If you're a private equity investor, a venture capitalist, part of a mergers and acquisitions team, or simply looking to invest some of your savings into another company, privacy-related due diligence is something you cannot overlook.
This article will explain why you, as an investor, must have due diligence around privacy practices. It will list the documents you must review, and what to look for during your review to make the smartest financial decisions about potential investments.
- 1. Why are Privacy Practices Important for Investors' Due Diligence?
- 2. How Do Privacy Laws Influence Privacy Practices Due Diligence for Investors?
- 3. What are the Key Documents to NOT Overlook in Privacy Practices Due Diligence?
- 3.1. Privacy Policy
- 3.2. Terms and Conditions Agreement
- 3.3. Service Level Agreements
- 4. What are Some Common Oversights of Investors When Reviewing Privacy-Related Documents?
- 4.1. Lack of Regulatory Compliance
- 4.2. Inaccurate Portrayal of Actual Business Practices
- 4.3. Weak Data Security
- 4.4. Overly Weak or Strict Terms and Conditions Clauses
- 4.5. Impossible Promises and Incomplete Action and Response Plans
- 4.6. Consumer-Unfriendly Legal Policies
- 5. What are the Top Recommendations for Investors in Regard to Privacy Practices Due Diligence?
- 6. Summary
Why are Privacy Practices Important for Investors' Due Diligence?
Proper due diligence around privacy practices is a process that will help you determine whether a potential investment is worth it. It will give you insight into whether the investment is something that can make you money, or something that will cost you money and time with lawsuits and fines.
By reviewing the privacy practices of a company, you'll be in a better position to gauge the company's alignment with legal standards and catch any potential areas of risk.
Legal documents like Privacy Policies, Terms and Conditions agreements and Service Level Agreements (SLAs) contain important information and insights into a company, such as:
- Their steps for legal compliance
- How much exposure to privacy-related risks the company has
- The company's overall integrity in how it operates
How Do Privacy Laws Influence Privacy Practices Due Diligence for Investors?
Privacy laws like the General Data Protection Regulation (GDPR) in Europe and the California Consumer Privacy Act (CCPA/CPRA) don't explicitly require investors to have due diligence around privacy practices. However, they do leave investors at risk of great financial loss and of being caught up in lawsuits if they invest in companies that violate these laws.
These laws and regulations place strict obligations on companies that handle personal data, with non-compliance penalties reaching millions of dollars.
For investors who are serious about due diligence, reviewing privacy-related documents will give insight into how a company adheres to applicable privacy laws - or if they don't.
For example, a Privacy Policy review will let you see how a potential investment company collects, processes, stores, and shares data, and if it does so in line with legal requirements.
Doing this will help you see if a potential investment is too big of a legal risk. While you may not directly be sued, your money will be tied up in a company that may end up going out of business due to legal fines, litigation costs, ruined public reputation, and diminished customer trust.
What are the Key Documents to NOT Overlook in Privacy Practices Due Diligence?
There are 3 primary documents that you'll need to review when practicing due diligence:
- Privacy Policy
- Terms and Conditions agreement
- Service Level Agreement
Privacy Policy
A Privacy Policy is where a company outlines and discloses important legally required details such as what personal data it collects, how it uses and stores that data, and what rights users have.
For potential investors, this legal document will help reveal a company's data handling practices and show what level of compliance the company has with regulations. It can also help point out any potential issues, violations, or legal liabilities.
For example, consider how this clause in Equilife's Privacy Policy shows that the company is on top of rights offered to residents of a variety of locations. This would be a good sign that the company is aware of global privacy laws and takes steps to comply with them:
Terms and Conditions Agreement
A Terms and Conditions Agreement is also often referred to as a Terms of Use or Terms agreement. While the names are different, they function in the same way: to govern the relationship between a company and its users, setting out user rights, restrictions, obligations, and limitations on the company's liability.
For investors, Terms and Conditions agreements help indicate the company's approach to risk management. For example, a thorough Terms and Conditions Agreement will include extensive limits on liability, disclaimers of warranties and other types of relevant disclaimers, and a termination-without-cause clause. User rules and requirements will be clearly outlined, and will limit behavior that may put the company at risk.
