The Price of Privacy:
Internet databases as assets in bankruptcy
by
Brian Carroll
Ph.D. student
School of Journalism and Mass Communication
University of North Carolina at Chapel Hill
Published in the Journal of Interactive Marketing 16 (3)
(Cambridge, Mass.: John Wiley & Sons, 2002)
Abstract:
This paper analyzed whether bankrupt Internet companies can sell consumer database
information in their attempts to pay off creditors as mandated by Chapter 7
and Chapter 11 bankruptcy protection law. Such sales are in conflict with most
companies’ own posted privacy policies and, therefore, have been contested.
The question pits the commercial interests of creditors, which have as their
advocates bankruptcy court judges, against the privacy interests of consumers,
who have found allies in state attorneys general, privacy groups and foundations,
and the Federal Trade Commission. With no clear law preventing them, bankruptcy
trustees have attempted to sell the databases. Ultimately they agreed not to
sell by settling claims filed by the FTC and attorneys general. There is no
law specifically prohibiting such sales, and until specific legislation is passed,
bankruptcy court judges will continue to be left to rule on a case-by-case,
even a motion-by-motion basis, interpreting the United States Code to the best
of their ability. Their options are outlined and discussed.
End of abstract
One of the more colorful metaphors for the explosive growth of Internet e-commerce is that of the 1849 gold rush.[1] For Internet merchants, it’s been boom or bust, much as it was for the famous 49ers. In another parallel, those selling the high-tech pickaxes and panning plates – the e-commerce software tools – are perhaps the biggest winners.[2] In the bust column, many Internet companies once swimming in venture capital and sailing toward initial public offerings are simply shutting down. From January 2000 through the first half of November, 130 Internet companies closed, eliminating approximately 8,000 jobs.[3] The fallout hasn’t been gradual. As a result, law firms are rapidly and significantly staffing up their bankruptcy groups.[4]
While the vast majority of failed Internet companies simply unplugged and shut down, two high-profile e-retailers instead filed for bankruptcy protection. At the time of this paper, living.com[5] and Toysmart.com[6] were still negotiating their Chapter 11 liquidations in federal bankruptcy courts. Both companies were pure-play e-retailers, meaning they had no brick-and-mortar stores and sold only online on the Internet’s World Wide Web.[7] The ante was raised in March this year when political portal Voter.com shut down and announced it, too, would sell its database of personally identifiable information, including individuals’ party affiliations and political interests.[8] In conducting business via the Internet, these companies collected vast amounts of information on individuals, most of it voluntarily provided. What makes these three bankruptcy cases additionally unique is each defunct entity’s plan to sell as an asset its database of customer information to the highest bidder in its effort to pay off creditors.[9] Other Internet companies have filed for bankruptcy protection, but only these three published their intent to sell their customer database information to the highest bidders, realizing that the databases could very well be “the most significant asset in the bankruptcy cases.”[10]
The purpose of this paper is to analyze whether bankrupt Internet companies can legally sell during liquidation the personally identifiable information they collect about their customers and constituents when such sales would violate the companies’ own posted privacy policies. In both the living.com and Toysmart.com cases, the bankruptcy trustees proposing the sales were challenged. In Austin, Texas, living.com’s database sale was halted by the state’s attorney general, who sued under Texas’ Deceptive Trade Practices Act.[11] The case was quickly settled, with living.com’s trustee agreeing not to sell. In Massachusetts, Toysmart.com’s plans to sell consumer information sparked the first enforcement action by the Federal Trade Commission under the Children’s Online Privacy Protection Act (COPPA).[12] The action won agreement from Toysmart.com and its trustee not to sell its consumer database information, even though the database is considered Toysmart.com’s most valuable asset.[13]
This paper will examine the competing interests in these cases, the interests of the bankruptcy court judges, privacy advocates, regulatory agencies such as the FTC, Congress, and, of course, the consumers who daily provide information online, information that is in many cases private and sensitive. In the Toysmart.com case, for example, personally identifiable information included children’s special education needs and, in some cases, information regarding disabilities.[14] A look at pending privacy legislation addressing personally identifiable information will be included since Congress has repeatedly pledged to address protection of consumers’ privacy online.[15] Finally, this paper will include a discussion of potential solutions for the problems of the “unsettled world where Internet companies and their creditors and customers meet the bankruptcy process.”[16] Possible resolutions will be applicable both to bankrupt and operational e-retailers, since, as Texas Attorney General Jim Cornyn said, “It’s important that Internet companies respect peoples’ privacy rights, regardless of whether the company is in the black or in the red.”[17]
There is no comprehensive set of U.S. privacy law or regulations that addresses storage, transmission, use, or sale of personal information by the private sector.[18] And there are few rules about how personally identifiable information can be used, or to whom it can be sold.[19] State law on this issue is inconsistent and for many states nonexistent. Many states have little or no broad-based electronic privacy legislation. New York, for example, according to one attorney, “prohibits little more than electronic eavesdropping.”[20] What has evolved is a piecemeal approach to privacy that focuses on the uses of personal information rather than its collection, storage, mining, or publication.[21] Congress has elected to enact laws that apply to specific industries and address specific practices. Examples include:
· Fair Credit Reporting Act (FCRA) of 1970[22]
· Privacy Act of 1974[23]
· Cable Communications Act[24]
· Electronic Communication Privacy Act of 1994[25]
· Children’s Online Privacy Protection Act (COPPA) of 1998[26]
· Federal Trade Commission Act, section 5[27]
This piecemeal approach is in contrast to the European Union, New Zealand, Canada, Hong Kong, and Australia, which all have passed “omnibus data protection laws covering the full spectrum of uses of personally identifiable information.”[28] The result of the sectoral approach in the United States has been predictable: confusion among consumers and an inconsistent approach to privacy protection in the commercial sector. The Privacy Rights Clearinghouse based in San Diego, for example, published 22 guides and a 300-page book detailing for consumers where they do and do not have protection.[29]
The lack of specific legislation barring dot-com companies from selling their consumer database information, even when the same companies communicated to their customers via posted privacy policies that they would not, set the stage for the trustees for living.com and Toysmart.com to propose cash-raising database sales. Among the bankruptcy trustees’ and bankruptcy court judges’ primary concerns is paying off creditors.[30] Resolving how they do this with Internet companies is an issue of growing importance. Technology is propelling America “toward a cashless marketplace. . . . Personal and financial information flows into an endless maze of computer databases, documenting the daily lives of almost everyone.”[31]
