Part 1: Risks Associated with the Target’s Pre-Closing Privacy-Related Liabilities

One aspect of mergers and acquisitions that is receiving growing attention is the relevance of privacy issues[1] under U.S. and European Union (“EU”) laws as well as the laws of a growing number of other jurisdictions.[2]  This two-part blog post discusses the principal M&A-related privacy risks and highlights certain “traps” that are often overlooked.  In this Part 1 of the post, we discuss risks associated with a target’s pre-closing privacy-related liabilities and consider ways to mitigate these risks through adequate diligence and representations in M&A agreements.  In Part 2, we will discuss the risks associated with transferring or disclosing personally-identifiable information (“personal data”) of an M&A target (or a seller) to a purchaser (or prospective purchaser) and those associated with the purchaser’s post-acquisition use of such personal data.

1. Risks Associated with the Target’s Pre-Closing Privacy-Related Liabilities

In M&A transactions, purchasers often assume the liabilities of the target, including for past noncompliance with privacy laws, which may result in fines, damages arising from private actions, significant harm to a company’s goodwill and, in some cases, criminal liability.[3]  Yet privacy-related diligence and related representations often just skim the surface.

A. Privacy Due Diligence: Key Areas of Inquiry

As part of the due diligence process, it is important to consider all applicable laws, the target’s privacy policies and contractual commitments, the existing privacy standards in the target’s industry and, most importantly, the target’s actual practices (and its compliance with all of the foregoing).

i. Identifying the Applicable Laws. The first step in privacy diligence is ascertaining which federal, state and non-U.S. laws may apply to the target’s business.  This requires an in-depth understanding of the business of the target and knowledge of the relevant laws.  While many countries have enacted privacy laws, U.S. state and federal laws and EU laws, including the EU’s restrictions on cross-border transfer of personal data, are most often implicated in cross-border M&A deals.

The U.S. legislative privacy framework is fragmented – no comprehensive federal legislation exists.  Section 5 of the Federal Trade Commission (“FTC”) Act, which prohibits unfair or deceptive acts or practices, has been enforced against companies that failed to safeguard personal data or comply with posted privacy policies; various other federal laws apply to select industries or particular categories of information (and empower various federal agencies to promulgate regulations).  In addition, states have passed their own privacy laws applicable to entities that operate in their states or collect personal data about individuals residing in the state.  Thus, in the U.S., the mere task of ascertaining the law applicable to a particular target may be a complicated endeavor.  There are also industry standards and guidelines issued by industry groups, which are not legally enforceable but are considered “best practices.”

EU law may apply where the target is established outside of the EU but its processing makes use of equipment situated within the EU.  Additionally, the General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”), which will come into force on May 25, 2018, will also apply to non-EU targets who process personal data of EU-based individuals (“data subjects”), irrespective of where they are established or where the related equipment is situated.[4]

  • Trap: An M&A target will often be subject to privacy laws in jurisdictions beyond those where the target and its subsidiaries are incorporated.  A purchaser should check in which jurisdictions the target has branches or sales offices, and in which it collects or stores (in local servers) personal data.  Within each jurisdiction, more than one set of privacy-related laws may apply, depending on the target’s business.

ii. Published Privacy Policies. An important component of privacy due diligence under U.S. law involves establishing whether the target has put in place adequate privacy policies and/or terms of use, and investigating whether it is in full compliance with such published policies (whether posted online or otherwise provided to customers).  The FTC is the key U.S. agency regulating privacy and data security practices, and its rulings, interpretations and opinions must be examined to understand the requirements and restrictions.  The FTC has made clear that companies must make publicly available their policies describing their practices with respect to personal data and that it views failure to comply with such policies as a violation of Section 5 of the FTC Act.[5]

