153 comments

[ 2.6 ms ] story [ 211 ms ] thread
I can't say this is a big surprise. My first job was at a chicagoland radioshack so I have followed their news and watched their fall with mixed feelings.

It felt very odd in 2001 to try and sell electricians that would come in the store at opening to buy 10-11 fuses if they wanted a cell phone, and bother people just getting batteries for their first and last name so they could 'return their item'. We got dinged for each person who refused us. So there is potentially a LOT of data this company is getting.

You just triggered my earliest Radio Shack memories of being annoyed at a company for asking for my personal information when making small purchases.

Radio Shack was definitely in the vanguard of data collection.

These occasions are never-miss for my alter egos to shine through and dazzle my interlocutors :)
Indeed. They were the first company I ever gave a fake name to.
At least at my store, Johnny Cash made a LOT of battery purchases in 2001-2002. A close second was Jonny Cash and one employee used Jony Cash for women.
The last CEO cancelled that policy as their first act. So for some years, that data was not collected. I wonder what data they had to sell?

Anyway, this is a warning to all of us. No matter what promises that honest startup gives you, the minute they are sold (and most sell in the end) the new owners are free to do whatever they like with your 'private' information. In fact it will be hawked in the marketplace like a chicken.

> Anyway, this is a warning to all of us. No matter what promises that honest startup gives you, the minute they are sold (and most sell in the end) the new owners are free to do whatever they like with your 'private' information. In fact it will be hawked in the marketplace like a chicken.

Is that really the case in the US? In Germany, I don’t see why simply transferring ownership of the data should not also transfer ownership of the agreements bound to that data. If I agree to let company X use my data for purpose A under terms T and company Y buys company X, in my view company Y would still be bound to stick to terms T and purpose A. Otherwise any leaked/stolen and subsequently published personal data could be used by anyone for anything…

pretty much any agreement by major companies comes with a wonderful disclaimer of something like this:

We reserve the right to revise, amend, or modify this Agreement and any other policies and agreements at any time and in any manner. We may modify this Agreement by placing a notice of such modification on our website, and User's continued use of the Service following notice of such modification shall be deemed to be User's acceptance of any such modification. User agrees to check this on-line area regularly to determine whether this Agreement has been modified. If User does not agree to any modification of this Agreement, User must immediately stop using the Service.

Still if you actually stop using the service (aka not longer subscribing or logging in) that shouldn't grant them any more rights on data from the past.

However IANAL so I might be wrong here.

If I had a duplicate me, it would be spending time campaigning for a change in exactly this type of disclaimer.

The default setting of anything like this should opt you out and seek re-confirmation.

volcanic erupts

So if you bought a battery and never visited a Radio Shack store or website again, you would not - in fact - have made any express or implied agreement to accept the modification, and the original agreement would apply.

This sounds like something an aggressive lawyer could have some fun with.

The ability of the company to modify the agreement without your approval or knowledge is written into the agreement. It basically does nothing at all from a legal perspective.
I would hesitate to call that an agreement then...
So would I. Basically all you're doing in 99% of these things is signing away any rights to have a say in what happens to your data.
This clause would be invalid in Germany. It even could void the contract entirely making any use of the customer data illegal.

Changing contracts needs explicitly expressed consent here.

its no so much what new owners want to do its that bankruptcy courts discharge more than debt, the discharge liability, prior agreements, and more.
The US has a different notion of who owns personal data than Germany or Europe in general. In the US, the collector of your personal data owns it, more or less.

Notice that in this case, the FTC is attempting to use the court's approval of the sale of Radio Shack's assets in order to force restrictions on the use of the personal data. That's because they couldn't use virtually non-existent personal data protection laws.

Are US companies going to respect German laws?
No, which is why one should prefer not to have business relations with US companies.
Hard to avoid gmail though. Even if your email is with someone else roughly half of what one ends up sending goes to an @gmail address...
That raises an important question: why aren't those promises legally binding?
Where's the consideration (money changing hands). Its not a contract.

From

http://comingsoon.radioshack.com/privacy-policy/privacy.html

"If we decide to change our Privacy Policy, we will post those changes to this privacy statement, the homepage, and other places we deem appropriate so our users are always aware of what information we collect, how we use it, and under what circumstances, if any, we disclose it. If however, we are going to use users' personally identifiable information in a manner different from that stated at the time of collection we will notify users by posting a notice on our web site for 30 days."

