Toysmart
William Frey, Chuck Huff, José A. Cruz-Cruz

An Analogy
• You visit a small village where the tribal leader is taken sick. He gives you a thousand dollars and makes you promise that you will use it to build a statue of him after his death. You take the money and make the promise.
• After his death, a member of the village comes to you and asks that you use the money to buy the village children new shoes which they badly need.
• What should you do? Buy the new shoes for the shoeless children or keep your promise to the village chief and build the statue?

Toysmart’s Beginnings
• Dot-Com (Online startup financed by venture capitalists)
  – Out of 10 companies funded:
    • Two make it big, two make it, and the rest go belly-up
• Started in December 1998
• Specializing in educational toys

Toysmart and Disney
• Holt Educational Outlet: Brick and Mortar Toy Company in Waltham, Mass.
• David Lord decides to create a dot.com.
• Two choices
  – One Venture Capitalist offers 20 million
  – Disney offered 20 million in cash plus 25 million in advertising

Decision Point
• You are David Lord
• You have two offers for start-up financing
• Determine Toysmart values.
  – Hint: Educational Toys
  – Hint: Need to gain customer trust
• Are Disney values compatible with Toysmart Values? What happens if these conflict?

“Click on your child’s potential”
• Good toys
  – Toysmart seeks to become an outlet to quality educational toys
  – Places before customers some 50,000 toys
• One stop shopping
  – Customers come, search, buy
• Transactions facilitated by exchanging PII and TGI
  – Personal Identifying Information
    • Information used to identify an individual (age, job)
  – Transaction Generated Information
    • address, credit card numbers, buying preferences

So What?
• When you go to the grocery store, you exchange PII and TGI
  – People see you, how you look, how you dress, your age (roughly), and other identifying characteristics
  – When you buy products, the cashier notices, often remembering your buying patterns, preferences, dislikes
• Why does digitalizing this information and placing it in cyberspace change things?

PII and TGI Create Customer Data Base
• 260,000 profiles worth up to $500 each:
  – Name, address, billing information, shopping preferences, family profiles (including names and birthdates of children), and credit card numbers
• One method of collecting customer information: a contest
  – Children entered contest at toysmart.com (= data input)
  – Parents sent e-mail informing them child had entered
  – Winners’ parents give address to receive prize (= data input)
• Information collected from children under 13

Decision Point Two
• You work for Blackstone, "an 18-person software business."
• Job:
  – Design an attractive webpage
  – Advise Toysmart on privacy and data security policy
  – How should Toysmart balance privacy (secure customer information) and promote ease of Internet access (which requires information exchange)?

Gaining Customer Trust
• Potential customers stayed away for fear that their information would not be held secure
• How does Toysmart gain consumer trust?
  – By promising strong privacy practices
  – By posting a web certification seal such as TRUSTe® or VeriSign®
  – By attesting to a strong set of core values

Privacy Guarantee (Promise Number 1)
• Toysmart Privacy Policy (since September 1999)
  – Personal information, voluntarily submitted by visitors to our site, such as name, address, billing information and shopping preferences, is never shared with a third party.
  – When you register with toysmart.com, you can rest assured that your information will never be shared with a third party.
  – FTC announcement of suit against Toysmart
    • www.ftc.gov/opa/2000/07/toysmart.htm

TRUSTe Certification (Promise Number 2)
• toysmart.com was licensed by TRUSTe Privacy Program
• Trusted Universal Standards in electronic Transactions
  – “independent, non-profit privacy initiative dedicated to building user’s trust and confidence on the Internet”
• Toysmart displayed TRUSTe trademark on website
  – In addition to guarantees that customer personal information would be safe at toysmart.com

TRUSTe Guidelines for PII transfer (White Paper from 4/11/01)
• Specifically, these guidelines point to the following:
  – “Mandated Third Party Oversight
    • The critical point in these guidelines is that personal information transfer requires third party oversight as an important check against the singularly focused demands imposed by creditors. In an era marked by increasing consumer vigilance over privacy, third party oversight in data transfer is mandatory to the trust equation.
  – Consumer Notice and Choice
    • TRUSTe recommends that giving customers opt-in is the best method to retain full value of a customer database and extend trust to new users. Indeed, if a company has made the promise to never share personal information, then a change in data handling and uses requires consumer opt-in. In other situations, providing both an opt-out option and public notice will be sufficient.
  – Privacy Policies Must Be Honored
    • The same promises a company makes while in business, must be honored when going out of business. Given the current sensitivities towards privacy protection, consumers are beginning to understand that third parties exist – in the form of seal programs and government bodies – to ensure the integrity of privacy promises. To that end, both parties, the buyer and the seller, have an obligation to the consumer.”

Opt-in vs. Opt-out
• Opt-out
  – Transferring the information is the default. Your PII will be transferred unless you take positive action to prevent this.
  – Usually a procedure that requires you to fill out a card and send it to the information holder
• Opt-in
  – The stronger privacy practice
  – Your PII will not be sent unless you expressly consent. Here not sending the information is the default.
  – To override you have to consent.

Obligations to TRUSTe
• “1. Inform TRUSTe of impending business changes as they impact customers’ personally identifiable information and privacy practices.
• 2. Provide your customers and/or users with notice of the upcoming change.
• 3. If you have promised never to share personally identifiable information with a third party, at a minimum you must provide an opt-in before the information is shared with that third party.
• 4. If you have indicated in your privacy statement that you may share information with third parties, you should provide notice and an opt-out before sharing the personally identifiable information.
• 5. If the company will be sold in total to a company in a similar line of business with the same privacy policy, give notice to the customer.”

