IAPP-GDPR Web Banners-300x250-FINAL

By Luis Salazar

Business bankruptcy filings rose 59.7 percent over a 12-month period ending March 31, 2009. According to the Administrative Office of the U.S. Courts, more than 49,000 businesses filed for bankruptcy during that period. But when it came to satisfying creditors, not all of these businesses’ assets were up for grabs. Data assets garner special attention in bankruptcy court. Here, Luis Salazar explains how sensitive information and valuable customer data is handled when a business goes bust, and the role of the Consumer Privacy Ombudsman in bankruptcy proceedings.

It’s hard enough to manage and secure data on a day-to-day basis, but just imagine trying to accomplish that same task with no money, no staff, and under intense public scrutiny. Some—the cynics among you—are already thinking “I do that everyday.” But even our usual challenges pale in comparison to managing data privacy and security at that most dangerous intersection—where it meets bankruptcy.

Financially troubled companies present unique challenges. First, the lack of resources and chaotic environment often leads to data escaping out the door through increasingly lax security or by employees seeking some “self-help” to cover their losses. Second, businesses do a poor job disposing of records containing confidential information—what might be referred to as the “dumpster syndrome.” Finally, even if those hurdles are overcome, there is still the perhaps more central challenge of maximizing the value of customer data—a potential source of recovery for creditors.

It’s in response to that last challenge that the Congress passed the Privacy Policy Enforcement in Bankruptcy Act, better known as the Consumer Privacy Ombudsman provisions of the 2005 Bankruptcy Code amendments. A first for both bankruptcy and privacy law, the Consumer Privacy Ombudsman was created to advise bankruptcy courts of the privacy implications surrounding certain data sales and, indirectly, protect consumer data privacy. Although noble in its intentions, bankruptcy practitioners expressed concern that the Consumer Privacy Ombudsman would delay or scuttle critical sales by recommending that data not be transferred as part of the bankruptcy court sale.
But in fact the track record thus far shows that Consumer Privacy Ombudsmen repeatedly have met often challenging deadlines to produce reports, and their recommendations have been supportive of data sales while providing practical suggestions to protect consumers’ data privacy expectations. Rather than disrupt the process, these ombudsmen have, in a very real sense, served to validate the propriety of data transfers to benefit creditors while protecting consumer privacy

This article surveys some of the ombudsman reports filed thus far and analyzes the Tweeter Home Entertainment report in greater detail.

The consumer privacy provisions

By now, most practitioners are aware of the consumer privacy provisions and have some idea of their origins. In short, the provisions were sparked by the Federal Trade Commission’s actions in In re Toysmart. There, a bankrupt Internet toy company sought to sell consumer data in direct contradiction to its privacy policy, which promised that it would “never” share consumer information with third parties. The FTC sought to enjoin Toysmart from that sale and the violation of its privacy policy. Ultimately, the FTC reached a settlement with Toysmart, allowing the transfer of personal data under certain conditions, including notice and an opportunity for consumers to opt out.

The amendment to Bankruptcy Code Section 363 and the creation of Section 332 spring from the Toysmart dispute. Bankruptcy Code Section 363(b)(1) now limits the use, sale, or lease of personally identifiable information “if a debtor in connection with offering a product or a service discloses to an individual a policy prohibiting the transfer of personally identifiable information about individuals to persons that are not affiliated with the debtor and if such policy is in effect on the date of the commencement of the case.”  
If a debtor intends to pursue such a non-consistent sale, the court must appoint a Consumer Privacy Ombudsman pursuant to Section 332. The ombudsman’s duties are limited to advising and assisting the court in digesting the considerable facts and applicable privacy law that may come to play in any 363 sale of consumer data. The section specifically provides that the ombudsman may advise the court on four key factors: (1) the debtor’s privacy policy; (2) the potential losses or gains of privacy to consumers if such sale or lease is approved by the court; (3) the potential cost or benefit to consumers if the transaction is approved; and (4) any potential alternatives that would mitigate potential privacy losses or potential costs to consumers.

