Export Compliance Daily is a Warren News publication.
Prenup Agreement

Privacy Policies Should Say What Happens in M&A, Experts Say

A clause about the sale or transfer of data in the event of a merger, acquisition or bankruptcy should be included in every company’s privacy policy, lawyers and other experts said in interviews. Data often is a firm's most valuable asset, across online and more traditional industries, said International Association of Privacy Professionals (IAPP) Vice President-Research and Education Omer Tene. A privacy policy is a legally binding document and companies need to be aware of what their privacy policy says and how it restricts their business, said CEO Rebecca Herold of privacy consultant The Privacy Professor.

Companies that don't take such steps risk FTC or state scrutiny, and will upset customers, experts said. RadioShack, which filed for bankruptcy and transferred some assets to Sprint, is among the companies that faced such customer upset over privacy policies (see 1505180043). Experts also said Facebook faced FTC scrutiny when it bought WhatsApp last year in a deal worth about $19 billion.

A company's privacy policy is often written quickly with little thought for the long-term impact of what it says, said Herold, also co-founder of Simbus Information Security & Privacy Services and Solutions. No one goes into a business thinking about the demise of the company, so a privacy policy may not address what would happen to assets like data if there's M&A or bankruptcy, said TRUSTe Senior Consultant and Product Manager Debra Farber. Privacy policies are similar to prenuptial agreements in that it’s good to plan for the unexpected to protect the company, Farber said.

Newer companies often don’t have a huge legal budget and don’t know what will ultimately happen to data, privacy lawyers said. To avoid FTC attention and consumer discontent, companies should be careful not to make vague, meaningless or sweeping statements in a privacy policy, said King & Spalding lawyer Daniel Ray, who advises clients in technology M&A.

It’s easier to insert a clause in a privacy policy early than once a company has interested acquirers, Ray said. If a privacy policy is too vague, a company runs the risk that the disclosure that its data could be sold or transferred isn’t “sufficiently clear,” and the deal could fall through, said Morse Barnes-Brown attorney Faith Kasparian, who focuses on technology M&A, privacy and security. A dating company in Texas wanted to sell its list of users but the privacy policy was so ambiguous the transaction was called off, she said.

If a company interested in buying another notices the seller doesn’t have a strong privacy policy, the acquirer may use that to try to significantly knock down the price, Farber said. Privacy policies aren't required federally for online companies, but because a California statute requires a published privacy policy if so much as an email address is collected, many companies post a policy, Kasparian said. Companies need to think about privacy at every stage and aspect of the business and adequately prepare for various circumstances, she said.

Recommendations

Experts recommended steps companies of many sizes and in many industries can take to enact privacy policies now, before potential M&A and before state or federal regulatory scrutiny. They said many of the steps are relatively easy, certainly easier than dealing with problems after they arise, and many aren't particularly costly to implement at an early stage.

The easiest way to ensure a deal is completed is to include a clause in a privacy policy that says an operator can share information with affiliates, a condition that would have allowed that dating company in Texas to share its data with the new owner or parent company, Kasparian said. Clauses referring to what happens to the data in the event of M&A typically constitute one to two lines in a privacy policy, Farber said.

A privacy policy should be broad enough to avoid contradictions and to prevent the company from having to update it every three months, but should be specific enough to educate customers, other consumers and employees, Farber said. Companies should review their privacy policy at least once yearly to ensure the policy is accurate following any significant changes to business practices, new technologies or new laws, Herold said. Companies should ensure that if data travels across borders, the policy follows regulations and laws that restrict cross-border data flows, she said. Companies should give consumers the ability to opt out of having their data shared or sold, Farber said.

When it comes time for takeover talks, a company should do right by the users, because the last thing a company wants is to make the acquisition seem like it’s a cash grab and that upholding the commitments made to consumers isn't important, Ray said. He recommended that companies anticipate how a privacy policy may have changed since the company was founded and determine which customers agreed to the newer privacy policy, which is likely more permissive, and which didn’t. Keep an audit trail, he said.

Who owns the data makes a difference to consumers, Tene said: It’s very different to provide data to a company owned by Mother Teresa than it is to a company owned by the Russian mafia. Consumers need to be alerted to changes in ownership and perhaps be given an opportunity to opt out if they aren't comfortable with their data being held by the new owner, he said.

Regulatory Concerns

The FTC and state attorneys general have been active in examining privacy policies, which gives companies all the more reason to address in their privacy policies conditions in which information can be transferred, Kasparian said. Companies continue to get caught trying to sell data even though their privacy policies say they won't, Herold said. The FTC goes after unfair and deceptive practices, Kasparian said. The easiest way to ensure it doesn’t come after a firm is to read the privacy policy and make sure everyone complies with it, she said. “Keep true to what you disclosed.”

After the FTC alleged that Toysmart engaged in unfair and deceptive practices by not stating in its privacy policy that it might sell data (see 1504020032), companies began to include a provision that they wouldn’t sell data unless they declared bankruptcy or were acquired or merged, Tene said. When Facebook purchased WhatsApp, the FTC wrote a letter saying regardless of what the privacy policy stated, the agency expected Facebook to notify consumers and obtain consent if it wanted to do anything with the data that consumers wouldn’t have expected, Tene said. The FTC had no comment for this report.

The FTC is watching and aware of significant M&A activity and it’s an issue the agency is definitely going to focus on, Tene said. The FTC has given attention in recent years to companies that failed to follow through on promises made in privacy policies, but in the future it may look at the kinds of privacy commitments, or lack thereof, a company makes, Ray said. The commission may examine whether data sold in M&A will be used in a way similar to how and why it was originally collected, Tene predicted.