Handling Customer Data in Bankruptcy Mergers and Acquisitions Coping with the Consumer Privacy Ombudsman Provisions of BAPCPA

Handling Customer Data in Bankruptcy Mergers and Acquisitions Coping with the Consumer Privacy Ombudsman Provisions of BAPCPA

Journal Issue: 
Column Name: 
Journal Article: 
Imagine that your client is purchasing a local air carrier from a bankrupt airline operator. It's a perfect fit. The debtor needs quick cash, and acquiring the local carrier, which operated mostly in the Southeast, will allow your client to quickly add a large number of additional routes to Florida in time for the winter vacation season. The fit is so good and the sale process has gone so quickly that no competitors have emerged. You walk into the sale hearing prepared to figuratively scoop up a bargain for your client.

The sale hearing goes smoothly. The debtor, creditors' committee and bondholders all support the sale. The judge seems pleased. She just has one last question. It's a minor one about how the debtor's customers purchased their airline tickets. "The customers that purchased their tickets online—was there a privacy policy?"

After Oct. 17, 2005,2 that question just might stop your sale in its tracks. BAPCPA includes changes to 11 U.S.C. §363(b) that will, in some circumstances, limit a debtor's ability to sell or lease consumer information. In short, when a debtor with a privacy policy has collected personal information about consumers, the debtor can only sell or lease the information in compliance with applicable nonbankruptcy law and if either (a) the sale is consistent with the privacy policy terms or (b) the court approves the sale after the appointment of a consumer privacy ombudsman.3

The History Behind the Consumer Privacy Ombudsman

The Consumer Privacy Ombudsman provisions found their genesis in The Leahy-Hatch Amendment to Senate Bill 420, the Bankruptcy Reform Act of 2001. That amendment was inspired by the Toysmart and Living.com cases and how they addressed bankruptcy sales of consumer information collected pursuant to a privacy policy.

At the beginning of the Internet boom, companies moving online had to cope with consumer distrust of the Internet. In particular, consumers, as well as groups dedicated to protecting consumer rights, were concerned about how businesses would use the information consumers provided online. To address these concerns, online businesses adopted self-regulation and voluntary disclosure of how they would use collected data: "privacy policies." A privacy policy discloses an online business's data-collection and use practices.4 Online privacy policies became ubiquitous, both in regulated industries and in other contexts where their use was voluntary. These privacy policies were, if not legally enforceable contracts, at least representations to consumers about how their information would be used.

In re Toysmart.com LLC5 was the first bankruptcy case to illustrate the potential danger of a debtor ignoring a privacy policy. The case involved an actual sale of customer data. Toysmart operated an online toy store that ran into financial trouble and ceased operations in May 2000. Toysmart had in 1999 adopted a privacy policy, which stated that Toysmart would not share its customers' data with third parties. After its creditors filed an involuntary chapter 11 case against it, Toysmart filed a motion to conduct a public auction of several assets, including its customer data. On learning about the proposed sale of personal information, the Federal Trade Commission (FTC) sued Toysmart in federal district court, alleging that the sale of data was an unfair or deceptive business practice violating the FTC Act, and requesting that the court enjoin the sale.6 The FTC also asserted that some of the customer data was collected from children in violation of COPPA.7 The FTC's action forced the company to limit its sale options in order to settle the complaint. The company agreed to sell the information only to a family-oriented buyer that agreed to abide by Toysmart's privacy policy, and the company filed a motion seeking bankruptcy court approval of the settlement.

That settlement did not resolve the problem. Several state attorney generals objected to the proposed auction. Their objection asserted that the sale, even if conducted subject to the conditions of the FTC settlement, constituted an unfair or deceptive business practice in violation of the states' consumer protection statutes. Faced with only one bid, by Disney Corp., and active opposition from the state attorney generals, the debtor withdrew the customer data from the auction.8

In Living.com Inc., an online furniture retailer filed a chapter 11 case in 2000.9 Living.com had a privacy policy that stated "living.com does not sell, trade or rent your personal information to others without your consent." The Texas attorney general raised concerns over the company's treatment of customer data and, even though no sale of the data was pending, threatened legal action to protect consumers from any possible violation of their rights. Rather than litigate, Living.com entered into a settlement agreement with the Texas attorney general.

