RadioShack has reached agreement with U.S. states over the sale of customer data, by consenting to limit the number of email addresses to be sold, and giving customers the opportunity to be removed from the list.
A coalition of 38 U.S. states, led by Texas, objected to the sale of personally identifiable information by the bankrupt electronics retailer, citing its online and in-store privacy policies. The customer data, which was withdrawn from an earlier sale of assets that included RadioShack stores, was included in a second auction this month.
The bulk of the consumer data will be destroyed, and no credit or debit card account numbers, social security numbers, dates of birth or phone numbers will be transferred to General Wireless Operations, the winner of both auctions, said Texas Attorney General Ken Paxton in a statement Wednesday.
RadioShack also filed in court on Wednesday the result of the mediation talks that started on May 14, in which the states, the prospective buyer and the retailer participated.
RadioShack's databases contained about 117 million customer records, including of consumer and commercial customers. The company offered for sale what it considered to be the most relevant data, which consisted of 67 million complete customer names and physical address files, of which around 8.3 million records also included an e-mail address, according to the filing. Some 200,000 email addresses that were not associated with a physical mailing address were also part of the offer.
Customers with emails will be given an opportunity to opt out from having their information transferred to General Wireless within one week from being served a notice. Opt-out options will also be provided to customers whose email addresses are not available.
The agreement also removes 14 data fields from the transaction information that RadioShack proposed to sell. The information on a transaction to be sold will be limited to seven fields, including store number, ticket date and time, stock keeping unit (SKU) number, description and selling price, tender type and amount.
The Federal Trade Commission in a letter over the weekend to a court-appointed privacy ombudsman had said that the agency's concerns about the transfer of customer data, "would be greatly diminished" if certain conditions were met, including that the data was not sold standalone, and if the buyer is engaged in substantially the same lines of business as RadioShack, and expressly agrees to be bound by and adhere to the privacy policies.
This requirement appears to have been met by General Wireless. The acquirer has obtained approval from a bankruptcy court in Delaware to purchase RadioShack's entire e-commerce business, intellectual property and remaining assets, including the customer data under the settlement, Paxton said.
New York's Attorney General Eric T. Schneiderman described the settlement a victory for consumers' privacy nationwide, which could serve as a model for future bankruptcies. The RadioShack dispute brought into sharp focus the need to protect, in the event of a bankruptcy, the large troves of personal data collected by large online and offline companies.
Join the CIO New Zealand group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.