In 2014, Acxiom acquired LiveRamp, a customer data-onboarding company. The $310 million acquisition saw the joining of a startup with a well-established analytics and software-as-service company. The benefits for both were obvious: LiveRamp stood to benefit from Acxiom’s muscle in the way of technology, resources and talent, as LiveRamp CEO Auren Hoffman noted; and Acxiom got the technology, talent and energy of a startup that saw triple-digit revenue growth in each of the two years prior to the buy. 

But what happens to privacy policies and practices when young and fast-paced merges with established and careful?

Acxiom’s been around since 1969. Its privacy program is global and more than 25 years old, though obviously it’s been tweaked, improved and extended over the years as regulations, laws and technologies have changed. 

So, while LiveRamp had a privacy program in place when it was acquired, that didn’t change Acxiom’s process in thoroughly, very thoroughly, vetting the startup's privacy bona fides before any dotted lines were signed. That was a direct order handed down from Acxiom’s CEO and general counsel to Jennifer Barrett Glasgow, CIPP/US, Acxiom’s then CPO, now emeritus, and Sheila Colclasure, then Americas officer and now global privacy and public policy executive. 

But the good news, Colclasure said, is LiveRamp was doing privacy right already. The company had a privacy program in place and, in fact, just prior to the acquisition, had completed a data-governance compliance audit. It was also already a member of the Network Advertising Initiative and comported with that body’s standards as a best practice, despite the fact that LiveRamp doesn’t do online behavioral advertising. 

“They had really come at it the right way,” she said. 

Regardless, Acxiom has very particular privacy governance techniques, Colclasure said. “We apply privacy policy constructs at the engineering layer,” she said. “We’re a good three years ahead of other players in our space.”

And so began the process of learning LiveRamp’s systems and processes.

“We really looked at everything the company does,” Colcasure said. “Every product, all clients, all the way up the chain.” 

Assessing LiveRamp meant asking questions about what it does, like, “Is it fair not just to the brands we serve and not just to society but to the consumer?”

Fortunately for Acxiom, working with a startup like LiveRamp was easy because the team, as successful startup teams tend to be, was smart and worked quickly. And that’s important, Colclasure said, because one concern for Acxiom in retrofitting LiveRamp’s program to match its own was slowing down innovation in the process. In fact, “It was a challenge to us to evolve our processes so we didn’t slow them down. It was an improvement for us to be as fast as they need us to be and still make sound decisions for really good outcomes,” she said.

Another factor working in Acxiom’s favor was the LiveRamp team’s willingness to do things Acxiom’s way when Acxiom came to it to say, “We found some things, we fixed them, we need you to retrofit your product.”

It makes sense, however, that LiveRamp would eagerly comply, given Acxiom’s experience and maturity. 

“Our team is very senior, many of us have been in the company for 15-plus years deeply immersed in these policy issues,” Colclasure said. “We’ve done this work across all of the major industries, and we know where the bodies might be buried and how to overcome problems and apply ethics to data use.”

For LiveRamp’s part, the heavy lifting came via changes to LiveRamp’s systems that would allow it to get SOC2 security clarification. Otherwise, the work was focused on educating Axciom’s team on systems and making the necessary changes to converge policies and practices. 

“Many of these changes were relatively minor,” said Anneka Gupta, LiveRamp’s Chief Product Officer, “given that LiveRamp had a privacy counsel pre-acquisition and had taken a relatively conservative approach to privacy. The majority of the time was spent on documentation and review of our systems,” but there weren’t major technical overhauls required, Gupta said. 

Operationally, Acxiom hired a full-time privacy person to head up LiveRamp’s team. That person reports to Colclasure and serves as the day-to-day privacy lead, answering questions as needed and working with engineers. But they don’t work in a silo; Acxiom’s privacy impact assessment happens at the ideation phase. So innovation suggestions are elevated to a table of Acxiom’s full privacy team plus other key stakeholders which includes legal, security and engineering to be green- or red-lighted.

