Privacy Considerations During Mergers & Acquisitions

,

Ever since the East India Company and the English Company Trading to the East Indies (so original, right?) merged in 1708, companies have been joining forces and buying each other out in an attempt to increase their hold on their market of choice.

During the 20th century, a lack of regulations regarding mergers and acquisitions (M&A) resulted in massive conglomerates capable of monopolizing entire industries with untenable pricing strategies and terrible customer service.

Legislative bodies around the world responded by passing aggressive antitrust laws that tightly control how and when M&A transactions happen. Because of these regulations, there are well-established processes for evaluating risk, integrating processes, and transferring assets during a merger or acquisition.

With the rise of consumer privacy advocacy and new digital privacy laws, the M&A game is about to change again. And most companies aren’t prepared to examine how each company’s privacy practices will impact the transaction.

Data privacy law compliance and individual online privacy rights are going to play a major role in shaping business best practices of the future, so let’s talk about the privacy issues that are relevant to merger and acquisition due diligence.

Fraternal, not identical: security and privacy

Before we get too far, we need to make an important distinction. Data privacy and security often get mentioned in the same breath, but while the two are closely intertwined and depend heavily on each other to prevent data breaches, they are not the same thing.

Any responsible due diligence process will examine how target companies administer their cybersecurity, but conducting a risk assessment just for a security program won’t give you an accurate representation of the state of a company’s data management practices.

Who is in charge?

One of the first privacy issues that comes up in M&A activity is which privacy laws and regulations the target company is subject to. And forewarned is forearmed: you might have to contend with more than one.

Companies that operate in the European Union or collect personal information from residents there are subject to the granddaddy of all data privacy laws, the General Data Protection Regulation (GDPR). But, if that same business also has offices or customers in California, Colorado, and Virginia, they’re also subject to state laws like the California Consumer Privacy Act, (CCPA), the Colorado Privacy Act (CPA), and the Virginia Consumer Data Privacy Act (VCDPA). 

And that doesn’t even include the existing privacy laws in Bahrain, Israel, Qatar, Turkey, Kenya, Mauritius, Nigeria, South Africa, Uganda, Japan, New Zealand, South Korea, Argentina, Brazil, Uruguay, and Canada.

Not knowing which laws you or your target company need to comply with is the fastest way to set yourself up for a fiasco of failure and fines.

Are you doing what you say you will?

New privacy laws increasingly focus on how data collection processes match up with the descriptions listed in a company’s privacy policy.

Part of the due diligence process should analyze the discrepancies between how a company says they collect and use personal data—and what is actually happening day to day.

One more note: even if the target company’s privacy policy accurately describes their data management practices, if the policy is long and full of legal jargon, make sure you have a team in place to overhaul it and make it user-friendly.

Does the way you use data match your plans for it?

This step can be complicated and incorporates a lot of different privacy principles. For example: if the target company relies heavily on third-party cookies for data collection, how will you be able to compensate as browsers stop supporting this technology?

Another example: if the target company hasn’t created a data inventory, will you be able to comply with data subject access requests or individual rights requests from day one?

What happens if your company operates on the principle of opt-in consent, but the target company is opt-out based? Will that impact your marketing efforts?

These issues don’t necessarily spell doom for your merger or acquisition, but not having a plan in place to address them will.

What are the vendors doing?

Holding data controllers (the companies collecting the data) responsible for the privacy practices of their data processors (vendors who design collection processes, store personal data, transfer data between organizations, prepare data for marketing efforts, etc.) will be a major part of privacy law moving forward. 

This means that in addition to reviewing vendor contracts and agreements during your due diligence, you also need to check out the privacy practices of every vendor that has access to customer data. If there are vendors with risky data management practices and you can’t negotiate better privacy controls with them, it’s time to start looking at renegotiating or canceling the contract and finding a new vendor.

How will future privacy changes and company expansion affect the business model?

In today’s globally connected economy, combining data is a major part of mergers and acquisitions. This combination can have profound effects on customers and business models if it isn’t done correctly.

For example, if a company with an outdated, rudimentary data privacy program acquires an organization with a consumer-focused, privacy-first approach, there will be a major disconnect between the new customers’ expectations and the personalized control your company can provide them. However, this isn’t necessarily a deal-breaker as long as you have a plan to mitigate the fallout and meet customer needs.

Similarly, if you have goals of expanding into new markets whose privacy regulations are stricter than your own, you need to know what resources to dedicate to get compliance.

Don’t let last-minute privacy concerns scuttle a deal

Here’s the TL;DR (too long; didn’t read) version: almost every privacy issue can be resolved if it’s well-understood and if you have enough time to manage it.

Conversely, waiting until the eleventh hour to examine how privacy processes and risks will impact post-merger or post-acquisition integrations can potentially kill what would otherwise be a transformative business opportunity.

Here’s something else to consider—any merger or acquisition inevitably involves a significant amount of change. While everything is in flux, you have a fantastic opportunity to future-proof your own privacy program. 

If you build your program to meet privacy best practices instead of just compliance requirements, you’ll be able to quickly and efficiently respond to the changes in privacy law that inevitably come.

Red Clover Advisors is the privacy partner you need

Whether you need help analyzing a target company or integrating privacy programs after M&A processes are complete, Red Clover Advisors has the experience and knowledge you need to find practical, simple solutions that are customized to your business needs.

If you want to see what we can do for you, contact us today.