It appears they've done none of this; then again it amounts to accomplishing nothing other than a PR show, so not much has been lost.

Their policy doesn't seem to have considered in its design, "what if we go bankrupt fire everyone and someone else buys us".

I wonder how far back the records go. Could they give me a copy of my Dad's purchase receipt from 1980 for our TRS-80 model III? For 16K of 4116 dram for about $300 or whatever it was back in '81 or '82? On the other hand, given the decline of the company in recent years, if they only have records going back 5 years I probably don't even show up in them.

In the case of Radio Shack, you typically handed over information as part of a purchase, so money definitely changed hands. For startups following the model of "we'll give the product away for free and make it up in volume" it's less clear, but giving info in exchange for access to a service seems like it could be consideration.
(comment deleted)
Many promises are legally binding, see for example the notion of estoppel, so sue them.
Because Radio Shack no longer exists. No contract.
Radio Shack still existed in some form at the time of the sale. The assets which were sold were transferred from Radio Shack to the buyer. If Radio Shack had a binding contract that disallowed such a sale then the sale shouldn't be allowed.
Speculation. The quoted terms were just about what Radio Shack would do; were there any about not selling? Even so, the seller was likely a liquidator, not Radio Shack?
Radio Shack made many legally binding contracts. They promised that they would pay back their creditors. The promised suppliers sales volume. Radio Shack is in bankruptcy and all those contracts are (or have been) torn up. It's not just a privacy contract that has been torn up.

And for all the wailing and nashing of teeth I can go down to Acxiom and get far more data about people than radio shack has.

The data is still valuable as a point-in-time snapshot. Remember, marketers are as interested in your past as your present, because there's still value in knowing that you lived in California in 2004 and that you now live in Chicago.

And this is why privacy is dead: so long as there is a financial incentive to having this data, it will be bought and sold like any other commodity.

This is very anecdotal, but I swear that the minute I gave my email address to Radio Shack, I started to receive heavy spam.
I bought one <$10 item. Once.

http://i.imgur.com/4ztWmxW.png

I got those, but I meant as in unrelated spam, viagra ads, etc.

This was a new email account I was trying out made for when I got asked what my email account is by retailers, and I swear that the spam started once I gave the address to them.

I'm sure they have no choice but to sell assets with value.

But is the original privacy policy equivalent to a license (that we consumers grant Radio Shack)? If it isn't, maybe this will be a chance to set a precedent for this to be the case.

Wow, this really sucks for whoever has the phone number that I had in 1991.
And for whatever numbers they typed in when I refused to even make up one myself.
When I visit the hair cutting place, they refuse to serve you without a phone number. So I always give them the standard TV placeholder: xxx-555-1212.

The stylist is often confused why there are 20 people with that phone number.

At one point that number was universally owned by TellMe/Microsoft iirc.
Hmm, it looks like the number is used for directory assistance [0] in North America at least.

>Throughout North America, 1-XXX-555-1212 will connect to directory assistance for the specified XXX area code

I wasn't able to find a link between that number and TellMe/MS. They appear to have had the 1-800-555-TELL (8355) [1] number but no mention of the 1212 number.

Though a google for the number +"Microsoft" reveals they appear to use that number in a couple of their SQL server books [2]

[0] http://en.wikipedia.org/wiki/555_%28telephone_number%29#Real...

[1] http://en.wikipedia.org/wiki/Tellme_Networks

[2] https://books.google.com/books?id=8OxGcCJViU4C&pg=PA68&lpg=P...

I must have been thinking of 8355.
If the other person is young enough, you can almost always get away with 867-5309.
I used to use this at the grocery store/kmart/wherever and just tell them to pick the top name off the list of 50 or so that came up per area code, (woohoo key constraints!) but eventually they caught on.

Poor Jenny can't get a rewards card anywhere these days.

Jenny's doing just fine at CVS; she's earned a bunch of rewards
I wonder what they would do if you told them you didn't have a phone.
probably try to sell you one (with a $14.99 insurance policy)
> When I visit the hair cutting place, they refuse to serve you without a phone number

There is no way I'd not walk out the door and get my hair cut at one of the other 12 places within a 2 mile radius...

