When performing due diligence in connection with a merger or acquisition, one item that should not be overlooked is the target company’s privacy policies. If the business of the target relies on account holders, subscribers, or others who provide the business with personally identifiable information, a seller who ignores the target’s privacy policies may find itself purchasing a business with no ability to access the existing customer base.
The purchaser ultimately acquired the assets, but only after entering into a consent order in which the parties agreed to destroy all personally identifiable information before the asset transfer.
The FTC warning should serve as a reminder that purchasers should carefully review privacy policies as part of their intellectual property due diligence. In addition, companies with a goal of being acquired should review their privacy policies to ensure that the policies will allow a successor to continue the business with the existing customer base.