Consumer privacy is an increasing concern in many countries. On October 28, 2014, the US Federal Communications Commission (FCC) announced that it had joined the Global Privacy Enforcement Network (GPEN), of which the US Federal Trade Commission (FTC) was already a member. The GPEN is a group of about 50 worldwide privacy enforcement authorities and has coordinated international privacy law enforcement actions and investigations.
App-Related Privacy Violations
In September of 2014, the GPEN published the results of an enforcement action carried out in May to evaluate whether mobile apps complied with data protection laws. Twenty-six data protection bodies reviewed 1,211 apps and found that most violated data privacy laws:
85% of the apps failed to provide consumers with clear information on how the apps collected, processed, and disclosed personal data.
With 59% of the apps, it was difficult for consumers to find information about privacy before they installed the apps.
31% of the apps seemed to request more personal data than was reasonably necessary.
In 43% of cases, the privacy notices were too small to read on a mobile device screen.
Those figures suggest a high level of potential privacy-related risk for any buyer acquiring a target company that makes apps. However, all companies may have privacy risks, whether or not they make apps.
Fines for Privacy Violations
The US has been especially vigilant in going after firms that fail to protect consumer privacy. For example, recent US government fines and penalties include:
$32.5 million against Apple
$22.5 million and $17 million against Google
$15 million against ChoicePoint
$14.5 million against Hewlett-Packard
The UK also imposed privacy-related fines of up to $5 million against HSBC and Norwich Union Life. The European Parliament Committee on Civil Liberties recently proposed privacy-related fines of up to €100 million.
Privacy Due Diligence
Intellectual property due diligence has long been a standard part of the M&A process. The acquiring company will want to know about the nature and value of the intellectual property rights it’s acquiring, and about both in-bound and out-bound IP licensing issues. M&A agreements typically contain representations and warranties that the target company isn’t infringing any third-party IP rights.
However, it’s far less common for M&A reps and warranties to include references to privacy rights. A prospective buyer should insist on such a clause, and should perform due diligence to clarify the scope of the risk.
Prospective buyers should determine:
The extent to which the target company collects, stores, or uses personal data from consumers or its own employees
The nature of the data collected
The uses to which the data is put
The countries where the data is collected and used
Whether the data is transferred across borders
The terms of the agreements under which the data was obtained
Whether consumers or employees had the opportunity to review and actually consent to the terms of these agreements
If the due diligence process uncovers actual or potential violations of privacy laws, the parties can determine how best to mitigate risks.