And that is the power of a competitive market.

What of services for which that isn't possible?

For a while Meatball Shop (a New York mini-chain of, well, meatball-focused bar/restaurants) was doing this for takeout orders placed in the restaurant.

I'm not sure if they still do, but it basically meant whoever was the poor person assigned to the takeout counter that day had to spend at least half their time dealing with people saying "Why do you need my phone number? I'm right here!"

I think they said it was to track customers' ordering patterns over time, which was interesting, but also kind of overkill (and probably misleading, since they wouldn't know when the same people sat down to eat in the restaurant or at the bar).

555-1212 is directory assistance generally. There are a few other 555-xxxx numbers allocated, too.

Another trick is to use a 1 in the first nxx, so npa-1xx-xxxx. Downside is that some basic US telephone checks/regex might fail it.

"... and we deliver our frozen products gratis to your door-steps ... " beep beep beep
How so? What is Standard General going to do to them?
Apple and AT&T tried/is trying to stop them:

http://gizmodo.com/apple-sues-to-prevent-radioshack-selling-...

Apple "I-want-all-your-data" and AT&T "you-have-to-opt-out-of-tracking". Of all companies. We have to count on our enemies to protect us because we are powerless. Let's just hope they start privacy wars.
Is _Apple_ known for being "I-want-all-your-data"? Historically, they don't seem to have been terribly interested, certainly not as compared to the web-centric companies.
That's really a lazy mischaracterization of Apple. They've never been especially interested in your personal data. The only service they have where they maintain any sizeable, persistent consumer information seems to be the iTunes store, and as far as I can tell, they've never tried to monetize/share that information with anyone. I'm more curious why you would think of Apple this way - "I-want-all-your-data"? Maybe Apple "you-didn't-really-buy-your-hardware", but "I-want-all-your-data"?

If anything, I would liken Apple to a jealous and abusive boyfriend - they'll beat and abuse their customers with sometimes arbitrary controls over what they can do with their hardware, but God help you if you try to do the same to their customers. Whether you're a third-party developer, an accessory manufacturer, or anyone with a relationship with those customers, Apple will come down on you HARD if they think that you're harming their platform or exploiting their customers. From that point of view, Apple's action here - trying to interfere with RS' sale of Apple customers' personal data - is typical of Apple.

Slate puts rather a different spin on this than other articles I've read. Slate:

> The FTC is so displeased that Jessica Rich, its consumer protection director, has written to the bankruptcy court handling RadioShack’s case, asking that consumers' personal data be protected.

Ars Technica:

> The Federal Trade Commission (FTC) sent a letter to the bankruptcy court presiding over RadioShack's supervised asset sell-off suggesting a compromise that would allow RadioShack to sell its database of information from 117 million customers.

Previous coverage portrayed Apple as intervening to protect customers (although it seems to have more to do with enforcing their reseller agreement):

http://www.imore.com/apple-wades-radioshack-sale-protect-cus...

http://daringfireball.net/linked/2015/05/14/apple-radioshack...

http://arstechnica.com/tech-policy/2015/05/apple-asks-court-...

Of all the things I'm supposed to be outraged about as a consumer of news, this one rises to the whoopdie fucking so what? level. Radio shack was collecting in their best ever year maybe half a dozen data points on me. It's not like they had my DNS requests over the past ten years or my history of cell tower signals or my click history following searches for "painful rectal itch" or how long I typically watch dwarf porn before closing the browser...if I were to do such a thing.

There are big privacy issues and little ones and this is definitely the latter. How revealing the Radio Shack's data is of people's behavior should be measured by the outcome of Radio Shack during the period in which it had exclusive access...and here the context is a bankruptcy proceeding.

