Former civil litigation attorney. Content legal strategist at TermsFeed.
On this page
In bankruptcy, the personal data you collected from users can be considered an asset. That makes user data vulnerable to being transferred to the highest bidder and leaving users feeling exposed.
At Step 1, select the Website option or App option or both.
Answer some questions about your website or app.
Answer some questions about your business.
Bankruptcy and business assets
In the US, companies normally file a Chapter 7 or Chapter 11 bankruptcy. The differences between the filings determine how assets are handled, including digital assets like user data.
A "Chapter 7" bankruptcy ceases company operations. Assets are liquidated to pay off debts with any remaining balances forgiven at the end of the procedure. Owners, operators and partners are then free to proceed with other opportunities without the burdens of the previous one affecting them.
In a "Chapter 11" bankruptcy filing, a company admits that it has trouble with debt and requires protection while it makes new payment arrangements. Debtor companies remain in operation during the Chapter 11 as mortgages, loan payments, and past-due vendor balances are renegotiated.
Since business operations continue under "Chapter 11", there is normally never a need to sell off assets unless that becomes part of an agreement with a creditor.
It is possible for users' personal data to be considered an asset in either "Chapter 7" or "Chapter 11".
In a Chapter 7 bankruptcy, the default action by attorneys and the court is to put the information up for sale so another party can profit from it. However, in a Chapter 11 bankruptcy, the data rarely goes up for sale since the company still uses it to stay in operation.
- The "Information Sharing Limitations" clauseThis clause offers consumer protection and may prevent or limit a data transfer due to bankruptcy. This kind of clause helps your business by assuring consumer confidence in your data practices, but also keeps you compliant with Federal Trade Commission (FTC) expectations regarding user data.
These provisions may present separately in different sections or be combined into one.
Business Transfer clause
The "Business Transfer" clause describes what happens to personal data should your company become dissolved by merger, acquisition, sale or bankruptcy. It offers liability protection should you transfer data to the new entity upon these events.
Other companies place the "Business Transfer" clause language under its provisions regarding information sharing.
500px does not bold the "Business Transfer" heading under that bullet point but it still makes the provision easy to find:
The provisions listed as examples so far do not specifically include bankruptcy. The clauses refer to "asset sales" but perhaps due to optimism or other reasons bankruptcy is not mentioned.
However, there are companies that include "bankruptcy" in their "Business Transfer" clauses.
One example is kik, a mobile app provider. It maintains its "Business Transfer" clause under "Information we share" and gives it a subheading of "Merger, financing, and sale."
This provision includes a bankruptcy mention:
Pinterest is a large successful network with a low chance of becoming bankrupt. However, it mentions that bankruptcy, merger or dissolution may transfer information to a new party.
"Business Transfer" clauses are diverse. They allow the transfer of data and yet, a few also contain protective provisions to keep Privacy Policies and practices in force even after a merger, acquisition or even bankruptcy.
Information Sharing Limitations clause
The controlling case on this subject is FTC v. Toysmart.com. This was a short-lived venture having started in January 1999 only to be forced into involuntary bankruptcy on June 9, 2000. The only valuable asset owned by the company was its consumers' data.
Toysmart's main consumer base was children under age 13.
In the end, Toysmart settled the matter with the FTC by agreeing that only a "qualified buyer" who also sold children's products and services would acquire the data and use it appropriately under the original privacy terms.
Toysmart is an early case that since defined how the FTC approaches personal data as a bankruptcy asset. Since that time, the FTC also moved to protect consumer interests in the bankruptcy proceedings of Borders bookstores and the founder of XY Magazine.
XY Magazine was a publication targeted towards gay youth. Its founder, Peter Ian Cummings stopped publishing it in 2007 and shut down the website (and dating service) in 2009. He eventually filed for personal bankruptcy protection in 2010. The personal information of XY Magazine subscribers was listed as an asset on his bankruptcy petition.
There was immediately concern about the safety of those subscribers. Many of them were teenagers at the time they became involved with the magazine and some of them wished to keep their sexual orientation hidden.
The FTC sent its letter to the attorneys and creditors of the bankruptcy proceeding to express its concerns if the information became available as an asset. XY Magazine eventually relaunched and published its 50th issue in 2016.
It could be argued that Toysmart and XY Magazine involved minors which is why the FTC was aggressive in pursuing privacy protection.
However, the Borders Bookstore matter involved information submitted by adults and children. Yet, the FTC pursued privacy protection because Borders promised it would not share information without securing user consent.
Mainly, the FTC seeks to protect personal information like names, addresses, email addresses, credit card numbers or other payment information, and even deeply personal data like sexual orientation, race, and gender identity from being turned over to the wrong people.
In all these cases, the FTC successfully enforced limitations based on original privacy terms and the vulnerability of those who submitted the data.
Best practices for Privacy Policies in case of bankruptcy
You should never dismiss the possibility of a bankruptcy filing or other possibility of your entity dissolving. Selling and transferring user data may not seem to have much effect on you, but in reality, it bruises public trust.
There is also the possibility of facing FTC sanctions, especially if you violate a privacy law like COPPA in the US.
Here are suggestions on how to go about this:
- Collect only what's necessary.Too much data can prove to be a burden in bankruptcy proceedings. Limit your data requests to only what you need to provide a product or service. This makes managing the data much easier.
Mention bankruptcy in your "Business Transfer" clause.You may not see this as a possibility now, but you never know. Besides mentioning sales, mergers, and dissolution, also explicitly include bankruptcy.
"Sales of assets" is likely too broad and it's always better to mention specifics, even if they seem unlikely.