On July 10, 2000, the Federal Trade Commission (“FTC”) filed suit in the U.S. District Court for the District of Massachusetts against Toysmart.com alleging that its offer to sell customer information in violation of the privacy policy was an unfair and deceptive trade practice that should be enjoined.
II. The Federal Trade Commission And Privacy Policies
The Federal Trade Commission Act (“FTC Act”) grants the Commission authority to investigate and prosecute corporations for violations of the FTC Act.[FOOTNOTE 2] Violations of the FTC Act include unfair or deceptive acts or practices in or affecting commerce.[FOOTNOTE 3] The definition of “commerce” under the FTC Act is a company’s course of business, which includes business conducted on the Internet.[FOOTNOTE 4] Therefore, the FTC Act gives the Commission authority over the collection and dissemination of personal data collected online.[FOOTNOTE 5] An Internet company’s failure to comply with its stated privacy policy may constitute an actionable violation of the FTC Act if it is a deceptive business practice. [FOOTNOTE 6] In California, an Internet company could also face an action under Business & Professions Code section 17200 for unfair business practices. Many other states have similar consumer protection laws.
III. Fair Information Practice Principles
Currently, no statute requires the placement of privacy policies on Internet Web sites other than the Children’s Online Privacy Protection Act of 1998 (“COPPA”), which is only applicable to Web sites collecting information from children who are younger than 13 years old.[FOOTNOTE 7] In addition, there is no legislation that regulates the content of posted privacy policies for Internet companies. However, the FTC has established fair information practice principles that act as a guideline for evaluating Web site privacy policies.[FOOTNOTE 8] Fair information practice principles were additionally used as a framework in drafting COPPA, and they are currently being recommended as guidelines for drafting legislation to regulate web sites not governed by COPPA.[FOOTNOTE 9] In 2000, the FTC submitted a report to Congress concerning the results of a survey performed on heavily trafficked web sites and advocating legislation based on the following fair information practice principles:
1. Notice — Web sites should be required to provide customers with clear and conspicuous notice of their information practice, including what information they collect, how they collect it, how they use it, and how they provide Choice, Access, and Security to consumers.
2. Choice — Web sites should offer consumers choices as to how their personal identifying information is used beyond the use for which the information was provided.
3. Access — Web sites should be required to offer consumers reasonable access to the information a Web site has collected about them, including a reasonable opportunity to review the information and to correct inaccuracies or delete information.
4. Security — Web sites should take reasonable steps to protect the security of the information the collect for consumers.[FOOTNOTE 10]
Although fair information practice principles have not been disseminated to all Internet companies via legislation, the principles have influenced the industry in a variety of ways. TRUSTe, a non-profit privacy seal organization, uses the fair information practice principles as a standard for approving Internet company privacy policies. In addition, the FTC uses fair information practice principles as a framework for developing privacy policies in settlements when the Commission has filed complaints against Internet companies for engaging in deceptive business practices.
