The trustee, after notice and a hearing, may use, sell, or lease, other than in the ordinary course of business, property of the estate, except that if the debtor in connection with offering a product or a service discloses to an individual a policy prohibiting the transfer of personally identifiable information about individuals to persons that are not affiliated with the debtor and if such policy is in effect on the date of the commencement of the case, then the trustee may not sell or lease personally identifiable information to any person unless - (A) such sale or such lease is consistent with such policy; or (B) after appointment of a consumer privacy ombudsman in accordance with section 332, and after notice and a hearing, the court approves such sale or such lease - (i) giving due consideration to the facts, circumstances, and conditions of such sale or such lease; and (ii) finding that no showing was made that such sale or such lease would violate applicable nonbankruptcy law.3 Prior to the dot-com boom and subsequent bust, companies made blanket assertions about not selling identifiable data. Consumer Expectations and Rights Have Changed Significantly Since2005 Eleven years after the passage of BAPCPA, the EU enacted the General Data Protection Regulation (GDPR), which marked a sea change in how individuals expect their data to be handled around the world.4 U.S. laws at the time narrowly regulated specific types of data in the hands of specific types of entities, such as genetic data possessed by insurance companies under the Genetic Information Nondiscrimination Act of 2008,5 or protected health information in the hands of certain medical companies under the Health Insurance Portability and Accountability Act of 1996.6 The Bankruptcy Code limits the definition of "personally identifiable information" to an individual's name, home address, email address, home phone number, Social Security number or credit card number.7 On the other hand, the GDPR defined "personal data" as "any information relating to an identified or identifiable natural person"8 and placed strict requirements and limits on how companies could process such personal data. [...]Minnesota only provides the exemption to affiliates or subsidiaries of insurers that arc "principally engaged in financial activities, as described in United States Code, title 12, section 1843(k)," such as bank-holding companies;20 on the other hand, Connecticut, New Hampshire, Oregon, Texas and Virginia do not exempt "affiliates" at all;21 and California docs not provide an entity exemption to begin with - only exempting the "data" subject to the GLBA.22 Therefore, in at least seven states, the state comprehensive consumer-privacy laws might be enforceable against the non-GLBA affiliate. [...]consider the assistance of a CPO when the debtor has a significant volume of data.