The Acquisition Dilemma
CEO Privacy Exercise · BUSN 101 / MIS
10:00
Phase 1 — The Briefing

You just paid $50M
for 2 million strangers.

Your company — NovaSpark Technologies — just closed the acquisition of DataFlow Inc., a direct competitor in the customer loyalty software space. The deal made strategic sense: DataFlow had solid technology and, more importantly, a massive customer base. But now that the ink is dry, your General Counsel has flagged a serious problem: DataFlow's 2 million customers never agreed to share their data with you. They signed up for DataFlow. They trusted DataFlow. Many of them have no idea NovaSpark exists. As CEO, the decision about what to do with that data lands entirely on your desk.

🏢
Your companyNovaSpark Technologies — loyalty software, $120M revenue, 800 employees
🤝
What you acquiredDataFlow Inc. — competitor, 2M customers, $50M price
📋
Data in the recordsFull name, email, purchase history, location, browsing behavior
⚖️
Legal statusDataFlow's ToS had a "successor company" clause — technically allows transfer, but barely
💰
Board expectation$8M year-one revenue was projected from marketing to these contacts
⚠️
Max legal exposureCCPA: up to $100–$750 per consumer per violation × 2M records

Your Leadership Team — They All Have an Opinion

Chief Financial Officer
Marcus Webb
"We baked $8M of year-one revenue from these contacts into the acquisition model. If we don't monetize this data, the deal math falls apart and I have to explain that to the board."
VP Marketing
Priya Sharma
"These 2 million people are exactly our target customer. We can segment them perfectly. This is the best lead list we've ever had. We'd be crazy not to use it."
General Counsel
James Okafor
"The ToS has a successor clause — we're technically covered. But I'd be lying if I said I was comfortable. California regulators have been aggressive. I'd rather you hear my concerns now than after a lawsuit."
Head of Data Privacy
Sofia Mendez
"I've seen this play out at three other companies. The short-term revenue never justifies the liability and brand damage. My recommendation is to ask for consent or delete the data entirely."
Board Chair
Diane Cho
"We paid $50 million. I need to see a plan that extracts value from this acquisition — but I also need to sleep at night. Bring me a decision with a clear rationale."
Head of Engineering
Raj Patel
"Whatever you decide, I need to know before we migrate the systems. Once the databases are merged, it's very hard to separate them again — and a breach during migration would be catastrophic."

The Legal Landscape — What You Need to Know

CCPA
California Consumer Privacy Act. Gives California residents the right to know how their data is used and the right to opt out of its sale. Applies to companies doing business in California regardless of where they're headquartered.
Penalty: $100–$750 per consumer per incident
FTC Act
The Federal Trade Commission can investigate "unfair or deceptive" data practices even without a specific privacy statute. They don't need CCPA to come after you — they can act on their own authority if they find your practices deceptive.
Penalty: Consent decrees, ongoing audits, fines
Class Action
Any group of affected customers can band together and sue as a class. In privacy cases, even small individual harms become enormous when multiplied across millions of people. Cases often settle — but settlements are expensive and public.
Exposure: $100 × 2M = $200M theoretical max

Your Task — What to Do in the Next 10 Minutes

  • Read all four options carefully — understand both the upside and the risk of each.
  • As a group, choose one option and commit to it. You cannot choose more than one.
  • Prepare to answer three questions from the board: What did you decide? Why? What's your biggest risk?
  • Assign someone to be the spokesperson. The rest of the group plays the board — ask the hard questions.
Phase 2 — Your Decision
Select your option — then prepare to defend it
A
Merge the databases & start marketing immediately

Import all 2M DataFlow records into your CRM and begin targeted email campaigns. Legal says the "successor company" clause in the ToS provides cover. You've paid for this data — use it.

Questions your group must answer
  • How do you respond when a customer calls and says "I never agreed to hear from you"?
  • If a journalist asks "did these customers consent?" — what do you say?
  • What's your plan if the FTC opens an investigation six months from now?
↑ Revenue now ↑ Full data value ↓ Legal exposure ↓ Customer trust ~ Regulatory scrutiny
B
Send an opt-in email — ask permission before contacting anyone

Email all 2M DataFlow customers explaining the acquisition and asking them to explicitly opt in before you ever contact them again. Transparent and legally safe — but industry opt-in rates run 15–20%, meaning you'll lose most of the database.

Questions your group must answer
  • How do you explain to Marcus (CFO) that you're voluntarily giving up 80% of the leads?
  • What exactly does the opt-in email say? How do you frame the acquisition positively?
  • What do you do with the 80% who don't respond — delete them immediately or wait?
↑ Trust & transparency ↑ Legal safety ↓ Lose ~80% of records ↓ Misses revenue target ~ Board pressure to explain
C
Delete all acquired customer data — start clean

Permanently and verifiably delete all 2M DataFlow customer records. Announce it publicly. You paid $50M and the data was part of that valuation, but you've decided customer privacy outweighs the revenue opportunity. Grow your customer base organically.