While RS had no real data on me, what this story points out is that companies will do this in bankruptcy, maybe even after carrying a no-share/no-sell policy for years. The wider issue it illuminates is that there seem to be few general protections for these cases, where having your data sold wasn't part of the bargain you were asked to make, until they changed the deal.
(comment deleted)
This is the quaint 1990s kind of privacy concern - when the privacy experts of the day warned us we would receive a lot of junk mail and credit card offers if we weren't careful with our data.
This case can be used to test how binding a privacy statement can be. If Radio Shack is allowed to sell the data to a third party over AT&T & Apple's objections, basically every privacy policy is worthless. There are always increasing amounts of data collected with increasingly invasive means, but this can make bulk data collection less intrinsically valuable.
It's harming other businesses too because people are much more likely to put in false data in order to avoid this situation.
Other than violating social norms, would there be any problem with purposefully making the data socially poisonous (not Bobby Tables, more like saying your name is Mao or Stalin and you on 101 Legalize Murder Avenue... and this is a tame example compared to what the internet could come up with)?
Since it would be nearly impossible to universally "poison" your footprint the most like scenario would end up being that Lawton Fogle is tied to an alias of Hitler Manson that lives on Sodomy Lane and has a fake social security number with strangle biblical references. Not a good way to stay off somebody's radar.
Imagine that appearing on your credit report one day.
Yeah, getting on those happy happy fun fun lists would be one concern.
Only if you choose that. Who's to say I'm not Sunshine McBunny who lives on Unicorn Lane in Hobbiton?
Typically it's hard to do that when companies check against registered billing addresses for cards, or indeed card holder names, etc etc.

In general I've started just saying "No". I mean, I went to get my eyes tested and three different people tried to get my email/mobile for their records. I'm not even that bothered about surveillance it's just i'm sick to death of twats phoning me at work to claim compensation/buy something/ give feedback.

I've adopted the same method of dealing with this. Let me provide another anecdote: I went to a new dentist a few weeks ago and greatly confused the staff when I requested they didn't take a picture of me to attach to a personal file. They were equally confused when I told them I didn't want to watch anything on the TV during my appointment and would prefer instead that they turned it off.

I wasn't trying to be difficult or prove a point, I just really didn't want/feel comfortable with either of those things. As they did not impact the office's ability to perform their dentistry, it seemed perfectly reasonable for me to opt-out of them. The strangest part was, based on their confused reactions, it seems I may have been one of the first to deny one or both of those options.

It depends on who you ask.

For the consumer, it's a pain to have to manage several identities just to have a shred of privacy when using the internet.

For the company, they always want the most accurate data, so that it can be cross-referenced and properly analyzed (specific aged males like X product better than Y).

I assume that most customer data is accurate, at some companies I've done some verification of customer databases just to identify the "95% accurate" verses the "mostly inaccurate or unverifiable" data, so that it can be excluded in certain instances.

Me personally, I have a wide variety of methods of obscuring data and confusing LexisNexis type companies, I'm not sure how fruitful it is, but it would be foolish to not at least try.

Many places required a verifiable address, which can be difficult to obscure (UPS store works for many things).

If you see a random form online, don't enter your real info dummy. If you see a website offering to lookup someones information, don't give that site your information and credit-card info (I've seen it happen many times).

You also don't want to make it obvious that you are using false data. Using an alternative version of your name and slightly different numbers will do more to confuse data-correlation efforts.

Just for the record, US national security is a completely different issue and I do not support attempting to provide misleading data to those relevant organizations. I've always been on the fence about the data-privacy topic. Humans can do bad things, 7+ billion humans with increasing influence and power slightly worries me. If you order lots of a uncoated fertilizer and do not have a garden or any land, then yes, in my opinion it is acceptable to build a system that raises a red flag on that person to be subject to an unbiased and transparent investigation.

Haven't people already been doing that for years? Am I just unusually paranoid? I always lie to companies I'm buying from when I can find some way to pollute their database.
Those policies are already worthless. Trust is dead to anyone paying attention. The entire notion of contracts between large corporations and individuals leaves me feeling dirty because I was raised being taught that consent is meaningless in a vast power difference, where a vast power difference is magnitudes smaller than the difference in these cases.

Perhaps I'm too cynical, but when the only recourse is through lawsuits that most can't afford, and even that has been taken away by biased arbitration, we are at a point where most keep their eyes down and hope they don't become a victim of the system.

Agreed, if they allow the sale then they are pretty much saying that you can put in all the protections you want in a PP and then turn around and sell your company making all previous agreements near-null-and-void.
(comment deleted)
To be fair, contractual obligations are pretty worthless in bankruptcy. That's the whole point.
is this still true if you bought a mobile phone from them in the early-mid 2000s? I seem to remember a form with lots of sensitive info.
This is a company that famously required people to give a phone number to buy batteries.
If we were in opposite sides in a court case, and I were to receive Radio shack data regarding you, your lawyer, all the witnesses, the judge, and all members of the jury, would you be fine with that?

