Mastering Data Privacy in Mergers & Acquisitions: Essential Tips for Serial Acquirers


Key Takeaways: Companies active in buy-side mergers and acquisitions must prioritize operational efficiency and consistency. This article details four ways for “serial acquirers” to pursue this mission, from pursuing data mapping efforts and categorizing diligence requests into a risk-based hierarchy to updating policies and developing a routine approach to privacy and security governance.

Introduction

As the intricate web of state, federal, and international privacy laws continues to grow, companies routinely involved in buy-side mergers and acquisitions face challenges in balancing transactional costs and operational efficiency. Serial acquirers must navigate the evolving landscape of data privacy and security law with sophistication and precision. This article offers advice in the data privacy and security context for serial acquirers to streamline their transactional processes and maximize the value of their investments.

1. Create data maps

Data mapping involves understanding how personal information flows into, through, and out of a company. At a high level, this process includes identifying what categories of information are collected and from what sources, how such information is accessed and used within the organization, the third parties to whom such information is disclosed, and the retention policies governing the storage and deletion practices of the data.

Given that serial acquirers, by nature, deal with multiple acquisitions (and sometimes overlapping deals), the process of integrating the acquirer’s practices and procedures with the target company’s practices and procedures can be complex. Mapping out the existing information flows in the target company can ease this integration process by identifying areas of existing alignment and processes ripe for adjustment.

In addition, data mapping can inform compliance efforts by producing a preliminary determination of the privacy-related laws a target company may be subject to. For example, the data mapping process would identify whether a company collects children’s information, and thus whether it may be subject to various laws governing such data, such as the Children’s Online Privacy Protection Act (“COPPA”). Leveraging this information will allow acquirers to identify flags early in the transactional process, providing more time to analyze the issue and potentially decreasing compliance and integration costs.

2. Categorize diligence requests according to type of deal and risk tolerance

Although every deal has its specialized issues, common data privacy and security themes often arise depending on the size of the deal, the purchaser’s risk tolerance, and the nature of the target company’s operations.

Common issues include a target company’s lack of formal data privacy policies and training on data security topics; compliance with the ever-growing web of state consumer privacy laws that mandate certain privacy policy disclosures; and an ad hoc approach to managing data collection, use, and storage practices. The types of speed bumps that arise may also be dependent on the type of business being acquired. For example, a serial acquirer in the healthcare space will routinely be concerned with HIPAA compliance, while a company with several investments in advertising technology companies may be particularly keen on compliance with applicable marketing laws.

Part of this classification effort includes staying apprised of privacy enforcement trends in order to accurately assess and weigh various risks. For example, California has experienced a recent surge in lawsuits brought against companies using certain website tracking tools, such as pixels or cookies, in order to monitor user behavior. As another illustration, the Federal Trade Commission (“FTC”) has branched out from primarily focusing on privacy policy misrepresentations to also addressing structural privacy concerns, such as those associated with the usage of dark patterns. Recognizing the details of these enforcement trends—such as the mechanism of enforcement, elements of claims, and judicial or legislative resolution—is crucial to accurately predicting the prospect of future actions against a target company and its purchaser.

Serial acquirers should familiarize themselves with the common themes in order to handle such issues in a timely and consistent manner. By developing a dynamic, proactive strategy for approaching data privacy and security diligence, businesses can save on remediation costs and smooth post-closing integration.

3. Update privacy policies

It is common for target companies, especially those in the lower to middle markets, to have outdated or boilerplate privacy policy language on their website. Some policies may be overinclusive (in that the policy covers a broader range of practices than the company actually engages in), while others are underinclusive (in that they do not state the full scope of the company’s practices). Some companies may not have a privacy policy at all.[1]

The FTC has reiterated that inaccurate, incomplete, or misleading privacy policy language constitutes an unfair or deceptive trade practice under Section 5 of the FTC Act. This can result in enforcement actions being initiated against the company, culminating in consent decrees that require companies to engage in closer monitoring of their own privacy practices and to operate with greater transparency in their dealings with consumers. Subsequent violations of such consent decrees may result in steep regulatory fines and injunctive relief.

Reviewing a target company’s privacy policy during the transactional process is necessary to accurately assess the risks associated with the company’s data privacy and security practices, as well as the public disclosures it makes with regard to those practices. Consistent with this approach, acquirers should consider revising privacy policies as a standard post-closing matter to ensure that the company’s privacy promises and practices reflect the posture of the company going forward, either as a standalone subsidiary or as part of the consolidated entity. Adopting this practice will mitigate information gaps between the target company and acquirer while ensuring compliance with applicable law.

4. Formulate an approach for data privacy governance and training

As with the presence (or absence) of privacy policies, there is a wide variation in the adequacy of a target company’s data privacy governance and security training. Some companies have minimal formal policies and procedures relating to data privacy, while others may have a comprehensive and sophisticated data privacy regime complete with multiple detailed policies and procedures that are reviewed by designated personnel on a regular basis. Other companies may have no policies or procedures in place at all. Serial acquirers must determine if they will centralize policymaking and training, encourage target companies to develop and implement their own policies, or take a mixed approach with moderate oversight.

Serial acquirers should develop a plan for amending or drafting data privacy and security policies, such as a data breach response plan, information security policy, business continuity and data recovery plan, and data retention policy, as well as any other policies which may be specific to a particular target company (for example, a biometric data policy and associated consent form if the company utilizes fingerprint-based timeclocks). One approach is to formulate a general policy for the parent company, with specific plans issued to add-on companies that incorporate and supplement the overarching policy as needed to promote consistency across the acquirer’s portfolio. Post-closing, purchasers should ensure that plans are implemented and that employees are trained on appropriate policies and procedures.

Ultimately, the responsibility for data privacy and security governance falls on the serial acquirer. Developing a goal-oriented policymaking philosophy and communicating plans to target companies during the latter stages of the diligence process mitigates risks and costs associated with operational inconsistencies.

Conclusion

As data privacy and security laws grow increasingly complex, companies that routinely engage in buy-side transactions must develop robust strategies for streamlining diligence and reducing transaction costs. By incorporating the practical guidance in this article, serial acquirers can promote efficiency and harmony across their investment portfolio. For further guidance on leveraging legal expertise to streamline your transactional operations, contact a professional in our Data Privacy and Security or Mergers & Acquisitions practice areas.


[1] According to a study conducted in 2023, it is estimated that roughly two-thirds of websites do not have a privacy policy. Mary Fetzer, Most websites do not publish privacy policies, researchers say, Pennsylvania State University Information Sciences and Technology (Oct. 25, 2023), https://www.psu.edu/news/information-sciences-and-technology/story/most-websites-do-not-publish-privacy-policies-researchers.

This content is made available for educational purposes only and to give you general information and a general understanding of the law, not to provide specific legal advice. By using this content, you understand there is no attorney-client relationship between you and the publisher. The content should not be used as a substitute for competent legal advice from a licensed professional attorney in your state.
