Privacy Policies & Bankruptcy

In bankruptcy, the personal data you collected from users can be considered an asset. That makes user data vulnerable to being transferred to the highest bidder and leaving users feeling exposed.

This article provides an overview on how to address the issue of bankruptcy in your Privacy Policy so your user data remains protected even if your company must liquidate assets to pay debts.

How Does Bankruptcy Affect Business Assets?

In the U.S., companies normally file a Chapter 7 or Chapter 11 bankruptcy. The differences between the filings determine how assets are handled, including digital assets like personal data.

A "Chapter 7" bankruptcy ceases company operations. Assets are liquidated to pay off debts with any remaining balances forgiven at the end of the procedure. Owners, operators and partners are then free to proceed with other opportunities without the burdens of the previous one affecting them.

In a "Chapter 11" bankruptcy filing, a company admits that it has trouble with debt and requires protection while it makes new payment arrangements. Debtor companies remain in operation during the Chapter 11 as mortgages, loan payments, and past-due vendor balances are renegotiated.

Since business operations continue under "Chapter 11", there is normally never a need to sell off assets unless that becomes part of an agreement with a creditor.

It is possible for users' personal data to be considered an asset in either "Chapter 7" or "Chapter 11".

In a Chapter 7 bankruptcy, the default action by attorneys and the court is to put the information up for sale so another party can profit from it. However, in a Chapter 11 bankruptcy, the data rarely goes up for sale since the company still uses it to stay in operation.

In either instance, the bankruptcy proceeding immediately affects data protection terms in the Privacy Policy agreement.

What Clauses Address Bankruptcy in a Privacy Policy?

There are two types of clauses in a Privacy Policy that affect how bankruptcy transfers personal data:

1. The "Business Transfer" clause - This clause in a Privacy Policy gives a company the right to transfer personal data due to sale, merger, acquisition or bankruptcy. This makes it possible to sell data as an asset.
2. The "Information Sharing Limitations" clause - This clause offers consumer protection and may prevent or limit a data transfer due to bankruptcy. This kind of clause helps your business by assuring consumer confidence in your data practices, but also keeps you compliant with Federal Trade Commission (FTC) expectations regarding user data.

These provisions may present separately in different sections or be combined into one.

Let's look more at what information these clauses should contain.

Business Transfer Clause

A "Business Transfer" clause describes what happens to personal data should your company become dissolved by merger, acquisition, sale or bankruptcy. It offers liability protection should you transfer data to the new entity upon these events.

Here's how a business transfer clause can be written in a way that makes it clear that the company could expand or become a new entity. It also mentions that the new entity must respect the current Privacy Policy, unless it secures user consent:

Here's another example of how this type of information can be presented in a Privacy Policy:

Other companies place the "Business Transfer" clause language under a clause addressing information sharing.

Here's an example of the information presented as part of a larger clause:

This example shows the use of a separate heading and similar provisions for the clause:

The provisions listed as examples so far do not specifically include bankruptcy. The clauses refer to "asset sales" but perhaps due to optimism or other reasons bankruptcy is not mentioned.

However, there are companies that include "bankruptcy" in their "Business Transfer" clauses.

This provision includes a bankruptcy mention:

And this clause mentions that bankruptcy, merger or dissolution may transfer information to a new party:

"Business Transfer" clauses are diverse. They allow the transfer of data and yet, a few also contain protective provisions to keep Privacy Policies and practices in force even after a merger, acquisition or even bankruptcy.

Information Sharing Limitations Clause

There is precedent that a well-written Privacy Policy can prevent the sale of sensitive personal data.

The controlling case on this subject is FTC v. Toysmart.com. This was a short-lived venture having started in January 1999 only to be forced into involuntary bankruptcy on June 9, 2000. The only valuable asset owned by the company was its consumers' data.

However, in its Privacy Policy agreement, Toysmart contained the following provision which prohibited sharing information with third parties:

Toysmart's main consumer base was children under age 13.