The Toysmart and Living.com cases illustrate the problems raised by the sale of customer data in a bankruptcy case. To address these issues, the Leahy-Hatch Amendment was added to the Senate version of The Bankruptcy Reform Act of 2001. Its provisions, with some changes, remained as §§231 and 232 of the Bankruptcy Abuse Prevention and Consumer Protection Act (BAPCPA).

The Privacy Ombudsman Provisions of BAPCPA

BAPCPA makes three changes to the Bankruptcy Code that together create a new process for selling or leasing customer information using 11 U.S.C. §363. First, a new §101(41A) defines the term "personally identifiable information." Second, amendments to §363 limit the debtor's ability to sell or lease personally identifiable information. Third, a new §332 controls appointment of consumer privacy ombudsmen and defines their role in the sale process.

Although the Ombudsman provisions' definition of "personally identifiable information" is quite lengthy, the concept is simple enough. Basically, personally identifiable information is information obtained from a purchaser of consumer goods or services that is specific to that individual and would, by itself, allow identification of the individual.

The definition embodies two concepts —first, that the information must have been provided to the debtor in the context of the sale of consumer goods or services by the debtor, and second, that the information is personally identifiable. The first concept has importance because of what it excludes as much as because of what it includes. The information must be provided "in connection with obtaining a product or a service." In short, the information must be provided in connection with a transaction of some sort. The definition appears to exclude, by omission, information collected solely for marketing or advertising purposes.

The information must be provided to and the product or service obtained from "the debtor." This qualification would appear to exclude from the rule personal information collected when a party other than the debtor provides the goods or services. For example, suppose an insurance company obtained personal information from a bank about the bank's customers. The Ombudsman provisions would appear to restrict the bank's ability to sell or lease the information, but not the insurance company's.

Finally, the product or service must be obtained "primarily for personal, family or household purposes." In other words, the transaction must be a consumer transaction. The Ombudsman provisions will not affect the transfer of information about business customers.

The types of information that qualify as personally identifiable fall into two categories. The first category includes specific types of information that would allow actual identification or contacting of an individual, including the individual's first name (or initials) and last name, physical home address, e-mail address, home telephone number, Social Security number and credit card account number.

The second category includes less-specific types of information, such as birth date, birth certificate number, place of birth or any other information concerning the individual that, if disclosed, will result in the physical or electronic contacting or identification of the individual. Information in the second category, however, will only count as personally identifiable information when associated with one or more items of information in the first group.

The second Ombudsman provision amends §363(b) to restrict the debtor's ability to sell or lease the personally identifiable information outside of the ordinary course of business:

(b)(1) The trustee, after notice and a hearing, may use, sell or lease, other than in the ordinary course of business, property of the estate, except that if the debtor in connection with offering a product or a service discloses to an individual a policy prohibiting the transfer of personally identifiable information about individuals to persons that are not affiliated with the debtor and if such policy is in effect on the date of the commencement of the case, then the trustee may not sell or lease personally identifiable information to any person unless—
(A) such sale or such lease is consistent with such policy; or
(B) after appointment of a consumer privacy ombudsman in accordance with §332, and after notice and a hearing, the court approves such sale or such lease—
(i) giving due consideration to the facts, circumstances, and conditions of such sale or such lease; and
(ii) finding that no showing was made that such sale or such lease would violate applicable nonbankruptcy law.

This change only affects sales and leases outside of the ordinary course of business. Transactions inside of the ordinary course of business are authorized by 11 U.S.C. §363(a), which remains unchanged. Thus, a company that ordinarily leases customer lists can continue to do so, subject only to any applicable nonbankruptcy limitations on its data usage.

