Hogan Lovells 2024 Election Impact and Congressional Outlook Report
Last month, bankrupt company RadioShack settled with a coalition of seventeen attorneys general to destroy most of the company’s customer data in its files. The agreement was part of a Bankruptcy Court-approved $26.2 million sale of RadioShack’s assets.
After filing for bankruptcy, RadioShack offered to sell data on 117 million customers. Attorneys General of Texas, Tennessee, Pennsylvania, and Oregon objected to RadioShack’s plans to sell the data, arguing that such a sale would violate the company’s privacy policies as well as state consumer protection statutes. More than thirty other state Attorneys General wrote letters supporting the effort.
RadioShack’s privacy policy provided:
"We will not sell or rent your personally identifiable information to anyone at any time."
We will not sell or rent your personally identifiable information to anyone at any time.
Jessica Rich, FTC Director of the Bureau of Consumer Protection, laid out a number of suggestions for the Bankruptcy Court Consumer Privacy Ombudsman based on the Commission’s settlement with Toysmart. The Toysmart case also involved the sale of consumer data in a bankruptcy proceeding. Specifically, Rich suggested that the Ombudsman consider requiring the buyer of the assets to expressly agree to be bound by RadioShack’s privacy policies, or, alternatively, requiring RadioShack to obtain affirmative consent from its customers before transferring the data.
Acting United States Trustee Andrew Vara also raised concerns that RadioShack had not provided enough detail on the proposed sale, hampering the consumer privacy ombudsman’s efforts.
AT&T and Apple likewise objected to the sale of their customer data in the possession of RadioShack. The companies argued that RadioShack was only given access to their customer data in order to provide the companies with specific services, but RadioShack did not own the data and could not sell it to third parties.
After a daylong mediation session in May, RadioShack struck a deal with the Attorneys General, ultimately agreeing to destroy the majority of its customer data, thereby reducing the number of data points per customer available for sale from 170 to 7. The data to be destroyed included credit and debit card information, Social Security numbers, telephone numbers, and dates of birth. RadioShack was permitted to sell email addresses of customers who had requested product information from RadioShack during the previous two years; even so, the parties agreed that consumers would have the right to opt out prior to the transfer of those emails to purchaser Standard General’s General Wireless business unit and that, once transferred, General Wireless would be prohibited from selling or sharing any of this information in the future with any third party, including its co-branded business partner, Sprint.
This recent instance of a bankrupt company being constrained in the sale of consumer data assets reflects the intense scrutiny sale of data assets in bankruptcy will receive, and the effect privacy policies will have on the disposition of data assets post-bankruptcy.
Laurie Lai, a summer associate in our Washington, D.C. office, contributed to this post.
Authored by the HL Chronicle of Data Protection Team