22 September 2023

Privacy

'Privacy Theater in the Bankruptcy Courts' by Christopher Bradley in (2023) 74 Hastings Law Journal comments

The sharply resource-constrained environment of bankruptcy breeds fierce competition for the value that remains in a bankrupt firm. Managers are tasked with maximizing the overall value of the firm, while those with individual rights in the firm's assets or claims against the firm fight to protect their interests. Businesses may seek to restructure or escape contractual obligations and other burdensome relationships in order to maximize their assets' value - a process that can seem inequitable to those who dealt with the debtor prebankruptcy. The determinations made in bankruptcy proceedings often go beyond business and financial issues and implicate public policy. For example, in recent years, debtors have sought relief from liabilities to victims of asbestosis, sexual assault, or opioid addiction.

The general bankruptcy goal of value maximization is often in tension with the interests of consumers. As a matter of policy, consumer interests may be worth protecting, but usually consumers lack individual incentive to involve themselves in the bankruptcy process. As a result, consumers can see gift card values wiped out; warranties, leases, and loans abandoned or dramatically restructured; or private data sold to the highest bidder. 

The efforts of bankrupt firms to monetize consumers' private data is a prime example of how unresolved policy conflicts can end up in the bankruptcy system. Although the intersection between privacy law and the big business of consumer data has become a major focus of policymakers, scholars, the business community, and consumer advocates, the legal regime governing the commercial use of data in bankruptcy proceedings remains contested and often unclear. To the stakeholders in a financially distressed firm, consumers' private data is a resource that can be monetized. While a healthy firm might hesitate to exploit private data out of concern over reputational risk or liability, these scruples matter less to financially distressed firms. 

The pressure to capitalize on data has been acute in quickly transforming industries such as retail and healthcare. Thousands of companies in these fields have experienced financial distress, closed offices and stores, and sought bankruptcy relief. Meanwhile, the value of consumer data has continued to rise, tempting cash-strapped companies to sell this data regardless of any risk to their reputation or harm to consumers.

Recognizing this issue, Congress passed legislation to protect consumer privacy in bankruptcy proceedings in the sweeping Bankruptcy Abuse Prevention and Consumer Protection Act of 2005. Congress did so in reaction to a high-profile case in which a failing dot-com e-retailer, Toysmart, sought to sell its consumer data - including data collected from and about children - to the highest bidder, despite the company's promises never to do so. Regulators opposed the sale, the national media covered the battle, and the sale was scuttled. In response to public outcry, Congress created the regime that Senator Patrick Leahy, the law's primary legislative sponsor, pronounced would prevent future breaches of such privacy promises.

This law created a new institution and procedural rules to address the tension between bankruptcy value maximization and the protection of consumer data. When certain conditions are met, the law provides for the appointment of a "consumer privacy ombudsman" (an "ombud") to investigate a sale of consumers' private information, and to advise the court on whether the sale should be allowed. The rationale underlying this law is that by forcing the retention of an outside expert to report to the court, the process will ensure consideration of the impact of the sale on the privacy interests of consumers.

In a companion article [noted below], I summarize the contributions that ombuds have made to the law of privacy. There, I show that privacy law, as applied by ombuds, imposes some guardrails on companies' sale of consumer data, but that these restrictions leave businesses with considerable latitude to collect, use, and transact in data. In addition, privacy law in this area relies heavily on the assumption that companies will continue to uphold the privacy promises that they made to their consumers after the sale of data is complete. While the companion article deals with ombuds' impact on privacy law in general, this Article addresses the operation of the regime in actual bankruptcy proceedings. This Article provides an empirically grounded analysis of the regime that Congress established. Drawing primarily from a hand-collected dataset of every case from 2005 to 2020 where private data was offered for sale, an ombud was appointed, and a written report was submitted to a bankruptcy court, this Article presents the first comprehensive empirical study of who ombuds are, what they charge, and what they do. This Article also presents evidence of the lengths to which parties in dozens of cases have gone to avoid the appointment of ombuds. 

The Article shows that the consumer privacy ombudsman regime falls far short of its promise of protecting consumers from the misuse of their data by distressed entities. Most ombuds are capable and accomplished privacy experts, and undoubtedly their work sometimes helps consumers. In the RadioShack bankruptcy, for instance, the personal information of more than 117 million individuals was put up for sale. Together with regulators, the ombud crafted a regime that protected much of the most sensitive consumer information that RadioShack was seeking to monetize. But regulators and the media are rarely as active as they were in the RadioShack case, and absent such pressure, ombuds operate within a legal and institutional system that does not equip them to energetically protect consumers' private data. 

The law applies in a narrow subset of cases where consumers' private information is sold, and while the work of the ombuds has some impact in those cases, it is less than most would assume. Ombuds routinely follow a set framework derived from a prominent FTC settlement. Ombuds' analyses typically rely on neither technical knowledge nor legal expertise beyond that which most lawyers could attain with a few hours of research - particularly if, as this Article recommends, prior reports are collected and published so that future ombuds, future debtors in bankruptcy, and the public can better understand what ombuds do.

