Practical Privacy Considerations During Mergers and Acquisitions
Join Teresa Troester-Falk and Ilan Jenkins in expounding upon the privacy considerations that arise during Mergers and Acquisitions. Listen to the recording here. Transcription below:
Teresa Troester-Falk
Hello everyone, and welcome to today’s privacy snapshot and practical privacy tip. I’m excited that Ilann Jenkins at Full Stack Law is with me today. We collaborate on privacy compliance matters, and Ilan has a ton of experience thinking through and working with companies dealing with all the privacy matters that arise during the mergers and acquisitions process.
So whether you are the company being acquired or you are the company acquiring, we are seeing more and more privacy issues rise to the surface and slowing down deals, killing deals, and coming as a surprise to a lot of the people involved. So Ilan, you and I have spoken about this, and you have thought through all of the experience that you’ve had and have distilled your experience into three takeaway notions. There are obviously many more, but three things in particular that are really important to think through, whether you are the company being acquired, or you are the acquirer. So I’m going to pass it on to you to share your tips.
Ilan Jenkins
Thank you first, thank you for having me on the show, and very excited to talk about privacy in M&A. The first thing that I wanted to say is that it’s very rare for deals to get killed. I would say that, in my experience, it’s a very small percentage of deals that don’t go forward. It does happen every now and then. And I’ve seen it a couple of times, mostly because the sellers didn’t adhere so well to these three tips. So hopefully, these are helpful for sellers who want to be acquired.
The way that I normally like to think about an M&A deal is that it’s sort of like, you know, when you’re out shopping for a house or a car, you get a listing or you see an and you see the pictures. And maybe you get to do a walkthrough or a test ride. But you know, there’s something there, which you don’t see, which you would want to know about going forward to decide, you know, do you want to go forward with this deal? Or what issues might there be? And so what the privacy team is trying to do an M&A diligence process is get more information about what’s going on with the sellers business and the product line. We do that so that the privacy team can advise the decision-makers on what the value of the company might be or whether or not to go forward.
And so, the more the sellers can do to help educate the privacy team, the better because then the privacy team can get a better idea of what the company does from a privacy standpoint. So some of these three tips may seem obvious, but I think they bear emphasizing in the M&A context. The first one, I think, really is not the product. This seems pretty simple. But I’ve been on a number of phone calls with CEOs and CTOs, and general counsels who have a general idea of what their product does. But there are often gaps, or they sometimes disagree with each other. And I think it’s really key for everyone at the seller to be on the same page as to what the product does. And when I talk about, you know, what the product does, we’re looking for things like how the data is collected, how it’s stored. Is it encrypted? You know, is it shared with any third parties, which we’ll get to later?
These are all really key for helping the privacy team get a better idea of how the product works and what we need to be looking at. And if the leaders at the company, the CEO, and the GC, maybe don’t know as much of the technical detail, that’s okay. What’s important is that they identify the right people who can walk the privacy team through how the product works. Because if people on the phone disagree about how the product works, it doesn’t paint the best picture for the seller as to whether or not they’re truly ready to sell. And are they ready to integrate with a larger entity?
Teresa Troester-Falk
I think that’s an excellent point. Having worked at a very acquisitive company where there were many deals that were killed – It is a great point where the selling company did not fully understand all the data that was being captured and how it was being shared. So an excellent point. No product.
Ilan Jenkins
Exactly. Yeah. The other thing to keep in mind, too, is that the business leaders that the buyer had been talking to the seller for a long time, and may not have spoken with the privacy team to give them any background yet. So the privacy team may be coming in relatively blind and not know what the product does. So their context might be pretty minimal. And then the other point here is that the primacy team may be handling numerous deals at the same time. And so it’s easy for us to get wrapped up in different deals that sound similar, or we may just not have had a chance to go through something.
So those are things to also keep in mind. Secondly, one of my favorites is the privacy policy. This is something that privacy lawyers and privacy teams tend to harp on a lot, but I think for a good reason. It really functions sort of like the first stop for the privacy team in terms of learning about the company. It is sort of your advertisement, at least from a Privacy standpoint; it’s the first place we’re going to go to learn about the company to see what kind of Privacy Practices you have and how much thought you’ve put into it. And to sort of think about, you know, what kind of questions Do I need to consider when talking to the seller?
That said, you know, if the privacy policy is a little old, or it’s too basic, or it’s missing key concepts, those are things that may be a red flag. So before the seller gets involved in a new deal, it would be a good idea to go through the privacy policy to see when did we last updated it. Have we covered all the necessary requirements from clickable laws? Does it need to be beefed up somewhere? I think those are all really key. The important thing here is that you want to give the privacy team as little to dig into as possible. If the privacy policy raises Too many red flags. That’s something you want to avoid. And it’s an easy place for us to go pick on certain things and say, Well, if your privacy policy says this, and in the product discussions, you said that, and they don’t match up, what’s going on there?
So those are red flags.
Teresa Troester-Falk
Excellent point. And if you’re a startup, I still see a lot of cut-and-paste privacy statements.
It’s not something that the company is thinking about; you know, they’re focused on products. So: know your products, double check your privacy policy. And finally, the third point.
Ilan Jenkins
The third point is third parties. Third parties are always a soft spot for every company. In every client that I’ve worked with every company where I’ve worked, it’s hard to identify who all the third parties subprocessors are. Oftentimes these contracts get signed, and legal doesn’t know, but we all know They’re important because those are recipients of the personal data. And that has an impact because, number one, the buyer wants to know, where’s the state of going because it impacts the DPAs that we might need with those entities. And with the Privacy Shield changes from last month, you know, what’s the data transfer mechanism that’s in place?
There was a Privacy Shield on that basis before; do we need to switch gears and use something else now? And if so, can we use something else? Another issue that I see often come along with third parties is that the buyer may not like a certain third party or may not be able to work with a certain third party, for example, if they’re a competitor or if they’ve been involved in litigation in the past. So I think those are those are key as well as to keep in mind, you know, who are your third parties? Do you have the contracts in place with them, and how much data is actually being shared?
Teresa Troester-Falk
And that comes up, obviously, outside of M&A as a really critical invulnerable point for a lot of companies. So this is a privacy snapshot we could go on and talk a lot more detail, but I love those points: know your product, double check your privacy policy and know your third parties. So for those of you listening and are thinking about or working toward some kind of merger or acquisition, BlueSky Privacy and Full Stack law is here to help. Thanks, Ilan.
Ilan Jenkins
Thank you.
Let’s talk about Privacy During M&As
Are you ready to demonstrate compliance with the CCPA, the GDPR, or other privacy laws? The key is operational know-how, a practical plan, and privacy expertise.
Ask us how we can help you feel confident and at ease with your privacy compliance efforts.
Follow us on LinkedIn: https://www.linkedin.com/company/blueskyprivacy/mycompany/
