Skip to content
RadioShack prepares to sell customer data in violation of its own privacy policy
Naked Security Naked Security

RadioShack to auction off customer data, violating own privacy policy

Despite it's privacy policy, bankrupt RadioShack is putting customer names, addresses, email addresses and other data up for auction.

RadioShack logoRetail chain RadioShack is looking to cash in the information it holds on its customers as part of its bankruptcy sale.

According to Hilco Streambank, personal data including over 65 million customers’ names and physical addresses, as well as 13 million email addresses, has been made available to the highest bidder.

All this despite the fact that the company’s online privacy policy quite clearly states:

We will not sell or rent your personally identifiable information to anyone at any time. We will not use any personal information beyond what is necessary to assist us in delivering to you the services you have requested. We may send personally identifiable information about you to other organizations when: We have your consent to share the information (you will be provided the opportunity to opt-out if you desire).

According to the Washington Post, the auction for RadioShack’s assets has already been completed, with Standard General – a hedge fund and RadioShack’s largest shareholder – the winner.

But the deal is yet to be completed as a bankruptcy court will need to approve the deal and, even then, there may be more legal hurdles to overcome before RadioShack can hand over any customer data.

According to a case filed in Texas, state regulators have offered up some objections to the proposed transaction, saying the sale would breach the company’s online privacy policy as well as in-store promises not to sell personal identifying information (PII).

The court filing also notes that the sale of customer data is illegal under state laws, which prevent the selling of personal information in violation of a company’s own privacy policies, as covered by the Texas Deceptive Trade Practices Act.

Responding to the possibility that RadioShack may sell its customer data in direct conflict with its stated privacy policy, New York Attorney General Eric Schneiderman said in a statement:

When a company collects private customer data on the condition that it will not be resold, it is the company’s responsibility to uphold their end of the bargain. My office will continue to monitor Radio Shack’s bankruptcy sale and whether it includes auctioning off private customer data. We are committed to taking appropriate action to protect New York consumers.

But it’s not only the authorities that are concerned about the privacy implications of this case – AT&T wants RadioShack to destroy the data, fearing that the data may fall into the hands of its competitors and claiming that some of it was obtained through the sale of its mobile contracts and is thus not RadioShack’s property in the first place.

To further complicate matters, a previous case in Manhattan may have some bearing after authorities approved the auctioning off of personal data under some circumstances.

In 2011, the Federal Trade Commission (FTC) gave the green light to the $13.9 million sale of Borders’ intellectual property to Barnes & Noble, on condition that the same privacy policy applied, the buyer operated within the same line of business, and if the data was sold in conjunction with other assets.

With Standard General reportedly looking to keep some RadioShack stores open, it may try to argue that any use of customer data may fall into a similar situation.

So what can consumers do to protect their data?

While the RadioShack ship may have already sailed, consumers should be aware that there is no legal requirement to hand over any information to a company beyond that which is required to complete the transaction.

So, next time a business asks for additional information that is incidental to the transaction being carried out, you are well within your rights to say no.


Does the consumer have any recourse to this invasion of privacy?


I assume this sale would follow some of the precedence set in the Borders -> Barnes & Noble sale of customer data. There, customers were given a laughably short timeframe(~30 days?) to opt out of the data share. I got caught up in that sale of data and like most people didn’t realize until too late, since nothing was communicated. Of course, I figured out really quickly when B&M emails were coming into my Borders address.


Considering the fact that Radio Shack’s headquarters is in Ft.Worth, Texas it may be that Texas law would take precedence over the Borders -> Barnes & Noble case which would very well stop this sale in it’s tracks completely.


I’ve said this before: “When times get desperate (and I assume that being in bankruptcy qualifies as being desperate), the customer/consumer will get thrown under the bus.” Bad enough for RadioShack, but if Google or Facebook ever get in that position…


I feel that they are leaving themselves in for one hell of a law suite for violation of privacy laws and for that matter a class action suite may happen from it.


Often the only value a startup or even a well established business has when in fiscal peril is their customer list. That it will be sold in violation of promises is inevitable. Short of a useless class action lawsuit, there is also nothing a consumer can do to protect themselves as they voluntarily provided the information.

How many entities will survive the next decade is impossible to predict. I’m old enough to recall WordPerfect, Lotus, dBase, Borland, etc. In their prime, they seemed invincible. Today, Apple, Google, Microsoft, etc. would appear to be so well entrenched their position is sacrosanct. That said, I seriously question whether any will survive the next 50 years. I won’t either — but younger folks are going to discover to their dismay that they have been sold multiple times as the big three go down. And yes, Virginia, you can be sure Zuckerbeg, Adobe and many others will have offered your data to everyone from the government to gstring manufacturers before they slip away.


bh said “I’m old enough to recall WordPerfect, Lotus, dBase, Borland, etc. In their prime, they seemed invincible.”

i remember them too – and it is interesting to remember that what destroyed each of them was Microsoft forcing the end of MS-DOS and refusing to release the APIs for the new Windows operating system. When the new Windows 3.1 computers went on the market there were no business applications other than those from Microsoft itself that would run on the new systems. And you couldn’t buy older MS-DOS systems because Microsoft wouldn’t license it.

So all it takes to kill viable companies with superior products is to shut off their market. I guess it has always been that way.



Leave a Reply

Your email address will not be published. Required fields are marked *

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?
You’re now subscribed!