The Ombudsman provisions don't affect all sales of personally identifiable information; three pre-conditions must be in place. First, the debtor must have disclosed a privacy policy to the individual in connection with offering the good or service. Second, the privacy policy must prohibit the transfer of the personally identifiable information to non-affiliate parties. Third, the privacy policy must be in effect on the date of the commencement of the bankruptcy case.

[A] pre-bankruptcy change designed to strip promised rights from consumers...might be an unfair or deceptive business practice in violation of the FTC Act.

The first pre-condition may greatly limit the scope of information affected by the Ombudsman provisions. It requires that the privacy policy be disclosed in connection with offering the goods or services. In most industries, the business only discloses the privacy policy in connection with transactions conducted over the Internet. Even then, the debtor may not be the entity disclosing the privacy policy.10

The second pre-condition requires that the privacy policy actually prohibit the transfer of information to parties not affiliated with the debtor. Thus, information is not, by default, nontransferable. Either the privacy policy must contain some explicit promise not to sell the personally identifiable information, or applicable nonbankruptcy law must prohibit a transfer of information based on a lack of disclosure in the privacy policy. Many privacy policies do not contain such limitations. Common clauses used in privacy policies will, in fact, allow the transfer of customer information in a merger or a bankruptcy sale.

The third pre-condition is that the privacy policy be in effect on the date the bankruptcy petition is filed. This pre-condition prevents a sale from being held up by the provisions of a privacy policy that was abrogated pre-petition. It also allows the debtor to limit the number of privacy policies that need to be examined in connection with a proposed sale. On the other hand, it prevents a business from changing its privacy policy post-petition in order to limit application of the Ombudsman provisions.

The third pre-condition might allow a company to change its privacy policy immediately before it files its bankruptcy petition to resolve a potential problem. Many privacy policies contain "bankruptcy exceptions"—language that allows the company to sell its data freely in the event of a bankruptcy filing. Almost all privacy policies also have language allowing the company to revise the policy at will, and without providing any notice other than by posting the new policy on its web site. Thus, some leeway may exist for a company contemplating a bankruptcy filing to "fix" its privacy policy pre-petition. On the other hand, a pre-bankruptcy change designed to strip promised rights from consumers in contemplation of a bankruptcy filing might be an unfair or deceptive business practice in violation of the FTC Act.11

When all three of these pre-conditions apply, the estate representative can only sell or lease the personally identifiable information in two circumstances: first, when the sale or lease is consistent with the privacy policy, or second, when the court allows the sale after appointment of an ombudsman.12

When the three pre-conditions are met and the proponent is not relying on the "consistent test," the court must order an ombudsman appointed and, after receiving the ombudsman's report, review the sale "giving due consideration to the facts, circumstances and conditions of such sale or such lease." The court must give the ombudsman at least five days to prepare his or her report.

The Ombudsman provisions do not define what is meant by "the facts, circumstances and conditions" of the sale. However, it must mean more than just whether or not the sale complies with the privacy policy and applicable law. As pointed out earlier, an ombudsman is not required when the sale is consistent with the privacy policy. This implies that the court has authority to approve a sale inconsistent with the terms of the privacy policy. On the other hand, even if the court, after considering the "facts, circumstances and conditions," wants to approve the sale, it cannot approve it if a "showing was made that such sale or such lease would violate applicable nonbankruptcy law."

