FTC Seeks Protection for Personal Customer Information in Borders Bankruptcy Proceeding

As part of the Federal Trade Commission’s ongoing efforts to protect consumer privacy, the Director of the FTC Bureau of Consumer Protection sent a letter advocating protection of personal customer information held by Borders Group, which is currently in bankruptcy. BCP Director David Vladeck’s letter, addressed to the consumer privacy ombudsman appointed by the court overseeing the Borders bankruptcy, noted that Borders collected substantial amounts of information from customers, including records of books and videos purchased, and that Borders had promised its customers that it would not share that information without consent. The letter recommended that any transfer of personal information in connection with a bankruptcy sale take place only with consent of Border’s customers or with significant restrictions on the transfer and use of the information.

###

Office of the Director
Bureau of Consumer Protection

                                                                                                            September 14, 2011

Michael St. Patrick Baxter, Esq.
Yaron Dori, Esq.
Covington & Burling LLP
1201 Pennsylvania Avenue, N.W.
Washington, D.C. 20004-2401

Dear Messrs. Baxter and Dori:

This letter responds to your request, in your role as Consumer Privacy Ombudsman (“CPO”), that we provide a written description of our concerns regarding the possible sale as part of a bankruptcy proceeding of certain consumer personal information currently in the possession of Borders Group, Inc. (“Borders”)¹. It is our understanding that this information is scheduled to be auctioned on September 14, 2011. We request that you consider these comments when drafting the CPO Report due before the sale hearing on September 20, 2011². We also request that you attach this letter to your report when you submit it to the court.

Borders and Its Privacy Policies

Borders sold books, DVDs, CDs, and other merchandise through brick-and-mortar stores, kiosks, and online. In the course of conducting its business, Borders collected substantial amounts of personal information, including purchase history and email addresses, from over 20 million customers. Purchase history includes the merchandise purchased (e.g., books and videos), the location of the purchase (store, kiosk, or internet), Borders Rewards number, and, in some cases, credit card information³. Borders represents that its current database contains consumer information collected since May 2005.

Borders collected this information under one of at least three different privacy policies it has disclosed to us⁴. The first policy Borders has provided, published around February 21, 2006, states in relevant part:

Borders, Inc., Walden Book Company, Inc., and their related companies believe that your personal information – including your purchase history, phone number(s), and credit card data – belongs to you. We collect this type of information to serve you better when you provide it to us, but we do not rent or sell your information to third parties. From time to time, we may ask if you are interested in receiving information from third parties whose services or information we think would be of value to you. In those instances, we will only disclose your email address or other personal information to third parties if you expressly consent to such disclosure. (Emphasis in original).

Borders’ second privacy policy, adopted around April 12, 2007, contained the same privacy language as the 2006 policy, with no substantive changes. The third policy, adopted May 27, 2008, contained the same language restricting the sale or rental of personal information, but also included information towards the end of the privacy policy describing circumstances under which Borders might disclose personal information:

Circumstances may arise where for strategic or other business reasons, Borders decides to sell, buy, merge or otherwise reorganize its own or other businesses. Such a transaction may involve the disclosure of personal or other information to prospective or actual purchasers, or receiving it from sellers. It is Borders’ practice to seek appropriate protection for information in these types of transactions. In the event that Borders or all of its assets are acquired in such a transaction, customer information would be one of the transferred assets.

For the period covered by these privacy policies, Borders clearly and expressly represented that customer information would not be rented or sold to third parties except in limited circumstances and then only with the express consent of its customers. The May 2008 policy contains additional language suggesting a transfer of customer information could occur if Borders decided to sell, buy, merge or otherwise reorganize its businesses. We view this provision as applying to business transactions that would allow Borders to continue operating as a going concern and not to the dissolution of the company and piecemeal sale of assets in bankruptcy. Even if the provision were to apply in the event of a sale or divestiture of assets through bankruptcy, Borders represented that it would “seek appropriate protection” for such information.

The representations Borders made to its customers about the privacy of their information, including email addresses and purchase history, would likely be considered very important to many customers. In particular, information about the types of books and videos customers have purchased would be considered personal to many customers⁵. Consumers who bought such items would likely be very concerned if their information were to be transferred without restriction to an unknown purchaser for unknown uses.

Potential Sale or Transfer of Personal Information

We understand that Borders’ customer information constitutes a potentially valuable estate asset. We are concerned, however, that any sale or transfer of the personal information of Borders’ customers (“PI”) would contravene Borders’ express promise not to disclose such information and could constitute a deceptive or unfair practice.

The Commission has brought many cases alleging that the failure to adhere to promises about information privacy constitute a deceptive practice under the FTC Act⁶. These cases include FTC v. Toysmart, in which the Commission sued an online toy retailer which had filed for bankruptcy and sought to auction the personal information it collected from its customers. The Commission alleged that the sharing of PI in connection with an offer for sale constituted a deceptive practice because the company had represented in its privacy policy that such information would never be shared with third parties.

We have similar concerns about the transfer of customer information in this case. In light of the promises Borders made to its customers, we believe it would be appropriate for Borders to obtain express consent from its customers, specifying the potential purchaser, before it transfers the data. The consent process would allow customers to make their own determination as to whether a transfer of their information would be acceptable to them. For consumers who did not consent, their data would be purged.

