State Consumer Privacy Laws in M&A Deals: What to Know
Thursday, November 16, 2023
M and A Transactions, Consumer Data Privacy Concerns
Print Mail Download i

Data privacy and cybersecurity risks are critical components of M&A transactions due to the potential exposure for legal liability for non-compliance, as well as the financial and reputational harm and the material impact that lax or failed data privacy compliance and cybersecurity safeguards can have on an entity’s ability to conduct its operations.

Therefore, part of the due diligence process of any M&A deal must include an assessment of the applicability of the California Consumer Privacy Act, as amended by the California Privacy Rights Act (collectively, CCPA). The CCPA is a consumer privacy law that applies to for-profit entities which collect personal information from California residents. The CCPA is enforced by very active regulators (the California Attorney General and the California Consumer Privacy Agency), and  provides state residents a private right of action in the event of certain security incidents that expose their personal information.

Beyond California, 13 other states have passed consumer privacy rights laws (the laws in Virginia, Colorado, Utah, and Connecticut took effect just this year), and many other states have such consumer privacy rights laws pending. Assessing the applicability of, and compliance with, these state privacy laws is critical to identifying the legal risks involved for businesses operating and providing products or services to customers in the U.S. As such, in an M&A transaction, the acquirer should first review the state-specific threshold requirements for applicability, which may include the target company’s gross annual revenue and the number of state residents’ information processed by the target company. The CCPA, for example, reaches any business that has over $25 million in gross revenue in a year, and that processes personal information of a California resident (note that processing has a very specific—and broad—definition under the CCPA). And, unlike other privacy statutes in the past that only apply to individual consumers, the CCPA applies to information collected from B2B partners and employees.

Confirming compliance (or non-compliance for that matter) with the CCPA and other similar state consumer privacy laws is essential to the deal. One way in which the acquirer can begin due diligence in this space is to review the entity’s online privacy policy to see if it outlines consumers’ rights related to their personal information under these state laws (note that there are very specific requirements). Of course, this is only one piece of privacy due diligence during a deal. There are sector-specific privacy and security laws, international privacy laws, and other applicable state privacy and security laws. Remember to do your homework.

Copyright © 2024 Robinson & Cole LLP. All rights reserved.

Current Legal Analysis

More from Robinson & Cole LLP

Eleventh Circuit Provides New Guidance on Class Action Settlements
by: Wystan M. Ackerman
PFOA and PFOS Are CERCLA Hazardous Substances – Now What?
by: Megan Baroni
Generative AI Poses Unique Risks to Data Security, NIST Warns
by: Sean C. Griffin
Vermont Data Privacy Act, Most Robust Consumer Protections Since CCPA
by: Kathryn M. Rattigan
X Corp Loses Battle Over Public Data Access
by: Blair V. Robinson
CISA Issues Advisory on Black Basta Ransomware
by: Linn F. Freedman
Privacy Tip #398 – Cybersecurity Agencies Issue Guidance for Civil Society on Mitigating Cyber Threats
by: Linn F. Freedman
Health Care Entities Continue to Get Pummeled by Cybersecurity Attacks
by: Linn F. Freedman
Massachusetts Court to Determine the Legality of Snapchat Surveillance
by: Kathryn M. Rattigan
Crumbl Sued for Disclosing Data to Stripe Without Consent
by: Linn F. Freedman

Upcoming Legal Education Events

 

NLR Logo

We collaborate with the world's leading lawyers to deliver news tailored for you. Sign Up to receive our free e-Newsbulletins

 

Sign Up for e-NewsBulletins