With the adoption of more stringent privacy laws across the globe, we have seen a sharp increase in privacy technology (or “privacy tech”) vendors offering automated privacy compliance solutions. Among other things, privacy tech vendors provide software and services to assist companies with data inventory and mapping, privacy assessments, compliance reports and risk management, as well as policies, individual rights automation and other records that may be required as part of an organization’s compliance obligations. Many privacy tech vendors pitch their solutions to organizations as designed to “easily” assist with ongoing global compliance with the aid of automation and/or algorithms. Depending on the price you are willing to pay, these solutions can indeed help automate certain aspects of privacy compliance, including data mapping, consent mechanisms, records of processing and individual rights management. However, in their marketing materials, many privacy tech vendors – big or small, paid or free – caution companies that using legal professionals for privacy compliance will simply be too costly. Based on our experience, this is misleading at best, and a recent situation really reveals just that.

Our M&A team recently represented a seller in its acquisition, where privacy disclosures became a central sticking point and actually held up the transaction timeline and ultimate closing. The entity being sold – our client – was a US-based B2B platform. Having no in-house counsel or privacy team (like many small to mid-sized companies), the client engaged one of the larger privacy tech vendors to assist with privacy compliance. The client specifically engaged the privacy tech vendor because it had bought into the idea that this would be far less costly than using a law firm for its privacy work. Unfortunately, it turned out to be quite the opposite.

Initially, when asked to evaluate the privacy disclosures for the transaction, we reviewed the client’s privacy policy, which turned out to be poorly written and simply not adapted to the nature of their business. In an attempt to get more clarity, we spoke directly with the privacy tech vendor’s “consultants” – who were offering up legal advice despite not being attorneys, all the while disclaiming that they do not provide legal advice. As part of the services offered by the vendor, “consultants” (or advisers) are assigned to customers to work with the software and algorithms in order to provide assessments of which laws apply and what compliance obligations follow from them. However, our conversation with these particular consultants revealed that there was tremendous confusion about which laws potentially applied – an assessment that any experienced privacy attorney would have made very easily based on a no-frills (and free) questionnaire. In fact, the consultants lacked the granular knowledge and understanding of data protection laws needed to make certain important determinations. Our client’s business and operations with respect to data collection were very straightforward – no medical or sensitive information, no massive consumer tracking – and yet obtaining a clear-cut assessment from the vendor was near-impossible. To be fair, the company had designated someone with little privacy knowledge within the organization to interface with the privacy tech vendor, and that individual conceded that using the platform was overwhelming. Over a two-year period of working with the privacy tech vendor, and even with most of the required information provided by the client, the vendor had only delivered a tentative overall assessment as to applicable laws, some very generic information about training and other obligations with no substantive client-tailored content, and a flawed template of a privacy notice to hold things over.

In addition, when we reviewed the engagement agreement with the privacy tech vendor, we realized that the client had paid upfront for services that were not – at the time of the engagement – known to be necessary, and that in fact turned out not to be necessary at all based on the vendor’s own “consultants’” preliminary assessments. After spending upwards of $200k for access to the software as well as unneeded services and modules that kept being added on by the vendor (even absent a final assessment as to applicable laws), the client had nothing to show for it but an inaccurate and confusing privacy notice, a half-baked assessment and some limited and generic resources about privacy. What’s more, the M&A transaction was being held up in large part because of this issue, and to clean up the mess, the client would now also have to pay lawyers to get the work done properly.

In the course of reviewing the engagement and the materials/resources provided by the privacy tech vendor and speaking with the consultants, we found a number of irregularities. One example that stood out: the client had been persuaded to pay for a costly data protection impact assessment add-on despite the fact that it was absolutely not recommended, given the limited B2B processing activities, and certainly not GDPR-mandated, because the client was not even subject to GDPR. Another example: during the call, the “consultants” indicated that in their assessment of what constitutes personal data, they relied on the UK ICO’s guidelines and had (incorrectly) determined that the business contact information of individuals in the EU could not possibly constitute personal data. As for the assessment itself, it spat out potentially applicable privacy laws in a pre-populated template, and on several occasions actually made reference to a data protection ‘law’ that simply does not exist.

It was clear that this particular privacy tech vendor had taken advantage of a company with no internal knowledge of privacy. Although it really had no need for all of the modules or services, the client could not possibly have known whether those were truly needed. The “consulting” advice provided clearly ventured into legal advice without a license to practice law, and was simply wrong on a number of points. When we saw what the client had spent with the vendor, we felt that this was price gouging.* This unfortunate situation is just one of many in which exclusive reliance on a privacy tech vendor has led to inaccurate and/or inconsistent language in privacy notices, misrepresentations about privacy practices, misaligned technical implementations or failure to identify an applicable law. When you consider that one of the cornerstones of data protection law is transparency (and accuracy), this is a big issue.

Takeaway: if your company is seeking to implement or update a privacy program, do your homework and conduct cost comparisons. Make sure that the privacy tech vendor that you are considering is itself compliant with privacy laws. For instance, we have seen numerous “GDPR compliance” providers that did not serve up proper EU cookie banners (within the EEA), or had outdated privacy policies on their own websites. This should be a red flag (and of course it is to us), but one has to know exactly what to look for as well, and that is often not the case with companies without legal or privacy experts on their teams. If you do ultimately use a privacy tech vendor, ask a privacy attorney to review its materials and the agreement, and to make sure that you are not being fear-mongered into purchasing unnecessary add-ons. Make sure to ask if the “consultants”, for those vendors that do offer this as part of the paid package, actually have legal or privacy backgrounds. Finally, know that if you use a privacy tech vendor without legal counsel involved, the information and assessments will likely not be covered by the attorney-client privilege in the event of an audit, investigation or legal action.

Claims by privacy tech vendors that lawyers will always cost more have proven an effective marketing strategy – prompting a dizzying increase in the number of solutions. Yes, most have automated solutions that are clearly useful to clients that actually need them (e.g., cookie banners that are properly implemented or data rights management solutions). Yes, some law firms have very high hourly rates, and privacy can be time-consuming. However, even here in Silicon Valley, there are plenty of small to mid-size firms with solid privacy expertise offering (a) hourly rates for senior attorneys that are lower than a first-year associate’s in big law and (b) limited staffing, such that the client is not paying to train junior attorneys. In the end, many companies, such as our client in the example above, do not need all the bells and whistles of a full-service privacy software provider, but simply need transparent privacy notices, internal policies and records, and staff training – all of which are better left to the lawyers than to a software provider. We have spent countless hours cleaning up after costly privacy tech vendors’ inadequate work. We have also had to do the same with the “free” (or very cheap) privacy or other template generators, which are simply not designed to capture the granular nuances of privacy requirements and laws. On the flip-side, in advising some clients, we have worked alongside privacy tech solutions and allocated respective responsibilities, and this has proven very effective.

The moral of the story is to leave the software technology to software vendors and leave the legal advice to lawyers.

* For the record, we would have been able to provide all the services to the client from the start – albeit, minus the cookie consent management software and automated data subject rights software – for 15-20% of the costs. And ultimately, that’s what we did.

Céline Guillou

Céline Guillou is a member of Hopkins & Carley’s Corporate Practice and focuses on data privacy law and compliance. Céline holds the certificate for Certified Information Privacy Professional Europe (CIPP/E) from the International Association of Privacy Professionals (IAPP), the global standard in privacy certification.

Chiara Portner

Chiara holds the certificate for CIPP/US for U.S. private-sector privacy from the International Association of Privacy Professionals (IAPP), the global standard in privacy certification.