share the information (you will be provided the opportunity to opt-out if you desire). For example, if you opt-in for emails we will share this information with our marketing provider.
    • We need to share your information in order to provide the product or service you have requested. For example, we need to share information with credit card providers and shippers to bill and ship the product you requested.
    • We are required to do so by law, for example, in response to a court order or subpoena.”

Rich was not the only one who interjected into the RadioShack bankruptcy proceeding due to concern over consumer information. Apple Inc. (“Apple”) and AT&T Mobility, LLC (together with AT&T Corp. and its affiliates, “AT&T”) objected to the sale of certain customer information associated with the sale of their products/services at RadioShack. In its filed objection, Apple said that a reseller agreement it had with RadioShack prohibits the sale of Apple customer information. AT&T claimed that RadioShack did not own the AT&T customer information in RadioShack’s database and, thus, could not sell the customer information.  The order filed on June 4 requires that General Wireless must abide by the terms of the Apple reseller agreement with respect to customer information and the judge stated that RadioShack will ensure that AT&T customer information would not be sold to General Wireless.

As for the objections from the Attorneys General, RadioShack, General Wireless and the Attorneys General came to an agreement regarding the consumer information after the parties participated in a mediation, which was approved by the court on May, 20, 2015. As part of the agreement, RadioShack will not sell customer’s telephone numbers and will limit the sale of email addresses to those customers who were active within the prior two years.

This case serves as an important reminder that companies must think about these types of issues on a regular basis as they conduct business. And companies must carefully consider the promises they make to consumers, particularly promises that may be overbroad and short sided or, at worst, untrue. Moreover, companies acquiring or investing in other companies should carefully consider the privacy issues surrounding consumer data, particularly if consumer data is a key asset in the deal.

In order to avoid these issues, it is important that companies accurately disclose how the company currently collects, uses and stores consumer’s information. Furthermore, companies should ensure that they clearly state whether they will transfer consumer information as part of a company sale, merger or bankruptcy.

The RadioShack bankruptcy also brought to light the importance of being clear in agreements with service providers, vendors and other companies that have access to end user information, including with regard to who has rights to the that information. In the RadioShack case, the sale of consumer information was objected to by Apple and AT&T because of agreements and relationships the companies had with RadioShack.