Borders Bust Means B&N May Get Your Shopping History

coondoggie writes "To perhaps no one's surprise, Borders bookstore collected a ton of consumer information — such as personal data, including records of particular book and video sales — during its normal course of business. Such personal information Borders promised never to share without consumer consent. But now that the company is being sold off as part of its bankruptcy filing, all privacy promises are off. Reuters wrote this week that Barnes & Noble, which paid almost $14 million for Borders' intellectual assets (including customer information) at auction last week, said it should not have to comply with certain customer-privacy standards recommended by a third-party ombudsman."

Re:Glad I never bought from them.

[mjwx]

Hope this never happens to Amazon...

What difference would it make?

Amazon UK has been spamming me with the same book I bought a month and a half ago. Would it matter if B&N does it too?

how is this legal?

[ILongForDarkness]

Information is an asset I'll admit. But the access to the information was clearly bounded by Border's privacy policy. I really don't understand why the courts are even considering the possibility of allowing it to be sold. If the privacy policy said only Borders would access the data then when Borders ceases to exist than so should the data. B&N can just ask you to give them the info if you choose to under their privacy agreement. The fact that the company would even try to purchase information covered under a privacy agreement with another company puts them on my no-buy list.

Re:how is this legal?

[0123456]

If the privacy policy said only Borders would access the data then when Borders ceases to exist than so should the data.

Data doesn't disappear just because the company does. This is why anyone who's interested in privacy should be ensuring that no-one else has their data in the first place.

A 'privacy policy' is not a legally-binding agreement, and even if it was there's no guarantee that it would apply in bankruptcy.

Re:how is this legal?

[ColdWetDog]

No, no it's much worse than that.

Corporations can't be killed. They can be consumed by another corporation but the bits and pieces (especially bits these days) never dies. New corporations feed off the rotting entrails of older ones but they grow up to be functionally all the same.

Much worse than a Zombie infection. Sort of like a rootkit. Reboot all you like, it's still there.

Re:how is this legal?

[ILongForDarkness]

I think the article mentions a "deceptive business practice" clause that could cover this kind of thing. The fact that the information was supplied to you for a specific purpose should bind you to only use it for that purpose. I know I'm being naive but it does seem a rather unethical thing to do. What if for example the courts decide to license out the info from Borders rather than just sell it to one company (or the buying company does it)? Say they see you bought books about animals and the next thing you know you have door to door gypsies showing up with trained circus monkeys :-)

Re:how is this legal?

[TemporalBeing]

I think part of this is legal - B&N doesn't want to find itself ensnared by legal complications resulting from deficiencies in Borders' data collection or handling practices.

While IANAL, From my limited understanding of Bankruptcy law, the courts can basically dissolve nearly any contract in place. So as far as the Bankruptcy court is concerned the Private Policy doesn't exist, and they can sell the information off regardless of what the Private Policy said. The Privacy Policy only protects against what Borders itself can do with the data in the course of their own business, but once you get to Bankruptcy court then all bets are off. That is the problem with Privacy Policies.

Now, if another company simply bought Borders then the Privacy Policy would still be in effect. The issue only comes into play when a company goes through Bankruptcy. Privacy Policies might even survive restructuring under Chapter 11 Bankruptcy; but it won't likely survive Chapter 7 Bankruptcy.

That said, I think this is one area that Congress should address and fix - so the Bankruptcy courts are not so free to break the Privacy Policies, however restrictive the company may have made them.

Re:how is this legal?

[sabt-pestnu]

I wonder if you could use the theory that the information isn't Borders', it's yours - and by breaking the contract under which it was provided, Borders no longer has a right to it.

Re:how is this legal?

[mlts]

This exact issue is also affects cloud computing as a whole.

Take a cloud provider goes out of business. Another entity buys up all their servers, and now has free and complete access to the former clients' data. All data can be sold to the highest bidder (even if it is in a hostile country), or just slap it on a 20TB BitTorrent off of thepiratebay? Easily done, and there is not one thing legally that can be done about it.

Until the bankruptcy code addresses this with a stipulation that all data is either erased (with certificates of destruction of data or physical media), one needs to assume any and all "privacy policies" are "we will give any info to any and all we please."

Re:how is this legal?

