Tech Transactions & Data Privacy 2022 Report: Data as an Asset: Considerations in Technology Transactions and M&A Due Diligence
Friday, February 11, 2022

Tech Transactions & Data Privacy 2022 Report

In today’s economic environment, it is increasingly important for businesses to derive value from data they collect from and about their customers. This data can be an essential asset in assisting companies to improve or enhance existing products or services, or develop new products or services, identify predictive usage patterns in technology platforms, and target potential sales or marketing opportunities. In addition, technology providers have access to significant amounts of their customers’ data in connection with the services they provide, and in many cases seek to use such data for their own business purposes. As a result of this environment, in recent years many companies have sought to acquire businesses that have either robust data sets or strong data analytics capabilities to help develop actionable insights from data.

Businesses need to be prudent regarding their objectives for the collection, use and protection of data, especially in light of stronger enforcement of existing state, federal and international laws and regulations relating to the protection of personal data and the passage and implementation of new privacy laws by various states containing substantially similar requirements to those imposed by the European Union’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), including Virginia’s Consumer Data Protection Act (CDPA) and the Colorado Privacy Act (CPA). While the use of data may present significant opportunities, businesses must be aware of the substantial regulatory, contractual and reputational risks associated with failure to comply with applicable privacy laws. This article will provide tips for best practices for negotiating technology agreements, both from the perspective of technology providers and their customers, as well as guidance regarding key issues to consider with respect to businesses’ data use and collection practices in due diligence for M&A transactions.

Data Rights in Technology Agreements

In the negotiation of agreements between software or other technology providers and their customers, it is imperative that terms relating to data collection, use and disclosure clearly state the rights and obligations of the parties. This requires the drafting of carefully crafted language designed to reflect the interests of both parties and to ensure compliance with applicable legal requirements.

Technology providers often seek to secure rights to collect and use a broad range of data from their customers, from metadata relating to the use of any software products to the information disclosed by such customers for processing. Such broad rights permit these providers to develop or enhance their products or services, perform analytics regarding their customer base and otherwise commercialize data for their business purposes. Many companies have begun to utilize a “give to get” model, in which customers must contribute data to be able to use functionality in a software product, such as shared databases or analytics dashboards that aggregate data across such providers’ customer base to provide benchmarks and other insights. For example, certain procurement management software providers offer functionality to permit their customers to view analytics dashboards comparing payment terms and amounts by type of vendor across the provider’s customer base. In “give to get” models, such customers may only access these dashboards if they agree to share data for inclusion within the dashboards. Such models benefit technology companies by removing ambiguity regarding data rights and expressly permitting data usage in a manner that enhances the provider’s products and services, but may present difficulties for their customers, as discussed below.

On the other hand, the companies using such technology products or services have an interest in limiting data collection and use for purposes solely as necessary to enable the technology provider to deliver the products or services being purchased. In many cases, the disclosure of data carries risk, whether it is personal information subject to state or federal privacy requirements or confidential financial information that could result in harm to the company if disclosed. Additionally, technology providers often seek broad representations and warranties from their customers regarding the customer’s right to disclose data to the vendor and permit certain secondary uses and further disclosures of data by the technology vendor. At times, these terms also pose risk to the extent they conflict with any agreements or understandings between the customer and the consumers or data subjects from whom it collects data (such as a privacy notice or an authorization to disclose data). As a result, customers of technology vendors should attempt to limit any use or disclosure of information to the extent possible and seek additional protections regarding the confidentiality of such data.

Such protections often include requirements that any data used for any purpose other than the direct provision of products or services to the company be aggregated and anonymized (i.e. that the data, as used, does not identify the company, any consumer or any information unique to either the company or any consumer). These limitations provide protection against the improper disclosure of personal information in violation of applicable law and help mitigate the risk of disclosure of any other confidential information. However, the parties must ensure that such aggregation and anonymization is conducted in accordance with the various standards imposed by applicable laws to which they are subject. For example, GDPR imposes certain requirements relating to the “anonymization” of personal data, while entities subject to HIPAA must comply with specific requirements regarding the de-identification of Protected Health Information (PHI) via either the “Safe Harbor” or “Expert Determination” methods of de-identification, and further, Business Associates must abide by the limitation that they only de-identify or aggregate the PHI of multiple Covered Entities upon receipt of explicit permissions to do so from the applicable Covered Entity.

