It is typical for companies to state in their privacy policies that the personal data they gather from their users will not be disclosed to third parties except in certain limited circumstances. While there is no doubt that most companies making such promises intend to honor them, a privacy pitfall the companies may not anticipate is the sale of user data to third parties during bankruptcy proceedings.
On May 22, 2014, the director of the Bureau of Consumer Protection of the Federal Trade Commission, a U.S. regulator, sent a letter to a bankruptcy judge overseeing the reorganization of ConnectEDU, an education technology company. The letter expressed concern about the potential sale of the company’s assets, which could include transferring to another company the personally identifiable user data that ConnectEDU had collected during the 12 years of its operations. The letter stated that selling user data in these circumstances could violate the U.S. Bankruptcy Code and amount to an “unfair or deceptive act or practice” under the Federal Trade Commission Act (“FTCA”).
Companies that collect personal data from their users or customers should therefore be aware of the challenges of privacy protection that bankruptcy proceedings pose. If companies wind up in bankruptcy, they should ensure that they are able to abide by their representations regarding user privacy in case a potential sale of personal data is involved.