[icebike]

While IANAL, From my limited understanding of Bankruptcy law, the courts can basically dissolve nearly any contract in place.

I don' think bankruptcy can dissolve anything other than money contracts. (IANAL either).

Physical property, like land and houses are often accompanied with "contracts" such as covenants, easements, etc.
Yet even when these assets get sold thru bankruptcy you can't then claim that the easement or covenant is no longer in force.
These are public contracts that bind all future owners.

Similarly a publicly stated privacy policy, and explicitly restrictions on revealing consumer's credit card information, are public contracts.
The policy was in place at the time B&N bid on the Borders asset.

Borders explicitly stated (since 2008) in their Privacy Policy:

Disclosures in connection with acquisitions or divestitures. Circumstances may arise where for strategic or other business reasons Borders decides to sell, buy, merge or otherwise reorganize its own or other businesses. Such a transaction may involve the disclosure of personal and other information to prospective or actual purchasers, or receiving it from sellers. It is Borders' practice to seek appropriate protection for information in these types of transactions. In the event that Borders or all of its assets are acquired in such a transaction, customer information would be one of the transferred assets.

Similarly, B&N explicitly states (at least since April) in its privacy policy:

Sales, mergers, and acquisitions. If Barnes & Noble becomes involved in a merger, acquisition, or any form of sale of some or all of its assets, personal information may be provided to the entities and advisors involved subject to a confidentiality agreement, and we will provide notice before any personal information is finally transferred and becomes subject to a different privacy policy.

So this seems to me to have been in the policy statements of Borders for a long time, most customers knew or should have known about this provision, and Borders provided an opt out link in the page referenced above. Therefore think B&N is well within their rights to use this information.

The final clause in all privacy policies

[SirGarlon]

The final clause in all privacy policies are words to the effect, "this policy is subject to change at any time, with or without notice to you." Now we have an example of what that means.

I have always regarded that a license to defraud the consumer, as they can initially offer privacy terms that are acceptable, then collect your data, then revoke the privacy protections without giving you a chance to change or delete your data.

Re:The final clause in all privacy policies

[icebike]

this policy is subject to change at any time, with or without notice to you.

Borders' Privacy Policy is still available. It doesn't quite seem to say that.

Exactly.

Further, Borders provided an opt-out link on their page.

And their policy statement EXPLICITLY states (since at least 2008) that if they are sold, your info is among the assets that would be transferred.
B&N is doing nothing wrong here.

bankruptcy creditors

[Skapare]

This kind of decision would turn every (former) Border's customer into a potential creditor in the bankruptcy proceeding, since it becomes a cost and damage to that customer if the privacy terms already agreed to are changed. Imagine if even 1 person of Border's (former) customer were to file a petition with the bankruptcy court to enter as a creditor.

That's awesome!

[Ardeaem]

So, if I buy a harddrive from someone, and it has some software installed on it, that means that I can do whatever I want with it because I didn't agree to the ToS! Right...?

Not have to comply?

[C_Kode]

Not have to comply? They should be legally bind to it.

Re:Not have to comply?

[silas_moeckel]

It's bankruptcy, judges can get rid of contract classes as they see fit. Want it fixed you need a federal law (or patchwork of state laws) precluding the sale, lease or otherwise transfer of all personally identifying information without the consent of that person at the time of transfer (aka no fine print you allow this forever BS). Might want to tack on a company must expunge that same info opon request, or after n years of inactivity.

Re:R.I.P. Borders

[93+Escort+Wagon]

It's a troubling sign of the times, I don't like seeing brick 'n' mortar book stores going belly up, I loved to spend a few hours on Saturday afternoons looking around.

An easy problem to solve.
1) Download several of these
2) Set one of those photos as your computer's desktop image
3) Glance at your desktop background occasionally while you do your shopping at Amazon.com

Re:No Borders Rewards Card

[Skapare]

Borders went out of business because they were too pushy with the Rewards Card. I just wish now that I had not turned it down so I would have standing to file a petition to enter the bankruptcy proceeding as a defrauded creditor.

Re:Glad I never bought from them.

[maxume]

Does Amazon actually send you stuff you don't want? All I get from them are order and shipping confirmations, perhaps I clicked something about not sending me advertisements.