Questions your group must answer
  • Three investors are unhappy — you just destroyed a piece of what they paid for. What's your letter to them?
  • How long will it take to replace 2M qualified leads organically? Is that acceptable to the board?
  • Is this a PR move, a genuine ethics choice, or both — and does it matter?
↑ Ethically clearest ↑ Zero legal risk ↑ Strong PR story ↓ Write off a paid asset ↓ Investor backlash ~ 18-month rebuild timeline
D
Keep it for internal analytics only — never contact customers directly

Retain the DataFlow records for internal use only — market analysis, product development, trend modeling. You won't email them, sell the data, or share it externally. The data informs your decisions but customers are never aware you have it.

Questions your group must answer
  • If a data breach exposes these records tomorrow, those customers had no idea you had their data. How do you explain that?
  • What's the difference between "we're not contacting them" and "we have their data without consent"?
  • How do you prove to a regulator that the data was truly "internal only" and never misused?
↑ Strategic insights ~ Legal gray area ~ Some board satisfaction ↓ Customers still unaware ↓ Breach risk still exists ↓ Hard to prove in court
Phase 3 — What Happens Next
18-month outcome for each option
Phase 4 — Board Debrief

Discussion Questions

1

Marcus (CFO) had $8M of revenue baked into his model based on using this data. Should financial pressure ever influence a privacy decision? If yes — where do you draw the line?

2

DataFlow's ToS technically permitted contact by a successor company — but those customers clicked "I agree" on an 8-page document they didn't read. Is "technically legal" the same as "ethically acceptable?"

3

Groups who chose Option A: a journalist from the Wall Street Journal calls and asks, "Did NovaSpark contact DataFlow customers without their explicit permission?" How do you answer? Does passing the "front page test" change how you make decisions?

4

Groups who chose Option C: Diane (Board Chair) says you just wrote off a chunk of the $50M you paid. How do you make the case that deleting the data was the right business decision — not just the right ethical one?

5

Option D feels like a middle ground — but Sofia (Head of Data Privacy) says it's actually the most dangerous option of all. Do you agree? What makes "silent retention" potentially worse than active misuse?

6

Flip it: You're a DataFlow customer. You signed up for a loyalty app, shared your purchase history and location — and now a company you've never heard of has all of it. Which option would you want NovaSpark's CEO to choose? Does being the customer change your answer as the CEO?

Instructor Guide — The Acquisition Dilemma

Everything you need to facilitate this exercise, including timing, facilitation prompts, and what to expect from each group.

Learning Objectives

By the end of this exercise, students will be able to:

  • 1Identify the key stakeholders affected when a company makes a data privacy decision — customers, employees, investors, regulators, and the public.
  • 2Apply basic privacy law concepts (CCPA, FTC Act, class action liability) to a real business scenario without needing a legal background.
  • 3Distinguish between what is legally permissible and what is ethically sound — and articulate why those can differ.
  • 4Practice defending a business decision under pressure from skeptical stakeholders — board members, investors, journalists.
  • 5Recognize that data is not just a technical asset — it represents real people with real expectations about how their information is used.

Timing Guide — Total: 35–45 Minutes

5 min
Setup. Project the Student Exercise tab. Read the scenario aloud or ask a student to read it. Walk through the Cast of Characters so students understand who is pressuring them and why. Emphasize that every character's position is legitimate — this is not a case where one person is clearly wrong.
2 min
Form groups & assign roles. Groups of 3–5 work best. Optional: assign each person a character role (CFO, Legal, Marketing, Privacy, Board). This gives quieter students a specific voice to represent.
10 min
Group deliberation. Start the timer. Groups choose an option and prepare their defense. Circulate and listen — don't guide yet. Note which options are popular; you'll use that in the debrief.
8–10 min
Group presentations. Each group states their choice and gives a 60-second rationale. Ask one hard pushback question per group (see Facilitation Tips below). Don't reveal the "right" answer yet.
3 min
Reveal consequences. Click "Reveal Consequences" on the student screen. Let the outcomes land before you say anything. Give students 60 seconds to read silently.
10–15 min
Board debrief. Work through the discussion questions. Question 6 (flip it — you're the customer) almost always shifts the room and is a strong closer.

Setup Instructions

Projection setup

Display this page on the classroom projector. Use the Student Exercise tab for the exercise itself. Switch to Instructor Guide (this tab) when you need facilitation notes — students don't see your screen when you're in the instructor tab unless you switch back.

Timer

The 10-minute timer in the top-right header is visible in both views. Start it when groups begin deliberating. The timer turns yellow at 3 minutes and red at 1 minute. "TIME" appears in red when it expires — no alarm, intentionally. You control pacing.