In fact, a significant number of statutes, such as COPPA,13 the Gramm-Leach-Bliley Act of 1999 (GLB),14 the Health Insurance Portability and Accountability Act of 1996 (HIPAA)15 and the European Union Privacy Directive of 1995,16 restrict transfers of personally identifiable information. In addition to these statutes specifically addressing the use of customer data, a sale must also comply with §5(a) of the FTC Act, which prohibits "unfair or deceptive acts or practices in or affecting commerce."17

The ombudsman's role in the sale process is far from clear given the statute's language. The fact patterns requiring the ombudsman's involvement seem to fall in between those where the sale is consistent with the privacy policy and those where the sale is illegal. However, ombudsmen will likely be appointed in a broader range of situations and can lend value outside the narrow scope defined by the statute. The consumer privacy ombudsman's report may help the court understand why a particular sale is consistent with the privacy policy—or violates applicable nonbankruptcy law. The ombudsman might also assist the court in evaluating claims that a particular sale is "unfair or deceptive." A consumer privacy ombudsman should help the court understand the effect of the sale on customers and help the parties restructure the sale if necessary so it is fair to customers. In most cases, the debtor can conduct a sale in a manner that maximizes sale proceeds and respects, or even benefits, customers.

A new §332 describes the process for appointing the consumer privacy ombudsman and defines his or her role in the sale process.

When 11 U.S.C. §363(b) requires a consumer privacy ombudsman, the court shall order the appointment. The U.S. Trustee makes the actual appointment. The ombudsman must be a disinterested person other than the U.S. Trustee. Hypothetically, the ombudsman could be an FTC commissioner or state attorney general, although it remains to be seen whether they could satisfy the disinterested requirement.18 The ombudsman will have a right to appear and be heard at the sale hearing,19 shall maintain as confidential any "personally identifiable information" he receives20 and shall be compensated in the same manner as an examiner.21 The statute is not clear as to whether the ombudsman can employ his own professionals.22

The ombudsman's role is not explicitly to represent consumers, but to provide the court information to assist the court in deciding whether to allow a nonconforming sale or lease of "personally identifiable information." The statute does not dictate what information the ombudsman must provide the court, but suggests that the information might include a presentation of the applicable privacy policy, potential losses or gains of privacy to consumers if the sale or lease is approved, potential costs or benefits to consumers of the sale or lease, and potential alternatives to the sale that would mitigate potential privacy losses or potential costs to consumers.23 In short, the ombudsman appears to be more of an expert commentator than a consumer advocate, but the act implies that the ombudsman's role is to ensure consumer protection.

How the ombudsman will accomplish this task is another question. The ombudsman's job will require completion of three steps: collecting data, analyzing the relevant legal and business issues and submitting a report to the court. In addition, the ombudsman's role contemplates that he or she communicate with the sale proponents prior to the sale hearing to attempt to resolve any problems. Such communication will allow the ombudsman to facilitate an asset sale that respects the rights of consumers instead of simply acting as an impediment to a sale.

Information gathering may prove the most difficult part of the ombudsman's job, especially if the ombudsman only has five days before the hearing. In addition to information about the debtor's privacy policy, the ombudsman will have to understand the nature of the personally identifiable information involved with the sale, the role that information plays in the debtor's current business, the role the information plays in the sale and the intended and possible uses the buyer has for the information. The ombudsman will have to know, in advance, what information he needs to do his job, where to find that information within a business entity and how to communicate his needs to the debtor and buyer.

Information in hand, the ombudsman will have to understand the impact the proposed sale will have on consumers. The ombudsman will have to understand data privacy principles and the various laws and rules that govern business use and transfer of customer information. However, the ombudsman's skills must extend beyond just understanding and appreciating the role safeguarding personal information plays in consumer protection. The ombudsman must also understand and appreciate how businesses use personal information and the various ways in which transferability, especially in the bankruptcy context, can actually benefit consumers. Finally, the ombudsman must understand the bankruptcy sale process.