On July 10, 2000, the FTC sued Toysmart.com for allegedly engaging in deceptive business practices by promising to customers that their personal information would never be disclosed, and then offering that information to the highest bidder.[FOOTNOTE 11] The FTC’s complaint requested a permanent injunction preventing the sale of customer information.[FOOTNOTE 12] After several weeks of negotiations, the FTC reached a settlement with Toysmart.com. In the settlement, the FTC tried to follow fair information practice principles as well as satisfy the business needs of a troubled company.[FOOTNOTE 13] Toysmart.com was allowed to sell its customer list but only as part of the company’s goodwill, not as a stand-alone asset.[FOOTNOTE 14] In addition, the FTC required a family commerce corporation buyer who expressly agreed to succeed-in-interest Toysmart.com’s customer list. The buyer of the list was obligated to abide by the terms of the Toysmart.com privacy policy. If the buyer wished to make material amendments to the policy, it had to post a notice on the Web site and each of Toysmart.com’s customers must provide affirmative consent (“opt-in”) to their previously collected information being governed by the new policy. Without the affirmative consent of the customer, the information would instead be governed by the old privacy policy.[FOOTNOTE 15] Due to the lack of qualified buyers for Toysmart’s assets, and the objections of a number of state attorneys general, the Bankruptcy Court did not approve the FTC settlement. Later, however, the Bankruptcy Court approved a proposal by Disney, one of Toysmart.com’s investors, to pay $50,000 and to have the customer list destroyed.[FOOTNOTE 16]
While Toysmart.com was able to resolve the FTC’s claims, the issue of selling a customer list as part of the sale of assets is not fully resolved. In the settlement, certain Commissioners recommended that Toysmart.com give notice and choice to its customers before transferring their information to a corporate successor as a matter of good will and good business practice.[FOOTNOTE 17] In addition, Commissioner Swindle dissented and argued that the FTC should not have allowed the sale.[FOOTNOTE 18]
In addition to the FTC, state attorneys general have been particularly active on the privacy issue, relying on state unfair or deceptive business practices and other consumer protection laws. In addition to objecting to the Toysmart.com sale, the Texas Attorney General took a lead role in objecting to the sale of customer information in the recent Living.com bankruptcy in Texas. Living.com had been an e-tailer of home furnishings. Under a settlement with the Texas Attorney General, Living.com agreed to destroy its customer personal financial information but was permitted to transfer non-financial information only if customers did not opt-out after receiving a notice via e-mail of a proposed transfer.[FOOTNOTE 19]
Another Internet company, Craftshop.com, www.craftshop.com, filed Chapter 11 bankruptcy in the District of Delaware in May 2000. Craftshop.com listed its 16,000 name customer list as an asset with an “uncertain” value in its schedules. Initially, Craftshop.com offered the customer list for sale. Craftshop.com’s posted privacy policy, however, had stated:
When you register with CraftShop.com, you will be asked for information that you consider private. Unless you specifically give us permission, CraftShop.com will never disclose any of the information you share with us. Ever. We will hold your secure online shopping information in the strictest confidence. We will never release it to any person or any company for any purpose. We do not sell, rent, or lend any part of our mailing list.
Following the FTC’s actions against Toysmart.com, however, Craftshop.com announced to prospective purchasers that the customer list was no longer for sale.
IV. Avoiding FTC And Attorneys General Action
The FTC’s primary interest is in preventing deceptive business practices by enforcing a company’s privacy policy. Therefore, if a privacy policy alerts customers to the possibility of the transfer of information in the case of a sale of assets, or a successor in interest, the FTC and state attorneys general probably will not view such a sale as a violation of the FTC Act or similar state laws as was alleged in the Toysmart.com case.
Simply revising a privacy policy to permit the sale of customer information, however, will not resolve the potential problem. Following fair information principles means that the customer information gathered under the older strict privacy policy should still be governed by that original policy. Any new customer information gathered under a new privacy policy that allows the transfer of customer personal information for certain types of transfers to third parties would likely be governed by the new privacy policy. If a company wants the old customer information to be governed by its new privacy policy, it may be required to alert each customer of the change, and give the customer the opportunity to choose whether or not they want their information governed by the new privacy policy.[FOOTNOTE 20] Customer information may also have to be segregated according to the privacy policy in force at the time the information was provided. This could impose additional expenses on an Internet company.
V. The Bankruptcy Reform Act And Other Legislation
The Toysmart.com case prompted at least two bills to be introduced in the prior, 106th Congress that would have precluded customer lists from being sold in bankruptcy, in addition to one that had already been introduced. As discussed in detail below, the Senate version of the Bankruptcy Reform Act of 2001 also includes specific privacy — related provisions.
