Insights
Publications

Undergoing Bankruptcy Proceedings? Here’s How to Make Sure PII Maintains Its Value

December 1, 2020 Articles
Legaltech News

Due to the COVID-19 pandemic, some businesses are considering potential liquidation or restructuring through bankruptcy. Companies in this situation should keep privacy concerns in mind, because the handling of personal data in bankruptcy proceedings poses some unique challenges. 

The issue of whether or not personally identifiable information (PII) can be sold (and under what terms) is a common way privacy issues come into play during liquidation and reorganization proceedings. As further discussed below, there are many factors to consider to ensure that data does not lose its value as part of the bankruptcy process.

The Bankruptcy Code, GDPR and CCPA

When a company files for bankruptcy, it must obtain court approval to sell its assets outside of the ordinary course of business. A company may use, sell, or lease property of the estate, including customers’ data, unless its privacy policy prohibits “the transfer of personally identifiable information about individuals to persons that are not affiliated with the debtor.” U.S. Bankruptcy Code Section 363(b)(1). If the company’s privacy policy prohibits this transfer, a consumer privacy ombudsman (CPO) must be appointed to review the facts of the sale and the applicable non-bankruptcy law. Id.

Bankruptcy sales in the new digital age have become increasingly complicated by privacy laws that require a more stringent level of protection of users’ data. Under the European Union General Data Protection Regulation (GDPR), companies are now required to have privacy policies that include information regarding the recipients of customers’ personal data, whether there is intent to transfer such data, the right to withdraw consent to the processing of such data, and more. Under the California Consumer Privacy Act (CCPA), companies are required to have privacy policies that include a description of the customers’ rights under the new privacy law and information about the business purposes for which the customers’ data are being collected.

In response to the GDPR and the CCPA, many companies are updating their privacy policies. Drafters should keep a few considerations in mind as they update privacy policies to comply with new laws, maximize the value of data assets, and ensure there is minimal disruption to the bankruptcy process in the event that the company finds itself going down this road.

Lessons from the Toysmart, Borders and RadioShack Bankruptcies

In general, bankruptcy courts and regulators are unlikely to allow data-asset sales that are inconsistent with a company’s privacy policy. Toysmart faced this issue due to a privacy policy had promised that consumer data would “never be shared with third parties.” The Federal Trade Commission permitted the sale of the data, but only with significant restrictions. The State Attorneys General added an additional obligation to obtain the opt-in consent of consumers. As a result, the limitations were so burdensome that the consumer data was destroyed prior to Toysmart’s formal dissolution.

Borders Bookstore endured similar obstacles during its bankruptcy in 2011 due to a privacy policy that promised customer data would not be shared without consent. The FTC again asked the bankruptcy judge to require customer consent or impose significant restrictions on the transfer and use of that data as part of the bankruptcy estate.

RadioShack also faced this issue due to the company’s privacy policy which promised: “we will not sell or rent your personally identifiable information at any time.” The FTC and various State Attorneys General intervened to block the sale of this data as an unfair and deceptive business practice, but later negotiated a settlement allowing the sale to proceed with restrictions on the type and scope of data to be included in the transaction. These restrictions, however, stripped the data of significant value, and most of the data was destroyed prior to the sale.

With the CCPA enacted, restrictions on data transfer during bankruptcy is bound to become even more complicated. Under the CCPA, a “sale” of personal information is defined broadly to include “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means” such information to another business or third party “for monetary or other valuable consideration.” CCPA, Section 1798.140(t)(1). However, a transfer of personal information during bankruptcy is largely excluded from being regarded as a sale. See CCPA, Section 1798.140(t)(2)(D). Additional restrictions may depend on each individual exercising their right to access, delete, obtain information about a sale/transfer of, and opt-out of a sale of PII under the CCPA.

When businesses receive requests to exercise individual rights under CCPA, they must verify the requests and comply with them within 45 days of the request. CCPA, Section 1798.130(a)(2). Therefore, what was mandated by the FTC and State Attorneys General in the bankruptcy proceedings mentioned above is somewhat individualized under the CCPA, but could lead to the same result – stripping data of its value. This may have a serious effect on bankruptcy proceedings during present times where, for many companies, data is the most valuable asset.