After notice, a hearing, and input from the ombudsman, the court may approve the use, sale, or lease of the data after: (i) giving due consideration to the facts, circumstances, and conditions of such sale; and (ii) finding that no showing was made and such sale or such lease would violate applicable non-bankruptcy law

The reports thus far

It appears that there have been as many as 20 cases thus far where a consumer privacy ombudsman has been appointed and filed a report, including: (i) In re Refco, Inc., et al., Case No. 05-60006 (RDD) (Bankr. S.D.N.Y. 2007); (ii) In re Storehouse, Inc., Case No. 06-11144-SSM-Bankr. (E.D.Va. 2007); (iii) In re Tweeter Home Entertainment Group, Inc. et al., Case No. 07-10787(PJW) (Bankr. D. Del. 2007); (iv) In re R.J. Gators, Inc., et al., Case No. 07-14954 (Bankr. S.D. Gla. 2007); (v) In re Foxtons, Inc., Case No. 07-24496 (Bankr. D.N.J. 2007); (vi) JS Marketing and Communications, Inc., Case No. 05-65426-11 (Bankr. D. Mont. 2007); (vii) In re Engaging and Empowering Citizenship, Inc., Case No. 02-BKC-28175-CGC (Bankr. D. Ariz. 2006); (viii) In re Three A’s Holdings, LLC, et al., Case No. 06-10886 (BLS) (Bankr. D. Del. 2006); (ix) In re Bodies in Motion, Inc., Case No. 06-10931
(Bankr. C.D. Cal. 2006); and (x) In re Western Medical, Inc., Case. No. 06-01784 (Bankr. D. Ariz. 2006); and (xi) In re Circuit City Stores, Inc., Case No. 08-35653 (Bankr. E.D.Va. 2008).

In general, these ombudsmen encountered similar sets of facts—debtors seeking to sell PII in the face of privacy policies that did not explicitly allow or were silent as to such transfers. In broad terms, each of these ombudsmen have supported the proposed sales, provided certain conditions were met, such as requiring that: (i) the sales be made to qualified purchasers (those in the same business or that would operate the same business as the Debtor); (ii) the purchaser would serve as a successor-in-interest to the Debtor’s security and privacy policies; (iii) and customers be provided an opportunity to opt in or opt out of the proposed transfer

The Tweeter case

These conditions are perhaps more clearly understood in the context of a real case—In re Tweeter Home Entertainment, Inc., et al. Based upon the ombudsman’s investigation, it appeared that Tweeter collected PII from consumers at retail, call center, and online points of contact, each under similar privacy policies.

Retail. At the retail level, Tweeter collected consumers’ names, addresses, e-mail addresses, and telephone numbers, generally for warranty and marketing purposes. This was so even when customers paid in cash. If a customer applied for or used a credit card, that additional credit card information was also maintained by Tweeter.

Although Tweeter did not appear to have a written privacy policy for retail-level transactions, Tweeter’s CIO confirmed that retail store customers, if asked, were advised that the information collected was kept confidential and was used solely for marketing and customer service purposes.

Telephone orders. Tweeter also allowed purchases by telephone—customers could call a toll-free number and place their orders with a live operator. The call center used the same point-of-sale system as the retail stores, and the same information was collected and routed in the same manner. Likewise, although there appeared to be no written privacy policy for telephone transactions, customers were advised that the information collected was kept confidential and used solely for marketing and customer service purposes.

Online orders. Finally, Tweeter also operated a Web site that provided general information about the company, along with online shopping. The Web site used a typical shopping cart system, where consumers could fill their cart with items and “check out” online. A customer was required to input PII, including credit card information, in order complete the purchase. The Web site offered electronic equipment, as well as DVDs for sale.

The online privacy policy. Tweeter posted its privacy policy prominently on its Web site. The privacy policy was limited to “Personal information collected via this Web site, and not through any other activities of Tweeter or its affiliates or business partners,” and made clear that Tweeter collected PII about customers “like your name, address, e-mail address, phone number, or credit card information, and that is not otherwise publicly available.” Nonetheless, Tweeter also represented that “You have the right to know how your personal information may be used or disclosed.”  

