FTC Signals Major Shift: Children’s Privacy a Top Enforcement Priority

FTC Prioritizes Children's Data Privacy

The Federal Trade Commission (FTC) has made clear that protecting children’s privacy is now a top enforcement priority under its new leadership. Recent statements from FTC Commissioner Melissa Holyoak reinforce that businesses handling children’s data should prepare for heightened regulatory scrutiny.

Speaking in Washington, D.C., during the International Association of Privacy Professionals (IAPP) Global Privacy Summit, Commissioner Holyoak emphasized that children’s privacy remains a significant enforcement priority for the FTC. Central to this renewed focus is the enforcement of the Children’s Online Privacy Protection Act (COPPA), with the agency already advancing significant updates to the rule.

The FTC is not the only regulatory body focusing on children’s privacy. Also speaking at the IAPP Global Privacy Summit, many representatives of state regulatory bodies focused on enforcing state data protection laws similarly echoed the desire to focus on higher-risk activities. The focus includes paying closer attention to governing the processing of teens’ personal information online as well as practices related to the sale of data from minors. For companies that have historically leveraged the age threshold under COPPA for bifurcating data collection practices between children and others, this may pose a challenge, as data related to teens is not within the scope of that original COPPA threshold but would be the focus of regulatory enforcement at the state level. Given the heightened focus regulators across the board are placing on this scenario, companies dealing with data related to teens should consider, as an initial step, mapping out the specific use cases where this may apply and analyzing the potential risk of each individually.

Businesses that collect, use, or share children’s data should act now to evaluate and strengthen their privacy practices to mitigate regulatory risk. Varnum’s Data Privacy and Cybersecurity Practice Team stands ready to help your organization navigate these developments, strengthen your compliance strategies, and stay ahead of regulatory risk.

The Changing Landscape of Dispute Resolution for Website Operators

Historically, many website operators have included a provision in their published website terms and conditions or terms of use (Terms) governing how a website visitor is able to resolve disputes with the website operator. Recently, due to a proliferation of privacy-related litigation relating to the use of tracking technologies embedded on websites, website operators are reconsidering the most effective ways to address the dispute resolution mechanism included in the Terms.

Why Has Arbitration Historically Been the Industry Standard?

Arbitration has long been the preferred method for website operators to handle disputes with website visitors because it offers some key advantages over other mechanisms for dispute resolution, such as mediation and litigation:

  • Efficiency: Arbitration proceedings typically proceed to a resolution faster than court litigation does, which reduces the time and resources spent on resolving disputes.

  • Lower Costs: Arbitration is generally less expensive than litigation because it requires lower legal fees and preparation costs compared to traditional trials, and decisions are generally not appealable.

  • Confidentiality: The private nature of arbitration helps protect companies’ reputations.

  • Control: Companies can select the arbitrator and establish their own rules for the proceedings, which provides a tailored approach to dispute resolution.

What is Causing This Change?

These benefits have made mandatory arbitration provisions a staple in website Terms. However, the benefits of maintaining mandatory arbitration provisions appear to be waning. This shift can be largely attributed to the rise in tracking-technology litigation, as website operators face privacy-related challenges by plaintiffs under federal laws such as the Electronic Communications Privacy Act (ECPA) and the Video Privacy Protection Act (VPPA), as well as state laws like California’s Invasion of Privacy Act (CIPA). While tracking technologies, such as cookies and pixel tags, are common features of websites, increased complaints about these tools pose a significant challenge for website operators that rely on traditional arbitration provisions.

Mass arbitrations, which are the filing of hundreds or even thousands of individual claims on behalf of website visitors, have created administrative burdens and high costs for website operators, as website operators generally pay for most or all of the arbitration fees. Because of this strategy, website operators are recognizing the need to adapt to the complexity and volume of data-privacy actions by reevaluating their default dispute-resolution strategy. This reevaluation includes revising arbitration clauses to include mechanisms like bellwether processes, where a small number of cases are resolved first in order to guide the resolution of subsequent cases. Notably, at least one court has refused to compel arbitration of a class action against a website operator on the grounds that its arbitration agreement, including the mass-arbitration bellwether provision, was unenforceable because it was “permeated by provisions which are unconscionable and violative of New Jersey public policy.”[1] Another option is to require informal dispute resolution before arbitration, such as mediation. Additionally, some website operators are considering opting out of mandatory arbitration altogether, or at least carving out data-privacy disputes from the general arbitration provision, to allow disputes to be handled by the courts; this might result in more litigated class actions than in the past. 

What Options Do Website Operators Have?

There are several strategic options to address these challenges. For example, website operators may consider revising arbitration clauses, opting out of arbitration altogether, and utilizing alternative dispute-resolution mechanisms. Each of these approaches has distinct pros and cons:

| Option | Pros | Cons |
| --- | --- | --- |
| Revise arbitration clauses | Streamlines mass claims, potentially reducing administrative burdens and costs with bellwether processes. Alternatively, if privacy-related claims are carved out, this would allow the website operator to maintain the benefits of the arbitration provision while mitigating the risks of mass arbitrations stemming from privacy-related complaints. | Remains costly. The revised clauses may be challenged and struck down in court, limiting their effectiveness. |
| Opt out of mandatory arbitration | Allows disputes to be handled by the courts. The burdens of dealing with numerous individual claims can be ameliorated with class actions. | Exposes companies to the possibility of larger payouts, increased public/media scrutiny. Heightened legal risks. |
| Utilize alternative dispute-resolution mechanisms (e.g., mediation[2] or an ombudsman program[3]) | Flexible, less adversarial, and more suitable for resolving certain types of less complex disputes. | May not be suitable for complex cases. Outcomes are somewhat less predictable, in line with their increased informality. |

Each option requires careful consideration based on the website operator’s industry, size, customer base, and the legal environment in which it operates.  For example, revising an arbitration clause might involve carving out privacy-related claims from the provision’s scope. Accordingly, it is important for website operators to discuss tailoring strategies with an experienced attorney.

