In bankruptcy, the personal data you collected from users can be considered an asset. That makes user data vulnerable to being transferred to the highest bidder and leaving users feeling exposed.
This article is an overview on how to address the issue of bankruptcy in your Privacy Policy so your user data remains protected even if your company must liquidate assets to pay debts.
Bankruptcy and business assets
In the US, companies normally file a Chapter 7 or Chapter 11 bankruptcy. The differences between the filings determine how assets are handled, including digital assets like user data.
A "Chapter 7" bankruptcy ceases company operations. Assets are liquidated to pay off debts with any remaining balances forgiven at the end of the procedure. Owners, operators and partners are then free to proceed with other opportunities without the burdens of the previous one affecting them.
In a "Chapter 11" bankruptcy filing, a company admits that it has trouble with debt and requires protection while it makes new payment arrangements. Debtor companies remain in operation during the Chapter 11 as mortgages, loan payments, and past-due vendor balances are renegotiated.
Since business operations continue under "Chapter 11", there is normally never a need to sell off assets unless that becomes part of an agreement with a creditor.
It is possible for users' personal data to be considered an asset in either "Chapter 7" or "Chapter 11".
In a Chapter 7 bankruptcy, the default action by attorneys and the court is to put the information up for sale so another party can profit from it. However, in a Chapter 11 bankruptcy, the data rarely goes up for sale since the company still uses it to stay in operation.
In either instance, the bankruptcy proceeding immediately affects data protection terms in the Privacy Policy agreement.
Clauses for Privacy Policy
There are two types of clauses in a Privacy Policy that affect how bankruptcy transfers personal data:
- The "Business Transfer" clauseThis clause in a Privacy Policy gives a company the right to transfer personal data due to sale, merger, acquisition or bankruptcy. This makes it possible to sell data as an asset.
- The "Information Sharing Limitations" clauseThis clause offers consumer protection and may prevent or limit a data transfer due to bankruptcy. This kind of clause helps your business by assuring consumer confidence in your data practices, but also keeps you compliant with Federal Trade Commission (FTC) expectations regarding user data.
These provisions may present separately in different sections or be combined into one.
Business Transfer clause
The "Business Transfer" clause describes what happens to personal data should your company become dissolved by merger, acquisition, sale or bankruptcy. It offers liability protection should you transfer data to the new entity upon these events.
CreateSpace, a platform for self-publishing writers, collects personal information like names and payment information. In its Privacy Policy agreement, it makes it clear that it could expand or become a new entity.
However, it also mentions that the new entity must respect the current Privacy Policy, unless it secures user consent:
Seedrs takes the same approach of simultaneously allowing transfer but requiring new entities to stay in line with the Privacy Policy:
Other companies place the "Business Transfer" clause language under its provisions regarding information sharing.
500px does not bold the "Business Transfer" heading under that bullet point but it still makes the provision easy to find:
Niantic Labs and its Privacy Policy for the Pokemon GO game creates a separate heading and similar provisions for the "Business Transfer" clause:
The provisions listed as examples so far do not specifically include bankruptcy. The clauses refer to "asset sales" but perhaps due to optimism or other reasons bankruptcy is not mentioned.
However, there are companies that include "bankruptcy" in their "Business Transfer" clauses.
One example is kik, a mobile app provider. It maintains its "Business Transfer" clause under "Information we share" and gives it a subheading of "Merger, financing, and sale."
This provision includes a bankruptcy mention:
Pinterest is a large successful network with a low chance of becoming bankrupt. However, it mentions that bankruptcy, merger or dissolution may transfer information to a new party.
Its Privacy Policy places this under information sharing provisions:
"Business Transfer" clauses are diverse. They allow the transfer of data and yet, a few also contain protective provisions to keep Privacy Policies and practices in force even after a merger, acquisition or even bankruptcy.
Information Sharing Limitations clause
There is precedent that a well-written Privacy Policy can prevent the sale of sensitive data.