From the privacy policy

You have to scroll way down to find this, but this is part of the Borders privacy policy:

Disclosures in connection with acquisitions or divestitures.
Circumstances may arise where for strategic or other business reasons Borders decides to sell, buy, merge or otherwise reorganize its own or other businesses. Such a transaction may involve the disclosure of personal and other information to prospective or actual purchasers, or receiving it from sellers. It is Borders' practice to seek appropriate protection for information in these types of transactions. In the event that Borders or all of its assets are acquired in such a transaction, customer information would be one of the transferred assets.

what this really could mean.

[Nadaka]

If the company buying the data at auction is not held to the same privacy standards as the original, this means that shell companies can be formed to gather information under strict nondisclosure, then intentionally fold and provide the information without restriction and in violation of the original disclosure agreement.

Re:Glad I never bought from them.

[dadioflex]

Right at the bottom of every marketing message from Amazon is a link to take you to your account page. Don't click on it. Instead open your browser and manually enter the link and enter your account. You can adjust exactly what email they send you from there.

"This feature is temporarily unavailable."

[whovian]

Just tried to poison my account info. The response was "We're sorry. This feature is temporarily unavailable. Please try again later." It may be too late :/

Unfortunately, ample precedent...

[sirwired]

This became a well-settled area of law when lawsuits by Scientology drove the Cult Awareness Network into bankruptcy. The Scientologists were able to get a hold of CAN's confidential files in the BK, despite strenuous objections by many parties.

If those files can't be protected, I don't see your book purchasing habits at Borders being particularly sarconsact.

Re:No Borders Rewards Card

[Desler]

You do realize that you'd be at the bottom of the list and never get any attention, right?

Re:Glad I never bought from them.

[rtb61]

The real question is whose asset is your information. Consider that your information is on loan, subject to conditions of contract being fulfilled, at any time you are entitled to recall your private data and in turn the company is no longer required to provide you will value based upon the loan of that data.

The company has gone bankrupt and as such is no longer able to fulfil the conditions of contract the were the basis of the loan of your private data, failure to adhere to the conditions of contract means your private data must be returned to you ie. deleted.

You private data can not be transferred upon bankruptcy under new conditions, because the bankrupt company now owes you a debt, your privacy because it no longer can provide contracted services.

Sellective buying

[mwvdlee]

B&N: Hi, we'd like to buy some parts of Borders.
Executor: Sure, which parts would you like?
B&N: Everything except the legal obligations, please.

The Elephant In The Room

[martin-boundary]

A 'privacy policy' is not a legally-binding agreement, and even if it was there's no guarantee that it would apply in bankruptcy.

If so, then let me point out the elephant in the room:

When are Google and Facebook going into bankruptcy and who's going to buy them?

Re:Yes the book you bought is the valueable info

[Nom+du+Keyboard]

Just the list of valid e-mail addresses and credit card info is next to priceless in the wrong hands...

One is left to wonder how long until some large enough criminal organization buys up this information at the bankruptcy auction.

Re:Glad I never bought from them.

[hairyfeet]

Tell me about misinfo! I had to deal with it for about two years because of my "doppelganger" as I called him. The guy lived on the other side of town, but he had the same first, last name and middle name (his middle was spelled differently but was the same name) , he had a sister with the same name as mine, and both of his parents had the same names as mine, only they were a couple of years younger than my parents.

I found out it was ending when my landlady used her key to get into my apt one morning and I got woke up in bed with "OMG thank goodness you aren't dead!" needless to say sitting there in my boxers i thought the sweet old lady had flipped her lid, but she told me that "I" had died in a car wreck that night and it had been reported that morning. when she heard it she rushed over to see if it was true and hopefully find a number for my family. Reading an obit for "yourself" was more than a little unnerving.

But you would think businesses would go by more than name, but I got his bank statements (and he got mine), CC reports and offers for him (and I'm sure ditto for him and my data) it just went on and on. I finally had to leave my bank because they thought sure I had to be "pulling something" to have two accounts under personal with two different addresses and contact numbers until finally in frustration i called the guy up (because i didn't want to have them close HIS account too) and had him show up and we both whipped out our IDs.

It was strange as hell though to have someone who was the polar opposite of me (he was a little guy and a hillbilly, and i'm a 6 foot biker type) running around with MY name and so damned many similar details.