Unmasking the Consumer Privacy Ombudsman

Many companies enter bankruptcy proceedings seeking to sell their assets. Customer data—such as consumer names, birth dates, purchasing preferences, and contact information—can be among a company’s most valuable assets. Indeed, purchasers seeking to carry on a company’s business may want or need to have this data in order to continue interacting with a company’s customers. Although the sale of a company’s customer data can be lucrative, it may also violate the company’s own privacy policy, in addition to other laws and regulations.

In order to protect a company’s customers during a bankruptcy asset sale, the United States Congress amended the US Bankruptcy Code in 2005 to provide for the appointment of a ‘consumer privacy ombudsman’ (CPO) in certain bankruptcy cases involving customer data sales. Today, CPOs can play a significant role in a bankruptcy case. They can advise the court and the parties on how to proceed with a sale of customer data in a way that protects customer privacy interests. Bankruptcy courts may depend on the report the CPO produces to help them decide whether a customer data sale can proceed. 

Although some scholars have discussed and debated the CPO’s role in a bankruptcy case, no one has taken an in-depth look at who CPOs are and who they should be. Similarly, the Bankruptcy Code itself provides only a singular qualification for the CPO position: CPOs must be ‘disinterested’ and cannot have a connection to the debtor such that they would have an interest adverse to any party in the bankruptcy.

In ‘Unmasking the Consumer Privacy Ombudsman’, I examine the identities and qualifications of CPOs in significant cases involving the sale of customer data. This study reveals two distinct themes involving CPO appointments. First, CPOs tend to be repeat players, in the sense that one CPO is often appointed in multiple bankruptcy cases. And second, many, though not all, CPOs hold a certification or designation as a privacy specialist. Despite these general patterns, however, there is an overall unevenness in the CPO appointments to date: some appointees are bankruptcy experts, while others are privacy specialists; some have significant experience as a CPO in prior cases, while others have little to none.

The article then makes suggestions for the development of publicly available qualifications for CPOs beyond disinterestedness. Expanding the qualifications for CPOs—and having a transparent process for CPO selection—makes sense, because the appointment of a qualified CPO is critical to the proper functioning of the Bankruptcy Code and crucial for the protection of consumer data in bankruptcy asset sales. CPOs often work on tight timelines, assessing massive amounts of information relating to a proposed sale of data in a short period of time. They must apply both bankruptcy and privacy laws to assess the consumer protections needed in a proposed data transfer. And because bankruptcy courts rely on the CPO’s report to help them assess a proposed data sale, that sale can be altered or even upended by what the CPO concludes.

Of course, more work remains to be done to protect customer data and privacy interests in a bankruptcy asset sale. Nevertheless, the proposals in this paper represent a key step toward better protection for customers’ personal information in a bankruptcy sale. In combination with other proposals, such as increasing the number of cases in which a CPO is appointed, more qualifications and transparency for CPO appointments can help to comprehensively protect consumer privacy interest in US bankruptcy cases.

Laura N. Coordes is Associate Professor of Law at the Sandra Day O'Connor College of Law, Arizona State University.