Privacy Policies and the Value of Data in Bankruptcy Sales
The last few years have seen unprecedented changes in the legal landscape concerning data protection and privacy. The European Union General Data Protection Regulation (GDPR) became enforceable in May 2018. In July 2018, the California Consumer Privacy Act (CCPA) was enacted, and it became effective January 1, 2020.
Data in Bankruptcy Proceedings
For most large companies, the list of applicable non-bankruptcy laws includes the GDPR and the CCPA. Beginning in May 2018, the GDPR imposed a number of new requirements on U.S. companies processing the data of EU citizens. For example, the GDPR now requires that companies’ privacy policies provide customers with information regarding the recipients of personal data, the fact that a company intends to transfer such data, the right to withdraw consent to the processing of such data, and more. Similarly, since the CCPA came into effect on January 1, 2020, privacy policies must, among other requirements, include a description of customers’ rights under the new privacy law and information about the business purposes for which customers’ data are being collected.
To address these objections, regulators and other stakeholders in the RadioShack case negotiated a settlement. That settlement allowed the sale of RadioShack’s customers’ data to proceed, albeit pursuant to several restrictions. The restrictions included strict parameters on the type (e.g., no telephone numbers) and scope (e.g., only email addresses active in the past two years) of customers’ data to be sold. Because the settlement reduced the data points available for purchasers’ business purposes (e.g., marketing to consumers via email or the telephone), it stripped the data of significant value.