The shot across the bow came in early summer when Toysmart.com announced with a full page ad in the Wall Street Journal[32] that it planned to sell its customer list and customer information even though it had a privacy policy assuring consumers it would not sell the information to a third party. (There was no mention of the privacy policy in the ad.) “When you register with Toysmart.com, you can rest assured that your information will never be shared with a third party,” the failed company’s posted privacy policy stated.[33] As one attorney wrote, “the contemplated sale of the customer information is as controversial as any issue affecting the failure of dot-com companies.”[34] The proposal ultimately drew fire from 41 state attorneys general[35] and the FTC, which has been consistent in attempting to protect consumer data privacy. In addition to its action in the Toysmart.com case, in which it filed suit to prevent the database sale,[36] the FTC sued Internet auction site ReverseAuction.com for spamming a rival’s customers.[37] At the time of this paper, Voter.com still was pursuing its database sale of information on more than 170,000 individuals.[38]
What has allowed the debate to drag on through the summer and into 2001 is the absence of omnibus data privacy protection legislation. As one privacy advocate told the New York Times regarding the FTC’s suit against Toysmart.com, “the problem would go away if we had a privacy law that required all companies to treat information fairly whether they got it in a fire sale or obtained it from the customers directly.”[39] The issue is certain to grow as bankruptcy activity increases. One attorney wrote that high technology, intellectual property and privacy will remain “at the epic center of bankruptcy law for the next few years.”[40]
Literature Review
The issue of privacy as it relates to bankrupt companies attempting to sell personally identifiable information has received only recent attention in law reviews and other academic journals. Since the living.com and Toysmart.com cases are still in the federal bankruptcy court system, and the Voter.com case is so recent, the courts have not yet definitively spoken. Attorneys and scholars are left to advise, caution, and recommend, which is precisely what they have done.
Those scholars and law practitioners who have written on the question are unanimous in asserting that protecting citizens’ online privacy is critical. Their reasons vary, however. For privacy law scholars, the issue is how rapidly the Internet and computer use are growing, and where these trends take people in terms of controlling who has what kinds of information about them, where they live, what they buy, and where they surf. As Debra Valentine, who has written prolifically about privacy and consumer protection, stated, “The Internet is unique in its ability to compile vast amounts of information with great efficiency at low cost.”[41] As the Internet expands, so does the potential to both acquire personal information and exploit it, Valentine asserted.
This growing power (and, therefore, potential danger) of the Internet is a point of near unanimity among scholars and attorneys writing on privacy. The power of the Internet and the World Wide Web to obtain, organize, and facilitate distribution of personal information is unprecedented.[42] Each and every Web site visit generates clickstream data.[43] Depending on a Web site’s sophistication, some can identify where the user came from, and, as the New York Law Journal pointed out, “where the user departs, what was looked at and for how long … even the user’s email address.”[44] Consolidate this information with what is voluntarily provided by consumers, such as credit card numbers, addresses, and demographic information, and the resulting user profile is a valuable, marketable package. Almost without exception, journal writers warned of this unprecedented power, while urging balance in the pursuit of privacy protection. There is a tension between a person’s desire for privacy and information necessary for a site’s basic operation and rendering of services.
For other writers, the concern for privacy protection is more a commercial one. Without proper safeguards in place, they argue, consumer confidence in the Internet will erode, thereby threatening the vibrancy of the Web and e-commerce. Corporate attorneys David B. Hamilton and Kelly J. Davidson, for example, encouraged e-commerce entities to be “proactive and develop and post privacy policies (to) bolster consumer confidence, thereby allowing businesses to take full advantage of the Internet as a global marketplace.”[45] But there is disagreement over just how much privacy protection is a good thing, at least from a commercial point of view. Kent Walker, an associate general counsel for Netscape Communications and America Online and formerly counsel to the deputy attorney general in San Francisco, argued that new and better privacy protections carry with them “implicit costs.”[46] Given Walker’s role as attorney for major browser and portal sites Netscape and AOL,[47] both of which promote community, chat, and commerce, it is not surprising that he argues for a liberal flow of personal information. A free flow fosters community and, therefore, the commercial interests of the Internet companies Walker represents.[48]
For cyberlaw attorney Jonathan Cody, the various reasons for protecting consumers’ privacy create a tension between the economic benefits of the Internet on the one hand and every citizen’s desire to keep personal information private on the other. The big question for Cody, and for many involved in observing the wrangling over the answer, is “who should be responsible for striking the balance?”[49] Beth Givens, director of the Privacy Rights Clearinghouse in San Diego, wrote that balance is up to groups like hers that educate consumers; to federal regulators like the FTC; to the industry itself, which should lead the way; and to legislation that hasn’t yet been enacted.[50] Several authors called on Congress to step in and consider legislation to achieve both privacy protection and commercial growth.[51]
The scholars and attorneys who have looked at the issue have almost unanimously called for some combination of industry self-regulation, a regulatory watchdog function performed by the FTC, and legislation. Where the legal observers differ is in their views of how sweeping potential privacy protection legislation should be. Some authors advise little legislation and instead “a proactive stance by electronic commerce entities.”[52] Others argue for a combination of industry self-regulation and “government vigilance,” since self-regulatory efforts have the danger of becoming a vehicle for collusion.[53] At the other end of the legislative activism spectrum, some scholars believe comprehensive privacy protection law is required given the stakes and the apparent failure of self-regulation thus far. “If the Internet age is truly the wave of the future,” attorney Jonathan Cody wrote, “consumer confidence will have to lead the way. As of now, that confidence is lacking because an effective regulatory regime is lacking.”[54] In fact, in a Wirthlin Worldwide public opinion survey conducted earlier this year, nearly 60% of those surveyed voiced support for legislation protecting their data privacy online versus allowing businesses to regulate themselves.[55] Cody went as far as recommending that Congress create a federal agency to deal with online privacy issues and the monitoring of companies on the Internet.[56]
For some scholars and practitioners, the United States need look no further for a legislative and regulatory model than the European Union, which in June 1998 addressed many of the privacy questions vexing U.S. companies today.[57] Marie Save de Beaurecueil, an attorney with expertise in transborder data flows, compared the European Union’s data protection policies with those in the United States and found U.S. information privacy controls the worse for the comparison.[58] But implementing legislation anything like the EU’s Data Directive would be staunchly opposed in the United States because of the time and expense associated with compliance.[59]