The approach that any individual company might take to tailoring its website Terms is highly dependent on a variety of factors, including its specific industry, operational scale, customer demographics, and the regulatory environment it is subject to and operates within. Varnum’s experienced data privacy team can help your business navigate this changing landscape and assess the risks and benefits of possible approaches. Varnum is well-equipped to assist in that decision-making process, offering comprehensive guidance so you can make informed decisions about dispute resolution strategies, ensuring alignment with both legal requirements and business objectives.

[1] See Achey v. Cellco P’ship, 475 N.J. Super. 446, 450; 293 A.3d 551, 553–554 (App. Div. 2023).

[2] The Program on Negotiation at Harvard Law School’s website explains that the goal of mediation “is for a neutral third party to help disputants come to a consensus on their own. Rather than imposing a solution, a professional mediator works with the conflicting sides to explore the interests underlying their positions.”

[3] An organizational ombuds “operates in a manner to preserve the confidentiality of those seeking services, maintains a neutral/impartial position with respect to the concerns raised, works at an informal level of the organizational system (compared to more formal channels that are available), and is independent of formal organizational structures.”

Is Insurtech a High-Risk Application of AI? 

While there are many AI regulations that may apply to a company operating in the Insurtech space, these laws are not uniform in their obligations. Many of these regulations concentrate on different regulatory constructs, and the company’s focus will drive which obligations apply to it. For example, certain jurisdictions, such as Colorado and the European Union, have enacted AI laws that specifically address “high-risk AI systems” that place heightened burdens on companies deploying AI models that would fit into this categorization.

What is a “High-Risk AI System”?

Although many deployments that are considered a “high-risk AI system” in one jurisdiction may also meet that categorization in another jurisdiction, each regulation technically defines the term quite differently.

Europe’s Artificial Intelligence Act (EU AI Act) takes a gradual, risk-based approach to compliance obligations for in-scope companies. In other words, the higher the risk associated with AI deployment, the more stringent the requirements for the company’s AI use. Under Article 6 of the EU AI Act, an AI system is considered “high risk” if it meets both conditions of subsection (1)[1] of the provision or if it falls within the list of AI systems considered high risk and included as Annex III of the EU AI Act,[2] which includes AI systems that deal with biometric data, are used to evaluate the eligibility of natural persons for benefits and services, evaluate creditworthiness, or are used for risk assessment and pricing in relation to life or health insurance.

The Colorado Artificial Intelligence Act (CAIA), which takes effect on February 1, 2026, adopts a risk-based approach to AI regulation. The CAIA focuses on the deployment of “high-risk” AI systems that could potentially create “algorithmic discrimination.” Under the CAIA, a “high-risk” AI system is defined as any system that, when deployed, makes—or is a substantial factor in making—a “consequential decision”; namely, a decision that has a material effect on the provision or cost of insurance.

Notably, even proposed AI bills that have not been enacted have considered insurance-related activity to come within the proposed regulatory scope. For instance, on March 24, 2025, Virginia’s Governor Glenn Youngkin vetoed the state’s proposed High-Risk Artificial Intelligence Developer and Deployer Act (also known as the Virginia AI Bill), which would have applied to developers and deployers of “high-risk” AI systems doing business in Virginia. Compared to the CAIA, the Virginia AI Bill defined “high-risk AI” more narrowly, focusing only on systems that operate without meaningful human oversight and serve as the principal basis for consequential decisions. However, even under that failed bill, an AI system would have been considered “high-risk” if it was intended to autonomously make, or be a substantial factor in making, a “consequential decision,” which is a “decision that has a material legal, or similarly significant, effect on the provision or denial to any consumer of”—among other things—insurance.

Is Insurtech Considered High Risk?

Both the CAIA and the failed Virginia AI Bill explicitly identify that an AI system making a consequential decision regarding insurance is considered “high-risk,” which certainly creates the impression that there is a trend toward regulating AI use in the Insurtech space as high-risk. However, the inclusion of insurance on the “consequential decision” list of these laws does not definitively mean that all Insurtech leveraging AI will necessarily be considered high-risk under these or future laws. For instance, under the CAIA, an AI system is only high-risk if, when deployed, it “makes or is a substantial factor in making” a consequential decision. Under the failed Virginia AI Bill, the AI system had to be “specifically intended to autonomously make, or be a substantial factor in making, a consequential decision.”

