Privacy a Sticking Point for Deals

His company withdrew its $700,000 offer.

Privacy compliance is increasingly a sticking point between targets and acquirers. Lawyers say they're seeing closes delayed, offering prices reduced, and some transactions scuttled altogether as regulatory scrutiny intensifies and buyers become skittish about privacy risks.

Privacy is no longer simply an item on a dealmaking checklist or a vague commitment to users. For scrappy upstarts that dream of a lucrative exit, a clean record is essential, though not always easy to produce. Some young companies may lack privacy policies, some might have standards that don't reflect new state and federal privacy laws, and still others may have frameworks in place that they aren't actually following. “Not all companies can comply with the 100% safest interpretation of the law,” acknowledges Susan Lyon-Hintze, co-chair of Cooley's privacy group. “For some, if you follow the letter of the law exactly, it could mean the death of your business.”

In situations like that, she says, lawyers can sometimes only ask: “So what are some ways we can move in that direction?”

Websites catering to kids, for example, must abide by the Children's Online Privacy Protection Act (COPPA), but compliance falls on a spectrum. Some companies require an adult's e-mail confirmation or a nominal credit card charge to ensure parents are aware of their child's online activity. Others take far fewer precautions. How far a company must go to satisfy COPPA and other privacy regulations is still something of a gray area.

'Skin in the Game'

True Beginnings had a privacy policy that essentially prevented the site from sharing data if the company changed ownership. Such policies are fairly common, meant to assure consumers their information won't be exploited in ways they didn't anticipate. The policy frustrated Plenty of Fish, but that's what it was supposed to do. When a privacy policy stipulates that the data can't be shared, it really can't be, says Ropes & Gray partner James DeGraw. “Those [situations] have been around since the dawn of the Internet.”

Determining whether privacy policies and applications of user information can be reconciled in a potential combination can be tricky, DeGraw says.

Many bigger players look for the cautious handling of data before they will even consider making an offer, pushing even the tiniest startups to polish their policies early on.

A watershed moment came in late 2011, when The Walt Disney Company was fined by the Federal Trade Commission (FTC) over its $563 million up-front purchase of children's gaming company Playdom, where the privacy policies were not quite airtight. The FTC charged Playdom and fingered one of its executives for illegally collecting and disclosing personal information from thousands of its young users. Playdom had potentially been eligible for an extra $200 million in earn-outs. Though Disney settled for $3 million, a tiny fraction of the deal, the FTC action may have jeopardized those optional payments. In any case, the regulatory situation doubtless came as an unwelcome surprise to Disney. Only a few months prior to that FTC action, before moving forward with another deal ' rumored to be only in the tens of millions of dollars ' Disney dispatched a diligence team that was bigger than its potential acquisition's entire employee base, notes Ted Hollifield of Alston & Bird, who counseled the target.

When Lyon-Hintze mentions the Playdom situation to her clients, they're often stunned to learn that an executive was named in the complaint.

“That really grabs any founder's attention,” she says. “On this case, the FTC said no, you don't get to gain from the deal and just walk away ' you'll still have skin in the game.”

'Part of the Culture'

It's the rare deal when privacy questions don't factor in at all.

Only a “tiny minority of companies really have their act together,” says Jeffer Mangels Butler & Mitchell partner Robert Braun. “A good number of companies are completely out to lunch.”

Sometimes privacy lapses are outright deal-breakers. In other circumstances, would-be acquirers may give their targets a few months to clean up operations ' time that could be avoided had executives spent a few hours with a privacy attorney early in the company's existence. Acquirers may alternatively choose to lower their bids, to preserve funds that may be needed to fix things later on.

In a frothy market, however, patience and price sensitivity might not be possible, DeGraw says. If a company low-balls or threatens to walk away, a competitor might scoop up its intended prey.

Beyond the regulatory scrutiny, more users are paying close attention to how their information is being preserved and handled. Often, companies simply want to do the right thing in the interest of consumer trust, says Cooley's Lyon-Hintze.

“More and more clients are coming to us just wanting to know for the sake of being better at protecting consumer privacy,” she says. “For the rest, the fear of a delayed or blocked deal or one that's going to cost them more money is enough to get them to pay attention.”

If they can afford it up-front, most start-ups would rather circumvent privacy concerns than leave cash on the deal table. That's why one unnamed, early-stage tech startup, swore off third-party cookies, one attorney notes.

And increasingly, angel investors and venture capitalists, focused as ever on recouping initial investments, are piping up about privacy issues, attorneys say.

As innovation comes to all corners of the world, attorneys and their clients have puzzled over what areas can escape privacy concerns.

“Considering it'll soon be common to be able to control Christmas lights with an app on a phone, folks are having a hard time coming up with an industry that won't somehow be impacted,” DeGraw says.

Regulators have expressed interest, for example, in the proliferation of information that stems from growing device interconnectivity. Others want to explore what infrastructure could be compromised by devices that promise convenience.

And as hindsight brings clarity and routine to technology transactions, now companies of any stripe ' and deals between them ' come with an expectation of a careful scrub for privacy issues.

“Privacy is part of the culture now,” DeGraw says.

Chelsea Allison covers legal business in Silicon Valley for The Recorder, the San Francisco-based ALM sibling of e-Commerce Law & Strategy. She can be reached at [email protected].

For online dating site Plenty of Fish, there was only one fish in the sea: True Beginnings, a company in Plano, TX, that Plenty hoped to acquire out of bankruptcy.

There was just one problem. The attorney general of Texas said True's membership data shouldn't change hands, on the grounds that it would violate the original privacy policy and create other risks for consumers.

