Barnes & Noble Will Have Only One Day To Let Borders' Loyalty Customers Opt Out

Here's a quick little IT project during the run-up to Black Friday: After spending $13.9 million for Borders' CRM data, Barnes & Noble will have a single business day to send E-mails to 43 million Borders loyalty customers offering them the chance to opt-out of joining B&N's own customer list—and only 20 days to purge the data of any customer who wants out.

That's the upshot of the deal cut in bankruptcy court after the Federal Trade Commission and a special court-appointed Consumer Privacy Ombudsman pushed for an opt-in requirement for Borders loyalty customers, while B&N wanted to offer them nothing more than its own privacy policy. Ironically, either of those two choices would have made life relatively easy for B&N's IT shop. Instead, the privacy compromise could require furious IT activity in the weeks after the sale closes on Friday (Sept. 30).

B&N won the auction for Borders' CRM data, Web site and brand (but not its IP addresses) in an auction this month. But bankruptcy court Judge Martin Glenn blocked the deal when the privacy ombudsman recommended requiring "affirmative consent" from each former Borders customer before adding the name to B&N's loyalty program. B&N called that requirement "completely unrealistic" and said it put the whole deal at risk.

The ombudsman's recommendation echoed a letter the FTC wrote to the court last month. "In light of the promises Borders made to its customers, we believe it would be appropriate for Borders to obtain express consent from its customers, specifying the potential purchaser, before it transfers the data. The consent process would allow customers to make their own determination as to whether a transfer of their information would be acceptable to them. For consumers who did not consent, their data would be purged," the FTC wrote.

In the end, the FTC and B&N split the difference: B&N won't use the Borders CRM data except to immediately notify Borders loyalty customers that they can opt out, and data for any customer who opts out will be purged. But that opt-out period is on a very aggressive schedule—customers must be notified "on or within one business day after the closing date" of the sale, according to the court order, and data on customers who opt out must be purged no later than 20 days after that.

B&N wouldn't comment on exactly what hoops customers will have to jump through to opt out. But let's assume it's simple: Customer gets an E-mail with a "click if you want to opt out" link that includes a customer number; a customer who clicks sees his name and Borders number, and can click again to opt out; after that second click, the customer's data is marked for deletion. (B&N will probably add some sales pitches and maybe an "are you sure you want to lose the benefits of being a special Barnes & Noble customer?" plea. The court says they can do that.)

That's a relatively simple site to set up if you're dealing with a small number of customers—but for dealing with millions, it's a nightmare.That's a relatively simple site to set up if you're dealing with a small number of customers. For dealing with potentially millions of customers, all of whom will be notified at the same time and who will be hammering on a database that's new to the B&N IT staff, it's a nightmare. In fact, just sending out 40-million-plus E-mails in a 24-hour period could get B&N flagged as a spammer by some E-mail systems.

Unfortunately, the Borders/B&N compromise may be a model for future handling of CRM data when big retailers go bankrupt. The data is too big an asset for bankruptcy courts to ignore, but bankruptcy law now includes specific provisions for protecting customer privacy, including appointing a Consumer Privacy Ombudsman. And the FTC will continue to push for opt-in, which CRM data buyers and bankruptcy judges are likely to reject as impractical.

On the other side, if the company buying the CRM data has its own strong and consistent privacy policy, that's likely to sway bankruptcy judges in the direction of easing opt-in or opt-out requirements at least a little. The stronger the privacy policy—especially if the company buying the CRM data has a stronger policy than the bankrupt seller—the more likely a judge, ombudsman and even the FTC will be to trust the safety of the data. And the less that policy has changed, the more likely they'll believe it will keep protecting acquired CRM data.

But going forward, quick-turnaround requirements for dealing with that CRM data are likely to be the rule, not the exception. If you're on the acquiring end, that means you'll want to clear the path as much as you can in advance.

Chances are that you won't officially get your hands on that customer data until the deal closes. To send out millions of E-mails within one business day after that, it helps to know everything you can about the data you're acquiring in advance. You're not likely to get much help from the bankrupt company—its best database people will be long gone. But even knowing whether it's an Oracle or DB2 or some more obscure database will help you plan. Full schema? That may be too much to hope for, but it's not too much to ask for.

Getting that information in advance requires that you start the wheels turning as quickly as possible when you get an inkling that your company is buying a bankrupt competitor's CRM data. You won't know the state of that CRM data, its format, how well maintained it is or what tricky gimmicks are buried in a database that was never designed to be handed off to anyone else.

But one thing you can be sure of: Lawyers generally don't know IT, so they'll negotiate last-minute deals that solve their problems, but leave IT with the job of fulfilling the agreements they've made—like, say, a promise that 43 million customers in an unknown database will get E-mails offering a way for them to opt out overnight.