Finally, there exists in the literature a contingent of mostly corporate attorneys who have written that they feel the balance is already being struck by the industry itself, the living.com and Toysmart.com cases notwithstanding.[60] This group argued that although there have been indiscretions, such as Toysmart.com’s plan to auction off its consumer database, industry has done a good job. Debra Valentine, the FTC’s general counsel, for example, argued for the tandem of FTC governance and proactive industry self-regulation. The combination already has “increased privacy protection for consumers with great benefits for them and little cost to businesses.”[61] Robert Hoegle and Christopher Boam, attorneys specializing in telecommunications and new technology issues, cited Internet companies who have worked “aggressively to promote awareness of privacy issues and to develop voluntary online privacy practices.”[62] They pointed to the industry-led formation of the Electronic Commerce and Consumer Protection Group and to efforts to submit to the “audit and seal” organizations that scrutinize site privacy policies, organizations such as TRUSTe and BBBOnline.[63]
The legislative and judicial void in this area of privacy law has sparked a raft of class-action lawsuits filed by frustrated consumers.[64] This paper, too, is an attempt to address the void. It examines the pending federal legislation; the motion decisions by the bankruptcy court judges in the living.com and Toysmart.com cases; and the reports and statement papers released by the FTC on the specific issue of consumer databases, privacy policies, and bankrupt dot-com companies.
Research Questions and Methodology
The following research questions will be addressed in this paper:
1) What law and precedent govern bankrupt Internet companies interested in selling personally identifiable information?
2) What, if anything, is Congress doing to provide legislative clarity in this area of law?
3) Based on the two cases, the FTC’s actions and statements, Congress’ legislative intentions, and the efforts of attorneys general and privacy groups, what advice is suggested for Internet companies?
This paper will utilize traditional legal research methods, looking at the bankruptcy cases themselves; FTC reports and statements; the United States Code; and pending legislation in both the House and Senate, which both have deferred action until the next congressional session in January.
The law and bankrupt Internet companies
The U.S. Constitution gives Congress broad authority to establish uniform laws on bankruptcy, laws that apply to all the states.[65] That authority was used to create the Bankruptcy Code, which has as one of its foundational principles that the recovery of debts owed to creditors be maximized. The Toysmart.com trustee presumably evaluated the company’s database as one of its most valuable assets and, consistent with the role of a trustee, pursued its liquidation.[66] However, after being sued by the FTC for violation of the FTC Act’s prohibition on deceptive trade, and for violating the Children’s Online Privacy Protection Act, the trustee withdrew plans for the sale. But what if the auction proposal had gone forward? Without specific law relating to online privacy policies, the bankruptcy court judge likely would have referred to the Bankruptcy Code, §§363, 365 and 105. In §363, a bankrupt company can sell anything it actually owns. The question would become, who owns the personally identifiable information – the failed company or its former customers? If the judge rules the database the asset and sole property of the bankrupt company, its trustee seemingly would be free to sell it to the highest bidder, provided notice was given to affected consumers, according to the United States Code.[67] In fact, a trustee would have an obligation to sell as many assets of the estate as possible in an effort to pay creditors.
There is a problem, however, in §365, which may or may not include online privacy policies under its definition of an executory contract.[68] If the policies are considered by the court to be executory contracts, the trustee could legally sell the database provided the third-party buyer abided by the stipulations of the policy under which the information was collected. This application of the code is most often used with leases and rental agreements, which are frequently reassigned by trustees to recover funds.[69] The reasoning in applying this section of the code to customer databases would be to distribute the “negative financial effects” of a bankruptcy among the affected parties, including, in the Toysmart.com and living.com cases, the two companies’ customers. The trustee might consider the benefits customers received from the goods and services from the company as justification for distributing the negative effects.[70]
Since the Bankruptcy Code does not define executory contract, the best guidance on potential application of the term comes from Congress, which has concluded that an executory contract is one “on which performance remains due to some extent on both sides.”[71] An online privacy policy, then, would cease being an executory contract once the customer supplies the requisite information since no further “performance” is due. Another critical difference between privacy policies and leases, for example, is that most privacy policies explicitly state that the company soliciting the information will not sell it to a third party.[72] Toysmart.com, for example, stated that “[p]ersonal information voluntarily submitted by visitors to our site, such as name, address, billing information and shopping preferences, is never shared with a third party.”[73]
Though an executory contract definition would not seem to apply, bankruptcy judges can and do invoke the very broad authority granted them by the Bankruptcy Code to make rulings necessary to carry out the provisions of the code.[74] The judge in the Toysmart.com case, for example, showed every indication that he would allow the database sale despite privacy concerns and unfair trade practice claims asserted by the FTC.[75] The judge’s intentions will never be clearly known since Toysmart.com’s trustee withdrew plans for the sale in a settlement with the FTC. In January this year, Toysmart.com’s majority owner, Disney, agreed to pay $50,000 to have the customer records destroyed.[76]
The FTC got the settlement by filing a complaint against the toy e-retailer, showing that the agency will fight bankrupt companies that attempt to sell personal information.[77] Asserting its jurisdiction in the matter, the FTC claimed that Toysmart.com’s intent to sell the information violated § 5 of the Federal Trade Commission Act, which prohibits “unfair or deceptive acts or practices in or affecting commerce.”[78] The FTC asserted that the defendant had represented that it would never disclose, sell, or offer for sale the contested information, then proceeded to do all three. These are deceptive practices, the FTC argued.[79] And the FTC has been consistent on this point, filing complaints also against dot-coms GeoCities and ReverseAuction.com for similar practices.[80] The FTC filed its first enforcement action under the COPPA[81] against Toysmart.com, also for violating the e-retailer’s own stated privacy policy.[82]
Had the plan not been withdrawn, what precedent could have guided the bankruptcy court in allowing or prohibiting the sale and either in agreeing with the FTC or denying its claims? The short answer is none. There do not appear to be any reported decisions specifically concerning this issue. There are a number of cases, however, involving non-Internet companies filing for bankruptcy protection and seeking to sell customer, client, patient, or member information.[83] The critical difference between those cases and the three discussed here is the appearance of explicit statements in the privacy policies of the failed Internet companies pledging they would not sell or disclose the customer information. And it is this contradiction that results in deceptive trade practices, according to the FTC.