Another issue that arises from the use of aggregated or anonymized data relates to the ownership of such aggregated or anonymized data. The ownership of data is a distinct issue from use and disclosure rights under privacy laws but also plays a key role in the ability of technology providers to derive value from customer data. Generally, customers of technology providers seek to and do retain ownership of the original data disclosed to technology providers in connection with the use of such providers’ products and services. The ownership of aggregated or anonymized data is a more complex matter - technology providers often seek to own such data to allow for flexibility in the use of the data for their own business purposes. Conversely, many customers prefer to retain exclusive ownership of any data or new technology derived from the original data (particularly any personal or otherwise sensitive data) they disclosed to the service provider. However, though such customers may not be willing to relinquish ownership, they may instead be willing to grant a limited license to the service provider to permit the use of any anonymized aggregated data in connection with the delivery or enhancement of the products or services used by the customer. This way the customer as well as other customers of the provider benefit from the use of the data.

More broadly, the use of data by technology providers raises a number of issues regarding intellectual property rights in software or other technology created through the use of or derived from the use of their customers’ data. If a technology provider uses its customer’s data (whether the original data provided or any anonymized or aggregated derivatives of such data) to create any software (or enhancements to existing software), algorithms, models or other commercially valuable materials, the parties will need to determine ownership rights to such newly created intellectual property. The resolution of this issue is dependent on a number of factors, including the nature of the data, relative bargaining power of the parties, whether anything produced is intended to be a work product created specifically for the customer, contributions from the respective parties of assets or other resources in connection with the development of the new technology and scope of intended data use.

In addition to the foregoing, technology agreements which involve the technology provider’s access to and use of data also implicate a number of issues relating to the allocation of risk, data security obligations and responsibilities of the parties upon termination of the agreement. The following checklist provides a non-exhaustive summary of potential key issues and questions for review in connection with terms implicating data usage and ownership rights in technology agreements.

Issues for Review in Technology Agreements

  • What is the nature of the data to be disclosed? How sensitive is the data (e.g., does it relate to an individual’s medical history)?

  • What laws and regulations are applicable to the data, and what obligations to protect the data do such laws and regulations impose?

  • For what purposes is the technology provider permitted to use or disclose data provided by its customer?

  • Do such uses and disclosures conform with the commitments made by the customer to any consumers or other data subjects (e.g., patients or clinical trial participants) from whom it collected data?

  • Does the agreement permit the technology provider to anonymize and/or aggregate any customer data? If so, which party owns this derived data?

  • If the technology partner creates any new intellectual property, such as software, algorithms, models or other materials using or derived from customer data, which party owns such new intellectual property? Is joint ownership of such intellectual property with potential cross-licensing rights a feasible alternative to exclusive ownership by one party?

  • Upon termination, does the agreement require the technology provider to return or destroy data disclosed by its customer? What is the scope of this requirement (i.e. does it only include the original data or any aggregated or anonymized data as well)? If the technology provider is unable to return or destroy any data (e.g., if it has been aggregated with the data of other customers and thus extraction is not feasible or would change the outcomes or analysis), what obligations regarding the protection of data will survive termination?

  • How will the parties allocate risk for improper use or disclosures of data?

  • Is the technology provider obligated to indemnify its customer for claims relating to data breaches or uses of data in violation of applicable law? Is the customer required to indemnify the technology vendor for the customer’s disclosure of data to the vendor which it does not have the right to make?

As discussed below, the ownership of any data is a key issue in the performance of diligence in connection with M&A transactions, as acquirers will need assurances that the selling company has appropriate rights to its data.

Considerations in M&A Due Diligence

It is essential that any company seeking to acquire another where the target company’s data is a key asset perform thorough due diligence regarding such company’s data collection, use and safeguarding practices.

