Famous last words. How many times has a company told you they would never sell your personal information, in order to get you to sign up, give them your name, your email, your phone number? It sounds great. Hey, I can trust those guys, they will protect my information. And the company is probably sincere when it says that to you.
The problem is that we live in the age of Big Data. For many companies, the most valuable asset they own is their database about their customers. Would Facebook have any value at all without all that information about you and your Facebook friends? Promises not to share or sell customer information can come back to bite your company in the ass. Don’t take my word for it. Just ask Radio Shack.
Radio Shack recently filed for bankruptcy, closing hundreds of stores nationwide. When it filed its bankruptcy petition, Radio Shack stated that it intended to sell customer records, along with other assets, to raise money to pay off its creditors. The Texas Attorney General filed an objection, and then a bunch of other state attorneys general and the Federal Trade Commission filed similar objections. They claimed that selling customer data would violate Radio Shack’s privacy policy, which contained a provision that consumers’ personally identifiable information would not be sold. To sell customer data, therefore, would violate the Texas Deceptive Trade Practices Act (and many similar state and federal laws), which prohibits false or deceptive practices in the conduct of trade or commerce.
The result of all this was that Radio Shack had to enter into an agreement with a number of parties, substantially limiting its ability to sell 117 million customer records. That’s 117,000,000 customer records. Instead of being able to sell the entire set of data, which would include credit and debit card information, transaction history, phone numbers, mailing addresses, and email addresses, Radio Shack has to destroy most of the data and can sell only a subset of the email addresses. And that subset of email addresses is also subject to various restrictions. Consequently, the data asset is of far less value to Radio Shack than originally anticipated.
This problem doesn’t just arise in bankruptcy cases. It could happen with a merger or acquisition, where a company’s database of customer information is an asset being transferred to a new owner. A poorly thought-out promise in the company’s privacy policy could substantially reduce the sale price, or even kill the sale outright.
The bottom line is, don’t make promises you may not want to keep. When creating a privacy policy, it’s important to preserve some room to include customer data as an asset being transferred in connection with the sale or change of ownership of the business. Failing to do so could substantially lower the value of your business, as well as open you up to lawsuits.