For Plenty of Fish, that data was the target's most attractive asset. “Who in their right mind is going to buy a dating site with 43 million members if you are not allowed access to those members?” Plenty of Fish's CEO blogged in the wake of the intervention.

His company withdrew its $700,000 offer.

Privacy compliance is increasingly a sticking point between targets and acquirers. Lawyers say they're seeing closes delayed, offering prices reduced, and some transactions scuttled altogether as regulatory scrutiny intensifies and buyers become skittish about privacy risks.

Privacy is no longer simply an item on a dealmaking checklist or a vague commitment to users. For scrappy upstarts that dream of a lucrative exit, a clean record is essential, though not always easy to produce. Some young companies may lack privacy policies, some might have standards that don't reflect new state and federal privacy laws, and still others may have frameworks in place that they aren't actually following. “Not all companies can comply with the 100% safest interpretation of the law,” acknowledges Susan Lyon-Hintze, co-chair of Cooley's privacy group. “For some, if you follow the letter of the law exactly, it could mean the death of your business.”

In situations like that, she says, lawyers can sometimes only ask: “So what are some ways we can move in that direction?”

Websites catering to kids, for example, must abide by the Children's Online Privacy Protection Act (COPPA), but compliance falls on a spectrum. Some companies require an adult's e-mail confirmation or a nominal credit card charge to ensure parents are aware of their child's online activity. Others take far fewer precautions. How far a company must go to satisfy COPPA and other privacy regulations is still something of a gray area.

'Skin in the Game'

True Beginnings had a privacy policy that essentially prevented the site from sharing data if the company changed ownership. Such policies are fairly common, meant to assure consumers their information won't be exploited in ways they didn't anticipate. The policy frustrated Plenty of Fish, but that's what it was supposed to do. When a privacy policy stipulates that the data can't be shared, it really can't be, says Ropes & Gray partner James DeGraw. “Those [situations] have been around since the dawn of the Internet.”

Determining whether privacy policies and applications of user information can be reconciled in a potential combination can be tricky, DeGraw says.

Many bigger players look for the cautious handling of data before they will even consider making an offer, pushing even the tiniest startups to polish their policies early on.

A watershed moment came in late 2011, when The Walt Disney Company was fined by the Federal Trade Commission (FTC) over its $563 million up-front purchase of children's gaming company Playdom, where the privacy policies were not quite airtight. The FTC charged Playdom and fingered one of its executives for illegally collecting and disclosing personal information from thousands of its young users. Playdom had potentially been eligible for an extra $200 million in earn-outs. Though Disney settled for $3 million, a tiny fraction of the deal, the FTC action may have jeopardized those optional payments. In any case, the regulatory situation doubtless came as an unwelcome surprise to Disney. Only a few months prior to that FTC action, before moving forward with another deal ' rumored to be only in the tens of millions of dollars ' Disney dispatched a diligence team that was bigger than its potential acquisition's entire employee base, notes Ted Hollifield of Alston & Bird, who counseled the target.

When Lyon-Hintze mentions the Playdom situation to her clients, they're often stunned to learn that an executive was named in the complaint.

“That really grabs any founder's attention,” she says. “On this case, the FTC said no, you don't get to gain from the deal and just walk away ' you'll still have skin in the game.”

'Part of the Culture'

It's the rare deal when privacy questions don't factor in at all.

Only a “tiny minority of companies really have their act together,” says Jeffer Mangels Butler & Mitchell partner Robert Braun. “A good number of companies are completely out to lunch.”

Sometimes privacy lapses are outright deal-breakers. In other circumstances, would-be acquirers may give their targets a few months to clean up operations ' time that could be avoided had executives spent a few hours with a privacy attorney early in the company's existence. Acquirers may alternatively choose to lower their bids, to preserve funds that may be needed to fix things later on.

In a frothy market, however, patience and price sensitivity might not be possible, DeGraw says. If a company low-balls or threatens to walk away, a competitor might scoop up its intended prey.

Beyond the regulatory scrutiny, more users are paying close attention to how their information is being preserved and handled. Often, companies simply want to do the right thing in the interest of consumer trust, says Cooley's Lyon-Hintze.

“More and more clients are coming to us just wanting to know for the sake of being better at protecting consumer privacy,” she says. “For the rest, the fear of a delayed or blocked deal or one that's going to cost them more money is enough to get them to pay attention.”

If they can afford it up-front, most start-ups would rather circumvent privacy concerns than leave cash on the deal table. That's why one unnamed, early-stage tech startup, swore off third-party cookies, one attorney notes.

And increasingly, angel investors and venture capitalists, focused as ever on recouping initial investments, are piping up about privacy issues, attorneys say.

As innovation comes to all corners of the world, attorneys and their clients have puzzled over what areas can escape privacy concerns.

“Considering it'll soon be common to be able to control Christmas lights with an app on a phone, folks are having a hard time coming up with an industry that won't somehow be impacted,” DeGraw says.

Regulators have expressed interest, for example, in the proliferation of information that stems from growing device interconnectivity. Others want to explore what infrastructure could be compromised by devices that promise convenience.

And as hindsight brings clarity and routine to technology transactions, now companies of any stripe ' and deals between them ' come with an expectation of a careful scrub for privacy issues.

“Privacy is part of the culture now,” DeGraw says.

Chelsea Allison covers legal business in Silicon Valley for The Recorder, the San Francisco-based ALM sibling of e-Commerce Law & Strategy. She can be reached at [email protected].