Last month, we wrote about a New Jersey case in which the former publisher of a magazine and dating website for gay youth had declared bankruptcy. He and his former business partners were fighting over ownership of various business assets of XY Magazine and XY.com, including extensive personal information about more than a million customers. XY's privacy policies, however, had promised customers that their personal information would never be given to anybody.

The Federal Trade Commission warned (pdf) that any transfer or further use of the data would not only violate the privacy promises that XY had made to consumers, but would also likely be unlawful under the Federal Trade Commission Act, which prohibits unfair and deceptive acts and practices. The Commission suggested that the data be destroyed, which we agreed would be the best course of action.

We're happy to report that this potential privacy fiasco has ended well for XY's customers. The parties reached an agreement (pdf) under which the publisher is required to destroy all personally identifiable information about XY's customers. He may keep a limited amount of data for a short time to authenticate the identities of customers who have ordered back issues of the magazine, but he may not use that information to contact or locate any customers.

While this is a good outcome, the case highlights a problem that we're likely to see again and again. Companies provide services that rely on personal information supplied by consumers. Some of those companies will be sold or go out of business. The information that they've collected from their customers is a valuable asset, and its possible sale to the highest bidder will implicate the privacy of millions of people.

XY's customers were fortunate that the parties reached an agreement to destroy their personal data, but the Bankruptcy Code itself doesn't handle this scenario very well. Companies that possess customers' personal information are likely -- through their own privacy policies -- to give themselves permission to sell that information if they go out of business or have a change in ownership. And in the rare case where a company promises its customers that their personal information will never be disclosed to anyone, a bankruptcy court can still allow the data to be leased or sold if that transfer wouldn't otherwise violate the law.

Ultimately, Congress should update the Bankruptcy Code to better protect consumers whose personal information is treated as an asset in a bankruptcy proceeding. Bankruptcy courts should enforce privacy commitments that companies have made to their customers. And where a privacy policy permits transfer of customer information, those who buy the data should be required to obtain consumer consent to the transfer, and should not be allowed to use it for purposes different from those for which it was originally collected.

Related Issues