On November 1, Google announced it had entered into a definitive agreement to acquire Fitbit for approximately $2.1b. Both companies made a point to highlight the importance of data protection in their announcements of the acquisition. “Strong privacy and security guidelines have been part of Fitbit’s DNA since day one, and this will not change. Fitbit will continue to put users in control of their data and will remain transparent about the data it collects and why. The company never sells personal information, and Fitbit health and wellness data will not be used for Google ads,” Fitbit expressed in its press release. Google’s blog post on the acquisition further reiterated its commitment to data privacy rights, “[Google] will give Fitbit users the choice to review, move, or delete their data.”
As evidenced by Google’s acquisition of Fitbit, privacy and data security considerations have come to play a central role in today’s mergers and acquisitions (M&A) landscape. M&A can expose companies to elevated risk in numerous ways. For example, when a company merges with or acquires a company that is subject to different regulatory concerns, such as HIPAA or COPPA, new resources may need to be assigned to make sure all privacy and security requirements are addressed. A cursory review of news headlines confirms that numerous companies have suffered from data breaches or other privacy/security incidents as a result of failing to fully assess and address privacy and cybersecurity risks during M&A. A growing number of companies have recognized that proactive privacy practices are strategically critical in the M&A context because of how costly a mistake can be—and, conversely, just how beneficial good practices can be in realizing value across a company’s potentially lucrative data flows. Regulators are also more acutely attentive than ever to companies’ privacy practices and statements.
In the “Privacy and Data Security in Mergers & Acquisitions” privacy advisory, TrustArc highlights several best practices for M&A:
Pre-M&A Planning and Internal Strategy/Objectives
- A company should assess and fully understand its own privacy program maturity level, data flows, information security practices, partners’ data inputs and outputs, and contractual obligations.
- All parties should consider how their privacy and data security posture could have a material effect on the proposed deal, even if the transaction is not focused on the data involved. All parties must thus consider their risk profile, and that of any potential transactional partners, in order to evaluate what eventual requests to make to alleviate risk concerns; achieve relative regulatory robustness; and maintain the value and usability of any underlying personal data to be transferred.
The Due Diligence and Pre-Signing Stages
- At a minimum, all parties involved will need to evaluate their privacy notices—for all products, services, and regions, whether covering mobile devices, an ad tech platform, or a marketing website, to name a few—to identify any potential areas where they may implicate different countries’ domestic legislation such as in the U.S., with the FTC Act § 5 covering unfair or deceptive practices.
- Companies must give careful consideration to their data security protocols, the parameters and monitoring of their vendor relationships, and their own employees’ personal data.
Items to Consider at Post-Signing and Post-Closing
- Will a special regulatory review be necessary based on the publicly-traded nature of the parties, the proposed deal’s financial valuation, or because the transaction implicates a highly-regulated industry?
- Is there any data, personal or otherwise, that is adjudged to be either not germane to the merged entity or overly sensitive/unwanted such that it will be intentionally excluded from the data transfers among the parties (and thus deleted, returned or aggregated)?
- How will the companies’ policies be revised and/or combined? How will employee/HR records be integrated? Whose infrastructure will be used and whose data will be ported in?
To learn more, read the TrustArc “Privacy Advisory: Privacy and Data Security in Mergers & Acquisitions” here.
Privacy and data security considerations, far from being relevant solely for international data transfer or data breach reasons, have come to play a central role in today’s mergers and acquisitions (M&A) landscape — for buyers and sellers alike.
There are several practical privacy and data security considerations that companies should keep in mind during the mergers and acquisitions process. Each phase of the merger and acquisition process has its own specific considerations. The following are examples from each of those phases discussed in the Privacy Advisory: Privacy and Data Security in Mergers & Acquisitions.
I. Pre-M&A Planning and Internal Strategy/Objectives
EU General Data Protection Regulation (GDPR) Compliant — Has any M&A-interested party been assessed against the EU GDPR law that takes effect on May 25, 2018, which may impact any company that handles EU resident data? Have the same companies also assessed or requested that their own partners/vendors be GDPR-compliant?
II. The Due Diligence and Pre-Signing Stages
At a minimum, all parties involved will need to evaluate their privacy notices — for all products, services, and regions, whether covering mobile devices, an ad tech platform, or a marketing website, to name a few — to identify any potential areas where they may implicate different countries’ domestic legislation such as in the U.S., with the FTC Act § 5 covering unfair or deceptive practices.
III. Post-Signing and Post-Closing
Regulatory Reviews—Will a special regulatory review—which often sees voluminous requests for internal records—be necessary based on the publicly-traded nature of the parties, the proposed deal’s financial valuation, or because the transaction implicates a highly-regulated industry?
To read the entire advisory, which includes best practices and examples, download it here.
Privacy Laws & Business International Conference
This conference will address how to ensure that the golden age of innovation does not become the dark age of information privacy. Sessions will show how the apparent car crash between innovation and privacy does not need to be a disaster. At one end of the spectrum, innovation can be the enemy of privacy and at the other end, innovation can be an enabler. This conference seeks willingness on both sides to connect with each other in a civilised manner and to find solutions.