Thus, the scope of regulated AI use, which varies from one applicable law to another, must be considered together with the business’s proposed application to get a better sense of the appropriate AI governance in a given case. While there are various use cases that leverage AI in insurance, which could result in consequential decisions that impact an insured, such as those that improve underwriting, fraud detection, and pricing, there are also other internal uses of AI that may not be considered high risk under a given threshold. For example, leveraging AI to assess a strategic approach to marketing insurance or to make the new client onboarding or claims processes more efficient likely doesn’t trigger the consequential decision threshold required to be considered high-risk under CAIA or the failed Virginia AI Bill. Further, even if the AI system is involved in a consequential decision, this alone may not deem it to be high risk, as, for instance, the CAIA requires that the AI system make the consequential decision or be a substantial factor in that consequential decision.

Although the EU AI Act does not expressly label Insurtech as being high-risk, a similar analysis is possible because Annex III of the EU AI Act lists certain AI uses that may be implicated by an AI system deployed in the Insurtech space. For example, an AI system leveraging a model to assess creditworthiness in developing a pricing model in the EU likely triggers the law’s high-risk threshold. Similarly, AI modeling used to assess whether an applicant is eligible for coverage may also trigger a higher risk threshold. Under Article 6(2) of the EU AI Act, even if an AI system fits the categorization promulgated under Annex III, the deployer of the AI system should perform the necessary analysis to assess whether the AI system poses a significant risk of harm to individuals’ health, safety, or fundamental rights, including by materially influencing decision-making. Notably, even if an AI system falls into one of the categories in Annex III, if the deployer determines through documented analysis that the deployment of the AI system does not pose a significant risk of harm, the AI system will not be considered high-risk.

What To Do If You Are Developing or Deploying a “High-Risk AI System”?

Under the CAIA, when dealing with a high-risk AI system, various obligations come into play. These obligations vary for developers[3] and deployers[4] of the AI system. Developers are required to display a disclosure on their website identifying any high-risk AI systems they have deployed and explain how they manage known or reasonably foreseeable risks of algorithmic discrimination. Developers must also notify the Colorado AG and all known deployers of the AI system within 90 days of discovering that the AI system has caused or is reasonably likely to cause algorithmic discrimination. Developers must also make significant additional documentation about the high-risk AI system available to deployers.

Under the CAIA, deployers have different obligations when leveraging a high-risk AI system. First, they must notify consumers when the high-risk AI system will be making, or will be a substantial factor in making, a consequential decision about the consumer. This includes (i) a description of the high-risk AI system and its purpose, (ii) the nature of the consequential decision, (iii) contact information for the deployer, (iv) instructions on how to access the required website disclosures, and (v) information regarding the consumer’s right to opt out of the processing of the consumer’s personal data for profiling. Additionally, when use of the high-risk AI system results in a decision adverse to the consumer, the deployer must disclose to the consumer (i) the reason for the consequential decision, (ii) the degree to which the AI system was involved in the adverse decision, and (iii) the type of data that was used to determine that decision and where that data was obtained from, giving the consumer the opportunity to correct the data that was used as well as appeal the adverse decision via human review. Developers must also make additional disclosures regarding information and risks associated with the AI system. Given that the failed Virginia AI Bill had proposed similar obligations, it would be reasonable to consider the CAIA as a roadmap for high-risk AI governance considerations in the United States.

Under Article 8 of the EU AI Act, high-risk AI systems must meet several requirements that tend to be more systemic. These include the implementation, documentation, and maintenance of a risk management system that identifies and analyzes reasonably foreseeable risks the system may pose to health, safety, or fundamental rights, as well as the adoption of appropriate and targeted risk management measures designed to address these identified risks. High-risk AI governance under this law must also include:

  • Validating and testing data sets involved in the development of AI models used in a high-risk AI system to ensure they are sufficiently representative, free of errors, and complete in view of the intended purpose of the AI system;
  • Technical documentation that demonstrates the high-risk AI system complies with the requirements set out in the EU AI Act, to be drawn up before the system goes to market and is regularly maintained;
  • The AI system must allow for the automatic recording of events (logs) over the lifetime of the system;
  • The AI system must be designed and developed in a manner that allows for sufficient transparency. Deployers must be positioned to properly interpret an AI system’s output. The AI system must also include instructions describing the intended purpose of the AI system and the level of accuracy against which the AI system has been tested;
  • High risk AI systems must be developed in a manner that allows for them to be effectively overseen by natural persons when they are in use; and
  • High risk AI systems must deploy appropriate levels of accuracy, robustness, and cybersecurity, which are performed consistently throughout the lifecycle of the AI system.

When deploying high risk AI systems, in-scope companies must carve out the necessary resources to not only assess whether they fall within this categorization, but also to ensure the variety of requirements are adequately considered and implemented prior to deployment of the AI system.

The Insurtech space is growing in parallel with the expanding patchwork of U.S. AI regulations. Prudent growth in the industry requires awareness of the associated legal dynamics, including emerging regulatory concepts nationwide. Varnum’s Data Privacy and Cybersecurity Practice Team continues to monitor these developments and assess their impact on the Insurtech industry to help your business stay one step ahead.  

[1] Subsection (1) states that an AI system is high-risk if it is “intended to be used as a safety component of a product (or is a product) covered by specific EU harmonization legislation listed in Annex I of the AI Act and the same harmonization legislation mandates that the product that incorporates the AI system as a safety component, or the AI system itself as a stand-alone product, undergo a third-party conformity assessment before being placed in the EU market.”

