How Does Your Privacy Policy Impact the Value of Your Company’s Assets?

The Business Advisor

December 2, 2011
Chances are your company website collects data from its visitors. This data can include the users’ locations, names, and email addresses. Normally, the use of this data, generally called personally identifiable information, or PII, is governed by the website’s privacy policy. Depending on the site, the privacy policy may be restrictive or permissive, as there are few government standards, at least in the United States, that prohibit data collection.

Though you may not realize it, this data may be extremely valuable—for instance, Google and Facebook’s business models are built on leveraging their users’ personal information into user-targeted ads. In a real sense, these businesses could not function without PII, a fact the former CEO of Google recently expressed, saying “We cannot even answer the most basic questions because we don’t know enough about you. That is the most important aspect of Google’s expansion…The goal is to enable Google users to be able to ask the question such as ‘What shall I do tomorrow?’ and ‘What job shall I take?’”1 Cleary, PII has value.

As more people are made aware of the privacy implications of their online habits, many users are beginning to pay closer attention to privacy policies. Facebook’s never-ending privacy battles, and On-Star’s (abandoned) attempt to track former On-Star users are just some of the recent headlines, along with increased European Union and state level regulations, that have forced companies to reconsider how they go about collecting PII. In response, companies are moving to more restrictive uses of PII which has the unintended result of decreasing its value.

If you were to check your wallet right now, chances are you have at least one “shopper reward” card (whether it be from your supermarket, drug store, or bookstore) or credit card that you have authorized to track PII. The PII of the customers who participate in these programs is worth millions of dollars to the right buyer. Yet some companies ignore the value of this asset by imposing ultra-restrictive privacy policies or constantly changing those policies, which in turn seriously impedes their ability to transfer that asset.

In the recent Borders bankruptcy case, creditors learned the price of such ultra-restrictive policies. Borders filed a bankruptcy petition in February 2011. Though Borders sought to reorganize and emerge as an electronic-book retailer, these plans failed when a buyer could not be found. As a result, just a few short months after the case was filed, the company liquidated.

As part of its liquidation, Borders sought to sell the PII of its Borders Rewards program members. The Bankruptcy Code requires that anytime a debtor proposes to transfer its PII, a “Consumer Privacy Ombudsman,” or “CPO,” must be appointed by the government. The CPO is tasked with assisting the bankruptcy court in the consideration of any sale or lease of PII. Pursuant to this provision of the Bankruptcy Code, a CPO was appointed to evaluate the proposed sale of Borders’ members PII.

Prior to the auction, PC Mall, Inc., an internet and mail order catalog retailer of computer equipment and software, agreed to serve as the initial, or stalking horse, bidder at the auction and made an initial bid of $3.5 million for the 48 million names in Borders’ customer database. This bid, from a business in what is essentially an unrelated industry, amply illustrates the potential value of PII. Ultimately, Borders agreed to sell its customers’ PII to its direct competitor, Barnes and Noble, for $13.9 million.

Borders, however, prior to its bankruptcy filing, had several privacy policies in place that severely restricted their ability to transfer PII to third parties. Three different policies were in effect at various times, none of which provided for retroactive modification of the policy, and some of which completely prevented the transfer of PII. When the CPO issued his report regarding the sale of PII to Barnes and Noble, these problems were exposed.

The CPO recommended that the Court disallow the sale of any PII collected prior to May 2008, when a very restrictive policy was in place, unless the individual customers consented to the transfer of their PII. PII collected after May 2008 could be transferred as permitted by the later privacy policy. Barnes and Noble, well aware that most users would not bother to opt-in to the sale even if they had no objection, quickly objected to the CPO’s recommendation, as the restrictions on the transfer would threaten to destroy the sale. Eventually, the Court ordered a compromise in which all Borders customers were offered the opportunity to opt-out their PII from the transfer, although the CPO and Barnes and Noble locked horns over the language of the opt-out notice.

While this is all fine and well in the bankruptcy context, few executives and corporate board members envision themselves leading a company into bankruptcy. But that risk, even for the largest and most successful companies, cannot be placed at zero over the long term. Understanding the value of PII as an asset, and the views of the business’s core customers on how their PII should be treated, is an important element of how the company’s officers and directors should go about discharging their fiduciary duties as they strive to maximize shareholder value.

These issues also regularly arise in the mergers and acquisition context. While there is no CPO when a company undertakes a merger or an acquisition, many of the same issues underlying the CPO’s role are implicated, and both the Federal Trade Commission and the Offices of State Attorneys General will evaluate the transaction in the context of unfair trade competition laws and Federal Trade Commission Act. As many companies have learned, any sale of PII that could be prohibited by a privacy policy can be challenged. As a result, companies should stay on top of changes to privacy law and always seek a balance between protecting their users’ PII and maximizing the value of this significant asset, with the understanding that decisions made today could prevent them from obtaining maximum value for this asset should the need arise in the future.