If LiveRamp dislikes the team’s answer, it has the opportunity to elevate to the GC, COO or even the CEO, which has happened before, Colclasure said.

And that’s where things can sometimes get sticky, as one might expect. LiveRamp is a young company aiming to innovate, and fast. Acxiom has a well-established brand to protect.

So does Colclasure find herself saying “no” all the time? Not quite, she said. But it happens.

“We’ve had some hard 'no's and been accused of being too conservative in a couple of instances. Our big brand clients want trust with the consumer," she said. "They rely on Acxiom, and LiveRamp, to get their data-enabled solutions right – they don’t want us to enable something that’s going to offend people. So, necessarily, the way we come at innovative business issues is very thoughtful.” 

So as LiveRamp builds products that are ahead of today’s marketplace heading towards digital identity, the internet of things, and machine learning, Acxiom turns to its ethics.

“We go through the whole exam of legality, then co-regulation, then look at, ‘Are these appropriate uses of data?’ and anticipate all the outcomes, and that’s where the ethical construct is so useful,” she said. Sometimes, during whiteboarding with LiveRamp, the message from Colclasure’s team is a bit of a compromise.

“Sometimes it’s not, ‘No, you can’t do that,’” she said. “It’s, ‘I can see how that would be very exciting and I can see it serves consumers, but, in order to meet our fairness standard, you’ve got to do it this way,’” she said.

LiveRamp’s Gupta said there are some differences between the way it used to do privacy and the way it does things now.

“There is definitely a lot more rigor around review and documentation, which has definitely benefitted LiveRamp immensely,” she said. “In addition, because we have a very savvy and sophisticated privacy team at Acxiom, we are more comfortable pushing the envelope and innovating our policies and products to better capture the market needs of our clients.”

What to consider in an M&A deal

Jennifer Archie of Latham and Watkins handles mergers and acquisitions. While she couldn’t comment on specific deals, she said in cases where she’s representing a firm that is being acquired, regardless of its size or role, “We don’t wait to be asked about data practices, where we can see they are fundamental to the value of the transaction. We might put it out there. To get through a merger or acquisition smoothly, there should be no surprises on either side.” 

That’s because “even though the company [being acquired] may be small, for some business models, the data play may be material to the purchase price. In those instances, the banks and acquirers will have considered privacy and data-security compliance,” she said. “You don’t want to overpay, you don’t want to underpay. So an early valuation question may be whether there is something flawed overall in the many ways in which consumer data has been collected, shared, stored or used. You do a big picture read on whether they are on the right track. If there are gaps, is it expensive to fix it? Can the key customer database be transferred to a purchaser without opt-in consent?”

Archie added it’s important, in mergers and acquisitions, to take careful and early diligence when considering how a potential breach at the target company could impact a brand.

“Even indirect or consequential loss of goodwill, business or anticipated profits can theoretically be allocated to the seller or insured against in an M&A transaction,” she said. “However, as a practical matter, damage to brand and reputation arising from negative outcomes to data-related incident are harder to bargain for, claim and/or recover.”

In part one of a two-part series for The Privacy Advisor, attorneys Brad Janssen, Matthew Knouff and Rani Habash discuss other important considerations when entering into an agreement, including asking the target company for things like data maps; documentation on things like data encryption, retention and destruction; and a risk profile on any previous breaches or near-breaches. (Editor's note: Find part two of the series in this month's edition of The Privacy Advisor.) 

Gupta said her advice for companies being acquired is to work, on day one, very closely with the privacy team of the acquiring company to understand the policies and how they are applied to the product in order to understand the differences between that and your existing policies. 

“You are going to know your systems better than the acquiring company, so it’s on your to initially develop proposals of what needs to change based on your understanding of the system,” she said. “Also understand that to do this requires time and resources, if you don’t staff this well with people that have both the business and technical view of your product, it will take much longer to get to resolution on open items.

It’s best to make investments early on, rather than having to retrofit later.

“The patience and hard work will pay off and make both your products and the acquiring company’s products better,” she said.