On July 10, 2000, Representative Bachus introduced H.R. 4814, which would have made it an “unfair practice in or affecting commerce which violates section 5 of the Federal Trade Commission Act (15 U.S.C. 45) for a person to sell on the Internet information such person acquired with a pledge that the information would be kept private and not released or for a person to share or transfer to another such information on the Internet.” On July 12, 2000, Senators Leahy and Torricelli introduced S. 2857, the “Privacy Policy Enforcement in Bankruptcy Act of 2000 Act.” The bill provided that if the sale or disclosure of personally identifiable information would violate the privacy policy of a debtor under which it was collected, such information would be excluded from the definition of property of the estate by an addition to 11 U.S.C. � 541(b). One notable bill introduced by Senator Hollings before the Toysmart.com case was S. 2606, the “Consumer Privacy Protection Act.” In addition to addressing a wide variety of privacy issues, Section 601 of the bill provided that personally identifiable information is not property of the estate by an addition to 11 U.S.C. � 541(b), regardless of whether the applicable privacy policy disclosed that it could be sold.
By excluding personally identifiable information from the definition of “property of the estate” under all or certain circumstances, the two Senate bills from the 106th Congress could have created unanticipated problems. For example, if the customer information were not property of the estate at all, would the automatic stay apply to attempts by a secured creditor or others to obtain such a database? Moreover, could a Chapter 11 debtor-in-possession even use the customer information as part of its existing business or as part of a reorganized debtor post — confirmation? Addressing the use of customer data through amendment of Section 541(b) raises these and other significant questions, suggesting that a more direct solution to privacy concerns in bankruptcy should be considered.
The Senate-passed version of the Bankruptcy Reform Act of 2001, S. 420, contains specific provisions designed to address personally identifiable information, but does so by amending Section 363(b)(1), instead of Section 541(b) of the Bankruptcy Code. Section 231 of the bill provides as follows:
SEC. 231. PROTECTION OF NONPUBLIC PERSONAL INFORMATION.
(a) IN GENERAL — Section 363(b)(1) of title 11, United States Code, is amended by striking the period at the end and inserting the following:
‘, except that if the debtor has disclosed a policy to an individual prohibiting the transfer of personally identifiable information about the individual to unaffiliated third persons, and the policy remains in effect at the time of the bankruptcy filing, the trustee may not sell or lease such personally identifiable information to any person,
unless –
(A) the sale is consistent with such prohibition; or
(B) the court, after notice and hearing and due consideration of the facts, circumstances, and conditions of the sale or lease, approves the sale or lease.’
(b) DEFINITION — Section 101 of title 11, United States Code, is amended by inserting after paragraph (41) the following:
(41A) ‘personally identifiable information’, if provided by the individual to the debtor in connection with obtaining a product or service from the debtor primarily for personal, family, or household purposes –
(A) means –
(i) the individual’s first name (or initials) and last name, whether given at birth or adoption or legally changed;
(ii) the physical address for the individual’s home;
(iii) the individual’s e-mail address;
(iv) the individual’s home telephone number;
(v) the individual’s social security number; or
(vi) the individual’s credit card account number; and
(B) means, when identified in connection with one or more of the items of information listed in subparagraph (A) –
(i) an individual’s birth date, birth certificate number, or place of birth; or
(ii) any other information concerning an identified individual that, if disclosed, will result in the physical or electronic contacting or identification of that person;.
In Section 232 of the Senate-passed bill, the position of a Consumer Privacy Ombudsman is created. This section provides as follows:
SEC. 232. CONSUMER PRIVACY OMBUDSMAN.
(a) IN GENERAL –
(1) APPOINTMENT ON REQUEST — If the trustee intends to sell or lease personally identifiable information in a manner which requires a hearing described in section 363(b)(1)(B), the trustee shall request, and the court shall appoint, an individual to serve as ombudsman during the case not later than — –
(A) on or before the expiration of 30 days after the date of the order for relief; or
(B) 5 days prior to any hearing described in section 363(b)(1)(B) of title 11, United States Code, as amended by this Act.
