Your information is somebody's asset

The Electronic Frontier Foundation published an article about the disposition of assets belonging to the defunct XY.com/XY magazine that included the personal information of their 1,000,000+ former subscribers. The parties in the XY.com case reached and agreement to destroy all personally identifiable information as suggested by the FCC.In this instance, things ended well for the former XY.com customers.  However the law is unclear on how to handle corporate assets such as customer lists.  


I recently received an email from Derek Sivers, the founder and former CEO of CDBaby. I've bought CDs and mp3s through CDBaby in the past, so my information was part of CDBaby's corporate assets. What is interesting is that Derek Sivers contacted me a couple of years after he sold CDBaby. Siver's email was a, "Hi, I wanted to tell you about my new projects." Definitely not creepy, and interesting enough for me to click through a couple of links. However, using a contact list from his former company seem incongruous. I wasn't the only one:

@sivers What's up with this email you sent out to old CDBaby members? Did you take a list of emails/purchases/credit cards when you left?  (from Jon Ursenbach)

Derek Sivers replied:

@jonursenbach I got to keep my database of clients and customers for two years, yes. Many are good friends. 

His email also mentioned the last album I bought from CDBaby, so I'm fairly sure he has access to complete database. Thanks to the Internet Archive Wayback Machine I can check on the privacy policy around the time I bought my last album from CDBaby.

So Derek Sivers is not another company, but when he sold the company he became an external party that had access to CDBaby's customer database. No being a lawyer, my best guess is that Siver's access to the customer database falls within the letter of the CDBaby's privacy policy.  Having sold a company, I'm well aware of the details and negotiations that go on during a sale. But having access to the customer database as a condition in the sale of a company strikes me as out of the ordinary. 


I do believe that the email Sivers sent was genuinely part of a friendly hello, get in touch, soft marketing campaign. However, it was unexpected and makes me just that more leery of blanket privacy policies. CDBaby continues to have a similar privacy policy:

We don’t give or sell your personal info to any other company - EVER! (Not even your email address!)

Only the musicians whose music you purchase will know who you are. If you don't even want the musician to know who you are, you can easily change your customer account settings to remain anonymous.

In contrast, Bandcamp (my current favorite place to buy music from independent musicians) has a very detailed privacy policy that specifies the conditions that determine how your personal information is shared, including the transfer of assets in the event of the sale of the company. The Bandcamp privacy policy is very clear that any information I provide becomes the property of Bandcamp. This isn't much comfort, but at least I know what I'm giving up.