The contradiction is also viewed as a deceptive trade practice by some state attorneys general, including Texas Attorney General Jim Cornyn. When living.com announced it, too, would attempt to sell its customer database,[84] Cornyn immediately filed suit.[85] His office’s claim was that the sale violated the Texas bankruptcy code’s Deceptive Trade Practices Act.[86] The living.com trustee settled with Cornyn within hours and canceled her planned database sale.[87]
Another area of the law relevant to these bankruptcy cases concerns consumers who have banded together to file class-action suits against dot-com companies, both solvent and not, claiming that breach of a privacy policy is fraud, or a tort.[88] The court-appointed bankruptcy trustee in the living.com case said the reasons she and trustees in similar positions haven’t yet tested the law on this issue are fears of consumer-initiated litigation and a desire not to tangle with state attorneys general.[89] Perhaps the single greatest deterrent to the sales of customer databases is not the law or the courts, but fear of time-consuming, expensive litigation.
Action on Capitol Hill
There is great room for legislative action since privacy law is a patchwork and, therefore, confusing. Many privacy groups are calling for Congress to act on and to listen to consumer concerns regarding the information companies collect about their customers.[90] Though Congress adjourned the last session without settling this critical issue, no fewer than 16 bills have been introduced and are at various stages of deliberation in the 107th Congress. Key congressional leaders such as John McCain (R-AZ) and Patrick Leahy (D-VT), among others, have made Internet privacy a key part of their legislative agendas. Mergers like the one between America Online and Time Warner have only increased attention to this issue.[91] Taken together, the bills Congress is considering would dramatically restrict the sharing or selling of customer information.
A sampling of online-privacy bills introduced this year:
Several bills from the last session also are in committee. The Privacy Policy Enforcement in Bankruptcy Act of 2000, sponsored by Sen. Leahy, is perhaps the most specific legislation on the issue under examination here. Introduced in July last year, this act is a proposed amendment to the Bankruptcy Code (Title 11 of the United States Code) to exclude “personally identifiable information from the assets of a debtor in bankruptcy.”[96] That is all the very tersely worded amendment proposes. If passed, the amendment would prevent database sales like the ones examined here. But removing customer databases from an estate could create new confusion. If such a database were not an asset, then neither a trustee nor the bankruptcy court would have control over it. Who would? The bill, which has been referred to the Judiciary Committee, does not indicate an answer. It might be left to the FTC to request that a bankruptcy court have the customer database destroyed, an action the court would be authorized to order under the FTC Act.[97]
If passed this year, the Online Privacy Protection Act would limit how Web sites and Internet companies collect and disseminate personally identifiable information without an individual’s consent.[98] This bill, written to supplement COPPA, would require that companies post their information use and collection policies. It would also permit individuals to opt out of personal information databases and/or their disclosure or transfer to a third party. Though the bill, if it became federal law, would preempt state laws, it would allow state attorneys general to bring suits on behalf of state residents. Though it doesn’t specifically mention bankruptcy proceedings, as with other law, the FTC could apply it to failed companies. In short, this proposed act would add little to the options already available to the FTC, state attorneys general, and bankruptcy court judges trying to weigh conflicting interests in cases like those under examination here.
Sen. Conrad Burns (R-MT) introduced the bill in April 1999, when it was referred to the Senate Commerce Committee. Since then, hearings on the bill have been held in the subcommittee on communications and, in October, in the Senate Committee on Commerce, Science, and Transportation. No action has been taken.[99]
Though the most recently introduced, the Consumer Internet Privacy Enhancement Act is redundant of provisions in other, previously introduced bills. The main purpose of Sen. McCain’s proposal is to require Web sites to provide notice of
· what information they or a third party is collecting
· the identity of who is collecting
· a description of how they will use the information
· potential recipients of the information, and
· what security measures are being taken.[100]
This bill, too, does not specifically mention bankruptcy. And it does not restrict the sale of customer database information; it requires only that individuals receive notice. But the bill does stipulate that “the opportunity provided to users to limit use and disclosure of personally identifiable information shall be easy to use, easily accessible, and shall be available online.”[101] If a database went up for sale, individuals would have legal recourse to easily remove information about them from the database. Civil penalties are set at $22,000 per violation per day of a continuing violation.[102]
The House is considering seven Internet privacy protection acts. Key bills include the Consumer Internet Privacy Protection Act of 1999, which recommends regulation of the use by interactive computer services of personally identifiable information provided by subscribers.[103] The bill also would give individuals the right to learn what information is being kept about them. Specific to the Toysmart.com and living.com cases, the bill would prohibit disclosure “to a third party any personally identifiable information” without permission from the individuals concerned. But the bill only proposes to cover interactive computer services, or “any information service that provides computer access to multiple users via modem to the Internet.”[104] It would only come into play when such a service provider is the bankrupt company or was used by the bankrupt company in its information collection. Introduced in January 2000 by Rep. Bruce Vento (D-MN), the bill was referred to the House Commerce Committee and then to the subcommittee on telecommunications, trade, and consumer protection, where it remains.