EU law stipulates certain minimum information which must be provided to data subjects in order for the processing of such data to be deemed fair and lawful.  Such information is often supplied by companies through a privacy policy.  The data protection authorities (“DPAs”) of each EU member state (“Member State”) are tasked with monitoring compliance with EU law, including the principles of fair and lawful processing.  The UK’s DPA, the Information Commissioner’s Office, has, for example, issued detailed guidance as to how a privacy policy should be drafted;[6] a target’s privacy policy should therefore be assessed by reference to such local standards or published guidance in each Member State.[7]

However, assessing whether a target’s privacy policies are adequate and whether the target is in compliance with these policies requires identification of those policies that apply to the personal data in question, and that may not be a simple task:

  • Different policies applicable to different data sources. First, the target may publish several different privacy policies that govern the use of personal data collected through various mechanisms (for example, through its online platform, its mobile application or in materials sent via mail).
  • Different policies applicable to different subsidiaries, business lines or divisions. Second, the target may consist of several subsidiaries or business lines, and their privacy policies may vary (including as a result of the fact that some subsidiaries or business lines were acquired from third parties and their pre-acquisition policies were maintained).
  • Updates or changes to the privacy policy. Third, a privacy policy may have changed over time.  However, statements made in old policies (or in prior versions of the current policy), with which the target currently does not comply, may still give rise to liabilities because the applicable privacy policy governing a particular set of personal data is the one that was made available (to the persons from whom the personal data was collected) at the time of collection of such data.  It is thus important to identify that policy which was in effect when the personal data concerned was collected.  For example, in 2004 the FTC alleged in a complaint against Gateway Learning Corp. that it was an unfair practice for Gateway to apply the terms of a new privacy policy to information it had collected from consumers under an earlier policy (“Respondent’s retroactive application of its revised privacy policy caused or is likely to cause substantial injury to consumers that is not outweighed by countervailing benefits to consumers or competition and is not reasonably avoidable by consumers”).[8]  Similarly, in 2011, Borders sold its customer personal data (including personal data of approximately 45 million customers) to Barnes & Noble in a bankruptcy auction.  The FTC sent a letter to the court-appointed consumer privacy ombudsman stating its view that any transfer of personal data in connection with the bankruptcy should be subject to significant restrictions.  The FTC specifically noted that Borders’ privacy policy had changed over time, initially stating “we do not rent or sell your information to third parties…. we will only disclose your email address or other personal data to third parties if you expressly consent to such disclosure” and later being amended to state that customer information may be transferred if Borders engages in an M&A transaction.[9]

Once the relevant policies are identified, they should be carefully reviewed.  Such diligence is focused on two main areas.  First, the policies should be reviewed to determine whether they contain all the information required to be published under applicable law.  Examples of the types of information that privacy laws in various jurisdictions may require include the precise categories of personal data collected; the purposes for which customers’ personal data is intended to be used; the categories of third parties with whom the personal data is shared; and information about, and a mechanism to obtain consent to the use of, cookies.  Second, the policies should be reviewed to determine whether there are statements or promises in the policies with which the target does not comply.  This inquiry obviously requires diligence of the target’s actual practices.

Finally, if the target does not have an online privacy policy, it is important to determine whether it is required to have one.  Absence of a published policy may violate a contractual obligation or give rise to violation of law (for example, the privacy laws of the state of California require all operators of commercial web sites or online services that collect personal data about individual consumers residing in California to post privacy policies).

  • Trap 1: A purchaser should not stop inquiring even after receiving a copy of a company’s privacy policy.  A company can have multiple privacy policies in effect at any given time (for different platforms and/or business lines) and each of those policies could lead to privacy-related liabilities.  Policies from the previous years (or past versions of the current policy) may also be relevant, to the extent they are different from the current ones.
  • Trap 2: A purchaser should not be lulled into a false sense of security by a target’s privacy policy that provides detailed promises regarding data security (e.g., use of firewall, encryption and/or Secure Sockets Layer technology) or personal data handling (e.g., claiming that servers reside only in a certain jurisdiction).  This may indicate that the target is privacy-savvy and equipped to deal with associated risks, but it also increases the risk of non-compliance with such promises, so it should encourage further diligence.

iii. Contractual Obligations. A final area of inquiry is the target’s contracts with third parties (other than its published online or offline policies).  When the target is a service provider that has entered into agreements containing privacy-related requirements, assessment of compliance with such contractual obligations may be important.  A particular area of concern in this context is the target’s indemnification obligations and the extent to which its liabilities under each contract may be capped or otherwise limited.  The nature of privacy-related exposure is such that a significant portion of the potential liability is associated with third-party claims, namely where users and customers bring actions (including class actions) for privacy breaches.

