When  Google bought Fitbit in 2019 for $2.1bn, few believed the tech titan couldn’t figure how to make its own workout watch. It was more about the vast reservoir of user data that came with the bundle. In the digital age, personal data has become a plum asset across multiple industries. But the question of how that asset can be used and traded is a legal minefield.

The Wild West era of user data is long gone. Consumers are now protected in many jurisdictions, most notably in the EU by the General Data Protection Regulation (GDPR). Since January 2020, the California Consumer Privacy Act (CCPA) has done much the same for the Golden State. As yet, most of the US doesn’t have such sweeping privacy laws – but that is the direction of travel.

The implications for M&A are huge. You buy a company, you buy the data it holds. Indeed, data may be the main prize, and a big chunk of a company’s valuation. But under the CCPA and similar legislation, it could become a white elephant or even a poisoned apple.

How consumer data complicates a deal

In any deal where personal data is among the assets on offer, many more questions need answering. Such as:

    1. Was all of this data gathered in ways that comply with the law?

    2. Are there any legal restrictions on how I can use this data?

    3. Has the target company breached the rules in the past?

    4. Could my company be fined for this target’s historical non-compliance?

    5. What might it cost to fix any non-compliant issues?

    6. How does all this affect the value of the data – and the value of the target as a whole?

None of these are necessarily deal-breakers. But the CCPA, and data privacy laws generally, are adding fresh layers of complexity. This means more intensive due diligence is needed, along with greater security around the deal process.

Avoiding a data Deepwater Horizon

Data has been called the new oil, and it’s easy to see why. As a resource it has almost infinite applications, from advertising and marketing to the development of every kind of product. But, as with oil, the potential gains can be offset by the risks – in this case, the risks of a non-compliance blowout.

In just two years the CCPA has made big waves.  This list gives a sample of the compliance cases pursued by the California Attorney General, and shows that any type of business can slip up. For instance, an online clothing shop failed to inform its customers of their rights under the CCPA, or tell them how it used their personal information. An entertainment business didn’t give customers any way to opt out of their data being sold. And then there’s the mobile gaming business that installed software from a third-party advertiser. Their app itself didn’t harvest user data, but the adverts did – and many of the players were children. Such cases show how violations can occur through sheer carelessness.

Companies that breach the rules have a 30-day grace period in which to resolve compliance issues. Usually the fixes are easy and cheap. But if unresolved, some violations can result in fines of up to $7,500 per incident, per person. Given that the customers affected may number in the hundreds of thousands, this could be a ruinous financial hit.

This is why companies have grown leery about the data assets they acquire through M&A. Firstly, the data might prove to be of limited value, if it was gathered under restrictions of how it could be used. Secondly, if a non-compliance offence comes to light, then the sins of the target may be visited on the acquiring company. Or – to coin another paraphrase – ‘You own it, you broke it.’

Dealing in the age of data privacy

As alarming as this may sound, the reality is that data privacy laws are not stopping deals. According to recent Mergermarket report, deals worth US$765bn in aggregate were announced in Q22021, up 16% from the preceding quarter. What is clear is that due diligence must raise its game to tackle this additional dimension.

When making acquisitions, you now need to consider any data breaches that the target may have committed in the past, the quality of their privacy statement, their opt-out practices, and any third-party agreements. You must also weigh up the costs of fixing historical issues and of handling compliance activities (such as record keeping) going forward.

It’s also crucial to assess any impact on the value of the data assets themselves. Compliance with the CCPA (or whichever privacy laws apply) may mean, for example, that the data can never be passed on to third parties. Or that the data can be shared but not sold – or that, having been shared, it cannot then be put to other uses by the third party. Consumers may also have the right to request that their data be deleted.

The exact terms of use will depend on the target company’s privacy statement at the time when the customers agreed to hand over their data. As a contract between business and consumer, these terms stay in place even after a target has been acquired. This can restrict how the data may be used, and thus its monetary value. And that can erode the value of the acquisition itself. If due diligence reveals that data assets are not as usable as they first appeared, there may even be grounds for renegotiating.

How the right data room makes a difference

With data privacy being a relatively new area for many businesses, M&A dealmakers will need to tread carefully for some time. Target companies that regularly do business with the EU and the UK, where such rules are more established, should already have good compliance protocols in place. But extra vigilance is always advisable, as errors are easily made and often missed. Unfortunately, some Californian companies are still not taking the CCPA seriously, or have been unwilling to pay for a professional consulting firm to help them ensure compliance.

One of the most effective precautions is to choose a CCPA-compliant data room for handling due diligence. Not only does it enable greater scrutiny of a target’s data law compliance, but it also virtually eliminates the risk of CCPA breaches occurring during the deal process itself.