Coping with the Consumer Privacy Ombudsman Provisions

The hypothetical outlined at the beginning of this article is not that far-fetched. For example, US Airways, currently a chapter 11 debtor, has a privacy policy that states, "US Airways will not sell, trade or rent personally identifiable information to others, except as outlined in the Dividend Miles and US Airways Golf programs." The privacy policy does not have a merger provision. US Airways does collect personally identifiable information when it sells tickets. It collects, at a minimum, the passenger's name. It would, in any sale of operating assets, want to transfer that information to the buyer. In fact, the buyer would need some of the information in order to honor previously sold tickets. The buyer would require other information to provide existing customers adequate customer service. Under BAPCPA, a §363 sale of US Airways's operating assets would require appointment of a consumer privacy ombudsman—and a resulting inability to transfer the customer information might kill the sale.

Given the new statute governing bankruptcy sales of customer data, counsel will have to examine more closely the role customer data will play in each bankruptcy case. The first issue will always be the existence and terms of a privacy policy. Did a privacy policy exist? What promises or statements were made in the privacy policy? Did the policy state that data would never be shared, or did it give the customer notice that the information might someday be transferred?

In addition to reviewing the potential impact of the privacy policy, the company should assess whether customer data was legally collected and held before attempting to sell it. Data collected or used in violation of COPPA, GLB or any of the other applicable statutes cannot be sold even in a bankruptcy case, and because of the consumer privacy ombudsman provisions, the risk of a problem arising during a §363 sale is now increased.

Debtors should recognize that the Consumer Privacy Ombudsman provisions present a potential "wild card" when selling a business that serves consumers. Without advance planning, the ombudsman may be appointed mere days before the court rules
on whether to allow the sale under §363(b)(1)(B). Keep in mind that the statute only requires five days advance notice to the consumer privacy ombudsman. Assuming it takes a day or two for the appointment to actually occur, the ombudsman needs at least one day to prepare his report, and the report needs to be filed the day before the hearing; the ombudsman really only has a day or two to obtain the information he needs and digest it. The result is obvious and inevitable: reports prepared by rote and conclusions that simply do not reflect the true relationships between the business, the sale and the customers. This produces an obvious risk to the sale.

One solution is to structure the sale so the ombudsman is not appointed immediately before the sale hearing. Assuming the parties ask the court to approve a sales procedures order, the order should address the issue of the consumer privacy ombudsman. Where possible, the parties will probably ask the court to hold that a consumer privacy ombudsman is not necessary, either by finding that no privacy policy applies or that the proposed sale structure is consistent with the privacy policy. The sale procedures order should also include a finding that the sale does not violate any applicable non-bankruptcy law. In the event the court declines to enter this order, a consumer privacy ombudsman appointment should be sought at the time of the sales procedures hearing. In addition, the §363(b)(1)(B) hearing should not be left to the day of the actual sale hearing. Instead, the §363(b)(1)(B) hearing should be a few days before the sale hearing in case the ombudsman process requires changes to the actual sale agreement.

In cases where a consumer privacy ombudsman is clearly needed, the debtor should consider requesting early appointment of an ombudsman. The ombudsman can work with the debtor to structure appropriate sale guidelines so the debtor can offer the customer data on terms it knows the ombudsman will support. The debtor does not want to propose a sale and then find out after the fact that the ombudsman's recommendations to the court don't support the sale. The ombudsman can also work with the estate to structure potential sales that will work notwithstanding last-minute changes in deal structures.

In the end, all that's required to cope with the Consumer Privacy Ombudsman provisions is proper planning and an appreciation for customer rights. The Consumer Privacy Ombudsman provisions will help address the issues raised in the Toysmart and Living.com cases by providing a workable framework that lets the courts balance the rights of creditors and customers. Thus, while selling customer data will require greater attention in future cases, practitioners should be able to avoid the kind of controversy that erupted in the Toysmart case.


