When Selling Business Assets Privacy Must Be Upheld

James Chiodo, Certified Information Privacy Professional CIPP/US

Many websites start out with an altruistic view of how they safeguard personal and confidential information you provide to them. Internet companies want to project an image that your information is safe, and that they will only release your information with your consent, or at the very least give you some sort of notification that your data may be released to a third party. How a company handles your information is usually stated in the company’s privacy policy.

The truth is, however, that when an Internet company is sold or liquidated through a bankruptcy proceeding, the assets largely consist of personal information, which is sometimes freely transferred to a third party without you even knowing it, much less with your consent. If a company sells your collected information without consent or knowledge contrary to their privacy policy, the company may be found to be engaging in a deceptive trade practice in regard to your protected data.

Break Your Privacy Policy Promise and You May Hear From the FTC

To protect consumer’s information from businesses that do not obey their own privacy policies, the Federal Trade Commission or FTC will enforce Section 5 of the Federal Trade Commission Act, which prohibits unfair or deceptive trade practices.

Apart from the big teeth of the FTC, other laws may be enforced by other regulatory agencies. In a recent case involving the bankruptcy of ConnectEDU, wherein over a period of 12 years ConnectEDU collected data from high school and college students, the FTC reminded the Court that ConnectEDU must comply with Section 363(b)(1)(A) of the Bankruptcy Code which states that personally identifiable information cannot be sold to a third party unless the sale of the data is consistent with the debtor’s privacy policy.

Here, ConnectEDU was attempting to sell its assets to a third party without properly notifying the consumer and therefore, give the customer an opportunity to delete their information. The FTC offered some guidance from its heavy hand and suggested that ConnectEDU provide users with a notice of the sale of their personal information and opportunity to remove their data should a consumer feel uneasy about the final destination of their personal information.

The FTC also suggested destroying the personal information, but that seems counterintuitive since that is what a third party is buying – the information of the students has value, and destroying it would reduce the value of the sale. The FTC isn’t concerned with how much money is lost, so long as the laws are being enforced. In the alternative, the FTC suggested the Court could appoint a privacy ombudsman to ensure the privacy interests of ConnectEDU’s customers are protected.

Heeding the Warning

An Internet company that gathers protected and personal information could safeguard itself by getting an insurance policy that covers actions brought against it by the FTC or other regulatory agencies. Having a cyber-insurance policy just makes good business sense, but better yet a great company will respect your information by obeying its own privacy policy, whether it stands to gain from the sale of the information or not.

New California & Nevada Privacy Laws Affect Website and Mobile App Owners ➞ Read More