State Consumer Privacy Laws in M&A Deals: What to Know

Kathryn Rattigan
Robinson+Cole Data Privacy + Security Insider
Contact
LinkedIn
Facebook
X
Send
Embed

Data privacy and cybersecurity risks are critical components of M&A transactions due to the potential exposure for legal liability for non-compliance, as well as the financial and reputational harm and the material impact that lax or failed data privacy compliance and cybersecurity safeguards can have on an entity’s ability to conduct its operations.

Therefore, part of the due diligence process of any M&A deal must include an assessment of the applicability of the California Consumer Privacy Act, as amended by the California Privacy Rights Act (collectively, CCPA). The CCPA is a consumer privacy law that applies to for-profit entities which collect personal information from California residents. The CCPA is enforced by very active regulators (the California Attorney General and the California Consumer Privacy Agency), and  provides state residents a private right of action in the event of certain security incidents that expose their personal information.

Beyond California, 13 other states have passed consumer privacy rights laws (the laws in Virginia, Colorado, Utah, and Connecticut took effect just this year), and many other states have such consumer privacy rights laws pending. Assessing the applicability of, and compliance with, these state privacy laws is critical to identifying the legal risks involved for businesses operating and providing products or services to customers in the U.S. As such, in an M&A transaction, the acquirer should first review the state-specific threshold requirements for applicability, which may include the target company’s gross annual revenue and the number of state residents’ information processed by the target company. The CCPA, for example, reaches any business that has over $25 million in gross revenue in a year, and that processes personal information of a California resident (note that processing has a very specific—and broad—definition under the CCPA). And, unlike other privacy statutes in the past that only apply to individual consumers, the CCPA applies to information collected from B2B partners and employees.

Confirming compliance (or non-compliance for that matter) with the CCPA and other similar state consumer privacy laws is essential to the deal. One way in which the acquirer can begin due diligence in this space is to review the entity’s online privacy policy to see if it outlines consumers’ rights related to their personal information under these state laws (note that there are very specific requirements). Of course, this is only one piece of privacy due diligence during a deal. There are sector-specific privacy and security laws, international privacy laws, and other applicable state privacy and security laws. Remember to do your homework.

[View source.]

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Robinson+Cole Data Privacy + Security Insider | Attorney Advertising

Written by:

Robinson+Cole Data Privacy + Security Insider
Robinson+Cole Data Privacy + Security Insider
Contact
more
less

Robinson+Cole Data Privacy + Security Insider on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign Up Log in
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide