The consumer privacy ombudsman (CPO) became part of the Bankruptcy Code via the Bankruptcy Abuse Prevention and Consumer Protection Act of 2005 (BAPCPA). Two decades ago, the regulatory and legal landscape was markedly different than it is today. The primary enforcer of privacy rules in 2005 was the Federal Trade Commission (FTC), which was limited to its enforcement powers under § 5 of the FTC Act of 1914 to bringing actions for unfair or deceptive acts or practices in interstate commerce.1 Absent clear rules about what constitutes a privacy violation, the FTC would hold companies accountable for violating the notice requirements when the data was collected.2 With few other protections to reference, the Code was amended as follows:

The trustee, after notice and a hearing, may use, sell, or lease, other than in the ordinary course of business, property of the estate, except that if the debtor in connection with offering a product or a service discloses to an individual a policy prohibiting the transfer of personally identifiable information about individuals to persons that are not affiliated with the debtor and if such policy is in effect on the date of the commencement of the case, then the trustee may not sell or lease personally identifiable information to any person unless -

(A) such sale or such lease is consistent with such policy; or

(B) after appointment of a consumer privacy ombudsman in accordance with section 332, and after notice and a hearing, the court approves such sale or such lease -

(i) giving due consideration to the facts, circumstances, and conditions of such sale or such lease; and

(ii) finding that no showing was made that such sale or such lease would violate applicable nonbankruptcy law.3

Prior to the dot-com boom and subsequent bust, companies made blanket assertions about not selling identifiable data. Now, the blanket statement that personal data will be transferred to subsequent parties-in-interest in the event of an asset sale, stock sale, change in control or pursuant to a bankruptcy proceeding is found in virtually every online privacy notice. Bankruptcy courts might construe these simple declarations that a user's data could be transferred or sold in a bankruptcy proceeding as evidence that such a sale would not violate the privacy notice...