[2] Annex 3 of the EU AI Act can be found at https://artificialintelligenceact.eu/annex/3/

[3] Under the CAIA, a “Developer” is a person doing business in Colorado that develops or intentionally and substantially modifies an AI system.

[4] Under the CAIA, a “Deployer” is a person doing business in Colorado that deploys a High-Risk AI System.

ERISA Fiduciary Duties: Compliance Remains Essential

The Employee Retirement Income Security Act of 1974 (ERISA) establishes a comprehensive framework of fiduciary duties for many involved with employee benefit plans. Failure to comply with these strict fiduciary standards can expose fiduciaries to personal and professional liability and penalties. With ERISA litigation on the rise, a new administration, and recent news that the Department of Labor (DOL) is sharing data with ERISA-plaintiff firms, a refresher on fiduciary duty compliance is necessary.

What Plans Are Covered?

ERISA’s fiduciary requirements apply to all ERISA-covered employee benefit plans. This generally includes all employer-sponsored group benefit plans unless an exemption applies, such as governmental and church plans, as well as plans solely maintained to comply with workers’ compensation, unemployment compensation, or disability insurance laws.

Who Is A Fiduciary?

A fiduciary is any individual or entity that does any of the following:

  • Exercises authority over the management of a plan or the disposition of assets.
  • Provides investment advice regarding plan assets for a fee.
  • Has any discretionary authority in the administration of the plan.

Note that fiduciary status is determined by function, what duties an individual performs or has the right to perform, rather than an individual’s title or how they are described in a service agreement. Fiduciaries include named fiduciaries. Those specified in the plan documents are plan trustees, plan administrators, investment committee members, investment managers, and other persons or entities that fall under the functional definition. When determining whether a third-party administrator is a fiduciary, it is important to identify whether their administrative functions are solely ministerial or directed or whether the administrator has discretionary authority.

What Rules Must Fiduciaries Follow?

Fiduciaries must understand and follow the four main fiduciary duties:

  • Duty of Loyalty: Known as the exclusive benefit rule, fiduciaries are obligated to discharge their duties solely in the interest of plan participants and beneficiaries. Fiduciaries must act to provide benefits to participants and use plan assets only to pay for benefits and reasonable administrative costs.
  • Duty of Prudence: A fiduciary must act with the same care, skill, prudence, and diligence that a prudent fiduciary would use in similar circumstances. Even when considering experts’ advice, hiring an investment manager, or working with a service provider, a fiduciary must exercise prudence in their selection, evaluation, and monitoring of those functions and providers. This duty extends to procedural policies and plan investment and asset allocation, including evaluation of risk and return.
  • Duty of Diversification: Fiduciaries must diversify plan investments to minimize the risk of large losses, with limited exceptions for ESOPs.
  • Duty to Follow Plan Documents and Applicable Law: Fiduciaries must act in accordance with plan documents and ERISA. Plans must be in writing, and a summary plan description of the key plan terms must be provided to participants.

Fiduciaries also have a duty to avoid causing the plan to engage in any prohibited transactions. Prohibited transactions include most transactions between the plan and individuals and entities with a relationship to the plan. Several exceptions exist, including one that permits ongoing provision of reasonable and necessary services.

Liabilities and Penalties

An individual or entity that breaches fiduciary duties and causes a plan to incur losses may be personally liable for undoing the transaction or making the plan whole. Additional penalties, often at a rate of 20% of the amount involved in the violation, may also apply. While criminal penalties are rare, they are possible when violations of ERISA are intentional. Causing the plan to engage in prohibited transactions may also result in excise taxes established by the Internal Revenue Code.

To limit potential liability, plan sponsors and fiduciaries should ensure the appropriate allocation of fiduciary responsibilities, develop adequate plan governance policies, and participate in regular training. Plan sponsors may purchase fiduciary liability insurance to cover liability or losses arising under ERISA. In addition, the DOL has established the Voluntary Fiduciary Correction Program (VFCP), which can provide relief from civil liability and excise taxes if ERISA fiduciaries voluntarily report and correct certain transactions that breach their fiduciary duties. The VFCP program was recently updated with expanded provisions for self-correction of errors, which are addressed in a previous advisory.

Understanding and adhering to the responsibilities outlined under ERISA allows fiduciaries to better serve and protect the financial well-being of participants and beneficiaries. If you have any questions regarding your responsibilities under ERISA or need assistance ensuring your plan policies are consistent with ERISA regulations, please contact a member of Varnum’s Employee Benefits Team.

Video Privacy Protection Act: What’s Next After Sixth Circuit Creates Split

Sixth Circuit Creates Split on VPPA 'Consumer' Definition

The Video Privacy Protection Act (VPPA) is a federal law aimed at prohibiting the unauthorized disclosure of a person’s video viewing history. While the VPPA was originally enacted in 1988 to prevent disclosure of information regarding an individual’s video rental history from businesses like Blockbuster, the explosion of the internet in the decades since has greatly expanded its potential reach, giving rise to countless lawsuits targeting businesses’ websites. One such case, involving the alleged disclosure of the plaintiff’s video viewing history through use of Meta’s data-tracking Pixel, was recently decided by the United States Court of Appeals for the Sixth Circuit, in a decision that serves to narrow the reach of the VPPA.

