Yahoo’s sale to Verizon could be in jeopardy or severely discounted due to its recent disclosure about a 2013 data breach. This isn’t just a big company problem; smaller firms seeking to be acquired also need to be concerned because privacy violations become a liability that transfers to the acquiring company regardless of the acquisition size.
Over the last year, data privacy has become a tier-1 consideration for investors, lawyers, and startup founders alike when trying to sell their companies.
According to recent reports, fines for violations of data privacy could equal or exceed $150B USD in the next year. Because of this, data privacy is already having a considerable impact on M&A valuations, as well as the indemnifications directors and officers need to provide to execute a sale.
Compliance with data privacy regulations is not easy; in many cases, each customer must consent to each use of their personal data. They also have the right to know how companies are using their data, the right to object to that use, and can request to be forgotten from your company’s systems. It’s imperative to understand your data privacy risk exposure when regulators or potential business partners come calling.
The Impact on M&A Valuations
Until roughly a year ago, privacy was, at best, a secondary consideration in deal valuations. However, as more buyers see customer data as a primary asset from acquisitions, and better understand their risk exposure from the target company’s data handling policies, privacy practice assessments have become an important component of the overall acquisition’s risk assessment and valuation. The larger the customer base is, the greater the buyer’s risk exposure from your data privacy practices.
Former Madrona Venture Group Venture Partner and current CEO of Qumulo, Bill Richter, recently completed a transaction where he had to take out insurance to indemnify the buyer against any privacy violations the company may have made.
“When a big company buys a small company there’s asymmetric sensitivity to data privacy. Giant consumer brands think about privacy in totally different ways,” he said.
Regulators tend to focus on the “top of the pyramid” in terms of company size and work their way down to smaller companies. According to Richter, the only time the top and bottom of the pyramid meet is in an M&A transaction. This can create massive liability and risk concerns for buyers and consequently impact valuations.
No matter where your company is headquartered, founders must familiarize themselves with global privacy regulations.
For example, the European Union’s (E.U.) General Data Protection Regulation (GDPR), begins enforcement of one of the strictest privacy policies globally in May 2018, and it’s already becoming the blueprint for other countries setting data privacy standards. Even if you’re a small company in the United States, GDPR would apply if you collect information about E.U. consumers, sell services or ship products there, or even if you have an E.U.-specific website. In fact, you don’t even need to have a single employee in the E.U. for GDPR to apply. Penalties for breaches are up to 4 percent of a company’s worldwide revenue – a significant blow to any size company.
For companies in growth mode, especially startups, careful planning around data privacy practices could make or break a lucrative sale. Here are some things you should consider:
Think Globally: Stay on top of privacy regulations in all jurisdictions that matter to you — or that will in the future — paying close attention to where and how countries are applying their laws extraterritorially. This will save time and money down the road.
Value your Data: Marcus Morissette, eBay’s Global Privacy Officer, recommends that companies first understand whether company data of any sort will be of value in a transaction. He likens data to plutonium: “It’s very valuable if you’re running a nuclear reaction, but if you’re not, it will just cost you money to store or dispose of.” If your data is of value, you need to be able to verify its origination, any past enforcement actions, if there are transfer clauses, and certify there aren’t any problems that will impact the buyer.
Notice and Consent: Make sure you notified your customers on how their data is being used, and consider getting consent as well. With GDPR looming, express consent is likely to be more important. It’s also necessary to have a way to track notice to and consent from customers on an ongoing basis. Your privacy notice should be clearly accessible, accurate, forward-looking – i.e., broad enough to contemplate future use cases – and address what happens in the event of a sale or transfer of your business or assets.
Investors are becoming more aware of the significant risk they take on by acquiring companies that haven’t prioritized privacy and data security. Kate Lucente, an expert privacy attorney at DLA Piper, says investors are now more attuned to risks related to how the data is collected, stored and used internally, as well as to how it can be transferred to an acquiring company.
She also advises knowing what rights are transferred with the use of that data, whether all or part of data can be transferred at all, and whether customers must be notified of transfers in advance – the answers to these questions vary depending on what your privacy notice says, the type of deal (e.g., merger or asset sale), and the jurisdictions in scope.
Lucente has seen a deal significantly discounted due to poor record keeping. In the deal, about 80 percent of the company’s customer base was in the U.S., and about 10 percent was in the E.U. and Canada (both of which have stricter privacy laws than the US, with respect to the transfer of personal data in an acquisition), and because the acquisition target couldn’t document that they had the right privacy practices in place the deal was significantly discounted because the acquirer viewed a significant portion of customer data as unusable post close.
Prove you Operate with Integrity: As GDPR and similar regulations expand, we’re likely to see greater audits and even high-profile lawsuits.
Under GDPR, companies are required to notify customers and regulators of a data breach, the latter of which will most likely trigger an audit of the company’s privacy policies. Make sure you have a way to prove, in an audit or lawsuit, that you’re using people’s data in a manner consistent with the consent you have from them.
Effective data privacy practices are essential to any company’s growth strategy. And when companies don’t handle their customer or employee privacy data correctly, it can severely devalue a company or potentially even kill an M&A transaction entirely.