Whether you are the seller or the buyer, corporate privacy policies included in the companies' websites have an enormous impact on a future merger or acquisition. From the perspectives of required due diligence, warranties and even whether the transaction may proceed at all, companies must think carefully about their (or their targets') data practices at the time of collection of the personal information (PI).
1. Did the policy specifically contemplate a transfer of the user's PI in the context of a change of control? This is the primary lesson to be learned from Radio Shack. If the policy makes a blanket statement without exception that PI will not be sold, then you have a problem that needs addressing. While a policy may be revised, users must have consented to that change (see below) before placing their PI in the "transferable upon change of control" bucket.
2. Is PI a material element of the value of the deal?
3. Does the policy specifically obtain the user's consent to prospective changes to privacy policies? Perhaps more importantly, does the revised policy apply to data collected before the revision? Data collected under the former policy cannot be moved to the broader terms of a new policy without user consent.
5. Does the policy provide that continued activity or provision of PI constitutes consent?
7. If PI is material, what does the Radio Shack Accord dictate for the transaction?
8. What sort of warranties regarding seller compliance with its policy are possible and necessary?
9. What is a reasonable way to allocate, in the indemnification section, the risk of private or governmental challenges to privacy practices?
10. For deals with a material non-US element, it is necessary to conduct this type of review with respect to data collection in each of the locations in which users reside.
As for the acquisition or merger agreement, typical representations and warranties include the following (which may include knowledge or materiality qualifiers and international and industry considerations):
(i) Company complies with its published privacy policies. Privacy policies need to reflect actual practice as it changes from time to time.
(ii) Company complies with privacy and data security laws and regulations. This representation includes rules applicable to specific industries (financial, health care). We are seeing unduly vague terms such as "guidance" or "industry standards" in written agreements. Exact terms and specificity should be used whenever possible.
(iii) The acquiring entity will comply with the seller's published policy.
(iv) The Company has in place commercially reasonable (or industry standard) privacy and data security practices. This provision packs in quite a lot: encryption, firewalls, patch deployment, access restrictions, incident response preparedness, penetration testing, physical security, policies regarding use of personal devices, cyber insurance, etc. It may be preferable for both sides to address compliance with recognized standards.
(v) There has been no data breach or privacy violation resulting in regulatory action or data loss.
(vi) If PI is moving from EU to US, Company has registered for Data Shield status (or registration is pending).