The controlling case on this subject is FTC v. Toysmart.com. This was a short-lived venture having started in January 1999 only to be forced into involuntary bankruptcy on June 9, 2000. The only valuable asset owned by the company was its consumers' data.
However, in its Privacy Policy agreement, Toysmart contained the following provision which prohibited sharing information with third parties:
Toysmart's main consumer base was children under age 13.
There was no provision for notifying parents of this information collection and the company faced violations of the Children's Online Privacy Protection Act (COPPA) among its other issues. In addition to following the original Privacy Policy, there was also the issue of handling this extremely sensitive data.
In the end, Toysmart settled the matter with the FTC by agreeing that only a "qualified buyer" who also sold children's products and services would acquire the data and use it appropriately under the original privacy terms.
Toysmart is an early case that since defined how the FTC approaches personal data as a bankruptcy asset. Since that time, the FTC also moved to protect consumer interests in the bankruptcy proceedings of Borders bookstores and the founder of XY Magazine.
XY Magazine was a publication targeted towards gay youth. Its founder, Peter Ian Cummings stopped publishing it in 2007 and shut down the website (and dating service) in 2009. He eventually filed for personal bankruptcy protection in 2010. The personal information of XY Magazine subscribers was listed as an asset on his bankruptcy petition.
There was immediately concern about the safety of those subscribers. Many of them were teenagers at the time they became involved with the magazine and some of them wished to keep their sexual orientation hidden.
The FTC sent its letter to the attorneys and creditors of the bankruptcy proceeding to express its concerns if the information became available as an asset. XY Magazine eventually relaunched and published its 50th issue in 2016.
It could be argued that Toysmart and XY Magazine involved minors which is why the FTC was aggressive in pursuing privacy protection.
However, the Borders Bookstore matter involved information submitted by adults and children. Yet, the FTC pursued privacy protection because Borders promised it would not share information without securing user consent.
Mainly, the FTC seeks to protect personal information like names, addresses, email addresses, credit card numbers or other payment information, and even deeply personal data like sexual orientation, race, and gender identity from being turned over to the wrong people.
In all these cases, the FTC successfully enforced limitations based on original privacy terms and the vulnerability of those who submitted the data.
Best practices for Privacy Policies in case of bankruptcy
You should never dismiss the possibility of a bankruptcy filing or other possibility of your entity dissolving. Selling and transferring user data may not seem to have much effect on you, but in reality, it bruises public trust.
There is also the possibility of facing FTC sanctions, especially if you violate a privacy law like COPPA in the US.
That is why you want a "Business Transfer" clause in your Privacy Policy that allows flexibility in case of good or bad developments, but you should also include consumer protections.
Here are suggestions on how to go about this:
- Collect only what's necessary.Too much data can prove to be a burden in bankruptcy proceedings. Limit your data requests to only what you need to provide a product or service. This makes managing the data much easier.
- Mention bankruptcy in your "Business Transfer" clause.You may not see this as a possibility now, but you never know. Besides mentioning sales, mergers, and dissolution, also explicitly include bankruptcy.
"Sales of assets" is likely too broad and it's always better to mention specifics, even if they seem unlikely.
- Limit disclosure of sensitive data.If you collect sensitive data, place a limit in your Privacy Policy that prohibits disclosure of sensitive information to third parties or at least limits it to "appropriate buyers" who are unlikely to misuse the information.
- Bind successors to Privacy Policy.There's a good record of the FTC forcing entities to follow the original Privacy Policy when they secure another party's sensitive data. In your "Business Transfer" or "Information Sharing" clauses, make this promise to your users so it can be enforced later.
With the FTC paying close attention to data transfers after bankruptcy, it's a good time to review your Privacy Policy and practices to see how it protects users and their data if this situation arises.
Comprehensive compliance starts with a Privacy Policy.
Comply with the law with our agreements, policies, and consent banners. Everything is included.