There was no provision for notifying parents of this information collection and the company faced violations of the Children's Online Privacy Protection Act (COPPA) among its other issues. In addition to following the original Privacy Policy, there was also the issue of handling this extremely sensitive data.

In the end, Toysmart settled the matter with the FTC by agreeing that only a "qualified buyer" who also sold children's products and services would acquire the data and use it appropriately under the original privacy terms.

Toysmart is an early case that since defined how the FTC approaches personal data as a bankruptcy asset. Since that time, the FTC also moved to protect consumer interests in the bankruptcy proceedings of Borders bookstores and the founder of XY Magazine.

XY Magazine was a publication targeted towards gay youth. Its founder, Peter Ian Cummings stopped publishing it in 2007 and shut down the website (and dating service) in 2009. He eventually filed for personal bankruptcy protection in 2010. The personal information of XY Magazine subscribers was listed as an asset on his bankruptcy petition.

There was immediately concern about the safety of those subscribers. Many of them were teenagers at the time they became involved with the magazine and some of them wished to keep their sexual orientation hidden.

The FTC sent its letter to the attorneys and creditors of the bankruptcy proceeding to express its concerns if the information became available as an asset. XY Magazine eventually relaunched and published its 50th issue in 2016.

It could be argued that Toysmart and XY Magazine involved minors which is why the FTC was aggressive in pursuing privacy protection.

However, the Borders matter involved information submitted by adults and children. Yet, the FTC pursued privacy protection because Borders promised it would not share information without securing user consent.

Mainly, the FTC seeks to protect personal information like names, addresses, email addresses, credit card numbers or other payment information, and even deeply personal data like sexual orientation, race, and gender identity from being turned over to the wrong people.

In all these cases, the FTC successfully enforced limitations based on original privacy terms and the vulnerability of those who submitted the data.

Best Practices for Privacy Policies in Case of Bankruptcy

You should never dismiss the possibility of a bankruptcy filing or other possibility of your entity dissolving. Selling and transferring user data may not seem to have much effect on you, but in reality, it bruises public trust.

There is also the possibility of facing FTC sanctions, especially if you violate a privacy law like COPPA in the United States.

That is why you want a "Business Transfer" clause in your Privacy Policy that allows flexibility in case of good or bad developments, but you should also include consumer protections.

Here are suggestions on how to go about this:

• Collect only what's necessary.Too much data can prove to be a burden in bankruptcy proceedings. Limit your data requests to only what you need to provide a product or service. This makes managing the data much easier.

• Mention bankruptcy in your "Business Transfer" clause.You may not see this as a possibility now, but you never know. Besides mentioning sales, mergers, and dissolution, also explicitly include bankruptcy.

  "Sales of assets" is likely too broad and it's always better to mention specifics, even if they seem unlikely.

• Limit disclosure of sensitive personal data. If you collect sensitive data, place a limit in your Privacy Policy that prohibits disclosure of sensitive information to third parties or at least limits it to "appropriate buyers" who are unlikely to misuse the information.
• Bind successors to Privacy Policy.There's a good record of the FTC forcing entities to follow the original Privacy Policy when they secure another party's sensitive data. In your "Business Transfer" or "Information Sharing" clauses, make this promise to your users so it can be enforced later.

With the FTC paying close attention to data transfers after bankruptcy, it's a good time to review your Privacy Policy and practices to see how it protects users and their data if this situation arises.

Summary

When drafting your Privacy Policy, make sure to include clauses that address what will happen if your business has the unfortunate outcome of having to file for bankruptcy.

Include information that makes it clear that in the case of a business transfer or similar situation, all the personal information will go with the sale. Also note that you limit sharing of data in general circumstances.

Make sure to follow general best practices when it comes to privacy, such as only collecting data you actually need. This will help make a bankruptcy more easily managed, since the data involved will be limited.