We recognize, however, that bankruptcy may present special circumstances, including the interest in allowing a company to get back on its feet – or alternatively, to marshal remaining assets for its creditors⁷. Toysmart is instructive on this point. There, the Commission entered into a settlement with the company allowing the transfer of customer information under certain limited circumstances: 1) the buyer had to agree not to sell customer information as a standalone asset, but instead to sell it as part of a larger group of assets, including trademarks and online content; 2) the buyer had to be an entity that concentrated its business in the family commerce market, involving the areas of education, toys, learning, home and/or instruction; 3) the buyer had to agree to treat the personal information in accordance with the terms of Toysmart’s privacy policy; and 4) the buyer had to agree to seek affirmative consent before making any changes to the policy that affected information gathered under the Toysmart policy. These conditions were designed to protect consumer interests by ensuring that the data would be used by the purchaser consistent with Toysmart’s promises⁸.

We think that, if the bankruptcy court declines to require consent to the transfer in light of other considerations, the Toysmart settlement is an appropriate model to apply here. As in Toysmart, our concerns about the transfer of customer information inconsistent with privacy promises would be greatly diminished if all the following conditions were met:

• Borders agrees not to sell the customer information as a standalone asset;
• The buyer is engaged in substantially the same lines of business as Borders;
• The buyer expressly agrees to be bound by and adhere to the terms of Borders’ privacy policy⁹; and
• The buyer agrees to obtain affirmative consent from consumers for any material changes to the policy that affect information collected under the Borders’ policy.

Thank you for this opportunity to express our concerns. We appreciate your consideration of these comments and are available to answer any questions you may have.

                                                                                                                      Sincerely,

                                                                                                                      David C. Vladeck

______________________

¹ For purposes of this letter, Borders is defined to include Borders Group. Inc. and its affiliated debtors in their jointly administered Chapter 11 bankruptcy cases, In re Borders Group, Inc., No. 11-10614-mg (Bankr. S.D.N.Y.).

² Please note that the views expressed herein do not necessarily reflect the views of the Commission or any individual Commissioner.

³ Borders has represented that credit card information in its possession is kept separate from other consumer information and, in any case, will be purged prior to sale.

⁴ Borders also has indicated that it had privacy policies in effect from the period May 2005, the date of the earliest record it has in its customer database, to February 2006. It has not yet produced those policies.

⁵ See In the Matter of MTS, Inc., d/b/a Tower Records/Books/Video, No. C-4110 (FTC 2004) (consent order), available at http://www.ftc.gov/os/caselist/0323209/0323209.shtm; Letter from Maneesha Mithal, Associate Director, Division of Privacy and Identity Protection to Reed Freeman (Mar. 12, 2010), available at http://www.ftc.gov/os/closings/100312netflixletter.pdf; Letter from David C. Vladeck, Director, Bureau of Consumer Protection to Jane Horvath, Google, Inc. (Sept. 2, 2009) (concerning Google Books project), available at http://www.ftc.gov/os/closings/090903horvathletter.pdf.

⁶ See, e.g., FTC v. ControlScan, Inc., No. 1:10-cv-00532-JEC (N.D. Ga. 2010) (Stipulated Final J. and Order for Perm. Inj. and Other Equitable Relief), available at http://www.ftc.gov/os/caselist/0723165/index.shtm; In the Matter of Chitika, Inc., No. C-4324 (FTC 2011) (consent order), available at http://www.ftc.gov/os/caselist/1023087/110617chitikacmpt.pdf; In the Matter of Google, Inc., File No. 1023136 (FTC 2011) (proposed consent order), available at http://www.ftc.gov/os/caselist/1023136/index.shtm; In the Matter of CVS Caremark Corp., No. C-4259 (FTC 2009) (consent order), available at http://www.ftc.gov/os/caselist/0723119/index.shtm; In the Matter of Genica Corp., No. C-4252, (FTC 2009) (consent order), available at http://www.ftc.gov/os/caselist/823113/index.shtm; In the Matter of Life is good, Inc., No. C-4218 (FTC 2008) (consent order), available at http://www.ftc.gov/os/caselist/0723046/index.shtm.

⁷ Borders’ sale of its customer information is restricted by section 363(b) of the Bankruptcy Code, 11 U.S.C. § 363(b), which provides as follows:

(b) (1) The trustee, after notice and a hearing, may use, sell, or lease, other than in the ordinary course of business, property of the estate, except that if the debtor in connection with offering a product or a service discloses to an individual a policy prohibiting the transfer of personally identifiable information about individuals to persons that are not affiliated with the debtor and if such policy is in effect on the date of the commencement of the case, then the trustee may not sell or lease personally identifiable information to any person unless —

(A) such sale or such lease is consistent with such policy; or

(B) after appointment of a consumer privacy ombudsman in accordance with section 332, and after notice and a hearing, the court approves such sale or such lease —

(i) giving due consideration to the facts, circumstances, and conditions of such sale or such lease; and

(ii) finding that no showing was made that such sale or such lease would violate applicable nonbankruptcy law.

⁸See also Letter from David C. Vladeck, Director, FTC’s Bureau of Consumer Protection to Peter Larson, et al. (July 1, 2010), available at http://www.ftc.gov/os/closings/100712xy.pdf (in case involving potential transfer of personal information in a manner inconsistent with privacy policy, staff stated that “the transfer of personal information to a new owner of the business, the use of which was strictly encumbered by the original owner’s privacy policy, might be permissible under certain limited circumstances that were consistent with the original purpose for which the data was provided.”)

⁹ We note that this condition is similar to a provision already contained in the form Asset Purchase Agreement proposed for the sale of Borders’ intellectual property assets, including customer information. Section 9.5 of the proposed Asset Purchase Agreement requires the buyer to adopt a privacy policy that “includes provisions substantially similar to those included in the written privacy policies of the Seller Group [Borders] as of the date of this Agreement.” See Debtors’ Mot. for Order With Respect to Sale of Certain IP Assets, Attach. A. In re Borders Group, Inc., ECF No. 1401.