Image: Barneys

Why have companies been scrambling to snatch up bankrupt retailers like Forever 21, Brooks Brothers, and Barneys, and in many cases, paying tens – if not hundreds – of millions of dollars to do so? Brand recognition – which is directly linked to companies’’ intellectual property rights (namely, their trademarks) – and prime brick-and-mortar real estate is certainly a draw. As Authentic Brands Group head Jamie Salter told CNBC this week, he is on the hunt “for crippled businesses with good real estate and international recognition” to add to his swiftly growing portfolio, which consists of Barneys, Forever 21, Aeropostale, and soon Brooks Brothers, among many other fashion/retail properties. 

But real estate and intellectual property is only part of the draw. A driving force that is enticing bidders to put up cash for ailing businesses goes beyond that. In many of these big bankruptcy sales, a significant asset that changes hands is a slew of customer data points – from shoppers’ physical addresses and their email addresses to things like demographic characteristics and their purchase histories with that particular company. That is what experts say is at stake in a lot of these headline-making acquisitions. 

“Lists are not hard to get, but lists that are connected to a brand that I own, I can’t go buy that as easily,” Ramez Toubassy, brands president with Gordon Brothers, which acquired Laura Ashley in April, told NBC News. “You gain tremendous value by having conversations with customers who already have a relationship with that brand.” More specifically, “Knowing somebody has bought my product and knowing what they bought and knowing when and why they bought it puts me in a better position to sell them more products.” 

Given the value tied to such customer data, especially in light of ever-increasing reliance on e-commerce by consumers across the globe, it should not be surprising that bankruptcy bidders are focusing their attention there. “In a digital economy, information can be more valuable than tangible assets,” Covington partner Michael Baxter asserts. (According to the U.S. Chamber of Commerce, as reported by the Wall Street Journal, “Intangible assets accounted for more than 80 percent of the total $25 trillion in assets of S&P 500 companies as of 2018, with the value of intellectual property in the U.S. amounting to about $6.6 trillion).

“Personal information about consumers,” in particular, Baxter says, “is highly valued, as businesses and marketers increasingly seek ways to target consumers with specific demographics and interests.” At the same time, there is an inherent push-and-pull at play when dealing with this type of information. He notes that “when a debtor wishes to sell off the personal information it has collected from consumers,” including as part of a bankruptcy sale, “a tension is created between the debtor’s interest in maximizing the value of its assets and the consumer’s interest in privacy.” 

As for whether that tension means that companies are – or are not – able to freely sell off consumer data, the legality of the situation is not always straightforward. “When a business becomes a debtor, the sale of personal information can be problematic,” according to Céline M. Guillou, a corporate attorney at Hopkins & Carley in Palo Alto.

The legality of selling data

There are a few key ways that such a scenario could play out. In the simplest potential situation, a company’s privacy policy – which serves as the primary guide for determining whether consumer information can be legally sold – will include a provision stating that consumer information may, in fact, be sold.

As NBC’s Leticia Miranda reports, “Lord & Taylor includes a clause in its privacy policy that tells customers their information is considered a company asset and may be sold or transferred to third parties.” While the company initially sets out in its terms that it “will never sell or rent your personal information to third parties,” the caveat comes later in the company’s terms when it states that “during the normal course of our business, we may sell or purchase assets. If another entity acquires all or a part of a business owned or operated by us or [our parent company] Le Tote, information we have collected about you may be transferred to such entity.” In short: newly-bankrupt Lord & Taylor is well within its rights to take the information provided to it by its customers, and sell or transfer it to a third party (or parties) as part of an acquisition.

Moving beyond that type of case, there is a likelihood that a company’s ability to sell off consumer information is not so clear-cut. After all,  Guillou states that “while most technology companies, which are accustomed to doing business online, have been more proactive about ensuring that they have privacy notices and the proper disclosures posted to their websites, this is often not the case with [primarily] brick-and-mortar businesses, such as retailers.” 

With that in mind, there is a chance that a company’s policy contains a provision that prohibits it from selling consumer data, or that fails to explicitly reserve the right to sell such data. If that is the case, a retailer may not be entirely out of luck should it want to sell off data as part of its bankruptcy deal (and it will likely want to given that such data is playing a large part in these bankruptcy valuations). Pointing to Section 363(b) of the U.S. Bankruptcy Code, Guillou says that “ a debtor that has a privacy notice prohibiting the transfer of personally identifiable information may not use, sell or lease such information other than in the ordinary course of business unless: (1) the use, sale or lease is consistent with the terms of the privacy notice or (2) after a consumer privacy ombudsman appointed by the court finds that … the sale would not violate applicable non-bankruptcy laws.”

Additional issues when it comes to the terms set out in a company’s policy may arise in connection with how “the sale language is specifically worded, the nature of the purchaser, and, importantly, the number of prior versions of the privacy notice,” all of which could become impediments to effortlessly transferring users’ personal information in a sale, per Guillou.

The number and the content of prior versions of a company’s privacy notice becomes important if a company’s current privacy policy explicitly gives it the right to sell data, but prior versions maintained conflicting language. What then?

Baxter states that in such a scenario, “the Federal Trade Commission has made it clear that a debtor’s privacy policy on the bankruptcy petition date is not the only privacy policy that matters, [and] there are circumstances in which the personal information collected by the debtor may be subject to representations in prior privacy policies.” For example, he suggests that “if a consumer has submitted personal information [to a company] pursuant to a privacy policy that either prohibits its sale or fails to disclose that such information may be sold or transferred, the consumer’s information may not be sold unless the consumer has consented to any subsequent change in the privacy policy to permit such a sale. 

Muddy waters

The waters can still be muddied further because companies are not only bound by their own privacy policies (both current and pre-existing ones); privacy-specific laws, including the European Union’s GDPR, and the California Consumer Privacy Act of 2018 (“CCPA”), are also relevant considerations.

The CCPA, for instance, not only gives consumers the right to “ask businesses to disclose what personal information they have about them and to delete [any] personal information” they have; it also requires that data-collecting businesses alert consumers if they plan to sell that data. Under the CCPA, consumers can opt-out of having their information sold. However, it is worth noting that the CCPA enumerates certain exceptions to that opt-out, according to a Skadden note on the CCPA, including in cases when “the personal information is an asset that is part of a merger, acquisition, bankruptcy or other transaction in which the third-party assumes control of all or part of the business,” assuming, of course, that the business complies with CCPA disclosure requirements.

These are not necessarily novel issues faced by businesses. “Over a decade ago, Congress addressed the privacy of personal information in bankruptcy sales in the 2005 amendments to the Bankruptcy Code,” and imposed binding “conditions on the sale of personally identifiable information if the debtor has a privacy policy ‘in effect on the date of the commencement of the case’ that prohibits the transfer of [such] personally identifiable information,” Baxter notes. At the same time, “there are some existing decisions” – from courts and regulators, such as the Federal Trade Commission, alike – “discussing these consumer privacy protections,” per Guillou.

Nonetheless, “because privacy has only [relatively] recently become such a ‘hot topic,’ especially when compared to the last big round of corporate bankruptcies,” Guillou says that “these restrictions are now much more likely to come up in the context of bankruptcy sales.”