One area that is often overlooked in privacy diligence is the existence of contractual obligations to comply with the published policies of third-party platforms through which the target’s goods or services are provided.  In particular, more and more products and services are offered via third-party online platforms (including Facebook, Android and iOS apps, and Amazon Web Services) and usage of these platforms may require compliance with their privacy standards.  Similarly, many third-party services used in connection with apps, such as Google Analytics and Google AdSense, require such compliance as part of their terms of service.

Finally, under EU law, when a data “controller” (namely, an entity that determines the purposes and means of the processing of personal data) enters into a contractual arrangement with a data “processor” (namely, a third party that processes personal data on behalf of the controller, such as a service provider), such a contract must (i) be enshrined in a written agreement, (ii) require that the data processor act only on the instructions of the controller and (iii) require the processor to comply with security obligations equivalent to those imposed on the controller under applicable national legislation.  Under U.S. federal law, the Gramm-Leach-Bliley Act as implemented by various federal agencies generally requires companies that offer financial products or services to individuals to (a) take reasonable steps to select and retain third-party service providers capable of maintaining appropriate safeguards for the protection of non-public records and information and (b) contractually require such service providers to implement and maintain such safeguards.  Similar requirements exist in some cases under U.S. state law (e.g., Massachusetts and Maryland, where companies must require by contract that service providers implement and maintain appropriate data security measures).  New York’s proposed cybersecurity regulations, which would apply to certain entities operating under a license, registration, charter, certificate, permit, accreditation or similar authorization under New York banking, insurance or financial services laws, require such entities to have a policy of including preferred data security provisions in their agreements with third party service providers.[10]  It is therefore important to confirm that the target’s agreements with third-party service providers contain provisions that comply with such laws.

  • Trap: When the target’s business provides products/services through third-party platforms or relies on third-party service providers, the target may be required to comply not only with its own privacy policies but also with privacy policies and online terms of service published by these third parties.

iv. Internal Practices, Policies and Security Measures. Review of the target’s published privacy policies and contractual commitments, and the applicable privacy laws to which it is subject, is certainly necessary in order to identify the privacy-related requirements that the target must comply with.  However, only an examination of the target’s practices and internal policies (including those provided to employees) regarding collection, processing, storage, protection, use, disclosure, transmission, transfer, retention and disposal of personal data can provide meaningful insight into the target’s privacy-related exposure.  Additionally, a technical overview (even if high level) of the security measures actually employed by the target (such as encryption and breach detection), as well as any procedures and preparedness for breach notification, may be advisable in certain personal data-focused industries.

  • Trap: A purchaser should be sure to confirm the target’s actions match its words.  A target that has sophisticated internal privacy policies and breach procedures may still have significant privacy exposure if it does not make sure that such policies and procedures are notified to all relevant employees and enforced across all of the target’s businesses, subsidiaries or locations.

B. Privacy-related Representations in M&A Agreements

Practitioners often rely on a general “compliance with laws” representation to address privacy-related risks; however, such a representation does not always provide sufficient protection for a purchaser against privacy and data security risks.  The “compliance with laws” representation is often heavily qualified and covers a limited period of time (e.g., the target’s operation during the year prior to the transaction), which may not be appropriate for privacy matters.  The representation also fails to cover certain issues of concern in the privacy context.

