Data privacy and cybersecurity risks are critical components of M&A transactions because of the potential exposure to legal liability for non-compliance, and because lax or failed data privacy compliance and cybersecurity safeguards can cause financial and reputational harm and materially impair an entity’s ability to conduct its operations.

Therefore, the due diligence process of any M&A deal must include an assessment of the applicability of the California Consumer Privacy Act, as amended by the California Privacy Rights Act (collectively, CCPA). The CCPA is a consumer privacy law that applies to for-profit entities which collect personal information from California residents. The CCPA is enforced by very active regulators (the California Attorney General and the California Consumer Privacy Agency), and it provides state residents with a private right of action in the event of certain security incidents that expose their personal information.

Beyond California, 13 other states have passed consumer privacy rights laws (the laws in Virginia, Colorado, Utah, and Connecticut took effect just this year), and many other states have such consumer privacy rights laws pending. Assessing the applicability of, and compliance with, these state privacy laws is critical to identifying the legal risks involved for businesses operating and providing products or services to customers in the U.S. As such, in an M&A transaction, the acquirer should first review the state-specific threshold requirements for applicability, which may include the target company’s gross annual revenue and the number of state residents’ information processed by the target company. The CCPA, for example, reaches any business that has over $25 million in gross revenue in a year, and that processes personal information of a California resident (note that processing has a very specific—and broad—definition under the CCPA). And, unlike other privacy statutes in the past that only apply to individual consumers, the CCPA applies to information collected from B2B partners and employees.

Confirming compliance (or non-compliance for that matter) with the CCPA and other similar state consumer privacy laws is essential to the deal. One way in which the acquirer can begin due diligence in this space is to review the entity’s online privacy policy to see if it outlines consumers’ rights related to their personal information under these state laws (note that there are very specific requirements). Of course, this is only one piece of privacy due diligence during a deal. There are sector-specific privacy and security laws, international privacy laws, and other applicable state privacy and security laws. Remember to do your homework.


Kathryn Rattigan is a member of the Business Litigation Group and the Data Privacy+ Cybersecurity Team. She concentrates her practice on privacy and security compliance under both state and federal regulations and advising clients on website and mobile app privacy and security compliance. Kathryn helps clients review, revise and implement necessary policies and procedures under the Health Insurance Portability and Accountability Act (HIPAA). She also provides clients with the information needed to effectively and efficiently handle potential and confirmed data breaches while providing insight into federal regulations and requirements for notification and an assessment under state breach notification laws. Prior to joining the firm, Kathryn was an associate at Nixon Peabody. She earned her J.D., cum laude, from Roger Williams University School of Law and her B.A., magna cum laude, from Stonehill College. She is admitted to practice law in Massachusetts and Rhode Island.