If the answer is no, then how can trading such information ever be acceptable when you don't know who in what context that information will be used?

Battery Card Club, you've turned against me.
This is exactly why you should never give your data to someone unless it's absolutely necessary. If someone asks for your contact info just so you can buy batteries just say no.
Maybe with new AR devices coming out soon, maybe you can quickly do a picture to social media lookup, and then use that to see if the employee has their address/phone number online. The look on their face as you give them their own personal info would be priceless.

The investigation for stalking, not so much.

I see this kind of thing all too frequently. Our clients are retailers. From time to time, one goes pop, and goes into administration. The liquidators look at all of their assets - initially, at things like stock and other physical assets - but then look at their other less tangible assets, like user data, as selling it can be the difference between settling with creditors or not.

Typically, when you license your data to a company you accept that they can sell that data as part of the sale of the business, in the event of administration or liquidation, and a variety of other situations in which you don't want to have to ask the permission of your N million users to go ahead with a merger or other essential business activity.

Further to this, we've also seen client service agencies who are processors of data seizing user data as an asset if a client goes into administration and leaves their service providers as unsecured creditors (i.e. "you're up the creek, we'll pay you £0.000001 for every £ we owe, your £80,000 is now £0.80"), as they also have a responsibility to mitigate their own losses, and again, contracts usually allow for the seizing of assets in the case of default.

So, long story short, this is not even slightly abnormal, and something consumers should consider before providing their data to anyone.

The "we will never sell your data to anyone" in a Privacy Policy effectively means nothing at all.

Why are there not consumer protection laws in place to prevent this? In my opinion, in order to sell customer data you should have to go to court and have a judge look over the data to determine what can be sold.

This is an instance where a judge can create a consumer protection common law.
I've little faith that any judge would do anything other than "ah. This is something... computer. don't know. Yes?". It's the same "shutters coming down with a bang!" phenomenon as one sees with most non-technical folks the moment they think something technical might be coming their way.

Either way, this is a very grey area, as if you tie up corporate affairs with every single one of your customers, it would make your business unsaleable, and make liquidation impossible, so while consumer protection is desirable, there also have to be measures that allow businesses to operate without the explicit consent of each and every one of their customers for any action.

I see your point about businesses being unsellable.

What's the difference in Facebook acquiring WhatsApp's customer database via purchasing the entire company and it being sold numerous times during a hypothetical WhatsApp liquidation sale? None really, and whatever WhatsApp's (and all other companies) Privacy Policy said about protecting user data is somewhat meaningless.

Yup, nail on head.

Increasingly the value in a business is the customer base, and therefore their data - this will only continue as the service economy grows and brand continues to be king.

There's actually a whole section[1] of the bankruptcy code that requires precisely that. The court can even appoint a special consumer privacy ombudsman as it determines what data may be transferred.

[1]https://www.law.cornell.edu/uscode/text/11/332

well, "your" data in perhaps some rhetorical sense. "data about you" would be more intellectually honest, but slate is nothing is not manipulative. it's okay, they know they're promoting correct opinions so little tiny manipulations in service of that is okay.
> well, "your" data in perhaps some rhetorical sense.

In this context, "your data" is 100% of the time used to indicate data you've provided to someone else about you. Have you ever seen an article saying "Facebook to target ads based on their photos" or "Google using their data to make money"?

I think you've overshot with the Facebook photos. They are, in fact, not their photos and remain the property of the uploader.
Well yes, as I indicated, the author is using a phrase in a rhetorical sense to frame the narrative emotionally. I'm sorry if I wasn't clear that I understand what the technique is accomplishing. I am merely pointing out the essential dishonesty in its use.
But if everyone uses the phrase that way, then it's not dishonest for this person to do it too. That's how language works. If I tell my student, "the early bird gets the worm", it's idiotic to call me stupid because I confused a human with a bird. I didn't in fact do that. I used a common idiom in the language that we all understand. The fact that you can recognize there's a literal meaning that wasn't accurate is pointless. I'm not dishonest or a liar either. I used language in a non-literal way, just like all of us do hundreds of times every day.

When someone says "company X is using your data", there's a common understanding in play. We all know what they mean. They mean "data they've collected about you". If you want to call everyone names because, taken literally, it's incorrect, then go ahead, but you're beating a dead horse here. And I'm not actually accusing you of pummeling the carcass of an equine. I'm saying you're spending your energy on a pointless task, but doing so in a way that relies on you understanding that the meaning of a sentence isn't strictly determined by the meaning and order of the individual words in it.

I hope the FTC wins its case and establishes precedent that consumer data is non transferable and most importantly not a good to be bought and sold unregulated. I understand there are circumstances when data has to shared, transferred etc. (health networks, but this regulated) But consumer data needs to be well regulated and not treated as a commodity and "asset", that's not a desirable incentive.

Consumer data should be one of those things which most companies consider something toxic but necessary so they handle it with care and use the least amount possible rather than collect as much as possible and worry about things later.

RadioShack may not have the reams of data an ISP has, but still need a precedent for future data handling and ownership resolution. It'd be great to see this kind of data devolve back to the consumer, i.e. destroyed, once its original user is no longer there to use it in support of ongoing business operations and should not be a mainline of business per se.

(comment deleted)
I thought user data was one of the most valuable assets of a business.

When I worked at Company X, one of our competitors was failing and offered us to buy them out. The most expensive part of the buyout was calculated basically by #users*<some price>. And really that's all we wanted, was their userbase, since we already had the product they wanted. We could absorb their users and immediately grow our business.

I think there's a difference between we'll sell you all this data we have on our users, some of which is related to conducting business with them, and here are our paying customers who you can acquire and continue to provide goods and services to.
Can you better explain the difference please?
Amazon buying Newegg customer data from Newegg,

vs

Amazon buying Newegg and rerouting the Newegg website backend through its own network.

I understand the two sides, but what's the difference to the consumer who has a Newegg account but does not want Amazon to have their personal data?

In the end, Amazon would end up with the consumers data, so to the consumer there is no difference. Are you saying that there is a difference? That's what I wanted clarification on, what that difference was.

To continue with the analogy above the difference arises if Newegg says "We don't share your data with third parties" and does #1. That would breach customer expectations because they are outright lying. The #2 case seems much less clear cut because Newegg wouldn't exist as a standalone entity anymore, and most people's reasonable expectation is Amazon would then have access to Newegg's data. It depends on each person's answer to the question: Is Amazon a third party in the second example?
You are assuming that a Privacy Policy is legally binding, it's generally accepted as not being.

In the example, Amazon can do whatever it wants with the data.

Data submitted to almost anyone online (maybe with the exception of large companies or companies specifically designed to not track data) should be considered public unfortunately.

I have seen some states recently put in place laws to protect this data from being made public or sold carelessly, but for the most part it is unregulated as far as I can tell.

While I agree that it's probably not legally binding (I beleive even the standard "Click and connect" contracts have been thrown out of courts in the past), do you have any references to share?
In a discussion about policy, you should never use terms like "generally accepted" and "should be considered" to refer to the reality that is already under question. It's extremely confusing.

The fact that your data isn't protected can't be used as an argument that it shouldn't be. Just because something is legal doesn't make it right, either.

> You are assuming that a Privacy Policy is legally binding, it's generally accepted as not being.

I'm not claiming privacy policies are legally binding, just that they can be an indicator of trustworthiness and integrity. That's what I really meant when I said "[Option #1] would breach customer expectations because they are outright lying."

The way I read mc32's "I think there's a difference" is moral difference, because I share the same sentiment as him or her ("I hope the FTC wins its case...") which would turn that moral difference into a legally binding one.

I think it's more of the following:

NewEgg selling customer data to Amazon, AND EBay, AND LinkedIn, AND Joe Schmoe's Tech Emporium. Each have their own data sharing policies.

vs.

NewEgg selling the entire business and assets to Amazon (and only Amazon). In this case, everything; hardware, product stock, servers, and data too.

The second case is different, and less directly harmful, but still bad for the "free market".

You end up in a situation where you have a few huge companies that have shitty expensive products and huge amounts of money. If anyone ever does better, they use some of the money to acquire the customers. No one ends up with something better or more cost effective; the 800lb gorilla just pays a tax to remain the only choice, and that cost is easily passed right back to the customers.

>but still bad for the "free market".

Yet another case whereby a natural consequence of a free market is "bad" for the free market.

In reality it's only bad for the consumer, and certainly not the businesses.

And that second case really annoys me, but I'd still rather not take the alternative to a free market, which is that idiots and douchebags decide what's good for me, and leave me with even less choice.
"Acquiring the customers" seems to be a business strategy with a high failure rate, else we'd be yahooing instead of googling or facebooking. It's hard to predict what competitors are going to blow up, and as soon as they get traction the price goes high - Facebook may have bought WhatsApp, but apparently SnapChat is holding out for more.

I actually think the "free market" works pretty well at this, even if it's not perfect. Nothing is.

That's a good point. I suppose this thing is a natural driver of the recent focus on user-traction over profitability.
"data" is a valuable asset, however, in many jurisdictions 'user' data is considered property of the user, not the agency that collected it.

Think of it like software, your data is not the property of Facebook, but rather, they have a license to use it.

Well sure, but when the license is perpetual and royalty-free, what's the difference?

> For content that is covered by intellectual property rights, like photos and videos (IP content), you [...] grant us a non-exclusive, transferable, sub-licensable, royalty-free, worldwide license to use any IP content that you post on or in connection with Facebook (IP License).

https://www.facebook.com/legal/terms

The main difference is that "non-exclusive" part: you retain the right to license it out to other entities, or to use it for your own purposes.
Not sure if you meant "you" or "they" there, but the "you" case is more interesting.

No, "you" generally do not effectively retain the right to license your data collected by a third party out to other entities, because (as far as I know) there are no laws which require that third party to provide you with the data they've collected.

Examples here would be 23andMe vs. Fitbit.

23andMe is in the business of collecting data from you (in essence), then providing it to you and using it for their own purposes.

Fitbit is in the business of collecting data from you, then processing it and performing a number of black box calculations, then providing you summarized results. (Caveat: yes, I am aware that most activity trackers have API / export functionality. However, in all the instances I looked at that's limited and generally crap compared to the raw take the main party has access to)

>Well sure, but when the license is perpetual and royalty-free, what's the difference?

There would be a difference if the license is non-transferable. Then Facebook wouldn't be able to give or sell that data to 3rd parties as part of a bankruptcy sale.

Edit: in the case of RadioShack's user data, I doubt that they got customers' agreement for a transferable license to the data.

> expensive part of the buyout was calculated basically by #users<some price>

I bet this had nothing to do with user data, but with user acquisition cost.

if company spends $10 on marketing and $15 on R&D per new user every quarter, then paying #users$10 when buying a dying competitor is a bargain.

I do agree but there are some huge flaws with this that need to be worked out first.

How would you sell one company to another? There isn't much difference between a company being sold because it's being acquired and a company's assets being sold because it's bankrupt and needs to pay creditors.

Perh a start would be strict ToS inheritance and much richer consumer data regulation. Any change on tos after an acquisition would have to be opted into by the user. So if Verizon buys experia, they don't suddenly do all kinds of things with that data I didn't expect.
> Consumer data should be one of those things which most companies consider something toxic but necessary so they handle it with care and use the least amount possible ….

This is a beautiful slogan. I think that it is far from something by which that businesses will ever abide, or laws will ever try to force them to abide, but I would love to live in a world in which it was true.

Ha. If data is an asset then bankruptcy court gets to decide if the owner of the data is bankrupt. FTC has no standing.
Even if the FTC wins, this case will not establish a general precedent that consumer data is not transferable.

The issue here is whether RadioShack may sell the consumer data when its privacy policy said it would never do so.

Whatever the result of this case, it won't apply where the privacy policy permits transfer in bankruptcy (as most now do).

Suppose one company buys another company outright. Should that company keep its customer list (effectively transferring it to the new owner), or throw it away, ditch all its customers, and start from square 1? Would you be happy as a customer if you were told that because your cellphone company had been bought, your contract is cancelled and they can't offer you another one, you have to go to the store and start over? Would you be happy as an employee of this company being bought?