Another bill that would require commercial Web sites to provide notice of their data policies is the Internet Growth and Development Act introduced by Rep. Rick Boucher (D-VA) in May 1999.[105] The bill would require that “any person operating a commercial Internet website … clearly and conspicuously provide notice of its collection, use, and disclosure policies with regard to personally identifiable information.”[106] Unfortunately, the bill doesn’t go any further than requiring notice. It doesn’t seek to regulate what a company does with the information or how it goes about collecting it, only that it provide notice of these activities. And it doesn’t prescribe an opt-out for individuals. The bill has been referred to both the Commerce Committee and the Judiciary Committee, where preliminary hearings have been held.
The Personal Data Privacy Act of 1999, introduced in July 1999 by Rep. Maurice Hinchey (D-NY)[107] and covering all levels of government, is an ideal template for the type of legislation that is needed in the private sector. Specifically, the bill would “prohibit Federal, State, and local agencies and private entities from transferring, selling, or disclosing personal data with respect to an individual to other agencies or entities without the express consent of the individual.”[108] The bill goes further than other proposed legislation in including a requirement that individuals receive a report once annually detailing the data collected on them, whether they request the report or not. A private sector bill with these provisions would be powerful.
Another potentially powerful piece of legislation could come out of the proposed Electronic Privacy Bill of Rights Act, which Rep. Edward Markey (D-MA) sponsored and introduced in November 1999.[109] This comprehensive bill would aim to prevent unfair and deceptive practices in the collection and use of personal information, prohibiting a long list of practices and setting up detailed regulatory procedures and punitive remedies. This proposed bill has been called “the 1000-pound gorilla of privacy bills … a techno-phobic collection of prohibited acts, regulations and punishments.”[110] But the proposed legislation deals with only solvent companies and the collection and use of data. It is silent on insolvent companies and third-party distribution of personally identifiable information. Even if passed, this bill would provide no relief to individuals included on a database contested in a bankruptcy case. It has been referred to several committees and subcommittees, including ones on commerce, banking, transportation, aviation and agriculture. No action has yet been taken.[111]
Finally, an amendment has been added to the bankruptcy reform bill that cleared the Senate on March 15 that would bar bankrupt Internet companies from selling consumer data if they had previously pledged to keep the information private. It is possible the Bankruptcy Reform Act of 2001[112] will combine with the House version of personal bankruptcy reform, the Bankruptcy Abuse Prevention and Consumer Protection Act of 2001,[113] for law on this issue sometime this year.[114] It isn’t possible to tell, however, whether the amendment protecting individuals who supplied information under the strictures of a posted privacy policy will survive the process. The amendment, Section 232 of the Senate version, requires a hearing if a trustee intends to sell or lease personally identifiable information and requires that an ombudsman be appointed by the court to protect consumers’ privacy.[115]
In short, none of the main privacy bills would do much to fill the void in the law that enabled companies like Toysmart.com and living.com to attempt to sell Internet customer databases. Though legislators like Leahy, McCain and Markey have led the charge in terms of protecting privacy via the Internet, the specific issue addressed in this paper will remain unresolved from a legislative point of view. However, as bills in this area multiply, and as the issue recurs in bankruptcy court, a bankruptcy-specific piece of legislation could result in the long term. The FTC thinks so. In a complete reversal of its publicly stated position, the FTC in May of this year called on Congress to pass legislation to empower it to pass rules controlling how companies use the data they collect, allowing individuals to access and correct the data, and requiring security measures.[116] Previously, the FTC argued only for industry self-regulation and a hands-off approach from Congress.[117]
Since the database sales examined here were withdrawn under pressure and not because of rulings by either bankruptcy court judge, precisely what is legally possible when selling off a dot-com’s assets is unknown. But since the two bankruptcy judges did not rule to stop the sales after the trustees’ intentions were made known, it is possible the Court would allow them to go forward, interested mainly in the disposal of assets and in seeing creditor debts paid down. Precedent is of little help. And Congress in all probability will continue its patchwork approach to privacy law, at least in the short term. It is known with specificity only what the FTC finds objectionable.
As one legal reporter put it, “as new as the concepts of e-retailing and on-line privacy are to many lawyers, even newer is the unsettled world where Internet companies and their creditors and customers meet.”[118] Based on the findings on the first two questions, what advice can be offered to Internet companies, especially bankrupt ones, regarding what to do with their customer databases? After all, creditors want their money. In the Toysmart.com case, creditors are owed approximately $25 million,[119] and in the living.com case they are due more than $42 million.[120] But on the other side of the issue, supported by attorneys general, the FTC, and online privacy monitoring groups, consumers do not want information about them disclosed or sold, especially since they provided the information with the assurances of posted privacy policies that such disclosures would not occur. In the middle are trustees, charged with recovering as much money as possible, and bankruptcy court judges, who attempt to resolve the competing interests before them.
The best advice for Internet companies, whether solvent or not, would be to abide by their own posted privacy policies, or simply to have no privacy policy at all. (Of course, if a company wants to inspire confidence in potential customers, there is great incentive in protecting their privacy.) As some of the Internet’s founders themselves wrote, “The (Internet) can flourish only if all participants respect information privacy. Information privacy is an individual’s claim to control the terms under which personal information … is acquired, disclosed, and used.”[121] The founders recommended to those collecting personal information that they state clearly why they are collecting it; what it will be used for; what steps are being taken to protect confidentiality, integrity and quality; the consequences of withholding information; and rights of redress.[122] Privacy policies, which shouldn’t be buried behind a hyperlink in 8-point type, need to say what they mean and mean what they say. If the database must be sold, the original policy stipulations should remain in place, and individuals represented in the database should be given an immediate opportunity to opt out. As the Internet’s early developers wrote, the company or organization collecting the personal information should not use it “in ways that are incompatible with the individual’s understanding of how it will be used,” and if it does, “the user must first notify the individual and obtain his or her … consent.”[123] The advice, disseminated as part of a treatise more than five years ago, when the Internet’s commercialization was just beginning, still holds true today.
