Earlier this week, The Recorder observed that maintaining strong privacy standards is now a serious requirement for startups interested in M&A, not some “item on a deal-making checklist or a vague commitment to users.” Since the biggest asset of many startups is often data like subscriber lists, neglecting privacy standards can be a deal-killer, the outlet observed.
Surprisingly (to me), one attorney told The Recorder of the issue: “Only a tiny minority of companies really have their act together; a good number of companies are completely out to lunch.”
To find out more about how big a sticking issue privacy has become for acquirers, I talked yesterday with Christine Lyon, an attorney at Morrison Foerster who focuses on privacy and employment law.
Lyon told me that a big part of the shift owes to increased regulatory scrutiny, saying the Federal Trade Commission “has been more active in privacy enforcement generally.”
I asked Lyon who tends to be the most “at risk.” She cited mobile app makers, largely because “they might not think of themselves as collecting personal information, when they are.” (Names and email addresses are considered Personally Identifiable Information, or PII.)
Perhaps unsurprisingly, Lyon also mentioned that two other types of companies that should pay special attention to new state and federal privacy laws are sites that either cater in some way to children or deal with health-related information. When it comes to both, the risk of a misstep is much higher, said Lyon — not to mention that buyers in both cases are always “very interested in what sorts of consents were obtained.”
To correct what the FTC would consider a material issue in their privacy policies, a startup can do a couple of things. First, it can try getting the consent of its users retroactively, though most users won’t give it. (Who wants to be bothered?) Another option is to offer users the opportunity to “opt-out” from permitting a company to transfer its data to an acquirer.
Unfortunately, neither solution may be enough to appease a potential acquirer in the current environment. “An area that’s high risk for enforcement will get buyers’ attention,” she’d told me. “We’re just seeing a lot more issues like this cropping up and sometimes killing deals.”
The lesson here is obvious: companies that skimp on privacy could ultimately end up leaving a lot of money on the table.
Sign up for our morning missive, StrictlyVC, featuring all the venture-related news you need to start you day.