Takeaways

To comply with the GDPR and CCPA, companies looking to sell, transfer or buy personally identifiable information via bankruptcy asset sales should confirm that the transfer is consistent with the debtor’s privacy policy. If it is not consistent with the privacy policy, companies will have to provide notice of the policy change to consumers prior to the transaction. Additionally, the Federal Trade Commission and State Attorneys General may seek to block the sale until the debtor agrees to comply with the privacy policy.  Companies may also want to specifically assess their privacy policies to confirm that they provide notice to consumers of the right to transfer data in the event of a bankruptcy.

Additionally, to cover all bases, companies should analyze the privacy policies and disclosures of companies targeted for acquisition as a result of bankruptcy to determine if the acquiring entity may freely use the PII as expected. Companies should also assess their obligation to notify customers of any changes to the use or sharing of their PII.

Firm Highlights

Publication

Thomson Reuters v. Ross Intelligence: AI Copyright Law and Fair Use on Trial

On Sept. 25, 2023, Judge Stephanos Bibas (sitting by designation in the District of Delaware), determined that fact questions surrounding issues of fair use and tortious interference required a jury to decide media conglomerate...

Read More
Publication

Court Reinstates CPPA Enforcement Authority and Confirms No Delay Necessary for Enforcement of Future CCPA Regulations

A recent appellate decision has made clear that the regulations promulgated under California’s groundbreaking consumer privacy law, the California Consumer Privacy Act (CCPA, as amended by the California Privacy Rights Act (CPRA)), are ripe...

Read More
Publication

California AI Proposal Rethinks Consumer Scope and Recordkeeping

The California Privacy Protection Agency will revisit its  draft  regulations for automated decision-making technology on March 8, including use of artificial intelligence to process personal information. Comment periods should be coming soon in 2024...

Read More
Publication

Major Decision Affects Law of Scraping and Online Data Collection, Meta Platforms v. Bright Data

On January 23, 2024, the court in Meta Platforms Inc. v. Bright Data Ltd. , Case No. 3:23-cv-00077-EMC (N.D. Cal.), issued a summary judgment ruling with potentially wide-ranging ramifications for the law of scraping and...

Read More
Publication

California Proposes New AI & Automated Decision-Making Technology Regulations

The California Privacy Protection Agency (CPPA) released its draft  regulatory framework for automated decision-making technology (ADMT) on November 27. These regulations are a preview of what new requirements may look like for companies currently...

Read More
News

Scraping Battles: Meta Loses Legal Effort to Halt Harvesting of Personal Profiles

Alex Reese spoke to Matt Fleischer-Black of  Cybersecurity Law Report about the Meta v. Bright Data decision and its impact on U.S. scraping case law. Read the article here (paywall or trial).

Read More
Publication

BIPA Liability: Existing CGL Coverage May Provide a Lifeline for Policyholders

Developments in the law have increased the potential liability that companies could face under the Illinois Biometric Information Privacy Act (BIPA), but fortunately for policyholders, Illinois case law has also solidified coverage for BIPA...

Read More
Publication

California Appeals Court Empowers Privacy Agency to Immediately Enforce CCPA Regulations

In  California Privacy Protection Agency et al. v. The Superior Court of Sacramento County  (case number C099130), the Third Appellate District of the California Court of Appeal returned authority to the California Privacy Protection...

Read More
Publication

It Wasn’t Me, It Was the AI: Intellectual Property and Data Privacy Concerns With Nonprofits’ Use of Artificial Intelligence Systems

In today's rapidly changing technological landscape, artificial intelligence (AI) is making headlines and being discussed constantly. To be sure, AI provides a powerful tool to nonprofits in creating content and exploiting for countless cost-effective...

Read More
Event

AI and Privacy: What Every Company Needs to Do Today

Sushila Chanana and Benjamin Buchwalter will discuss "AI and Privacy: What Every Company Needs to Do Today' at the ACC 2024 Privacy Summit.  This session will introduce basics of AI governance, such as ownership...

Read More