Scott Peppet, Privacy Deals
Comment by: Tanya Forsheit
PLSC 2013
Workshop draft abstract:
This paper examines a previously unexplored way in which markets may act to constrain privacy violations: through privacy-related contractual deal terms in mergers, acquisitions, financings, and other corporate transactions. The thesis is that corporate actors perceive regulatory risk related to information security and privacy, and that they seek to moderate that risk when acquiring or financing other entities by conducting privacy-related due diligence and including privacy-related terms in their deals. To the extent that such diligence and terms are effective, they not only prevent or dampen the success of privacy-negligent target firms in a given transaction but also may create a more widespread fear in startups that privacy negligence will prevent future acquisition, financial exit, or growth. This more widespread fear — that ignoring privacy concerns may mean missing out on a future exit — may have pro-privacy effects far beyond the actual threat of regulatory enforcement or prosecution. This paper explores “privacy deals” by interviewing privacy lawyers focused on M&A. It reports on the findings of those interviews, in particular the types of privacy-related deal terms already in use. It also compares different types of corporate transactions — such as acquisitions versus venture financings — to determine when in the life cycle of technology-related firms privacy begins to have transactional implications. Throughout, the goal of the paper is to shed light on the ways in which corporate transactions may or may not be privacy-protective, and to raise the legal and policy implications of such “privacy deals.”