While the Attorney General will not start enforcing the California Consumer Privacy Act (CCPA) until July 1, 2020, covered businesses are required to comply as of January 1. The penalties for not complying with the CCPA can be steep. If you are a CCPA-covered business and are contemplating a sale, or you are contemplating acquiring a CCPA-covered business, you should be asking yourself the following as part of the deal:

Does the subject company currently comply?

Due diligence in M&A deals involving CCPA-covered entities should include reviewing whether the covered entity currently complies. This should include reviewing:

• Privacy notices: Covered businesses are required to provide certain notices to consumers of the businesses’ data-collection practices and consumers’ CCPA rights.

• Processes to collect and implement consumer requests: Covered businesses must have processes to receive, and comply with, various consumer requests (including data access, deletion and opt-out requests).

• Recordkeeping practices: Covered businesses must keep consumer request records.

• Training policies and materials: Covered businesses must train employees who have CCPA-related responsibilities.

• Cyberinsurance policies: While not a specific obligation under the CCPA, a review of the target company’s cyberinsurance policies will be critical to assessing the value of any cyber risks.

How does the subject company track the information it collects?

A covered business cannot comply with the CCPA if it does not understand what consumer information it collects, how it collects the information, how the information moves inside and outside of the business and whether or not the data is sold. The buyer in a M&A transaction should review the target’s data-mapping practices.

What written contracts does the subject company have that implicate CCPA obligations?

Any covered business that sells or shares consumer information (either to a buyer or third-party service provider) will have written agreements that impose obligations on these entities under the CCPA. Requiring these entities’ compliance by a contractual provision helps ensure that occurs. Agreements with service providers must also limit the service providers’ use of the transferred data in order to avoid the sharing of that data being deemed a “sale.” All of these types of agreements should be reviewed.

What is the value of consumer information that is collected and/or sold?

Businesses that derive material revenue from selling consumer information must be prepared to account for possible large-scale opt-out requests — and value that accordingly.

A covered business that derives revenue from consumer data must also be prepared to disclose the data’s value. The CCPA prohibits businesses from charging different fees or rates based on whether a consumer has exercised her or his opt-out (or other) rights unless those fees are directly related to the value of the consumer’s data. If a business intends to charge different rates based on the value of the data to its business, it must explain to the consumer how that value is derived.

Financial projections in M&A valuations should also include the costs of CCPA compliance (or compliance failure) on the expense side.

How do target companies approach data security?

The CCPA’s private right of action for breaches of certain covered data can result in significant liability. In order to recover damages, a private plaintiff suing under the CCPA must show the breach resulted from the defendant’s failure to use “reasonable security procedures and practices.” A baseline for showing “reasonable security” starts with a comprehensive data-security policy. The acquiring company should review both how the target company protects its consumer data and how clearly those procedures are documented.

Does the transaction itself implicate a “sale” of consumer information?

Both the acquiring and target businesses will need to consider whether the overall deal implicates a “sale” of consumer information as that term is defined in the CCPA. A “sale” is defined as “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.” That definition contains a carve-out for the transfer of information as an asset “that is part of a merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the business….” While this exception is likely to apply to most M&A transactions, the transaction documents should specifically reference the information transferred under this provision to minimize the risk that consumers’ opt-out rights will apply.

Jennifer Post and Luke Sosnicki are partners with Thompson Coburn LLP.

Return to Index

For reprint and licensing requests for this article, CLICK HERE.