15 million reasons to have a website privacy notice

Companies must be transparent in how customer data assets can be collected, received and used

Share on FacebookShare on Google+Tweet about this on TwitterShare on LinkedInEmail this to someonePrint this page

A company’s cus­tomer infor­ma­tion is an asset, although it’s prob­a­bly not a line item on its bal­ance sheet. It may be sold dur­ing the sale of the busi­ness, dur­ing a merg­er, or in a bank­rupt­cy pro­ceed­ing. How­ev­er, its sale may be lim­it­ed by the company’s web­site pri­va­cy notice.

Ed note_IDT911_Lisa Berry-TaymanA web­site pri­va­cy notice announces to the world how your orga­ni­za­tion will col­lect, receive and use infor­ma­tion pro­vid­ed by cus­tomers. It also may pub­li­cize your organization’s inten­tion, present or future, to sell that cus­tomer infor­ma­tion. And this ver­biage with­in the web­site pri­va­cy notice can direct­ly affect the sale of the infor­ma­tion or the terms in which it can be sold.

Relat­ed video: How to prof­itably restore online privacy

For exam­ple, Sports Author­i­ty filed Chap­ter 11 bank­rupt­cy in March and sought to sell off assets to pay cred­i­tors. One of the assets offered for sale was cus­tomer information—114 mil­lion cus­tomer records and 25 mil­lion email address­es. This infor­ma­tion was auc­tioned as a stand­alone asset apart from the retail assets. The high­est bid for this infor­ma­tion was $15 million.

On the oth­er hand, RadioShack filed Chap­ter 11 bank­rupt­cy in Feb­ru­ary 2015 and want­ed to sell off assets to pay cred­i­tors. One of the assets for sale was 67 mil­lion cus­tomer records. How­ev­er, in this case, the Fed­er­al Trade Com­mis­sion and 40 states objected.

Sev­er­al cor­po­ra­tions also object­ed, claim­ing that RadioShack had cus­tomer infor­ma­tion belong­ing to the cor­po­ra­tions as a result of resale of prod­ucts, such as cel­lu­lar phones and plans. To pro­tect con­sumers’ pri­va­cy, the bank­rupt­cy appoint­ed a con­sumer pri­va­cy ombuds­man to pro­vide rec­om­men­da­tions and con­di­tions for the sale of per­son­al information.

The par­ties reached a com­pro­mise for the sale of cus­tomer data that great­ly reduced the sal­able assets, as well as added lim­i­ta­tions to the sale. The pur­chas­er could buy email address­es that were active with­in two years of the bank­rupt­cy fil­ing. Only sev­en out of the 170 data points could be sold. Cus­tomers had to be noti­fied of the sale of their data and giv­en the abil­i­ty to opt their data out of the sale.

The pur­chas­er also was bound by the RadioShack web­site pri­va­cy notice going for­ward. The lim­i­ta­tions as set in this com­pro­mise result­ed in most of the valu­able cus­tomer data being destroyed and not sold. All of RadioShack’s assets were sold for $26.2 mil­lion. Because the data was not a stand­alone asset, it was not giv­en a sep­a­rate val­u­a­tion by RadioShack and its purchaser.

The dif­fer­ence in these two seem­ing­ly anal­o­gous sales: the web­site pri­va­cy notice.

RadioShack’s web­site pri­va­cy notice read: “We will not sell or rent your per­son­al­ly iden­ti­fi­able infor­ma­tion to any­one at any time.” In con­trast, Sports Authority’s web­site pri­va­cy notice read: “We may trans­fer your per­son­al infor­ma­tion in the event of a cor­po­rate sale, merg­er, acqui­si­tion, dis­so­lu­tion or sim­i­lar event.”

Cus­tomer infor­ma­tion is a com­pa­ny asset. Unlike oth­er assets, your orga­ni­za­tion must make it known, in clear and con­spic­u­ous lan­guage with­in your web­site pri­va­cy notice, that cus­tomer infor­ma­tion col­lect­ed or received by your busi­ness may be sold.

More sto­ries relat­ed to con­sumer data privacy:
Com­pa­nies need not for­feit prof­it while respect­ing privacy
Spo­ti­fy rewrites pri­va­cy pol­i­cy after blowback
NAIC sets mod­el stan­dard for con­sumer rights, cybersecurity