First and foremost, the acquirer must ensure that the target company has the appropriate rights to collect, disclose and use any data that it does collect or has collected and permit use for secondary purposes, such as creating derivative works from the original data collected. If the target company collects personal information directly from consumers, the acquirer must ensure that the target collected and uses such personal information in accordance with applicable law. This includes ensuring, where applicable, that any personal information was collected in accordance with the target’s privacy notice and contractual arrangements, that such information is only used for the purposes described in the privacy notice and that any legally-required requests for the deletion or opt-out of the disclosure of such information are honored.

If the target collects data from other businesses in the course of providing services to such businesses, the acquirer should ensure any such data is only used as permitted by the applicable agreements with such customers, as well as applicable law. Additionally, any diligence should identify any restrictions on the disclosure of data to third parties, as such restrictions may limit the transferability of any data depending on the structure of the merger or acquisition. Further, the acquirer should review any terms relating to ownership of any aggregated or anonymized data. If the target’s customer retains ownership of such data and is granted a license for its use, such license will likely be subject to any restrictions on the assignment or transfer of the underlying agreement.

Any such diligence should involve the review of the target company’s consumer-facing privacy notice (if applicable), internal policies and procedures relating to data collection, use and security, and its relevant contracts. The diligence should also review the target company’s history, including any actions taken against it for past violations of privacy law or any data breaches. However, a review of any legally required documentation is likely to be insufficient, as acquirers must have certainty that the target is complying with any privacy notices, contracts or policies in practice. Accordingly, the acquirer should review any books and records of the target company to assess the target’s compliance with its stated practices, and perform testing on the target’s security controls to review potential vulnerabilities.

Sellers must also conduct diligence regarding their data assets to mitigate risk and ensure the proper transfer of their assets or ownership interest. Most importantly, sellers must ensure that they in fact have the right to sell, license or transfer any data which will be included in the sale. This includes a review of contracts with data providers to ensure the terms of such agreements permit the sale or disposition of any data, and to permit an opportunity to amend such agreements if required before any potential issues impede the ability of the seller and its acquirer to consummate the transaction. Where applicable, such efforts may also include the review and revision of privacy notices to permit the transfer of data to the acquirer, and the remediation of any potential non-compliance with internal policies and procedures regarding data usage and protection.

The purchase agreement in an M&A transaction will likely include a number of representations and warranties with respect to the seller’s ability to transfer data, and its data collection, usage and protection practices. Acquirers generally seek strong warranties regarding the seller having the right to sell or transfer the data to be included within the sale, the seller’s compliance with applicable privacy law and that there is no pending litigation or enforcement action against the seller relating to its data use practices. Sellers prefer to limit such warranties by adding knowledge qualifiers or limiting the time period for which such warranties are effective (for example, by stating that the seller is compliant with applicable law “as of the effective date” of the transaction).

The following checklist provides a non-exhaustive summary of potential key issues and questions for review in connection with data usage and ownership in M&A transactions.

Issues for Review in M&A Transactions

  • What is the nature of the data to be disclosed? How sensitive is the data (e.g., does it relate to an individual’s medical history)?

  • What laws and regulations are applicable to the data, and what obligations to protect the data do such laws and regulations impose?

  • How will the parties allocate risk for improper transfers or disclosures of data?

  • Does the seller have the right to transfer the rights to any data which it owns or licenses under both applicable law and any agreements with the seller’s data providers?

  • Is the seller compliant with applicable privacy law, and does it comply with its privacy notice and internal policies and procedures? Does the seller have any prior actions taken against it alleging violations of privacy law, or has it suffered any data breaches?

  • Do the representations and warranties in the purchase agreement reflect the foregoing?

  • Is the selling party obligated to indemnify its purchaser for claims relating to data breaches, violation of applicable privacy law, or failure to obtain the right to sell, license or transfer any data which will be included in the sale?

Conclusion

The use of data provides significant opportunities for businesses yet comes with regulatory risk and many contractual issues to consider. Technology providers and their customers must carefully review data usage and ownership terms in their agreements to address a wide range of issues and meet the needs of each party. Additionally, the parties in M&A transactions must each conduct diligence to ensure the selling party’s compliance with regulatory and contractual requirements and internal procedures, and to ensure the selling party has appropriate rights to transfer ownership or license rights to such data. By taking proactive measures to address these issues, businesses can mitigate risk and help realize the potential offered by data.
