2024 saw strong interest in M&A involving companies that use or develop AI offerings. The rise of AI has brought new issues for dealmakers. In particular, regulators focused increasingly in 2024 on the collection and use of data in the development and commercialization of AI products, applying existing rules and developing new approaches to this new technology.
For example, in October, the Federal Trade Commission (“FTC”) announced actions against five companies for allegedly deceptive or unfair practices enabled by AI.[1] This followed the FTC’s complaint in January alleging that Rite Aid Corporation used facial recognition technology “to identify patrons that it had previously deemed likely to engage in shoplifting or other criminal behavior” without appropriate safeguards, including sufficient bias testing. The FTC ordered Rite Aid to, among other things, delete or destroy all photos and videos of consumers collected by the surveillance system as well as any data, models, or algorithms derived in whole or in part from them.[2]
Given the regulatory focus, buyers have increased their scrutiny of data used to train and develop AI products, especially where compliance issues can significantly affect the value of a deal. For example, having to delete algorithms created using data that was allegedly illegally collected or used (“algorithmic disgorgement”) could delay a deal or undermine the target’s business.
Buyers thus are increasingly focused on evaluating potential claims relating to:
- Breach of Contract
  - If customer data was used to train the AI model, did the customer expressly consent to such use under the customer contract (e.g., in the end-user license agreement)?
  - If the data was obtained from a third party, does the license or data aggregation agreement permit the data to be used to train AI models, or is it limited to non-commercial use?
  - If the AI offering depends on a large language model ("LLM"), is that use permitted by the contract with the LLM provider?
- IP Infringement
  - Was the AI model trained on unlicensed third-party copyrighted works, and does it regurgitate them in its outputs?
  - If the data was acquired from a third party, does the licensor have the right to make the data available for the applicable use, and what warranties and indemnification has the licensor provided with respect to the data?
- Privacy and Data Protection
  - Does the data include personal data and, if so, were the data subjects provided with any required notice and was any required consent obtained from them?
  - Which privacy laws apply to the data (e.g., the EU's General Data Protection Regulation ("GDPR") or the California Consumer Privacy Act), and can that be ascertained with confidence (which may not be possible if the data was scraped from public sources)?[3]
  - Was the AI model developed in a way that enables the handling of individuals' rights requests? For example, can the model process correction or deletion requests if it outputs incorrect information?
- Other Regulations
  - Is the target compliant with applicable AI-specific regulations,[4] such as the EU's AI Act,[5] and with regulations specific to financial, health, and other sensitive information?
  - Is the target compliant with applicable cross-border data transfer regulations, such as the GDPR, especially where data was scraped in one jurisdiction for processing in another?
  - Is the target at risk of claims of allegedly deceptive or unfair use or offering of AI (including with respect to any advertising for the offering), such as a claim by the FTC for violation of Section 5 of the FTC Act?
Data-related risks can lead to:
- A delay due to deep-dive diligence to identify faulty data or data from problematic sources ("dirty data"), including to ascertain whether that data can be removed or segregated.
- A closing condition requiring that dirty data or affected algorithms be replaced.
- A purchase price adjustment, which requires the parties to align on the estimated cost of obtaining clean data and retraining the model on it.
- An indemnity and special escrow for the identified risks, including the estimated cost of retraining the model on clean data if required by a third-party claim or regulatory enforcement.
- Buying a target primarily for its AI systems but being unable to use them due to noncompliance with AI, IP, or privacy laws.
Companies that use or develop AI offerings should maintain good data hygiene to minimize these risks, especially if they are considering a potential exit transaction. Even where algorithmic disgorgement is unlikely, buyers will focus on its potential impact.
[1] See our client alert, FTC Rolls Out Targeted AI Enforcement, Oct. 8, 2024.
[2] See our client alert, The FTC Brings Algorithmic Bias into Sharp Focus, Jan. 8, 2024.
[3] See Using special categories of data for training LLMs: never allowed? by Lokke Moerel and Marijn Storm, Morrison Foerster, Aug. 28, 2024.
[4] See Morrison Foerster Artificial Intelligence Resource Center’s Links to Laws, Regulations, and Regulators by Jurisdiction.
[5] See also our client alert, EU AI Act – Landmark Law on Artificial Intelligence Approved by the European Parliament, Mar. 14, 2024.