
What You Need to Know About the PPEBA

By Luis Salazar
April 27, 2006

The union of the Internet and commerce has led to increases in productivity, convenience, and access for consumers everywhere. At the same time, it has spawned tremendous privacy concerns. It is not uncommon these days to hear of businesses inadvertently publicizing consumers' personal data, or worse, hackers obtaining personal financial information.

Concerns over these privacy issues have at last reached our industry, as evidenced by the various privacy-related provisions incorporated in the Bankruptcy Abuse Prevention and Consumer Protection Act (BAPCPA). In particular, the BAPCPA incorporated the Leahy-Hatch Amendment, also known as The Privacy Policy Enforcement in Bankruptcy Act of 2001 (PPEBA), which I had the honor of drafting. To address certain privacy concerns, the PPEBA amended Bankruptcy Code Section 363(b)(1) and added pre-conditions to the sale or use of consumer data, added a new Section 332 creating the 'privacy ombudsman,' and defined 'personally identifiable data' in Section 101(41A). This article reviews the development of these amendments and analyzes their potential impact for practitioners.

Toysmart: The PPEBA's Poster Child

To understand the PPEBA amendments, it is important to understand the context in which they arose. Think back, then, to early 2000, just about the time most folks were beginning to realize that their dotcom stocks were never going to bounce back. It was about that time that dotcoms began turning to dotbombs, going out of business at an alarming rate.

This bubble-burst coincided with increasing interest by the Federal government, especially the Federal Trade Commission (FTC), in privacy issues and the Internet. As a matter of fact, it was little more than a year earlier that Congress enacted the Child Online Privacy Protection Act (COPPA), which sought to curb some of the personal data abuses with respect to the net's youngest consumers. The timing was ripe, therefore, for a test-case on bankruptcy and privacy. Toysmart.com rose, or perhaps fell, to the occasion.

Toysmart, as the name implies, was an online seller of children's educational toys. Toysmart's privacy policy, as set forth on its website, unequivocally provided that the company would never share its customers' data with any third party. But it ran into financial difficulties and was forced into Chapter 11. It then attempted, despite its professed policy, to generate a recovery for creditors by selling one of its potentially most valuable 'assets': the personal and financial data voluntarily provided by its customers.

The FTC pounced. Notwithstanding the bankruptcy, it filed a complaint in Federal District Court to enjoin the sale because Toysmart violated its written privacy policy, which constituted a 'deceptive practice' under Section 5 of the FTC Act. Perhaps worse, the proposed sale would violate the newly enacted COPPA. Toysmart was forced to relent, and, rather than an outright auction of these data, it consented to a more complicated sales procedure sought by the FTC, that, among other things, would require an opt-in procedure for affected consumers. In the end, even that procedure was scuttled by continuing objections by many state attorneys general, each of which sought to stop the sale of this data on consumer protection grounds. Finally, Disney, an investor in Toysmart, agreed to purchase the data for $50,000 and then destroy it. This Toysmart issue, the ability of insolvent dotcoms to sell consumer data, continued to rear its ugly head in subsequent dotcom cases, such as Living.com, Craftshop.com, and others.

The Birth of the PPEBA

As that old saw about laws and sausages suggests, it is probably best if the exact way the PPEBA came about be left for another day. Suffice it to say, however, that in preparing a draft of PPEBA for sponsorship by Senator Leahy, the FTC's proposed settlement with Toysmart became my model. As a result, here are the law's, and now the Bankruptcy Code's, key data privacy provisions.

Defining 'Personally Identifiable Data'

It is perhaps best to review the amendments by starting with the basics: the type of information at issue. New Section 101(41A) defines 'Personally Identifiable Information' as data that allows an individual to be specifically identified, including name, address, email, telephone number, social security number, any birth-date information, credit card account information, or any other information which, if disclosed, would result in contacting or identifying an individual physically or electronically. A critical part of the definition, however, is that this 'private' information must have been provided by an individual to the debtor in connection with obtaining a product or a service from the debtor primarily for personal, family or household purposes. Presumably, then, information obtained via other means or for other purposes is wholly unaffected by the PPEBA.

