The FTC can hold an acquirer responsible for the bad data privacy practices of a company that it acquires. Evaluating a target’s data privacy practices, however, can be daunting and complicated by the fact that many “data” issues are first identified months, or years, after a transaction has closed. For example, although it is relatively easy to read a potential target’s privacy policies it is far more difficult to verify that the policy is accurate or complete. The following provides a snapshot of information concerning privacy violation penalties.

Due diligence questions to consider in a M&A transaction in order to evaluate data privacy related rsisk:

1. Has the target received a regulatory inquiry concerning its data privacy practices?
2. Has the target received litigation claims concerning its data privacy practices?
3. Has the target tracked data privacy complaints submitted to it by consumers?
4. Has the target tracked data privacy complaints submitted by consumers to government agencies, including the quantity and nature of data privacy complaints lodged with the Federal Trade Commission?
5. Is the target subject to a sector specific data privacy law?
6. Do the target’s internal privacy policies and procedures comply with legal standards?
7. Do the target’s external privacy policies and procedures comply with legal standards?
8. Has the target conducted a data map or a data inventory?
9. What are the target’s data retention policies?
10. With whom does the target share data?
11. Does the target have a vendor management program in place?
12. Have the vendors used by the target provided appropriate contractual protections?
13. Did the target have an employee, such as a Chief Privacy Officer, who was focused on data privacy issues?
14. If the target conducted operations internationally did it have a strategy in-place for handling the cross-border transfers of information?

1. United States (FTC) v. Playdom, Case No. 11-00724 (C.D. Cal. May 11, 2011).

[View source.]