[1] Denise Caruso, Digital Commerce: Personal Information Is Like Gold in the Internet Economy, N.Y. Times, Mar. 1, 1999, at C4. Caruso wrote: “Personal information, user habits and preferences and data amounts to gold in Internet currency, and the rush to get it has been on for a few years.”
[2] Jo Fleischer, Putting the pieces together: Propel to create new B2C software platform, Ecommerce Business Mag., May 1, 2000, at 47. U.S. spending on e-commerce software projected to grow from $3.1 billion in 1999 to $7.8 billion in 2000. U.S. spending on application integration, e-commerce package implementation and custom development projected to grow to $20.0 billion in 2001, a 63% increase over 2000’s projected $12.3 billion. Numbers attributed to Forrester Research, Cambridge, Mass.
[3] Katie Motta, Dot-com Flop Tracker, The Standard Online (2000), at http://www.thestandard.com/article/display/0,1151,15970,00.html#Q3_2000.
[4] David Kuney, Dot-Com and High-Technology Companies: Nuclear Waste and Chapter 11?, 17 COMPUTER LAWYER 8, 25, 25-28 (2000).
[5] In re living.com, Inc., Chapter 11 Case No. 00-12522 (Bankr. W.D. Tex., Aug. 29, 2000).
[6] In re Toysmart.com LLC, Chapter 11 Case No. 00-13995-CJK (Bankr. N.D., Mass. June 9, 2000).
[7] Ian Winship & Alison McNab, Student’s Guide to the Internet 145-151 (2nd ed. 1998). According to the GUIDE, the Web refers to that part of the Internet consisting of hypermedia and requiring a browser to view its pages. A browser is software to view Web pages and documents. Examples are Netscape Navigator and Microsoft Internet Explorer.
[8] Keith Perine, Privacy’s Price, The Industry Standard, March 26, 2001, at 52.
[9] Matt Richtel, FTC Moves to Halt Sale of Database at Toysmart, N.Y. Times Online, July 10, 2000, at http://www.nytimes.com/2000/07/11/technology/11toysmart.html.
[10] Larren M. Nashelsky, On-Line Privacy Collides with Bankruptcy Creditors, 224 New York L.J., Aug. 28, 2000, at S1.
[11] Jim Cornyn, Cornyn Announces Privacy Settlement with Living.com, Press Release (Sept. 25, 2000), at http://www.oag.state.tx.us/newspubs/releases/2000/20000925living.com.htm (accessed Oct. 18, 2000). Cornyn cited Tex. Bus. Com[m]. Code Ann. [ ] § 17 (Deceptive Trade Practices – Consumer Protection Act enacted Acts 1973, 73d Leg., Ch. 143, § 1, at 322).
[12] FTC Files First Enforcement Action Under New Child Privacy Law, 17 Computer & Online Ind. Litigation R., Aug. 1, 2000, at 9. FTC cited 15 U.S.C. § 6501-6505. (FTC rules implementing COPPA apply to Web sites directed at children that collect personal information. They require the sites to prominently and repeatedly post their information policies; to list a contact; to detail the kinds of information collected, how it is to be used, and whether it will be disclosed to third parties and under what conditions.)
[13] Michael Brick, Judge Overturns Deal on Sale of Online Customer Information, N.Y. Times, Aug. 18, 2000, at http://www.nytimes.com/2000/08/18/technology/18toys.html.
[14] See Toysmart.com LLC, Chapter 11 Case No. 00-13995-CJK (Bankr. N.D., Mass. June 9, 2000).
[15] Heather Fleming Phillips, Key legislators vow to handle Net privacy, The News & Observer, Oct. 10, 2000, at 1D.
[16] Nashelsky, supra note 9, at S1.
[17] Telephone interview with Jim Cornyn, Texas Attorney General (Oct. 4, 2000).
[18] Robert M. Finkel & Tucker McCrady, Facing the Web’s phantom menace: understanding online privacy fears, and how e-businesses can respond, 3 J. of Internet Law 9-12 (2000).
[19] Id. at 9.
[20] Id. at 9. citing N.Y.P.L. §250.00 seq. (McKinney 1996).
[21] Seth Safier, Between Big Brother and the Bottom Line: Privacy in Cyberspace, 5 Va. J.L. & Tech., at http://www.vjolt.net/vol5/issue2/v5i2a6-Safier.html (2000).
[22] 15 U.S.C. §1681. (Regulates collection and use of personal information by consumer reporting agencies.)
[23] 5 U.S.C. §552. (Broad restriction on the use of information by government agencies.)
[24] 47 U.S.C. § 551 (Requires cable TV companies to provide annual notification to subscribers regarding the use and disclosure of their personal information).
[25] 18 U.S.C. §2510. (Wiretap restrictions extended to digital media; prohibits disclosure of transmitted information to government).
[26] Pub. L. No. 105-277, 112 Stat. 2681-2736 (1998). (Requires parental consent before a Web site can request from a child under 12 years of age any information that could identify or locate the child.)
[27] 15 U.S.C. §45 (Gives FTC authority to police unfair or deceptive acts or practices in commerce).
[28] Beth Givens, Privacy in the New Millennium: A Practical Exploration of the Internet and its Impact on Privacy, 16 Santa Clara Computer & High Tech. L. J. 348, 348-355 (2000).
[29] Id. at 349.
[30] Telephone interview with Lisa Poulin, attorney with PricewaterhouseCoopers and bankruptcy trustee for living.com (Oct. 2, 2000).
[31] Bryan Schultz, Electronic money, Internet commerce, and the right to financial privacy: a call for new federal guidelines, 63 U. Cin. L.R. 779, 797-808 (Spring 1999).