In a published opinion, the Sixth Circuit addressed the issue of who can be considered a “consumer” – and thus able to bring a claim – under the VPPA. The VPPA defines the term “consumer” to mean “any renter, purchaser, or subscriber of goods or services from a video tape service provider.” Citing longstanding canons of statutory construction, the Sixth Circuit reasoned that, when read in context of its surrounding text, the phrase “goods and services” is limited to audiovisual goods and services. The plaintiff, a subscriber to 247Sports.com’s newsletter which contained links to videos that were accessible to anyone on the website, failed to allege that the newsletter itself was audiovisual material, and thus was not protected under the VPPA.

Notably, the Sixth Circuit’s decision was contrary to the conclusions previously reached by other Federal Courts of Appeals, specifically the Second and Seventh Circuits. Those courts had endorsed a broader interpretation of the term, considering a subscriber of any of the provider’s goods or services to be a “consumer” under the VPPA, regardless of whether the subscription was specifically for audiovisual materials. By defying this trend, the Sixth Circuit creates a circuit split that may be resolved by the Supreme Court of the United States. The defendant in the Second Circuit case on this issue has petitioned the Supreme Court to review the decision. Now, with a circuit split apparent, the Supreme Court may be more likely to intervene.

Against this uncertain backdrop, and with the wave of Meta Pixel and similar lawsuits continuing, businesses will need to carefully evaluate the operation of their websites and whether they may be subjected to a VPPA claim. The review should also include an analysis of the effectiveness of any consent provisions that the business may be relying on to avoid liability. Businesses should be aware of the risks presented by the entities they acquire or merge with whose data sharing practices may implicate the VPPA. To mitigate the risk of liability, due diligence in any such transaction should include a thorough review of the target company’s data practices, compliance with privacy regulations, and any ongoing or potential lawsuits tied to the use of tracking technology.

Varnum’s Data Privacy and Cybersecurity Team is closely monitoring new VPPA developments and is well-equipped to help companies navigate these challenges and ensure compliance with evolving privacy laws. Please contact your Varnum attorney if you have questions on the risks associated with data-tracking tools such as the Meta Pixel and how they may apply to your company’s practices.

Selling a Business: A Practical Guide for a Successful Transaction

This guide is designed to help business owners and executives navigate the process of selling a business. It provides an overview of the sale process and practical tips for achieving the best possible outcome and addresses common challenges encountered during deals.   

For many sellers, a transaction will involve unfamiliar procedures and terms where a lawyer can provide valuable guidance. The better the key concepts are understood, the better equipped one will be to make informed decisions and achieve a favorable result.

Sale Process

The timeline for the deal will likely include the following steps:

  • Selecting a business broker who is right for the business.
  • The buyer presents a proposal letter or letter of intent.
  • The buyer prepares an Asset Purchase Agreement (APA) for the parties to negotiate.
  • The seller’s board of directors and shareholders approve the APA.
  • Both the buyer and seller sign the APA at or before closing.
  • Additional steps, such as obtaining real estate title insurance, finishing due diligence, and preparing closing documents.
  • At closing, the buyer pays the purchase price, and the seller transfers the business.

Letter of Intent

The selected buyer will produce a written proposal letter or letter of intent naming the price, transaction structure, and key terms. It should be written to state that it is nonbinding, meaning that everything remains subject to negotiating and signing a more detailed, definitive purchase agreement. The letter of intent will often include a binding agreement to negotiate exclusively with the buyer for a period of time.

Tax Planning

The structure of the transaction will determine the tax implications and the net proceeds. A lawyer can help assess the business’ options and calculate the net cash anticipated after taxes.

Due Diligence

The buyer will often do a thorough business review including financial statements, contracts, employee compensation and benefits, real estate, and other key aspects. Though the process can be time-consuming, it is typically better to provide the requested information rather than contest its necessity.

Review of Governing Documents

Early in the process, the selling corporation should review its articles of incorporation, bylaws, and any shareholder (buy-sell) agreements. The seller should identify anything that could affect the transaction, such as rights of first refusal or super-majority vote requirements. An attorney can help with this.

Structure – Sale of Assets

Many business sales are structured as asset purchases. In this structure, the selling corporation transfers its assets to a buyer-controlled entity. The buyer can form a new corporation to purchase the assets or use an existing entity. The seller keeps its corporate entity and dissolves it after the closing. Buyers do this to avoid any known or unknown liabilities the corporation may have.

Transferred assets include owned real estate, equipment, furniture, accounts receivable, prepaid assets, the goodwill of the business, the name of the paper, all website addresses, etc. In most cases, cash is retained by the selling corporation.

Some working capital liabilities may also be transferred to the buyer, such as accounts payable. Bank debt and other long-term liabilities are typically not assumed by the buyer. Liabilities not assumed by the buyer are paid off at closing and remain an obligation of the selling corporation.

The other transaction structure is for the buyer to purchase the corporation or LLC.

Purchase Price

Larger companies purchasing smaller companies typically pay all cash. Often 5 to 10 percent of the purchase price may be placed in an escrow account with a bank for an agreed-upon period of time.

The purchase price is for the enterprise value of the business without regard to bank debt and other long-term liabilities. This is frequently referred to as selling the business on a cash-free, debt-free basis. The seller will need to pay off any bank debt or other long-term liabilities out of the purchase price. Additional liabilities may include deferred compensation payments and any severance obligations.