The Disappointing Christmas
• Toysmart’s expected sales of 20 million fizzle out at 6 million (December 1999)
• Disney withdraws support
• Will Toysmart follow other dot.com companies to bankruptcy?
  – This was the period of the dot.com bust.

Toysmart goes bankrupt
• May 22, 2000:
  – FTC: Toysmart “announced that it was closing its operations and selling its assets”
  – Lets go of 170 employees
  – Consults with The Recovery Group on evaluating assets
• Toysmart’s creditors filed involuntary bankruptcy petition on June 9, 2000
• Toysmart files assent to bankruptcy petition June 23, 2000 (Chapter 11)

Steps for Bankruptcies
• “Review the privacy statement to determine the promises made to Web site customers and users. The privacy statement will indicate the restrictions that will apply to the transfer of the personally identifiable information.
• Inform TRUSTe of the company’s upcoming changes before filing for bankruptcy.
• Companies selling customer information as part of the asset portfolio must give all consumers a reasonable opportunity to prevent the sale of their personally identifiable information, if:
  – The PII will be used or disclosed by the buyer for a purpose not outlined in the TRUSTe approved privacy statement,
  – The PII will be used for a purpose unrelated to the primary purpose for which it was collected, or
  – The company promised not to sell, rent, or share the personally identifiable information.
• Once a buyer of the database is identified, you must contact TRUSTe to determine the necessary level of notice and choice.”

More Steps for Bankruptcies
• “TRUSTe will need the following information to determine the required levels of notice and obtaining choice.
  – the name of the company purchasing the assets,
  – the effective date of the merger,
  – how the new company intends to use the personally identifiable information in the customer database,
  – whether the new company will be adopting the privacy policies of the licensee, or if it will have different privacy policies, and
  – whether the new company intends to maintain a relationship with TRUSTe, (if not, you should follow the termination procedures of section 5 of License Agreement 6.0).
• Once you and your TRUSTe account manager determine how customers and/or users will be given notice and/or choice, provide TRUSTe with documentation of the notice and choice you intend to send to your customers prior to sending it.”

Procedure on filing bankruptcy
• Receive Creditors’ Committee Solicitation Form from Office of United States Trustee (OUST)
  – Form creditors’ committee
• Evaluate Assets
• Creditors’ committee has a fiduciary duty to creditors (duty of trust or loyalty)
  – Maximize value of debtor’s assets

Decision Point
• You work for PAN Communications and have been providing advertising services for Toysmart.
• Because of your knowledge of bankruptcy and accounting procedures, you have been asked to represent your company on this committee.
• Toysmart’s most valuable asset is its customer data base. The 260,000 profiles could be sold for up to $500 apiece.
• But Toysmart has promised not to exchange this information with third parties. It is also bound by the strong privacy standards of web certification company, TRUSTe.
• How should you work to balance customer concerns about privacy, Toysmart promises, and the rights of creditors to recover their money through the bankruptcy process?

Toysmart’s Assets
• Bankruptcy Schedules
  – 10.5 million in assets
  – 29 million in liabilities
• The Crown Jewels: Toysmart’s customer data base
  – 260,000 customers
  – Each customer worth “up to” $500
• On June 9, 2000, Disney places an ad in the Wall Street Journal offering Toysmart’s databases and customer lists for sale
• FTC alerted to problem by TRUSTe
• Warning issued late June 2000

Data Base for Sale
• Toysmart creditors place ads in the Wall Street Journal and Boston Globe announcing the sale of its customer data base.

FTC Files Complaint
• July 10, 2000
• “seeking injunctive and declaratory relief to prevent the sale of confidential, personal customer information”
• Toysmart “has violated Section 5 of the FTC Act by misrepresenting to customers that personal information would never be shared with third parties, then disclosing, selling, or offering that information for sale”

Framework for FTC
• GeoCities Consent Order
  – notice of the web site’s privacy policy;
  – consumer choice regarding the use of the information collected;
  – consumer access to correct and update information;
  – safeguards securing the data;
  – parental control when children’s information is involved; and
  – some enforcement mechanism

Results of FTC Legal Proceedings
• Late July 2000
  – FTC and Toysmart reach settlement
  – Toysmart must “file an order in the bankruptcy court prohibiting the sale of its customer data as a ‘stand-alone asset.’”
  – Toysmart creditors “can sell electronic assets only if the purchasing company abided by the same privacy policy”
• On August 17, 2000, the federal bankruptcy court declines to accept the Toysmart/FTC settlement
  – Wait for buyers to come forward

Criticisms of Resolution
• Amendment to Bankruptcy law has problems
  – Ultimately prevents dot-coms from selling off their most valuable assets, information
• The FTC settlement appears as value integrative
  – Sells off data base as asset
  – But includes consumer consent including opt out procedures
  – And commits buyer to privacy policy of original collector

The Final Curtain
• Disney Subsidiary, Buena Vista Toy Company, buys data base for $50,000.
• Toysmart does not transfer information but destroys it.
• Provides affidavit to this effect.

Thought Experiment
• Should creditors of bankrupt companies be subject to the privacy policies/promises of the bankrupt company?
• In other words, do you take the money of the village chief and buy shoes or build the statue as you originally promised?

Group Work
• Person Profiles: For each of the following participants identify the role each plays and key values at stake:
  – David Lord (Toysmart directors/managers)
  – Disney (as a venture capitalist)
  – TRUSTe (see slide 11)
  – Toysmart creditors (Pan Communications: see table in module)
  – FTC (government agency)
  – Toysmart Customers
• Toysmart’s customer data base
  – Should Toysmart creditors be allowed to sell the data base to third parties despite Toysmart’s promise?
  – Assume that the data base can be sold if Toysmart customers consent. How (=what procedure) should this consent be obtained and documented?