A company’s customer information is an asset, although it’s probably not a line item on its balance sheet. It may be sold during the sale of the business, during a merger, or in a bankruptcy proceeding. However, its sale may be limited by the company’s website privacy notice.
A website privacy notice announces to the world how your organization will collect, receive and use information provided by customers. It also may publicize your organization’s intention, present or future, to sell that customer information. And this verbiage within the website privacy notice can directly affect the sale of the information or the terms in which it can be sold.
Related video: How to profitably restore online privacy
For example, Sports Authority filed Chapter 11 bankruptcy in March and sought to sell off assets to pay creditors. One of the assets offered for sale was customer information—114 million customer records and 25 million email addresses. This information was auctioned as a standalone asset apart from the retail assets. The highest bid for this information was $15 million.
On the other hand, RadioShack filed Chapter 11 bankruptcy in February 2015 and wanted to sell off assets to pay creditors. One of the assets for sale was 67 million customer records. However, in this case, the Federal Trade Commission and 40 states objected.
Several corporations also objected, claiming that RadioShack had customer information belonging to the corporations as a result of resale of products, such as cellular phones and plans. To protect consumers’ privacy, the bankruptcy appointed a consumer privacy ombudsman to provide recommendations and conditions for the sale of personal information.
The parties reached a compromise for the sale of customer data that greatly reduced the salable assets, as well as added limitations to the sale. The purchaser could buy email addresses that were active within two years of the bankruptcy filing. Only seven out of the 170 data points could be sold. Customers had to be notified of the sale of their data and given the ability to opt their data out of the sale.
The purchaser also was bound by the RadioShack website privacy notice going forward. The limitations as set in this compromise resulted in most of the valuable customer data being destroyed and not sold. All of RadioShack’s assets were sold for $26.2 million. Because the data was not a standalone asset, it was not given a separate valuation by RadioShack and its purchaser.
The difference in these two seemingly analogous sales: the website privacy notice.
RadioShack’s website privacy notice read: “We will not sell or rent your personally identifiable information to anyone at any time.” In contrast, Sports Authority’s website privacy notice read: “We may transfer your personal information in the event of a corporate sale, merger, acquisition, dissolution or similar event.”
Customer information is a company asset. Unlike other assets, your organization must make it known, in clear and conspicuous language within your website privacy notice, that customer information collected or received by your business may be sold.
Lisa Berry-Tayman is senior privacy and information governance advisor at CyberScout.