Privacy Lessons Learned From the Borders Group Bankruptcy
The privacy implications of the sale of the bankrupt Borders Group’s consumer database to Barnes & Noble have been a focus of the Federal Trade Commission (“FTC”), state Attorneys General, and lawmakers, and the transaction highlights the need for companies to carefully draft and periodically review their privacy notices to consumers.
Privacy notices should not only accurately reflect current practices regarding the collection, use, sharing, and security of personal information, but also cover possible future transactions, such as a dissolution, merger, or sale of assets or the sharing of personal information with service providers.
In an e-mail sent to Borders customers and a notice on the Barnes & Noble website, customers were advised that they can opt-out of having their contact information (which includes names, addresses, and e-mail addresses) and purchasing history shared with Barnes & Noble. This came about because Borders reportedly had at least three different privacy policies since 2006 that limited how personal information collected from customers could be shared; earlier policies stated that Borders would not share information without express consent, and a later policy indicated that information could be transferred if Borders was sold, merged, or reorganized, but the company would seek appropriate protections in such cases. The FTC questioned whether the later policy covered dissolution and the sale of assets in bankruptcy, and the later policy only applied to information collected after the date it was adopted, so customers’ consent to the transfer was required.