Reveal & Discussion flow

The "Reveal Consequences" button is locked until a group has clicked an option. If you're running this as a full-class exercise rather than individual groups, click any option on behalf of the class before revealing. The consequence for the chosen option appears highlighted in blue — all four options are shown so students can compare paths.

Reset

The "↺ Reset exercise" link at the bottom of the student view clears all selections and scrolls to the top. Use this between class sections.

Facilitation Tips — What to Expect & How to Push Back

There is no objectively correct answer. Your job is to make every option feel harder than it looks.

Option A — Merge & Market

Who chooses this: Students with a strong business-first orientation, or students who are anchored to the $50M paid and the $8M revenue projection. This is usually the most popular first instinct.

The strongest argument for it: The ToS permitted this. They consented — even if they didn't read it. Every company does this after acquisitions. Customers can unsubscribe.

Your pushback: "If a reporter asks 'did these 2 million people consent to receive marketing from NovaSpark?' — what do you say? Not legally — what do you say to a journalist?"
Option B — Opt-In Email

Who chooses this: Students who are ethically oriented and risk-averse. This option feels "correct" and safe, so it's popular with students who want to do the right thing without giving up everything.

The strongest argument for it: Consent is consent. You get genuine opt-ins who actually want to hear from you. The 17% who stay are more valuable than the 100% you'd be forcing.

Your pushback: "Marcus is looking at you. You just chose to give back 83% of the leads you paid $50M to acquire. What do you say to him — and to the board — right now?"
Option C — Delete Everything

Who chooses this: Students who want the clearest ethical position. Often chosen by students who are most bothered by the consent problem. Less common — most students feel the financial pressure makes this untenable.

The strongest argument for it: Total legal safety, strong PR story, long-term trust signal to your own customers. Apple and Patagonia have built enormous brand value on exactly this kind of decision.

Your pushback: "You told the board the data was a key asset when you argued for the $50M price. Now you're deleting it. Three investors are calling. What do you tell them — and will they trust your judgment next time?"
Option D — Internal Analytics Only

Who chooses this: Students looking for a middle path who feel they've found it. This option seems clever — you get value without the marketing risk. These groups are often most surprised by the consequence reveal.

The strongest argument for it: You're not contacting anyone, not selling data, not misusing it. You're just learning from it. Businesses use aggregate data all the time.

Your pushback: "Six months from now there's a breach. A DataFlow customer gets a notification saying their data was exposed — by a company they've never heard of. How do you explain why you had their data without ever telling them?"

Discussion Question Facilitation Notes

Q1 — Financial pressure

Most students will say "no, financial pressure shouldn't influence ethics." Push on this: "So if this decision cost the company $30M instead of $8M — your answer is the same?" The goal is to surface the tension, not get a clean answer.

Q2 — Technically legal vs. ethically acceptable

This is the core concept for the exercise. Good anchors: the ToS was written by lawyers, not by the marketing team that decided to use it. "Consent" obtained through a buried clause isn't really consent in any meaningful sense.

Q3 — The front page test (Option A groups)

This question often causes Option A groups to quietly revise their thinking. The "front page test" — would you be comfortable if this decision appeared on the front page of a newspaper — is a classic business ethics framework worth naming explicitly.

Q4 — Justifying Option C to investors

Push students to think about trust as a measurable asset. Apple's privacy positioning is worth $X in market cap. Patagonia's mission-driven stance drives significant customer loyalty. Trust isn't just soft — it compounds.

Q5 — Why Option D is dangerous

The key insight: retaining data creates liability even if you never use it for marketing. A breach exposes people who had no idea you had their data — making the PR damage worse, not better, than if you'd contacted them directly.

Q6 — The flip (save for last)

This is your strongest closer. Ask for a show of hands: "As a DataFlow customer — raise your hand if you'd want them to choose Option A." Then "Option C." The shift is usually dramatic and leads naturally into a discussion about the gap between how we act as businesses and what we expect as consumers.

Connections to Course Concepts

  • Data as an asset: This exercise illustrates that data has real financial value — and real liability. It's not neutral.
  • Stakeholder theory: The cast of characters represents classic stakeholder tensions — shareholders vs. customers vs. employees vs. regulators.
  • Information asymmetry: The customers don't know what's happening. The company has all the information and all the power. This is a defining feature of most privacy problems.
  • Regulatory environment: CCPA, GDPR, and FTC enforcement are real and growing. Any MIS or business student entering the workforce will encounter these frameworks professionally.
  • Ethics frameworks: Option A maps to utilitarian reasoning (greatest revenue for the company). Option B to procedural fairness. Option C to deontological ethics (it's wrong regardless of outcome). Option D is a gray-area consequentialist argument that backfires.