[32] Richtel, supra note 8.
[33] Jane K. Winn & James R. Wrathall, Bankruptcy Law: Internet customer databases, 23 The National Law Journal 4, Sept. 18, 2000, at B8.
[34] Nashelsky, supra note 9, at S1.
[35] Cornyn, supra note 10.
[36] FTC Files First Enforcement Action Under New Child Privacy Law, 17 Computer & Online Ind. Litigation R., Aug. 1, 2000, at 9.
[37] Debra Valentine, Privacy on the Internet: the evolving legal landscape, 16 Santa Clara Computer & High Tech. L.J., 401, 407-408. ReverseAuction.com registered as a user on the rival eBay site, then sent spam (Winship & McNab, supra note 7, at 150, defines spam as the “Internet version of junk mail”). ReverseAuction.com then used eBay user emails to market its own auction site. The “spamming” violated eBay’s user agreement and privacy policy. ReverseAuction.com settled with the FTC and agreed to cease the practice and comply with eBay’s and other companies’ posted policies.
[38] Perine, supra note 8.
[39] Brick, supra note 12.
[40] Kuney, supra note 3, at 25.
[41] Debra Valentine, About Privacy: Protecting the Consumer on the Global Information Infrastructure, 1 Yale Symp. L. & Tech. 1, 1-16, at http://lawtech.law.yale.edu/symposium/98/speech_valentine.htm (1999).
[42] Id. at 1.
[43] Clickstream data include paths a user takes navigating the Web, or the pages and sites a user views, the length of time pages and sites are viewed, and the sequence in which pages and sites are viewed.
[44] Finkel, supra note 17, at 15.
[45] David B. Hamilton & Kelly J. Davidson, Congress, e-businesses focus on privacy issues; self regulation may be key to ensuring privacy online – and to keeping out the feds, 22 National L.J., Dec. 10, 1999, at B10. (The authors’ point is underlined by a recent Forrester Research survey of 400 Web shoppers that showed that “the more satisfied Web buyers are with a site’s privacy policy, the more comfortable they will be when they shop at that site,” according to Christopher Kelly, a Forrester analyst quoted in the Oct. 12, 2000, edition of eCommerceBusiness magazine daily accessed same day at http://www.ecommercebusinessdaily.com.)
[46] Kent Walker, Where Everybody Knows Your Name: Balancing Community, Commerce, and Freedom in Information Exchange, Stanford L.R. Working Paper (2000) at http://stlr.stanford.edu/STLR/Working_Papers/00_walker_1/index.htm.
[47] Netscape is a subsidiary of AOL.
[48] Walker, supra note 44.
[49] Jonathan Cody, Protecting privacy over the Internet: has the time come to abandon self-regulation?, 48 Cath. U. L. Rev. 1183, 1183-1188 (Summer 1999).
[50] Givens, supra note 27, at 354-55.
[51] See Schultz, supra note 30; Finkel, supra note 19.
[52] Hamilton and Davidson, supra note 43.
[53] Valentine, supra note 39.
[54] Cody, supra note 48, at 1235.
[55] The Wirthlin Report, January 2001, Wirthlin Worldwide, McLean, Va. Results of the National Quorum public opinion survey conducted by telephone Jan. 9-22, 2001.
[56] Cody, supra note 48, at 1234.
[57] Commission Says U.S. Data Protection Is Adequate for E.U., Agence France-Presse, July 27, 2000, at http://www.nytimes.com/pages-technology/index.html. (EU’s Data Protection Directive provides that personal data can only be transferred to third countries that provide data protection equal to or better than the sending and receiving countries).
[58] Marie Save de Beaurecueil, Regulating information privacy: a comparative study of data protection policy in the United States and the European Union, 3 J. of Internet L. 21, 21-33 (Dec. 1999).
[59] Eric Sinrod & Barak Jolish, Controlling Chaos: Emerging Area of Privacy Speech and Cyberspace 1 Stan. Tech. L.R. (2000), at http://www.stlr.standord.edu/STLR/Articles/99_STLR_1.
[60] See Hamilton & Davidson, supra note 43; Walker, supra note 47; Valentine, supra note 42; and Robert L. Hoegle & Christopher Boam, Putting a premium on privacy protection policies: Web businesses and lawmakers address consumer concerns about use of personal data, 22 Nat’l L.J., Aug. 21, 2000, at C8.
[61] Valentine, supra note 39, at 9.
[62] Hoegle & Boam, supra note 58, at C8.
[63] Id. at C8.
[64] Brenda Sandburg, Class action lawyers take aim at privacy policies of dot-coms: several plaintiffs’ firms, including two in New York, lead the charge, 223 N.Y.L.J., June 29, 2000, at 2.
[65] U.S. Const. Art. 1 § 8, c. 4.
[66] See Toysmart.com LLC, Chapter 11 Case No. 00-13995-CJK (Bankr. N.D., Mass. June 9, 2000).
[67] 11 U.S.C. §363.
[68] Black’s Law Dictionary 261 (7th ed. 1999). An “executory contract” in bankruptcy is one “under which debtor and nondebtor each have unperformed obligations and the debtor, if it ceased further performance, would have no right to the other party’s continued performance.”
[69] Nashelsky, supra note 9, p. S5.
[70] See Leonard v. General Motors Corp., 13 F.3d 674, 678 (3d Cir. 1994).
[71] H.R. Rep. No. 595, 95th Congress, 1st Sess. 347 (1977).
[72] See Furniture.com’s privacy policy, at http://www.furniture.com. Prior to company shutting down, online policy stated, “We do not sell, rent, share, trade or give away any of the information you provide to us except to the financial institutions processing your payment or your financing application and the manufacturers/shippers that produce and/or deliver your order.”
[73] See FTC v. Toysmart.com, Case No. 00-11341-RGS, (No. 9.) (Bankr. D. Ma. 2000).
[74] 11 U.S.C. §105.
[75] Richtel, supra note 8.
