On November 1, Google announced it had entered into a definitive agreement to acquire Fitbit for approximately $2.1b. Both companies made a point to highlight the importance of data protection in their announcements of the acquisition. “Strong privacy and security guidelines have been part of Fitbit’s DNA since day one, and this will not change. Fitbit will continue to put users in control of their data and will remain transparent about the data it collects and why. The company never sells personal information, and Fitbit health and wellness data will not be used for Google ads,” Fitbit expressed in its press release. Google’s blog post on the acquisition further reiterated its commitment to data privacy rights, “[Google] will give Fitbit users the choice to review, move, or delete their data.” 

As evidenced by Google’s acquisition of Fitbit, privacy and data security considerations have come to play a central role in today’s mergers and acquisitions (M&A) landscape. M&A can expose companies to elevated risk in numerous ways. For example, when a company merges with or acquires a company that is subject to different regulatory concerns, such as HIPAA or COPPA, new resources may need to be assigned to make sure all privacy and security requirements are addressed. A cursory review of news headlines confirms that numerous companies have suffered from data breaches or other privacy/security incidents as a result of failing to fully assess and address privacy and cybersecurity risks during M&A. A growing number of companies have recognized that proactive privacy practices are strategically critical in the M&A context because of how costly a mistake can be—and, conversely, just how beneficial good practices can be in realizing value across a company’s potentially lucrative data flows. Regulators are also more acutely attentive than ever to companies’ privacy practices and statements. 

In the “Privacy and Data Security in Mergers & Acquisitions” privacy advisory, TrustArc highlights several best practices for M&A:

Pre-M&A Planning and Internal Strategy/Objectives 

  • A company should assess and fully understand its own privacy program maturity level, data flows, information security practices, partners’ data inputs and outputs, and contractual obligations. 
  • All parties should consider how their privacy and data security posture could have a material effect on the proposed deal, even if the transaction is not focused on the data involved. Each party must therefore assess its own risk profile and that of any potential transaction partner in order to decide what requests to make of the other side to reduce risk, to reach a comparable level of regulatory compliance, and to preserve the value and usability of any personal data to be transferred. 

The Due Diligence and Pre-Signing Stages 

  • At a minimum, all parties involved will need to evaluate their privacy notices—for all products, services, and regions, whether covering mobile devices, an ad tech platform, or a marketing website, to name a few—to identify where those notices may be subject to different countries' domestic legislation, such as Section 5 of the FTC Act in the U.S., which prohibits unfair or deceptive practices. 
  • Companies must give careful consideration to their data security protocols, the parameters and monitoring of their vendor relationships, and their own employees’ personal data.

Items to Consider at Post-Signing and Post-Closing 

  • Will a special regulatory review be necessary based on the publicly-traded nature of the parties, the proposed deal’s financial valuation, or because the transaction implicates a highly-regulated industry? 
  • Is there any data, personal or otherwise, that is adjudged to be either not germane to the merged entity or overly sensitive/unwanted such that it will be intentionally excluded from the data transfers among the parties (and thus deleted, returned or aggregated)?
  • How will the companies' policies be revised and/or combined? How will employee/HR records be integrated? Whose infrastructure will be used, and whose data will be ported in? 

To learn more, read the TrustArc "Privacy Advisory: Privacy and Data Security in Mergers & Acquisitions" here.