With respect to the PII it collected, Tweeter represented that it:

  • Does not rent, sell, or share personal information about you with other people or non-affiliated companies except to provide products or services you’ve requested, when we have your permission, or under the following circumstances:
  • We provide the information to trusted partners who work on behalf of or with Tweeter under confidentiality agreements. These companies may use your personal information to help Tweeter fulfill orders, process credit card payment, evaluate Tweeter.com, or communicate with you about offers from Tweeter and our marketing partners. However, these companies do not have any independent right to share this information. You may opt out of future marketing communications from Tweeter or our marketing partners at any time by e-mailing to customersupport@tweeter.comThis e-mail address is being protected from spam bots, you need JavaScript enabled to view it , or calling us at 1-866-690-2370.
  • We transfer information about you if Tweeter is acquired by or merged with another company. In this event, Tweeter will notify you before information about you is transferred and becomes subject to a different privacy policy.

This last clause appeared to be most relevant to the proposed sale, but did not explicitly authorize data transfer in the context of an asset sale.

The privacy policy also contained a disclaimer that provided that it may be changed at any time and without prior notice. Nevertheless, Tweeter represented that it “will notify you about significant changes in the way we treat personal information by sending a notice to the e-mail address you have provided to us or by placing a prominent notice on Tweeter.com so that you may be aware of our actions.”  

The ombudsman recommendation

Relying on established Federal Trade Commission guidance, the ombudsman recommended that the court permit the sale, subject to certain conditions designed to protect consumers’ privacy expectations. More specifically, the Ombudsman recommended that the Tweeter sale be allowed if:

  • The sale of PII was to a “Qualified Buyer.” A “Qualified Buyer” means an entity that: (a) concentrates in the same business and market as Tweeter’s; (b) expressly agrees to be Tweeter’s successor-in-interest as to the customer information; (c) agrees to be responsible for any violation of that policy following the date of purchase; (d) would use the PII only to fulfill customer orders and to personalize customers’ experience on the Web site; and (e) shall not disclose, sell, or transfer customers’ PII to any third party in a manner inconsistent with Tweeter’s Privacy Policy;
  • The Qualified Buyer agrees to be bound and meet the standards established by Tweeter’s Privacy Policy and to maintain at least the same level of security as is presently in place;
  • Tweeter and the Qualified Buyer agree to provide notice of the proposed transfer to any consumer whose PII is being sold, including a posted notice on the Tweeter Web site and by e-mail; and
  • Tweeter and the Qualified Buyer agree to provide consumers with an opportunity to opt out as part of the notification process.

If for any reason the PII were to be sold to any other entity that would not meet the requirements of a “Qualified Buyer,” then the ombudsman recommended that the court should require that:

  • The purchaser must at a minimum agree to abide by Tweeter’s existing privacy policies;
  • Tweeter and the purchaser must provide notice of the proposed transfer to any consumer whose PII it holds by prominent posting on Tweeter’s Web site and via e-mail; and
  • As part of the notification process, Tweeter and the purchaser must provide each consumer with an opportunity to opt in to the transfer, or their information would not be transferred.

Finally, the ombudsman recommended that the order approving the sale of PII also should: (a) require any buyer to file with the court a statement under oath that it has fully complied with the procedures imposed by the court to protect the PII; (b) direct the ombudsman to file a supplemental report confirming such compliance; or (c) both.
Ultimately, the court determined that the successful bidder for Tweeter’s assets was, in fact, a “Qualified Buyer.”  That bidder then agreed to provide posted notice of the transfer and honor opt outs made via their newly acquired Tweeter Web site.


Thus, the Consumer Privacy Ombudsman has so far been easily integrated into the often lightning-quick Section 363 bankruptcy sale process. More important, the ombudsman offers a voice for consumers who typically have none. For bankruptcy practitioners, ombudsmen legitimize a process that could otherwise attract unwanted and highly disruptive attention from regulators or angry consumers. In a very real way, the ombudsman serves as a traffic cop—steering folks through the often treacherous bankruptcy and privacy intersection.