For example, consider this extensive limitation of liability clause from Equilife's Terms of Use agreement. Note how it covers a number of scenarios, and the last point in the clause makes it clear that if someone is unsatisfied with the service, their resolution is to stop using the service instead of suing the company. Thorough clauses like this are a good sign for investors that a company has really done its own due diligence:
Service Level Agreements
Service Level Agreements are contracts that define the level of service a company promises to deliver to its users. SLAs address things such as uptime guarantees, data security measures, and incident response practices.
For investors, SLAs are a great indicator of how reliably a company operates, how committed it is to excellence, and whether it can deliver on its promises. They can also show how much detail a company has put into handling any issues that may come up.
For example, consider this clause from the Google Cloud Key Management System SLA. It includes details about uptime being close to 100%. It also acknowledges what will happen if that uptime isn't met for some reason and lets users know that they can receive a credit. This shows that the company likely has a strong system set up to guarantee such a high percentage of uptime, and that it has thoroughly thought out the entire process of how to handle the rare event that something goes wrong. Users are also given peace of mind, knowing that they can get credits if something does go wrong:
What are Some Common Oversights of Investors When Reviewing Privacy-Related Documents?
Here are some of the most common oversights investors have when they review privacy-related documents.
Lack of Regulatory Compliance
Many investors assume that having a Privacy Policy is enough to meet compliance requirements. However, if a Privacy Policy is outdated, inaccurate or just a general template that doesn't include information explicitly required by a relevant privacy law, the Privacy Policy may not be compliant at all.
Early-stage startups may use template Privacy Policies that don't include jurisdiction-specific clauses and information, and this can lead to legal violations and fines.
For example, the GDPR requires that users are informed about their data subject rights. If a Privacy Policy falls under the scope of the GDPR and doesn't include this information, there's a problem.
Check a Privacy Policy for the following:
- Lack of Jurisdiction-Specific Content: Privacy Policies that don't address the laws of all regions where the company operates or collects data are not compliant.
- Vague Language: If the language used is too broad or ambiguous, there will be compliance issues. For example, simply saying "we may share your data with third parties" may not be enough. Look for language that notes what exact type of data will be shared with what types of third parties.
- Outdated Policies: A Privacy Policy may be valid at one point, but changing laws and business practices can make that policy become invalid overnight. Check the "last updated" or "effective date" information on a Privacy Policy to make sure it isn't very old and thus likely out of compliance with new laws and law updates.
Inaccurate Portrayal of Actual Business Practices
A Privacy Policy must accurately reflect a company's actual data practices.
Startups often overpromise in their Privacy Policies, for example by claiming that they never share any personal data, while they actually engage in third-party data sharing for analytics or marketing purposes.
If a Privacy Policy claims a business behaves one way, but in reality it behaves in another, this is inviting huge issues with violating privacy and data protection laws.
Do the following:
- Verify Data Flows: Before investing in a company, verify its data flows to make sure reality lines up with what's presented in the Privacy Policy. Focus on the company's data collection, storage, and sharing practices to make sure everything lines up.
Weak Data Security
Privacy Policies and SLAs will give a brief, general statement about a company's approach to data security, such as the use of encryption. But investors will need to go deeper on this topic to make sure the company isn't at risk of data breaches and mishandling of any breaches that may happen.
Data breaches can cost millions in remediation, fines, and lost business, so this is very important information to know as an investor.
Do the following:
- Review Actual Security Standards in Place: Don't just rely on what the Privacy Policy says. Meet with the relevant teams and verify that the company does in fact have top-notch data security standards in use.
- Look at Data Breach Response Plans: Make sure the company has a data breach response plan in place, with methods of quickly notifying users and required authorities and ways to mitigate any damage. Without this, it's a very risky investment.
- Look for Vendor Oversight: Does the company oversee its third-party providers to make sure they also have adequate security standards and breach response plans in place? Verify this.
Overly Weak or Strict Terms and Conditions Clauses
You might think that a Terms agreement is sufficient as long as it has any type of limitation of liability clause, and a clause that addresses legal issues (such as a dispute resolution or arbitration clause).