1 Former chair of the ABA's E-Commerce and Insolvency Subcommittee and the Boston Bar Association's Computer and Internet Law Committee, Mr. Agin is the author of Bankruptcy and Secured Lending in Cyberspace, 3rd Ed. (West Group, 2005). Return to article

2 The effective date for most provisions of The Bankruptcy Abuse Prevention and Consumer Protection Act of 2005, hereafter referred to as "BAPCPA." Return to article

3 11 U.S.C. §§332, 363(b) (2005). Return to article

4 Agin, Warren E., Bankruptcy and Secured Lending in Cyberspace, 3rd Ed., §8:4 (West Group, 2005); Nimmer, Raymond P., Information Law, §8.79 (West Group, 2005). Return to article

5 In re Toysmart.com LLC, Case no. 00-13995-CJK, in the U.S. Bankruptcy Court for the District of Massachusetts. Return to article

6 FTC v. Toysmart.com LLC, civil case no. 00-11341-RGS (D. Mass., filed 7/10/00). Return to article

7 The Children's Online Privacy Protection Act of 1998 (COPPA), 15 U.S.C. §6501 et seq.; FTC v. Toysmart.com LLC, civil case no. 00-11341-RGS (D. Mass., filed 7/10/00). Return to article

8 In the end, one of Toysmart's major investors, Disney Corp., paid the debtor $50,000 for the debtor to destroy the customer data, rather than transfer it. Return to article

9 In re Living.com Inc., Case. 00-12522, U.S. Bankruptcy Court for the Western District of Texas. Return to article

10 For example, consider the purchase of an airline ticket. The ticket can be purchased from your travel agent over the telephone, through an online service such as Travelocity or Orbitz or from the airline's web site. When you purchase the ticket from your travel agent over the telephone, no privacy policy is presented. When you purchase the ticket from Orbitz, the Orbitz web site presents you with its privacy policy—not the airline's. Only when you order from the airline's web site are you presented with the terms of the airline's privacy policy. If the airline then files a chapter 11 petition, the Consumer Privacy Ombudsman provisions arguably only affect the information collected in connection with the sale of tickets through the airline's own web site. Return to article

11 15 U.S.C. §45(a). Return to article

12 As a practical matter, the "consistent test" will have limited usefulness because of timing issues. If the sale proponent asks the court for a determination that the sale is consistent with the privacy policy terms, someone objects and the court holds that the sale is not consistent, then a Consumer Privacy Ombudsman must be appointed and given five days to provide a report. In other words, the "consistent test" is useful only when an objection is unlikely or can be dealt with well before a sale hearing. Return to article

13 COPPA, 15 U.S.C. §6501 et seq. (Title XIII, Omnibus Consolidated and Emergency Supplemental Appropriations Act, 1998); implementing regulations at 16 C.F.R. Part 312 et seq. Return to article

14 16 U.S.C. §§6801, et seq. (1999). Return to article

15 42 U.S.C. §1320d (1996); final regulations at 65 Fed. Reg. 82462. Return to article

16 Council Directive 95/46, 1995 O.J. (L 281) 31. The Directive can be found at http://europa.eu.int/eur-lex/en/lif/dat/1995/en_395L0046.html. Return to article

17 15 U.S.C. §45(a). Return to article

18 11 U.S.C. §332(a) (2005) requires the U.S. Trustee to appoint "one disinterested person" to serve as the consumer privacy ombudsman. The term "disinterested" is defined by 11 U.S.C. §101(14). A creditor, equity security-holder, insider or any person with an interest materially adverse to the estate is, by definition, not disinterested. Return to article

19 11 U.S.C. §332(b) (2005). Return to article

20 11 U.S.C. §332(c) (2005). Return to article

21 11 U.S.C. §330(a)(1) (2005). The court may award the consumer privacy ombudsman reasonable compensation based on the actual, necessary services provided. However, §330(a)(3), which identifies factors for the court to consider when awarding fees to other professionals, might not apply to Consumer Privacy Ombudsman fee awards. Return to article

22 11 U.S.C. §328 appears to limit this right to trustees (and, by extension, debtors-in-possession) and official committees. Return to article

23 11 U.S.C. §332(b) (2005). Return to article

Bankruptcy Code: 
Journal Date: 
Friday, July 1, 2005