• The Dangers of Overly Broad Privacy Policies
  • September 30, 2010 | Authors: Benjamin Gastel; John P. Hutchins
  • Law Firm: Troutman Sanders LLP - Atlanta Office
  • Earlier this year, the founder and editor of a leading online teen magazine - XY.com - filed for personal bankruptcy and listed as one of his personal assets the mailing list of the magazine’s subscribers, including names, addresses, and email addresses for close to a million people. The case raised heightened privacy concerns because XY’s target audience is gay, male teenagers, and XY had solicited subscribers based, in part, on the promise of anonymity. In fact, XY had an unusually simple and straightforward privacy policy, stating that “we never share your information with anybody.” Because of the sensitive nature of the mailing list, the bankruptcy proceeding triggered one of the most interesting features of the 2005 Amendments to the Bankruptcy Code, although perhaps not a feature that is known to many outside of the bankruptcy bar.

    The 2005 Amendments specifically provide for restrictions on sale of “personally identifiable information,” which is defined to include all personal information about individual consumers that may be held by a debtor in a bankruptcy proceeding. Specifically the definition encompasses “any...information concerning an identified individual that, if disclosed, will result in contacting or identifying such individual physically or electronically.” XY’s customer list falls squarely under this definition.

    Accordingly, XY’s bankruptcy triggered the bankruptcy code’s new restrictions on the sale of this information. The code now prevents the sale of customer lists if such sale or transfer is inconsistent with a privacy policy that was in effect on the date of the bankruptcy petition. The 2005 Amendments also provide for a Consumer Privacy Ombudsman to be appointed to assist the court in its consideration of the facts, circumstances and conditions of the proposed sale of consumers’ personally identifiable information.

    Additionally, in XY’s case, the FTC got involved once the founder’s business partner stated he was interested in purchasing the customer list solely for the purpose of re-launching the online magazine at the same domain name, XY.com. The FTC’s position was that a sale or transfer to the business partner solely for this purpose would still be a violation of XY.com’s original privacy policy because this use was not contemplated by XY’s original subscribers, who expected that their information wouldn’t be shared - period.

    As a result, based on the recommendations of both the Consumer Privacy Ombudsman and the FTC, the entire subscriber list in XY’s case was deleted, with certain limited exceptions, effectively destroying the most lucrative and valuable asset involved in the bankruptcy proceeding.

    This case obviously highlights the dangers involved in crafting overly broad privacy policies. It is always difficult to plan for the unexpected, and very few companies plan ahead for bankruptcy, but consumer privacy policies should be crafted to ensure that a business’s valuable assets remain liquid and transferrable whenever such a transfer may need to take place in the best interest of the company and its shareholders.