Ultimately, the consumer privacy ombudsman regime is best understood as a form of "privacy theater," intended to reassure the public that their data is safe by giving an exaggerated sense of protection. As privacy law scholar Paul Schwartz articulates, "privacy theater . . . seeks to heighten a feeling of privacy protection without actually accomplishing anything substantive in this regard." A legal regime that functions as privacy theater is "largely ritualistic," used to "create a myth of oversight," and used to sustain that myth while obscuring the darker realities. The consumer privacy ombudsman regime mobilizes public trust in experts and courts to "create a myth of oversight" while adding little "substantive" protection.

While there are good reasons to enhance consumer privacy protections when companies are financially stressed, the current system does not do the job. Instead, appointments are rarely made, and when they are, these appointments provide relatively minimal protection. This Article presents a series of proposals to reform the law and the institutions governing commerce in consumers' private data. It further suggests that ombuds' role could be played by U.S. Trustees' lawyers, or could be shaped into a more traditional form where the proponents of a sale present necessary proofs to the judge to decide on the sale's compliance with the law. 

In addition, the Bankruptcy Code could be changed to make its privacy protections more meaningful. Most obviously, the many gaps in the current law could be fixed so that all sales of private information comply with governing law, and that the burden of demonstrating compliance with the law lies more clearly with the proponents of the sale. In addition, lawmakers could shift ombuds from the relatively neutral role they have generally played and instruct them to serve as protectors of consumers' interests, investigate proposed sales more actively, and advocate more directly for consumers. 

Changes beyond the bankruptcy system should also be considered. Because financially distressed businesses present special risks regardless of whether they are in bankruptcy, and because there is no workable way to identify and target distressed businesses for additional privacy scrutiny, commercial privacy law reforms arguably should apply to all business transactions involving consumers' private information. Distress should be merely one factor for regulators or courts to consider as they weigh the propriety of a transfer of private data or the need for data protection. Some potential reforms involve requiring regulatory preclearance of transactions in data, or requiring advance notification of such transactions so that consumers, regulators, and others can act if necessary to protect consumer privacy. 

Part I summarizes the existing consumer privacy ombudsman regime and the broader context of the law of privacy the regime operates in. This Part discusses the public concern over the protection of data from misuse by distressed entities, which led to the creation of the ombudsman regime, and surveys the significant limitations of that regime. Part II explores how this regime is implemented in practice. It shows that many sales of private data take place without the appointment of an ombud, and that even when ombuds are appointed, they show keen awareness of the limits of their statutory responsibilities. Part III surveys possible reforms to the consumer privacy ombudsman regime. It begins with potential changes to the bankruptcy system, and then suggests more sweeping changes to transactions in private data by businesses outside of bankruptcy as well.

Bradley's 'Privacy for Sale: The Law of Transactions in Consumers’ Private Data' in (2023) 40(1) Yale Journal of Regulation states 

Lawmakers, regulators, consumer advocates, and the business community have focused increasing attention on the policy issues that arise at the intersection of privacy, technology, and commerce. Yet the law governing what businesses can do with consumer data remains unsettled and unclear. The United States has no dedicated and comprehensive privacy law, relying instead on a patchwork of general consumer protection laws and industry-specific regulations like HIPAA. The FTC has created what scholars have called a “common law of privacy” through its enforcement actions and published guidance, but how privacy law applies to business practices often remains uncertain. 

This Article uncovers a large new trove of privacy law, elaborating the jurisprudence of privacy with reports submitted to courts in which hundreds of millions of consumers’ private information has been put up for sale. A unique provision of bankruptcy law requires the appointment of a privacy expert when consumer information is put up for sale, to report on the sale’s legality. These expert reports constitute an unrecognized but substantial body of privacy law. The Article presents and analyzes reports submitted from 2005 to 2020—a hand-collected dataset gathered from 141 court dockets. The reports dramatically increase what is known about how the “common law of privacy” applies in practice to sales of consumer data in a legal forum, and what the future of privacy law may hold. 

The reports generally advocate a pro-transactional view and permit sales to proceed in spite of existing privacy promises so long as the purchasers’ use of consumer data will be roughly consistent with the sellers’. They rely on aspects of the traditional “notice and choice” regime that has guided privacy law, but they also include substantive consideration of the reasonable expectations that consumers may have formed or of the sensitivity of the information to be transferred. Thus, the reports reflect privacy law’s shift beyond strictly consent-based contractarian models and toward more substantive and context-based approaches. 

The reports also speak to the institutional context of regulation of commerce in consumer information. On the one hand, the reports impose significant limits on companies selling private data, which suggests that expert oversight and supervision mechanisms, such as the legal regime that generated these reports, can play an important role in privacy regulation on the ground. But the reports are, on the whole, timid and formulaic, hewing closely to existing precedent and showing little inclination to adapt or develop it even when novel circumstances might justify a change in course. This hesitancy indicates that privacy law’s continuing development requires leadership from federal and state policymakers.