Stop by the TrustArc table near the registration area to say hi and learn about our GDPR Implementation Solutions.
> Learn more here
IAPP Asia Privacy Forum 2017
Asia’s fast progress toward balancing the challenges of privacy and the free flow of information creates a world of opportunities for your organization. Learn how to seize them at the 2017 Asia Privacy Forum. The Forum is the only conference that brings globally recognized IAPP programming to Asia. Join in-depth explorations of issues and ideas for connecting Asian economies to each other and the world. This year’s Forum also features a special pre-conference workshop to help organisations comply with the GDPR.
TrustArc is a sponsor of this event. TrustArc’s Josh Harris, Director, International Regulatory Affairs, will be presenting on the panel “The APEC CBPR System: Growth and Opportunities” on Monday, July 24 at 16:35.
> Learn more here
31 January 2017
By Hilary Wandall
General Counsel & Chief Data Governance Officer, TRUSTe
Trying to solve a problem, determine the optimal course of action or make a critical decision in the absence of meaningful data not only is frustrating – it can yield undesirable outcomes. It’s like driving without a map or hiking without a compass, let alone precise GPS. Or, like trying to communicate with a friend, whose last name you don’t remember how to spell, without a phone number, email address or Twitter handle.
In recent years, many business leaders have realized that connected devices, systems and sensors are generating more and more data that can be invaluable to making better business decisions. Yet, they still are deciphering how best to leverage all of the data to drive better business decisions. With impending compliance obligations under the GDPR, they may forfeit those data opportunities if they don’t implement solutions that enable ongoing authorized use of those data.
Last month, I blogged that privacy leaders can be business enablers by supporting the business in maximizing net data value in two key ways: (1) partnering with other data leaders in the organization to establish an integrated approach to data governance that enables data benefit and risks to be evaluated in a holistic way, and (2) driving consistent evaluation of the value and costs associated with the acquisition, storage, use and re-use of data.
This month, Mike Hintze and Gary LaFever published a white paper, Meeting Upcoming GDPR Requirements While Maximizing the Full Value of Data Analytics, in which they tackle the new frontier of “data protection by default” under Article 25 of the GDPR. The concept of data protection by default permeates the regulation and expands upon traditional notions of data minimization or minimum necessary data to prescribe – subject to fines of up to 4% of global annual turnover or €20 million, whichever is higher – implementation of technical and organizational mechanisms for ensuring that only the specific personal data necessary for each specific processing purpose – whether collection, scope of use, length of storage, or accessibility – actually are processed. Hintze and LaFever present a compelling case for companies to proactively implement a robust technical approach to the GDPR’s data protection by default requirements in order to both maximize data value and minimize compliance risk and liability.
As privacy professionals, we spend countless hours with business teams identifying and classifying data elements, determining the processing purposes and the legal basis for any proposed processing, evaluating data retention periods and proposed data transfers. We create data inventories and data flow maps in order to determine whether data minimization, proportionality and onward transfer requirements are met. We are startled when the hours fly by and our analyses are ongoing, and we recognize that the only way we can support goals like maximizing net data value is to rely on technology to scale our work, make it more efficient and ultimately, more effective. With GDPR’s data protection by default requirements in just 15 months, we can no longer put off plans to implement new technology to help us comply.
Fortunately, Hintze and LaFever present solutions based on a concept of “controlled linkability” that refines data so that it can be used for a range of purposes while preserving privacy and protecting the data from unauthorized processing. Controlled linkability thus facilitates extraction of the full value of data, enabling both GDPR and other regulatory compliance as well as broad data utilization. In order for businesses to preserve and enhance the value of their data beyond the next 15 months, however, the time to plan for effective implementation of these technology solutions is NOW.
Since so many businesses rely on big data analytics, and increasingly on artificial intelligence, to fuel innovation and growth, it has become essential to know how to ensure compliance in a way that allows your data assets to be utilized. Hintze and LaFever are discussing their approach today in an IAPP webinar on “Unlocking Big Data Value Under the GDPR” featuring Gwendal Le Grand, the Director of Technology and Innovation of La Commission Nationale de l'Informatique et des Libertés (CNIL). You can learn more at www.anonos.com/bigprivacy.
One of the best ways to mitigate risk is to know what technological and regulatory change will bring ahead of time. This risk-based approach aligns with the GDPR approach to privacy management.
The 2017 Privacy Risk Summit is set to carry on TRUSTe’s reputation for high-quality education programs that help privacy professionals plan for future changes. Past events have brought together EU regulatory experts and Silicon Valley business leaders to discuss the impact of the EU GDPR and how organizations could navigate the global privacy requirements. Whenever there are sweeping changes, such as when IoT took off, TRUSTe is there to help navigate those changes.
Join the 2017 Privacy Risk Summit to learn from 30+ speakers who will be sharing privacy risk management best practices. In addition to being inspired by these keynote speakers, you will also have the opportunity to participate in interactive workshops.
See recaps of previous events here.
If you are interested in attending this year, take advantage of special event launch pricing here.