Deals increasingly involve big, valuable sets of data.  In fact, these data sets have become a keystone in mergers and acquisitions, as business models across industries increasingly identify personal data as major corporate assets and intellectual property.  As a result, companies on both sides of any transaction must understand — and predict — what promises, legal limits and risks apply to the large data sets at issue in the deal.

Privacy risks may come into play in transactions in several ways.  For example, laws or contractual obligations may require an entity to obtain consent before transferring data it collected.  Moreover, in the U.S., that transfer may constitute a “material change” to the privacy policy under which the acquired entity previously collected personal data.  The Federal Trade Commission (and a California statute) have established that material changes to privacy policies require affirmative consent from affected individuals.  Most privacy policies already include a provision allowing the transfer of data in a sale of assets or change of control; the absence of such a provision should be treated as a red flag in due diligence.  In addition, for international transactions, counsel must understand not only the applicable privacy policies, but also the data protection and privacy laws that apply to the acquiring entity.  Prior consent from affected individuals may be required in certain jurisdictions.

The same consent requirements also may apply to how previously collected data may be used and shared by the acquiring company.  If, for instance, the acquired company’s privacy policy promises that any consumer data it collected would not be shared with third parties, but the acquirer wants to share that previously collected personal data with its third-party advertisers, the acquiring company would need to obtain affirmative consent from each consumer before doing so.  The cost and difficulty of obtaining such consent sometimes preclude the acquiring company from realizing the value of previously collected data.  For these reasons, it is critical to analyze the privacy implications of a deal, as they may significantly modify a transaction’s terms in ways that a traditional due diligence review may not reveal.

While a review of the acquired company’s public statements is the first step in privacy due diligence, it should not be the last.  Acquirers should also review any public-facing websites and mobile applications to confirm that they accurately reflect the company’s privacy promises and that there is no data leakage or inappropriate disclosure of information.

The acquired entity’s consumer privacy policies and public-facing activities are not all that the acquiring entity should examine.  Employee privacy policies and handbooks, information security policies, and incident response plans also may bear on an entity’s data practices and its compliance with legal obligations and industry standards.  Reviewing those policies for potential red flags, gaps or inconsistencies is also critical, especially in transactions involving employee and human resources information and systems.  Employee privacy policies and employee handbooks often address bring-your-own-device programs, employee monitoring practices, and whistleblower hotlines.  Each of these practices may trigger various laws and obligations across both U.S. state and international lines, and harmonizing them with the acquiring company’s own policies and practices will be an essential step after the deal closes.

In addition, special sets of data may raise further compliance concerns.  For example, data regarding an individual’s health or medical care must be evaluated to determine whether the Health Insurance Portability and Accountability Act applies, and online services directed to children under 13 may trigger the Children’s Online Privacy Protection Act.  Diligence must therefore include questions about the mechanisms and tools the acquired company uses to comply with all applicable privacy laws.

Companies considering international transactions must conduct a similar analysis for any personal data — including data about individual employees — governed by the local laws in the relevant international jurisdictions.  The acquiring entity must determine the value and potential uses of any personal data that is subject to transfer in light of (1) how the acquired entity has complied with relevant international data protection laws, and (2) any additional restrictions triggered by the transaction and transfer of data. Valuation of any international transaction without reference to both of these privacy concerns may misrepresent — and most likely underestimate — the costs of compliance.

The European Court of Justice’s (ECJ) October 2015 decision invalidating the U.S./EU Safe Harbor mechanism for transferring personal data from the EU to the U.S. provides a compelling example.  As a result of the ECJ’s decision, over 4,000 U.S.-based companies that were certified under the Safe Harbor program must now reassess how they can continue to lawfully transfer personal data from the EU to the U.S., undoubtedly impacting any potential corporate transactions with entities based in the EU.  This decision illustrates not only the significant impact data protection laws can have on M&A, but also the necessity of understanding — through thorough privacy due diligence — the various data implicated in the potential transaction.

Furthermore, the ECJ’s decision demonstrates the difficulty companies face in determining the costs of compliance in an ever-shifting legal landscape.  Acquiring companies cannot afford to ignore compliance risks and costs, which affect not only the value of the acquisition but also the effort of integrating the newly acquired assets into their existing systems.  Developing and implementing a thoughtful integration program for electronic systems and data flows is essential to maintaining privacy compliance, especially across borders as the international data privacy landscape continues to develop.

Despite the growing importance of privacy and cybersecurity concerns, the traditional due diligence process often treats privacy and cybersecurity questions as a secondary consideration.  These risks may be under-emphasized because privacy and cybersecurity analyses require a different skill set than traditional transactional diligence does.  In our experience, thorough privacy and cybersecurity analysis has materially modified transactions’ terms because of identified deficiencies that traditional due diligence would not have discovered.

Companies should incorporate corporate privacy and cybersecurity assessments proactively into the transaction and due diligence process to avoid these pitfalls, taking into account current standards for commercial reasonableness.  In this way, sophisticated companies and their privacy counsel will be able to understand the privacy risks and their potential costs, bringing the diligence and the deal to a successful close.