This isn't true, as it overlooks the fact that overly aggressive limitation of liability clauses may be unenforceable in certain jurisdictions.
Similarly, weak and unclear dispute resolution clauses may also be unenforceable.
Both of these can lead to costly litigation.
Check a Terms and Conditions Agreement for the following:
- Unenforceable Clauses: Check for clauses that are either too strict or too vague, or that conflict with legal requirements. These types of clauses will likely cause issues by not being legally enforceable.
Impossible Promises and Incomplete Action and Response Plans
If you invest in any type of tech startup, make sure the Service Level Agreement includes realistic promises, and addresses how downtime issues will be addressed.
Without this type of content, you may see issues as the company scales and can't meet its own promises, and then doesn't handle them appropriately.
Check an SLA for the following:
- Realistic Uptime Information: If an SLA guarantees 100% uptime, this is a red flag.
- Remedy Clauses: If an SLA doesn't address what will happen and what it will do to compensate affected customers in the event of excessive downtime, such as by offering prorated credits, this is also an issue.
Consumer-Unfriendly Legal Policies
This is a more subtle aspect of due diligence, but very important. When you're reviewing a company's legal policies like a Privacy Policy, Terms of Use and SLA, look at it from the perspective of the end user.
This will give you good insight into how a consumer may view the company, either as trustworthy and transparent, or vague and misleading.
Check legal policies for these things:
- Readability: Legal policies that are difficult for the average reader to understand can lower users' trust in a brand and reduce overall user engagement. If the legal policies are full of legalese, dense paragraphs, and a general lack of clarity, this is a concern.
- Transparency: Legal policies that don't give specific information, are very vague, or are filled with general statements won't be looked at favorably by end users. Legal authorities will also take issue with this, as it suggests the company may not be in compliance with privacy laws.
If the legal policies are written in a clear, transparent and thorough way, this shows that the company has a user-centric approach to things and will work to maintain public trust and brand loyalty.
For example, here's how LinkedIn starts its Privacy Policy, with a ton of user-focused features including starting it with the words "Your Privacy Matters." Links are included to a Help section, a Key Terms section, and to a user choices page. A video is embedded as well, which helps make dense legal information more human-friendly to navigate:
What are the Top Recommendations for Investors in Regard to Privacy Practices Due Diligence?
Below are some actionable steps for investors to take as they navigate privacy due diligence.
- Hire a Privacy Expert: A legal compliance specialist can help you as you thoroughly look over the privacy and other practices of a potential investment opportunity.
- Make Sure Legal Policies Have Jurisdiction-Specific Information: Check that every law that would apply to the company is actually complied with. This may mean a Privacy Policy must have specific clauses, such as the disclosure of user rights that the GDPR requires.
- Make Sure Legal Policies are Up to Date: All legal policies should reflect updates to relevant laws, and any changes to business practices. If a policy is older than 6 months without being updated, this can be a concern.
- Verify Data Practice Claims: Make sure that the company is actually doing what it says it's doing when it comes to things like how it collects, uses and stores personal data of its users.
- Gauge Consumer Image and Trust: Put yourself in the shoes of the end users and consumers, and see if the company looks trustworthy and transparent based on its privacy and other practices. Are legal policies written in a user-centric way?
- Simulate Incident Scenarios: See how the company would respond to a variety of different incidents that may arise, from a data breach to a lawsuit. This will help you get an idea of how the company is ready to react if something ever goes wrong.
Summary
Privacy practices are an important part of the due diligence process for investors. Reviewing legal agreements such as Privacy Policies, Terms and Conditions agreements and Service Level Agreements will help you get a better and more full picture of whether an investment is potentially risky or not.
Look for things such as not complying with all laws, not being transparent, not creating user-friendly legal agreements, and not having plans in place for when things go wrong. Having weak security, impossible service level promises, or incredibly strict liability clauses are other things to watch for.
Any or all of these things will expose the company to financial risks through legal violations and customer lawsuits. As an investor, this is stuff you want and need to know.