Sports Authority’s sale of customer data raises privacy questions
When Sports Authority said “everything must go,” it meant everything – including its customers’ personal information.
The Colorado sporting goods retailer, which filed for Chapter 11 bankruptcy protection in March, this week auctioned its intellectual property, including the Sports Authority name, its e-commerce site and about 114 million customers’ files and 25 million email addresses. Dick’s Sporting Goods won with a $15 million bid.
The customer data could help Dick’s land Sports Authority customers looking for a new place to shop. “It’s extremely valuable data for companies to identify customers who are looking for a new home,” said Hemu Nigam, chief executive of SSP Blue and a cybersecurity expert.
As more companies come to understand the value of data, customer information has been auctioned in bankruptcy cases. Yet as consumers work to safeguard their data after breaches at companies such as Target and health insurer Anthem, such sales are another way customers can lose control of their personal information.
“Customer emails are stolen every day (but) they lack awareness that this is a possibility,” Nigam said. “The auction is raising awareness of another way customer data can be sold without even thinking about it.”
Businesses can legally sell consumer information as long as their privacy policies make it clear that data can be transferred or sold if the company is acquired or goes out of business.
Sports Authority posted its policy on its website: “We may transfer your personal information in the event of a corporate sale, merger, acquisition, dissolution or similar event.”
When a buyer obtains customer information through an acquisition or merger, it often allows new customers to follow the same privacy policy they had with the previous firm. But it’s not guaranteed.
Vague language in a privacy policy can allow companies to force customers to play by new rules.
As it underwent bankruptcy proceedings last year, RadioShack tried to renege on a privacy policy that promised not to sell customer information or mailing lists.
That led to intervention by the Federal Trade Commission, which advised the electronics chain to sell the information only as a package with its retail stores.
The hedge fund Standard General bought RadioShack’s business and customer data for $26.2 million.
The FTC also intervened in 2014 when ConnectEdu, an education technology company, sold personal information of high school and college students, some of whom were minors.
New buyers Graduation Alliance and Symplicity offered customers the choice of destroying their information.
Dick’s, which did not respond to requests for comment, could find many uses for the Sports Authority data.
Considering that Dick’s also spent $8 million to obtain 31 Sports Authority leases in this week’s auction, it could use the data to see if there are specific regions where customers seem particularly loyal to Sports Authority.
Experts suggest that Dick’s could use the customer logs to court shoppers who had never purchased from its stores. Or it could survey Sports Authority customers to see why they favored that business instead of Dick’s.
Still, privacy experts say any movement of personal data raises security concerns. How can customers know the new owner of their data will protect personal information as well as the last one?
“The type of company that would be most entertained by that information is most likely to exploit it,” said Jay Edelson, a Chicago privacy attorney. “Whether it’s identity theft or a scheme to defraud people by selling other things to them or reselling that list.”
Sports Authority and Hilco Streambank, which facilitated the auction, declined to comment.