Practical privacy considerations during Mergers and Acquisitions
Join Teresa Troester-Falk and Ilan Jenkins expound upon the privacy considerations that arise during Mergers and Acquisitions. Listen to the recording here. Transcription below:
Hello everyone and welcome to today’s privacy snapshot and practical privacy tip. I’m excited that Ilann Jenkins at Full Stack Law is with me today. We collaborate on privacy compliance matters and Ilan has a ton of experience thinking through and working with companies dealing with all the privacy matters that arise during mergers and acquisitions process. So whether you are the company being acquired or you are the company acquiring, we are seeing more and more privacy issues rise to the surface and slowing down deals, killing deals and coming as a surprise to a lot of the people involved. So Ilan, you and I have spoken about this and you have thought through all of the experience that you’ve had and have distilled your experience into three takeaway notions. There are obviously many more, but three things in particular that are really important to think through, whether you are the company being acquired, or you are the acquirer. So I’m going to pass it on to you to share your tips.
Thank you first, thank you for having me on the show, and very excited to talk about privacy in M&A. And the first thing that I wanted to say is that it’s very rare for deals to get killed. I would say that, in my experience, it’s a very small percentage of deals that don’t go forward. It does happen every now and then. And I’ve seen it a couple of times, mostly because the sellers didn’t adhere so well to these three tips. So hopefully these are helpful for sellers who want to be acquired. The way that I normally like to think about an M&A deal is that it’s sort of like you know, when you’re out shopping for a house or a car, you get a listing or you see an and you see the pictures. And maybe you get to do a walkthrough or a test ride. But you know, there’s something there, which you don’t see, which you would want to know about going forward to decide, you know, do you want to go forward with this deal? Or what issues might there be? And so what the privacy team is trying to do an M&A diligence process is get more information about what’s going on with the sellers business and the product line. And we do that so that the privacy team can advise the decision makers on what the value of the company might be or whether or not to go forward. And so the more the sellers can do to help educate the privacy team, the better because then the privacy team can get a better idea of what the company does from a privacy standpoint. And so some of these three tips may seem obvious, but I think they bare emphasizing in the M&A context. The first one, I think really is no the product. This seems pretty simple. But I’ve been on a number of phone calls with CEOs and CTOs, general counsel’s who have a general idea of what their product does. But there are often gaps, or they sometimes disagree with each other. And I think it’s it’s really key for everyone at the seller to be on the same page as to what the product does. And when I talk about, you know, what the product does, we’re looking for things like how the data is collected, how it’s stored. Is it encrypted? You know, is it shared with any third parties, which we’ll get to later. These are all really key for helping the privacy team get a better idea of how the product works and what we need to be looking at. And if if the if the leaders at the company, the CEO and the GC Maybe you don’t know as much of the technical detail, that’s okay. What’s important is that they identify the right people who can walk the privacy team through how the product works. Because if people on the phone are disagreeing about how the product works, it doesn’t paint the best picture for the seller as to whether or not they’re truly ready to sell. And are they ready to integrate with a larger entity?
I think that’s an excellent point. Having worked at a very acquisitive company where there were many deals that were killed – It is a great point where the selling company did not fully understand all the data that was being captured how it was being shared. So excellent point. No product.
So those are red flags.
Excellent point. And if you’re a startup, I still see a lot of cut and paste privacy statements.
The third point is third parties. Third parties are always a soft spot for every company. Every client that I’ve worked with every company where I’ve worked, it’s hard to identify who all the third parties subprocessors are. Oftentimes these contracts get signed and legal doesn’t know but we all know They’re important because those are recipients of the personal data. And that has an impact because number one, as the buyer buyer wants to know, where’s the state of going because it impacts the DPAs that we might need with those entities. And with the Privacy Shield changes from last month, you know, what’s the data transfer mechanism that’s in place? There was a Privacy Shield that basis before, do we need to switch gears and use something else now? And if so, can we use something else even. Another issue that I see often come along with third parties is that the buyer may not like a certain third party or may not be able to work with a certain third party, for example, if they’re a competitor, or if they’ve been involved in litigation in the past. So I think those are those are key as well as to keep in mind, you know, who are your third parties? Do you have the contracts in place with them, and how much data is actually being shared?
Let’s talk about Privacy During M&As
Are you ready to demonstrate compliance with the CCPA, the GDPR, or other privacy laws? The key is operational know-how, a practical plan, and privacy expertise.
Ask us how we can help you feel confident and at ease with your privacy compliance efforts.