363(b)(1): Use, Sale, or Lease of Data

Next, amended Section 363(b)(1) limits the out-of-the-ordinary use, sale, or lease of personally identifiable information 'if a debtor in connection with offering a product or a service discloses to an individual a policy prohibiting the transfer of personally identifiable information about individuals to persons that are not affiliated with the debtor and if such policy is in effect on the date of the commencement of the case.' If such a privacy policy is in effect, then the data can only be used, sold, or leased if such use, sale, or lease is consistent with the established privacy policy.

Alternatively, the section allows the court to appoint a 'Privacy Ombudsman' pursuant to new Section 332. After notice and a hearing with the ombudsman's input, the Court may approve the use, sale, or lease of the data after: 1) giving due consideration to the facts, circumstances, and conditions of such sale; and 2) finding that no showing was made that such sale or such lease would violate applicable nonbankruptcy law.

Note the preconditions to this section's application: the sale or lease must be outside the ordinary course, the information must have been obtained in connection with the offering of a product or service, the policy must prohibit the transfer of the information to third parties, and, finally, the policy must be in effect on the filing date. These preconditions will limit this Section's applicability. Indeed, merely discontinuing the policy before the filing could be enough to avoid the statute. Further, these consumer data provisions are contained in § 363, and not in § 1123. Transferring this type of asset pursuant to a plan, then, would appear to be another means of circumventing these restrictions.

Finally, as a more practical matter, this restriction hinges on the terms of the debtor's privacy policy. As evidenced by Toysmart, these policies may be quite restrictive. But, because of the impact of Toysmart and other cases, many privacy policies now incorporate provisions that allow for sales or liquidation in the insolvency context. In fact, clients should be counseled to modify their privacy policies to permit such use, whenever possible.

The Consumer Privacy Ombudsman

If a hearing is required under § 363(b)(1), then the Bankruptcy Court must order the United States Trustee to appoint a 'consumer privacy ombudsman.' Other than being a 'disinterested person' and not the trustee, the Section contains no other restrictions on who may serve as ombudsman. Given this flexibility, in the right cases, an appropriate FTC representative, an attorney general, or other government official could conceivably serve in that role. The appointed Ombudsman apparently may retain other professionals and all are eligible for compensation pursuant to § 330(a)(1)(A).

Once retained, the ombudsman's role is certainly skewed toward protecting consumer privacy, but overall is limited to informing the court on certain issues. In order to assist the court in its consideration of the facts, circumstances, and conditions of the proposed sale or lease of personally identifiable data, the ombudsman may inform the court of: 1) the debtor's privacy policy; 2) the potential losses or gains of privacy to consumers if such sale or such lease is approved by the court; 3) the potential cost or benefits to consumers if the transaction is approved; and 4) any potential alternatives that would mitigate potential privacy losses or potential costs to consumers.

The ombudsman's role is not an entirely enviable one. The statute requires that he be appointed no less than 5 days before the scheduled 363(b)(1) hearing, but that hardly seems like enough time to gather the necessary information and prepare an adequate report. In a litigious environment, one suspects that the court's order of appointment will have to incorporate some mechanism to compel the debtor's and buyer's cooperation.

Conclusion

The enacted PPEBA provisions are hardly a comprehensive response to the problem of protecting privacy in distressed situations. Indeed, these provisions are really directed at protecting consumers who provided information in reliance upon a business' expressed privacy policy. But given the growing concern for preserving privacy and the attention that this area of law is attracting, it is simply inevitable that bankruptcy and privacy will continue to intersect. Even where the PPEBA provisions don't apply, practitioners can still expect the FTC or state attorneys general to inject themselves into cases to protect privacy, where circumstances warrant. Our information age has propelled privacy concerns to the forefront, and the PPEBA enactment is certainly but a sign of things to come.


Luis Salazar is a shareholder and member of Greenberg Traurig's National Business Reorganization and Bankruptcy Department. He is based in the firm's Miami office.

