When performing due diligence in connection with a merger or acquisition, one item that should not be overlooked is the target company’s privacy policies. If the business of the target relies on account holders, subscribers, or others who provide the business with personally identifiable information, a seller who ignores the target’s privacy policies may find itself purchasing a business with no ability to access the existing customer base.
This issue was recently highlighted when the Federal Trade Commission sent a warning letter to the potential purchaser of XY Magazine in a bankruptcy proceeding. XY Magazine was a gay male youth-oriented magazine and website that, according to the FTC letter, collected “a substantial amount of personal information from its members and subscribers, including names and street addresses.” The magazine and website touted an “Amazing Privacy Policy” and assured subscribers and members that “we never share your information with anybody”. The FTC’s warning letter stated that transfer of customer data in a bankruptcy proceeding would contradict the privacy statements and constitute unfair or deceptive trade practices, resulting in a possible violation of Section 5 of the FTC Act.
The purchaser ultimately acquired the assets, but only after entering into a consent order in which the parties agreed to destroy all personally identifiable information before the asset transfer.
The FTC warning should serve as a reminder that purchasers should carefully review privacy policies as part of their intellectual property due diligence. In addition, companies with a goal of being acquired should review their privacy policies to ensure that the policies will allow a successor to continue the business with the existing customer base.
IP Spotlight 