The purchase price often includes a “net working capital adjustment” as well. Net working capital is current assets (excluding cash) minus current liabilities. Net working capital varies daily as revenues are received, expenses are paid, and liabilities and prepaid assets are accrued.

When a business is sold, the buyer and seller will usually agree on a “net working capital target.” The target is intended to be a normal amount of working capital that should be there as of the closing. If the actual net working capital at the time of closing exceeds or is less than the target amount, then the purchase price is increased or reduced dollar for dollar.

The seller will want to be careful about selecting the net working capital target because any shortfall at closing will reduce the purchase price. Different types of businesses have different working capital profiles, so it is important to make sure the working capital definition and target fit the business.

Asset Purchase Agreement

The buyer will prepare a detailed APA listing the assets being purchased and the purchase price.

The APA will include several representations and warranties from the seller such as:

  • The selling corporation will have all director and shareholder approvals needed to sell the business.
  • The assets being sold will be free and clear of all liens when the transaction closes.
  • The seller’s financial statements are accurate.
  • There are no material liabilities that have not been disclosed to the buyer.
  • The list of employees and their compensation is accurate.

If the representations are not true at the time of the closing, the buyer is not required to complete the transaction.

If the buyer discovers a representation is not true after closing, the buyer may have a claim against the seller. For example, if the seller represents that the equipment is free and clear of liens, and it turns out there is a lien, the seller would be responsible for paying off the lien. The purchase agreement will include limits and procedures related to how and when the buyer can make a claim against the seller.

The seller can protect themselves by including disclosure schedules within the APA documenting any problems or facts contrary to the representations. If disclosed before the closing, the buyer cannot make a claim after the closing. This is where the due diligence review benefits both the buyer and the seller.

The APA will include a list of covenants or promises. The seller will promise to operate its business in the ordinary course between signing and closing. The seller will also agree to negative covenants promising not to take certain major actions between signing and closing, such as entering into a new contract or paying a large dividend.

Board of Directors and Shareholder Approval

The board of directors should review and approve the definitive APA before it is signed. If a board decides that a sale of the company is the best decision, the directors have fiduciary duties to make an informed decision in the best interests of the shareholders. Hiring a business broker and soliciting multiple bids for the business is considered the gold standard to get the best possible price from the sale. The directors should carefully review the deal terms and transaction documents. Directors should also include their lawyers in the board meeting and ask them to walk through the key terms of the legal agreements. An attorney can help prepare board minutes that document the process followed and the reasons for the transaction.

The APA must also be approved by the corporation’s shareholders (by a majority of the outstanding shares unless there is a super-majority vote requirement). The shareholder meeting takes place either at or before the signing of the APA or between the signing and the closing.

In addition to approving the sale of all assets, the shareholders will often vote to dissolve the corporate entity after the closing. During the dissolution process, the corporate entity turns its assets into cash, pays its liabilities, and then distributes the net proceeds to shareholders.

Dissenters’ Rights

Most states have a corporations statute that includes dissenters’ rights. Early in the process, an attorney should review the corporations statute and advise whether the transaction is exempt from the dissenters’ rights provisions. In most states, dissenters’ rights do not apply when assets are sold for cash, and the proceeds are distributed to shareholders within one year. If dissenters’ rights apply and the transaction is not exempt, a dissenting shareholder has certain rights to go through a process designed to determine the fair value of their shares.

Real Estate

If the seller leases real estate, the lease must also be reviewed. Oftentimes it will be necessary to receive the landlord’s consent before transferring the lease to the buyer. If the seller owns the real estate, then the real estate will be transferred at the closing.

Title insurance will be obtained to confirm that the seller owns the real estate and to identify any mortgages, easements, or other liens or encumbrances on the property. The buyer will expect all mortgages to be paid at closing, so it gets a clean title to the property.

Often the buyer will obtain a survey of the property to show the precise boundaries and the building’s exact location.

The buyer will also typically hire an environmental consulting firm to examine the real estate for any contamination or asbestos. A Phase I assessment involves a tour of the property, a look at the history of the property, and a determination of whether there are any recognized environmental conditions that may require further investigation. If it looks like there may be serious issues, the buyer may proceed to a Phase II assessment which involves taking soil samples and testing them for contamination.

The buyer may also get a building inspection to inspect the structure, HVAC systems, roof, etc.

Net Proceeds to the Seller

The corporation selling the business closes the transaction and receives the cash purchase price. Out of the purchase price, the seller must pay off its bank loans and other long-term debt. It must also pay its transaction expenses, which include the business broker fee, attorney fees, accountant’s fees, real estate title insurance, etc. Any net working capital adjustment will also affect the net proceeds to the shareholders of the selling corporation.

Early in the process, the seller’s Chief Financial Officer and outside accountant should prepare an estimate of what the net proceeds will be after payment of expenses and taxes.

Escrow Account

The buyer will often withhold between 5 and 10 percent of the purchase price. That money will be put in an escrow account for a period of time. If the seller has misrepresented the business to the buyer, the buyer will take money from the escrow account to make itself whole. If the buyer does not have any legitimate claims, the money will be distributed to the seller at an agreed-upon date, often 12 to 18 months after the closing.

For sellers, one tactic is to negotiate a staged release of the escrow funds. For example, 50 percent is to be released to the seller six months after the closing, with the remaining 50 percent to be distributed to the seller 12 months after the closing.

