MediaTech Law

By MIRSKY & COMPANY, PLLC

PII at the Center of RadioShack Bankruptcy Auction and Mediation

A recent New York Times article highlights the disconnect between a company’s privacy policy and the disclosure of user data when the company is sold. According to the Times, while a company, like Hulu, declares that it “respects your privacy”, should the company go up for sale, user names, birth dates, email addresses and unique subscriber information can be made available to the highest bidder. Often it is this very information that can be of most value to a struggling or defunct company. This very issue played out recently with the bankruptcy of RadioShack, the electronics retail store founded in 1921, and the recent sale of its brand.

The now-bankrupt RadioShack reached a mediated agreement with U.S. states on May 14th over the sale of customer data, which barred the transfer of personal customer information; limited the number of emails to be included in the sale; and provided opt-out mechanisms to customers prior to transfer.

New York-based Standard General purchased 1,750 RadioShack stores, along with the trademark and intellectual property, out of bankruptcy. The sale included personal customer information provided by customers to RadioShack over many years, including email addresses, postal addresses and phone numbers. According to coverage by the Los Angeles Times, RadioShack had provided statements on its website and in its stores claiming “We will not sell or rent your personally identifiable information to anyone at any time”; and “At RadioShack, we respect your privacy. … We pride ourselves on not selling our private mailing list.”

At issue was the sale and sharing of the customer data, which several state attorneys general claimed did not adhere to the previously stated corporate privacy policies. Thirty-eight U.S. states objected to the sale of personally identifiable information (PII) by the bankrupt company, citing concerns over customer privacy. At issue were 170 fields of data, including credit card data, Social Security numbers, dates of birth, phone numbers and email addresses for 117 million customers.

The terms of the mediation agreement prevented Standard General from receiving RadioShack’s complete set of user data without honoring the use limitations RadioShack had previously promised. The mediation terms will result in Standard General receiving names and addresses for 67 million customers. The company will also receive email addresses of customers who specifically requested product information in the last two years, though it must provide consumers with notice and obtain their affirmative consent before the information transfer is complete. All other customer data is to be destroyed.

Some privacy advocates have touted the mediation agreement as a success for consumer privacy. Through its purchase of a bankrupt RadioShack, Standard General did not receive wholesale the full data of 117M customers that was amassed over decades. Instead it received a smaller subset of data for 67M RadioShack customers. While an improvement, the outcome serves as a stark reminder: when an individual provides a company with personal data, regardless of the policies in place at the time, that data may be transferred or sold at a later date, and there is no guarantee that the privacy commitments made at collection will transfer to whoever holds the information in the future. Ultimately, information amassed over years can potentially be sold to the highest bidder and put to uses never agreed to by the customer.
