Data protection considerations in the M&A context
January 2025 | SPOTLIGHT | MERGERS & ACQUISITIONS
Financier Worldwide Magazine
January 2025 Issue
One of the consequences of the proliferation of new data protection laws going into effect around the world is that every deal today is a ‘data deal’ in some respects. Gone are the days when companies could ignore data protection considerations as part of their due diligence for new acquisitions or investments.
Given that every company leverages personal data today in some capacity – whether it is in the consumer context or in the business to business (B2B) or employment settings – and that there are issues related to new technologies that are increasing companies’ litigation and enforcement risks (including those related to generative AI (GenAI) and the use of pixels and trackers), data privacy concerns have to be top of mind for companies as they engage in new transactions.
Two other factors highlight the importance of proper data protection diligence in an M&A context.
First is regulatory scrutiny. Regulators are increasingly holding companies accountable for issues that target companies suffer after they have been acquired by a larger (and more sophisticated) buyer. The Federal Trade Commission in the US in particular has brought notable enforcement actions against acquiring companies for data breaches suffered by their targets after acquisition (as a result of the target continuing to have inadequate security post-acquisition).
The second factor is not related to due diligence itself but rather tied to how an acquirer wants to use a target’s data post-acquisition. Data protection laws are creating new affirmative obligations for entities in terms of what compliance steps they need to take in relation to their data processing activities.
A less sophisticated target (or a target that was not yet subject to certain data protection laws because of its size) may not have taken some of these steps (such as providing consumers with the right to opt out of the sale of their personal data). The acquiring entity will have to account for these compliance steps as part of its post-acquisition integration efforts.
Additionally, to the extent that an acquirer wants to specifically purchase a target for its data assets, it should take steps to ensure that it has appropriate permissions to use those data assets for its intended practices. For example, if an acquirer wants to use a target’s data for purposes that go beyond the scope of the privacy policy previously agreed to by the target’s consumers, the acquirer may need to take additional compliance steps to engage in these use cases (such as by obtaining consent from consumers for new use cases involving their data that they did not previously agree to).
The remainder of this article highlights a few of the most relevant data protection considerations for companies in the M&A context. While this is not intended to be an exhaustive list, it provides a relevant starting point for companies to think about these issues as they engage in transactions in 2025 and beyond.
Understand the risk profile of the data assets
While every company has some data issues to consider, the risk profile of a specific target varies based on the type of data it processes. For example, the risk profile of a company that processes personal data in a direct-to-consumer context is generally greater than that of a company that only processes personal data in B2B or employment contexts (this is because more laws are potentially applicable in a direct-to-consumer context, and regulators are more likely to pay attention to potential violations due to consumer protection concerns).
Similarly, companies that process more sensitive categories of data (such as health, biometric, genetic or certain demographic data) in the ordinary course of business also have a greater risk profile because regulators are more likely to bring enforcement actions for misuses of data involving those categories.
That is not to say that diligence issues related to companies that primarily process data in B2B or employment contexts are not relevant. Some privacy laws, such as the California Consumer Privacy Act and the General Data Protection Regulation (GDPR), do not exclude information processed in these contexts.
There are also use case considerations that may be relevant for these categories of information (such as whether a target engages in direct marketing in a compliant manner and issues related to employee monitoring). All of these issues should be taken into account as part of due diligence efforts.
Pay attention to enforcement trends
Related to assessing a target’s risk profile is understanding recent enforcement and litigation trends because these can help identify areas of priority during due diligence. For example, the US has seen a surge of litigation related to companies’ use of pixels and other web trackers.
Given this risk, diligence questions focused on a target’s use of such technologies should be prioritised, especially if a target operates in a regulated space (such as healthcare). Similarly, seemingly every company is engaging in some form of use or development of GenAI. Given the potential data protection concerns associated with the use, development and deployment of these technologies, diligence questions tied to GenAI should also be prioritised.
Assess international implications
The global nature of data flows, combined with new rules focused on data transfer restrictions and data localisation obligations, is creating new challenges for companies with international operations. For example, companies with European Union (EU)-based operations have to consider whether they have a lawful basis to transfer personal data outside of the EU in compliance with the GDPR. This analysis should be taken into account as part of due diligence efforts, especially if the target has data regulated by a jurisdiction such as China, which has new and complicated rules related to data localisation.
Have an integration plan in place
It should not be surprising for an acquirer if a target (particularly a less sophisticated target) does not have the same level of data security or has not checked every privacy compliance box. The acquiring company should, however, have a plan in place for integration that addresses these gaps.
This plan should identify areas of priority (such as remediating identified security gaps), as well as account for future use cases that go beyond the scope of the target’s current activities (in case additional compliance steps need to be taken prior to the data being leveraged).
Kirk Nahra is a partner, Ali Jessani is a senior associate and Sarah Litwin is an associate at WilmerHale. Mr Nahra can be contacted on +1 (202) 663 6128 or by email: kirk.nahra@wilmerhale.com. Mr Jessani can be contacted on +1 (202) 663 6105 or by email: ali.jessani@wilmerhale.com. Ms Litwin can be contacted on +1 (617) 526 6288 or by email: sarah.litwin@wilmerhale.com.
© Financier Worldwide
By Kirk Nahra, Ali Jessani and Sarah Litwin, WilmerHale