Employee Transition to Buyer

In an asset sale, the employees are the seller’s employees before the closing, and the buyer’s after the closing. The buyer will typically do the same new employee intake paperwork that it would do for any new employee. Employees may be required to fill out an employment application, a form I-9 to verify employment eligibility, etc. Employees will enroll in the buyer’s benefit plans. If the seller has a 401(k), then arrangements will be made to terminate that 401(k) or transfer balances to the buyer’s 401(k) or to individual employee IRAs.

A buyer in an asset purchase is not required to hire all the seller’s employees. Sellers should ask buyers about their intentions as part of the negotiation process and consider severance obligations and policies for any employees not hired by the buyer.

The Closing

At closing, the final documents are delivered, the buyer pays the purchase price, and the business is transferred. Often it is a virtual closing that does not require people to be physically present. The lawyers arrange for documents to be signed and delivered. After the documents are signed, the parties and/or their lawyers will join a conference call, agree that everything is completed, and direct the buyer to transfer the purchase price.

After the Sale

After the closing, the selling corporation then enters a wind-down period that may take 3 to 12 months. The corporation must pay all its creditors.

Bumps Along the Way

Every deal comes with its frustrations, which can include:

  • The sale process is taking longer than expected.
  • The buyer’s due diligence review may seem intrusive. Responding to requests is time-consuming, and it may seem like the buyer is requesting the same information repeatedly.
  • The buyer may be slow to commit to the future role of key members of the seller’s management team.
  • The seller may become frustrated with the buyer’s focus on environmental or other risks that have never been an issue in the past.
  • The buyer may seem overly concerned about contracts and vendor relationships that have not caused issues before.
  • Some buyers have a smooth and well-thought-out transition process with good communication. Others may have poor communication and may seem haphazard and reactive. A buyer may also be distracted by other deals in the process.

Tips for a Successful Transaction

Here are some tips that can help achieve a better result for the company, employees, and shareholders:

  • Keep the sale process moving. The longer things drag on, the more likely a bad event will happen, whether external, like market trouble, or internal, like losing key employees.
  • Stay focused on operating the business. A deal can be a huge distraction that negatively impacts operations and earnings. Employees may lose focus, and deteriorating earnings during a sale process can be problematic.
  • Plan ahead for third-party tasks and lead times – for example, environmental assessments, real estate surveys, obtaining consent from landlords, getting shareholder approval, and paying off bank debt or bonds.
  • Review employment agreements, deferred compensation arrangements, or bonus or profit-sharing plans with a lawyer.
  • Be careful with capital expenditures. Using working capital to buy equipment could negatively affect net working capital at closing, and consequently the purchase price.
  • Create complete, detailed, and accurate Disclosure Schedules. Good Disclosure Schedules reduce the risk of post-closing claims from the buyer, helping preserve the net purchase price.
  • Have a good strategy and process for announcing the deal to employees and customers.   
  • Manage shareholder expectations. Net proceeds will be reduced by debts, taxes, and transaction expenses. Even after the closing, there will be a wind-down period before final distributions are made.
  • Consider severance pay for employees who are not hired by the buyer. Some companies pay special bonuses to employees in connection with the deal.
  • Acknowledge that key members of the management team may be conflicted, disappointed, or even outright hostile to the deal. It could mean changes to their title, responsibility, autonomy, compensation, or even their job.
  • Work with a bank early on regarding payoff arrangements for bank debt. If more complex financing, such as bonds, is in place, a lawyer can help navigate the complexities of this process.
  • Be mindful of vacation and travel schedules for key individuals involved in the process to plan ahead and avoid delays.  
  • Speak up and ask questions. Contact a Varnum attorney to assist in the sale of a business.

Involved With a Delaware Corporation? Three Major Changes to Know

What Senate Bill 21 Means for Delaware Corporations

On March 25, 2025, Delaware Governor Matt Meyer signed Senate Bill 21 into law, effecting significant changes to the General Corporation Law of the State of Delaware (DGCL), the statutory law governing Delaware corporations. With over two-thirds of Fortune 500 companies domiciled in Delaware, it continues to be the preferred state of incorporation for businesses drawn to its modern statutory law, renowned Court of Chancery, and developed case law.

For businesses incorporated in Delaware or individuals involved with a Delaware corporation as a director, officer, or stockholder, here are three major takeaways:

1. Procedural Safe Harbor Cleansing Related Party Transactions

Under Delaware corporate law, related party transactions involving a fiduciary, such as where a director of a corporation stands on both sides of a transaction, are potentially subject to the entire fairness standard of review. This onerous standard of reviewing a fiduciary’s actions in certain conflicted transactions places the burden on the fiduciary to prove that the self-dealing transaction was fair, both in terms of process (fair dealing) and substance (fair price), given the corporate law theory that the fiduciary’s interests may not be aligned with maximizing stockholder value.

Senate Bill 21 establishes a safe harbor pursuant to Section 144 of DGCL for these conflicted transactions (other than take-private transactions) if the transaction is approved by either:

  • A majority of the disinterested members of the board; or
  • A majority of the votes cast by the disinterested stockholders,

in each case, subject to certain additional requirements. Consequently, if transactional planners and corporations follow the new procedural safe harbor when entering certain related party transactions, they greatly minimize the likelihood of a successful breach of fiduciary duty claim against the corporation’s board.