(2) DUTIES OF OMBUDSMAN — It shall be the duty of the ombudsman to provide the court information to assist the court in its consideration of the facts, circumstances, and conditions of the sale or lease under section 363(b)(1)(B) of title 11, United States Code, as amended by this Act. Such information may include a presentation of the debtor’s privacy policy in effect, potential losses or gains of privacy to consumers if the sale or lease is approved, potential costs or benefits to consumers if the sale or lease is approved, and potential alternatives which mitigate potential privacy losses or potential costs to consumers.
(3) NOTICE TO OMBUDSMAN — The ombudsman shall receive notice of, and shall have a right to appear and be heard, at any hearing described in section 363b(1)(B) of title 11, United States Code, as amended by this Act.
(4) CONFIDENTIALITY — The ombudsman shall maintain any personally identifiable information obtained by the ombudsman under this title as confidential information.
(b) APPOINTMENT — If the court orders the appointment of an ombudsman under this section, the United States Trustee shall appoint 1 disinterested person, other than the United States trustee, to serve as the ombudsman.
(c) COMPENSATION OF CONSUMER PRIVACY OMBUDSMAN — Section 330(a)(1) of title 11, United States Code, is amended in the matter preceding subparagraph (A), by inserting �an ombudsman appointed under section 332,’ before �an examiner’.
If these provisions become law, sales of customers lists likely will be difficult to have approved over objection by an appointed Consumer Privacy Ombudsman. While the court can approve a sale if it believes the facts, circumstances, and conditions of the sale or lease justify it, most sales contrary to the debtor’s pre-bankruptcy privacy policy will probably be rejected. One interesting issue is raised by the bill’s use of the phrase “and the policy remains in effect at the time of the bankruptcy filing,” with regard to a pre-petition privacy policy. Could a debtor, as part of pre-petition bankruptcy planning, simply revoke its privacy policy and evade these provisions? Such a move would likely draw the ire of the FTC and state attorneys general, but may be an area of litigation under the new bill if it becomes law.
VI. What About Creditors?
Arguably lost in the rush to enforce privacy policies in bankruptcy is the interest of creditors. A Web site’s customer list in many cases may be the single most valuable asset owned by an Internet company. With other Internet companies having paid millions of dollars to acquire customers through marketing campaigns, a failing company could probably generate substantial value if it could sell a customer list, either as an independent asset or as part of a sale of substantially all of the dot-com’s assets. As noted, an “old economy” company could easily sell customer data to a third party, and consumers for years have allowed companies to collect this information without any privacy policy or restrictions on its use. The FTC’s Toysmart.com settlement would have permitted the sale of the customer information to another family-oriented site that would agree, among other things, to honor the privacy policy. Many consumers presumably would find such a solution acceptable. Creditors therefore may wonder whether it is appropriate to eliminate entirely this valuable asset from an Internet company’s bankruptcy estate.
Depending upon the terms of its privacy policy, a Web site unable to sell the list might still be able to generate some value from it by sending e-mails, for a fee, to its customers advertising another company’s Web site with an embedded hypertext link to that other site. This e-mail campaign could be accomplished without ever disclosing the customer’s information to a third party. Unfortunately, however, this effort would likely be priced more like other forms of e-mail advertising, which often generate little “click-through” interest. Another alternative would be to send out an e-mail to customers notifying them of a proposed sale but giving an opportunity to opt out or opt in, with the price paid by the purchaser dependent on the number of customers agreeing to the transfer. Given the current atmosphere surrounding privacy policies, even these uses of a customer list could draw opposition.
VII. CONCLUSION
An Internet company’s privacy policy — and its promises regarding the use or sale of personally identifiable information — can have a significant impact on the value of a customer list in any bankruptcy or other liquidation. The FTC and state attorneys general have shown their intention to require Internet companies to adhere to their privacy policies, and legislation pending before Congress would prohibit many such sales. Given the uncertainties in this developing area of law, and the potential for litigation, it may not be surprising if an Internet company in bankruptcy has trouble deciding whether to schedule its customer list as an “asset” or a “liability.”
� Copyright 2001 Robert L. Eisenbach III. All rights reserved.