Privacy-specific representations can cover not only compliance with privacy laws but also compliance with contractual obligations (and terms of use) relating to personal data and implementation of data security measures that are not necessarily required by law or contract, such as industry-standard security measures (e.g., payment card industry standards), disaster recovery plans and procedures, and backup equipment and facilities.  Such representations may also cover threatened enforcement actions and privacy-related complaints, as well as loss of or unauthorized access to personal data in the past (whether or not constituting a violation of law at the time), given the reputational damage that such issues can give rise to.  Finally, while a “compliance with laws” representation does not include any disclosure requirements, a privacy representation can serve to force the target to disclose information about its policies and practices that is crucial to understanding the magnitude of privacy risks.

Privacy-specific representations, tailored to include the foregoing matters as appropriate, should be considered whenever the risks discussed in this blog post are present.

  • Trap: A purchaser should not assume the “compliance with laws” rep will necessarily cover privacy matters adequately.  A privacy representation that is tailored to the risks associated with the target’s handling of personal data can be used, when appropriate, to cover important areas beyond mere compliance with applicable law.

A word of caution: privacy-related representations in M&A agreements can offer a certain level of comfort to a purchaser, and they should therefore be negotiated carefully, but they are often qualified by knowledge and/or materiality, and any indemnity for breach of the representations is subject to significant limitations.  And even if damages are awarded as a result of an indemnity claim relating to breach of privacy-related representations, they may not be sufficient to compensate for the type of public relations and customer relationship damage often associated with privacy failures.

***

This concludes the first part of our blog post, dealing with an M&A target’s pre-closing privacy-related liabilities.  In Part 2, to be posted on October 25, 2016, we will discuss the risks associated with transferring or sharing personal data in connection with an M&A transaction, as well as post-acquisition data integration issues.

[1] Throughout this blog post, we use the term “privacy” (or “privacy issues” or “privacy laws”) broadly as including cybersecurity, data protection and data security as related to personal data (and related issues and laws).

[2] This post focuses on U.S. and EU law, but we note that several other jurisdictions have passed or are adopting strict privacy laws.  Among those are countries recognized by the European Commission as having an “adequate level” of protection for all or certain types of personal data processing (i.e., as of the date of this post, Andorra, Argentina, Switzerland, the Faeroe Islands, Guernsey, Israel, the Isle of Man, Jersey, New Zealand, and Uruguay – please visit http://ec.europa.eu/justice/data-protection/international-transfers/adequacy/index_en.htm) as well as other states such as Brazil, Singapore and South Korea.  In any cross-border transaction, the laws of all relevant jurisdictions should be examined.

[3] The FTC has also been successful in obtaining monetary awards against companies in actions enforcing its orders.  Notably, in 2015, LifeLock agreed to a $100 million settlement with the FTC, after the FTC charged that LifeLock violated the terms of a 2010 federal court order requiring the company to secure consumers’ personal information and prohibiting the company from deceptive advertising.

[4] For further information on the new GDPR framework, please refer to our May 13, 2016 Alert Memorandum:

https://clearymacorpwatch.lexblogplatform.com/wp-content/uploads/sites/106/2016/10/Alert-memo-PDF-Version-2016-50.pdf.

[5] In 2014, the FTC filed a complaint against Fandango and Credit Karma charging that the companies had deceived consumers.  Both had made representations that they could secure their customers’ personal data, but according to the FTC, both had failed to properly implement SSL encryption.

[6] The ICO’s “Privacy notices – code of practice” can be found here.

[7] Additionally, Member State consumer protection laws should also be considered as these may provide for additional information requirements (see, for example, the German Act Against Unfair Competition, which prohibits unfair commercial practices).

[8] See https://www.ftc.gov/sites/default/files/documents/cases/2004/09/040917comp0423047.pdf.

[9] See https://www.ftc.gov/news-events/press-releases/2011/09/ftc-seeks-protection-personal-customer-information-borders.

[10] For further information on New York’s proposed cybersecurity regulations, please refer to our September 20, 2016 Alert Memorandum: https://clearymacorpwatch.lexblogplatform.com/wp-content/uploads/sites/106/2016/10/Alert-Memo-Word-Version-2016-85.pdf