2. Limiting Who Qualifies as a Controlling Stockholder

Prior to the enactment of Senate Bill 21, whether a stockholder was a “controlling stockholder,” and therefore subject to certain rules under Delaware corporate law, was not set forth in DGCL. Rather, Delaware case law helped transactional planners to determine if a stockholder would be treated as such.

Senate Bill 21 codifies the definition of this term in Section 144 of DGCL. Under the revised Section 144, a “controlling stockholder” is a stockholder who:

  • Controls a majority in voting power of the outstanding stock entitled to vote generally in the election of directors;
  • Has the right to control the election of directors who control the board; or
  • Has the functional equivalent of majority control by possessing at least one-third in stockholder voting power and power to exercise managerial authority over the business of the corporation.

This update provides transactional planners and corporations with clear guidelines over who qualifies as a controlling stockholder.

3. Narrowing Stockholder Information Rights

Over the past years, many Delaware corporations have been subject to an increasing number of “Section 220 demands” and related litigation that is often expensive for corporations to handle. Section 220 of DGCL provides stockholders with a statutory right to inspect a corporation’s books and records if the stockholder satisfies certain requirements.

Senate Bill 21 amends Section 220 of DGCL by narrowing what books and records of a corporation the stockholder is generally entitled to review after satisfying certain requirements. Specifically, the term “books and records,” as defined in Section 220 of DGCL, is now limited to certain organizational and financial documents of the corporation, including its annual financial statements for the preceding three years, board minutes, stockholder communication, and other formal corporate documents. Additionally, a stockholder’s demand must describe with “reasonable particularity” its purpose and requested books and records, and such books and records must be “specifically related” to the proper purpose.

In summary, Senate Bill 21’s amendments to DGCL give transactional planners and corporations additional clarity over cleansing conflicted transactions, who qualifies as a controlling stockholder, and the books and records a stockholder may access under Section 220. If you have questions about how the amendments to DGCL impact your Delaware corporation’s actions, reach out to a member of Varnum’s Securities and Capital Markets Practice Team.

 

Understanding Partial Redemptions for Startup Founders

Being a startup founder is hard. Among other things, startup founders face long hours, resource constraints, intense pressure, and the need for constant adaptation and resilience in the face of uncertainty. Founders face all of this while also being severely underpaid, which adds one of the more challenging trials to the list: personal financial pressure.

As a result of such financial pressure, and the frightening uncertainty of success, it is not unusual for founders to consider a partial redemption or liquidity event in which they sell a portion of their shares to the company or directly to an investor, typically as part of a proposed financing round. Such a redemption provides cash to the founder in exchange for a reduced level of ownership and risk in the company. A partial redemption may be accomplished through a cash purchase directly from the company or by using a portion of the proceeds from a financing round. A partial redemption can be a strategic move with both advantages and potential drawbacks. Understanding the nuances of this transaction is crucial for founders and investors alike.

Why Consider Partial Redemption?

Several factors might drive a company to pursue a partial redemption of the founder’s shares:

  • Liquidity: Founders may seek to cash out a portion of their equity for personal or financial reasons.
  • Tax Planning: Partial redemption can offer tax advantages, especially when structured carefully.
  • Corporate Governance: Reducing the concentration of ownership can improve corporate governance and decision-making.
  • Employee Incentive Plans: Repurchased shares can be used to fund employee stock option plans or other incentive programs.

Key Considerations

Before embarking on a partial redemption, several factors must be carefully evaluated:

  • Valuation: Accurately valuing the company’s shares is essential for determining a fair redemption price. The company should review the current 409A valuation and consider the potential impact the partial redemption will have on future 409A valuations.
  • Tax Implications: The tax consequences for both the company and the founder can vary significantly based on factors such as the founder’s holding period, the redemption structure and the company’s tax status. In general, a shareholder may exclude 100% of gain from the redemption of Qualified Small Business Stock (QSBS) for federal income tax purposes if certain issuance date and holding period requirements are met. However, a founder’s redemption may be disqualified from QSBS tax treatment.
  • Corporate Structure: The company’s legal structure and governing documents may impose limitations or restrictions on share redemptions.
  • Financial Impact: Repurchasing shares can reduce the company’s cash reserves and potentially affect its financial performance.
  • Shareholder Agreement/Investment Documents: Existing shareholder agreements or investment documents may contain provisions related to share transfers, redemptions, rights of first refusal, rights of co-sale or tag-along rights. The partial redemption may trigger rights for existing shareholders who may wish to participate in the sale.

Potential Drawbacks

While partial redemption can offer benefits, it also carries potential risks:

  • Dilution of Ownership: If the redemption is not carefully structured, it can lead to dilution of ownership for existing shareholders.
  • Company’s QSBS: The redemption may have an impact on Qualified Small Business Stock (QSBS) for existing shares as well as future purchases.
  • Market Perception: A significant share repurchase can sometimes be interpreted negatively by the market.
  • Loss of Talent: Founders may feel less motivated or committed to the company after a partial redemption.

The decision to redeem a founder’s shares is complex. Early exits and partial redemptions can provide liquidity and diversification for founders while allowing them to maintain some ownership in the company. However, it is important to consider the potential risks, structuring options and tax implications before the company and founder engage in such a redemption. It is advisable to reach out to your Varnum attorney to review any proposed partial redemption documentation.