The privacy implications of the sale of the bankrupt Borders Group’s consumer database to Barnes & Noble have been a focus of the Federal Trade Commission (“FTC”), state Attorneys General, and lawmakers, and the transaction highlights the need for companies to carefully draft and periodically review their privacy notices to consumers.
Privacy notices should not only accurately reflect current practices regarding the collection, use, sharing, and security of personal information, but also cover possible future transactions, such as a dissolution, merger, or sale of assets or the sharing of personal information with service providers.
In an e-mail sent to Borders customers and a notice on the Barnes & Noble website, customers were advised that they can opt-out of having their contact information (which includes names, addresses, and e-mail addresses) and purchasing history shared with Barnes & Noble. This came about because Borders reportedly had at least three different privacy policies since 2006 that limited how personal information collected from customers could be shared; earlier policies stated that Borders would not share information without express consent, and a later policy indicated that information could be transferred if Borders was sold, merged, or reorganized, but the company would seek appropriate protections in such cases. The FTC questioned whether the later policy covered dissolution and the sale of assets in bankruptcy, and the later policy only applied to information collected after the date it was adopted, so customers’ consent to the transfer was required.
Recent privacy enforcement actions by the FTC and lawsuits have focused on companies’ deceptive or unfair practices in failing to adhere to their stated privacy policies, applying a material change in a privacy policy to personal information collected under a prior policy without an affected individual’s consent, and failing to adequately secure personal information. In light of this, it is important to ensure that privacy policies accurately describe the company’s current practices and are comprehensive enough to cover possible future transactions involving personal information. In addition, personal information collected from consumers should always be appropriately secured from unauthorized acquisition or use.