Now, suppose the purchasing company isn't buying the entire business, but (say) half of it? What's changed? (This is roughly what is being proposed here)

Nothing has changed. In both cases, you should be able to continue using that customer data to provide a service they've asked you to provide (not what is being proposed here). You should not, in either case, be allowed to sell that data to marketers who will turn around and use it to either build profiles on people, or to spam/harass them with unwanted advertising(what IS being proposed here).

There is no gray area here.

This is why Google's "Don't be evil" mantra freaks me out. Yeah they're not evil now, but who knows in 15 years? That mantra is gonna be like a slap in the face.
> Yeah they're not evil now

Oh come on, I was drinking coffee when I read that :(

It's possible Google has always been evil. What better motto for an evil entity to have?
It is one thing for private corporation to sell their sales data.

Some people don't have a problem with that, though I think they should.

You might be outraged however to discover that your state DMV will happily sell your license/cartag data to corporations.

It is standard in bankruptcies to dissolve existing contracts (after all, the point of bankruptcy is that you can't fulfil all of your existing contractual obligations). So it's not surprising on face that privacy policies would be included in this.

(This is distinct from "selling / buying the company" which usually means assuming all obligations).

For a class of contractual obligation to be "special" in the context of bankruptcy you typically need some kind of legislative protection (some states have rules about "outstanding payroll gets paid first", student loans are nondischargable, etc). Or some kind of bankruptcy cour ruling that liquidating the assets in this way would be somehow inefficient or against the public interest, which looks like how the FTC is approaching it. But in a circumstance where a huge portion of the business's assets were "private information", I could see a bankruptcy court ruling the other way - this doesn't necessarily establish binding precedent.

In Australia, we have a set of clear privacy principles outlined in law. These are called the Australian Privacy Principles, and there are 13 of them.

The first principle is "Australian Privacy Principle 1 — open and transparent management of personal information", and it states that every organisation must publish a privacy policy and it must state "the purposes for which the entity collects, holds, uses and discloses personal information".

That's legally binding. If the company violates it, there are massive fines and the Privacy Commisdioner can investigate.

I don't know the case's specifics, but doesn't typically the bankruptcy court decide what assets are to be sold? The former management and staff (what we are thinking of when slate.com writes "RadioShack Sold...") has no influence over this and should not be blamed. The bankruptcy court is the new management, they can do what they want and must according to law to satisfy creditors, blame them.
They collected and stored data unnecessarily, so former management absolutely shares blame.
I have worked a company where this has happened, and it wasn't even the company themselves really.

They went into administration, and the administrators came in and wanted to see if they had anything of value.

Data is of value, so they sold it to a rival company. Not a lot you can do about it really, apart from not store the data in the first place.

The answer is: Do not have a privacy policy.

If you have a privacy policy and you violate it, the FTC comes after you. No policy? No harassment from FTC.

Aside that fact, it's not like they really matter. Right?

The laws of many jurisdictions require you to have a privacy policy if you are going to collect personally identifiable information from residents of that jurisdiction. See, for example, the California Online Privacy Protection Act.
SO that's why I just got a random call from Michigan selling me a security system.
The question comes down to is the private equity group a successor organization.

If Best Buy had swooped in and bought Radio Shack, maintaining it as an ongoing concern I don't think anyone would have objected to them getting the data and honoring Radio Shack's original agreement. That is, they are not a third party, they are the successor to the party of the first part, viz Radio Shack.

Also had a private equity group come in and bought Radio Shack and taken them private, few would have objected to the now private Radio Shack under new management, maintaining the data and the agreements they held.

But by dragging Radio Shack through bankruptcy, they begin to lose the appearance of a successor organization, and begin to look more like a third party.

It's pretty hilarious this is being 'reported' on a site that won't let you read the article unless you give them your personal information.
Did they sell the data or the company? I'd be curious to know if the new owner is still obligated to follow the same privacy statement? In either case, I'm not going to lose any sleep over this.
Isn't everyone doing this in some form?
And people wonder why I am less exercised about government snooping than most, when it arguably has much less impact on most people's lives. (This is not the same as saying that it's OK; I just don't think it's the #1 tech-social problem).
Just makes you wonder, what if Google, Apple or Facebook go broke tomorrow?