[76] D. Ian Hopper, Settlement made in Toysmart case to protect customer names. digitalMass.com, Jan. 11, 2001, at <http://www.digitalmass.boston.com/news/daily/01/011001/toysmart_update.htm>.
[77] See FTC v. Toysmart.com, Case No. 00-11341-RGS (Bankr. D. Ma. 2000).
[78] 15 U.S.C. § 45(a).
[79] See FTC v. Toysmart.com, Case No. 00-11341-RGS (Count 1, Nos. 14., 15., 16.) (Bankr. D. Ma. 2000).
[80] See FTC v. GeoCities, Case No. C-3849 (Final Order Feb. 12, 1999) and FTC v. ReverseAuction.com, Case No. 000032 (D.D.C.).
[81] FTC answers FAQs about COPPA at http://www.ftc.gov/privacy/coppafaqs.htm#enforce.
[82] FTC v. Toysmart.com LLC and Toysmart.com, Inc., Civil Action No. 00-11341-RGS (Count II) (Bankr. D. Ma. 2000). FTC claimed violation of COPPA, 15 U.S.C. § 6501 by collecting personal information from children under age 13 without obtaining the consent of the children’s parents.
[83] See Cult Awareness Network, Inc., 205 B.R. 575 (Bankr. N.D. Ill. 1997).
[84] See living.com, Inc., Chapter 11 Case No. 00-12522 (Bankr. W.D. Tex., Aug. 29, 2000).
[85] Jim Cornyn, Cornyn Announces Privacy Settlement With Living.com, Press Release (Sept. 25, 2000), at http://www.oag.state.tx.us/newspubs/releases/2000/20000925living.com.htm.
[86] Tex. Bus. Com[m]. Code Ann. [ ] § 17 (Deceptive Trade Practices – Consumer Protection Act enacted Acts 1973, 73d Leg., Ch. 143, § 1, at 322.)
[87] Brian Carroll, Living.com agrees not to sell consumer data, Furniture/Today, Oct. 2, 2000, at 73.
[88] Associated Press, Toy Site Sued Over Privacy Concerns, N.Y. Times, Aug. 4, 2000, at http://www.nytimes.com. (Class-action suit filed by customers against Toys R Us for disclosing consumer information to market researchers in violation of its posted privacy policy.)
[89] Poulin, supra note 29.
[90] See mission statements for and white papers by organizations such as Privacy.Net (at http://www.privacy.net), The Electronic Privacy Information Center (at http://www.epic.org), and The Privacy Page (http://www.privacy.org).
[91] In response, AOL Time Warner, Intel, and other large companies have endorsed requiring Web sites to post their privacy policies and give consumers a chance to opt out of data collection. (Edmund Sanders, Firms Renew Assault on Privacy Rules; Legislation: Consumer Data Protections, Which Once Seemed Inevitable, Now Are Under Fresh Attack by Lobbyists. The Los Angeles Times, March 27, 2001, at C1.)
[92] H.R. 89, 107th Cong. (2001).
[93] H.R. 237, 107th Cong. (2001).
[94] H.R. 347, 107th Cong. (2001).
[95] H.R. 583, 107th Cong. (2001).
[96] Privacy Policy Enforcement in Bankruptcy Act of 2000, S. 2857, 106th Cong. (2000). Personally identifiable information in Leahy’s bill is defined as “any compilation or record in electronic or any other form of such information, including a first and last name … a home or other physical address … an e-mail address; a telephone number; a Social Security account number; a credit card number; a birth date … or any other identifier that permits the physical or electronic contacting of a specific individual.”
[97] See § 13(b) of the FTC Act, 15 U.S.C. § 53(b), which authorizes the court to grant injunctive and other ancillary relief, to prevent and remedy any violations of any provision of law enforced by the Commission.
[98] Online Privacy Protection Act of 1999, S. 809, 106th Cong. (1999).
[99] S. 809, 106th Cong. (1999).
[100] Consumer Internet Privacy Enhancement Act, S. 2928, 106th Cong. (2000).
[101] Id. at § 2 (b) (1) (H) (3).
[102] Id. at § 3 (f).
[103] Consumer Internet Privacy Protection Act of 1999, H.R. 313, 106th Cong. (1999).
[104] Id. at § 4(1).
[105] Internet Growth and Development Act, H.R. 1685, 106th Cong. (1999).
[106] Id. at Title III, § 301.
[107] Personal Data Privacy Act of 1999, H.R. 2644, 106th Cong. (1999).
[108] Id. § 1.
[109] Electronic Privacy Bill of Rights Act of 1999, H.R. 3321, 106th Cong. (1999).
[110] Tech Law Journal, Oct. 9, 2000, at http://www.techlawjournal.com/cong106/privacy/Default.htm.
[111] H.R. 3321, 106th Cong. (1999).
[112] S. 220, 107th Cong. (2001).
[113] H.R. 333, 107th Cong. (2001).
[114] Perine, supra note 8.
[115] S. 220, Sec. 232(b)(1), 107th Cong. (2001).
[116] Privacy Online: Fair Information Practices in the Electronic Marketplace: FTC Rep. to Cong., Oct. 9, 2000, at http://www.ftc.org/os/2000/2005/pt052300.htm.
[117] Self-Regulation and Privacy Online: Hearing Before House Subcomm. on Telecomm., Trade, and Cons. Prot., Comm. of Commerce, 106th Cong. (2000) (prepared statement of FTC), at http://www.ftc.org/os/1999/9907/pt071399.htm.
[118] Nashelsky, supra note 9, at S1.
[119] Id. at S1.
[120] Brian Carroll, Living.com pulls plug, Furniture/Today, Aug. 21, 2000, at 1.
[121] Privacy Working Group, National Information Infrastructure Task Force Report on Personal Privacy, Sect. I. A. 2. (1995), accessed at http://ntiaunix1.ntia.doc.gov:70/0/papers/documents/niiprivprin_final.html.
[122] Id. at § II. B.