Luis Salazar is a shareholder in the Greenberg Traurig Miami office and a member of the firm’s Business Bankruptcy and Reorganization Department and Data Privacy and Security Law Task Force. He can be reached at salazarl@gtlaw.comThis e-mail address is being protected from spam bots, you need JavaScript enabled to view it . He drafted the Privacy Policy Enforcement and Bankruptcy Act and has served as the Consumer Privacy Ombudsman in multiple cases, including In re Tweeter Home Entertainment Group, Inc., In re Foxtons, and Vi Corp. Restaurants.


If you want to comment on this post, you need to login.


Board of Directors

See the esteemed group of leaders shaping the future of the IAPP.

Contact Us

Need someone to talk to? We’re here for you.

IAPP Staff

Looking for someone specific? Visit the staff directory.

Learn more about the IAPP»

Daily Dashboard

The day’s top stories from around the world

Privacy Perspectives

Where the real conversations in privacy happen

The Privacy Advisor

Original reporting and feature articles on the latest privacy developments

Privacy Tracker

Alerts and legal analysis of legislative trends

Privacy Tech

Exploring the technology of privacy

Canada Dashboard Digest

A roundup of the top Canadian privacy news

Europe Data Protection Digest

A roundup of the top European data protection news

Asia-Pacific Dashboard Digest

A roundup of the top privacy news from the Asia-Pacific region

Latin America Dashboard Digest

A roundup of the top privacy news from Latin America

IAPP Westin Research Center

Original works. Groundbreaking research. Emerging scholars.

Get more News »

Find a KnowledgeNet Chapter Near You

Network and talk privacy at IAPP KnowledgeNet meetings, taking place worldwide.

Women Leading Privacy

Events, volunteer opportunities and more designed to help you give and get career support and expand your network.

IAPP Job Board

Looking for a new challenge, or need to hire your next privacy pro? The IAPP Job Board is the answer.

Join the Privacy List

Have ideas? Need advice? Subscribe to the Privacy List. It’s crowdsourcing, with an exceptional crowd.

Find more ways to Connect »

Find a Privacy Training Class

Two-day privacy training classes are held around the world. See the complete schedule now.

Online Privacy Training

Build your knowledge. The privacy know-how you need is just a click away.

The Training Post—Can’t-Miss Training Updates

Subscribe now to get the latest alerts on training opportunities around the world.

New Web Conferences Added!

See our list of upcoming web conferences. Just log on, listen in and learn!

Train Your Staff

Get your team up to speed on privacy by bringing IAPP training to your organization.

Learn more »

CIPP Certification

The global standard for the go-to person for privacy laws, regulations and frameworks

CIPM Certification

The first and only privacy certification for professionals who manage day-to-day operations

CIPT Certification

The industry benchmark for IT professionals worldwide to validate their knowledge of privacy requirements

Certify Your Staff

Find out how you can bring the world’s only globally recognized privacy certification to a group in your organization.

Learn more about IAPP certification »

Get Close-up

Looking for tools and info on a hot topic? Our close-up pages organize it for you in one easy-to-find place.

Where's Your DPA?

Our interactive DPA locator helps you find data protection authorities and summary of law by country.

IAPP Westin Research Center

See the latest original research from the IAPP Westin fellows.

Looking for Certification Study Resources?

Find out what you need to prepare for your exams

More Resources »

GDPR Comprehensive: Spots Going Fast

With the top minds in the field leading this exceptional program, it's no wonder it's filling quickly. Register now to secure your spot.

Be Part of Something Big: Join the Summit

Registration is open for the Global Privacy Summit 2016. Discounted early bird rates available for a short time, register today!

Data Protection Intensive Returns to London

Registration is now open for the IAPP Europe Data Protection Intensive in London. Check out the program!

P.S.R. Call for Speakers Open!

P.S.R. is THE privacy + cloud security event of the year, and you can take a leading role. Propose a session for this year's program.

Sponsor an Event

Increase visibility for your organization—check out sponsorship opportunities today.

Exhibit at an Event

Put your brand in front of the largest gatherings of privacy pros in the world. Learn more.

More Conferences »

Become a Member

Start taking advantage of the many IAPP member benefits today

Corporate Members

See our list of high-profile corporate members—and find out why you should become one, too

Renew Your Membership

Don’t miss out for a minute—continue accessing your benefits

Join the IAPP»