DealLawyers.com Blog

November 27, 2023

Due Diligence: Data Privacy & Cybersecurity Issues

This Gibson Dunn memo reviews some of the privacy and cybersecurity issues that buyers should keep in mind when conducting M&A due diligence. This excerpt discusses the potential applicability of the ever-growing number of state privacy laws:

Applicability of the California Consumer Privacy Act, as amended by the California Privacy Rights Act (the “CCPA”), is a critical part of the due diligence process, as the CCPA is enforced by active regulators (both the California Attorney General and the new California Consumer Privacy Agency), and provides a private right of action in the event of certain security incidents. Statutory damages can reach up to $750 per consumer per incident, and CCPA regulatory penalties can be as high as $7,500 per intentional violation (or $2,500 per unintentional violation).

Outside of California, state privacy laws are developing in other jurisdictions as well—13 states have passed laws, with laws in Virginia, Colorado, Utah, and Connecticut taking effect just this year. Closely assessing the applicability of, and compliance with, these various state privacy laws is essential to identifying the legal risks involved for businesses operating in and catering to customers in the U.S. As a first step, acquirors should review the state-specific threshold requirements for applicability, which may include the target company’s gross annual revenue and/or the number of state residents whose information is processed.

For example, the CCPA’s applicability is particularly broad—any business that has over $25M in revenue a year, and processes personal information of a California resident, will be subject to the law. Notably, any business that says it does not collect personal information—a refrain not uncommon in this area—is likely wrong, if it does business in California or outside the U.S. Indeed, unique amongst the state laws, but more similar to the GDPR, the CCPA applies to information collected from B2B partners, employees, and others not traditionally seen as “consumers,” making these laws relevant to nearly every transaction.

Other topics addressed in the memo include the potential applicability of E.U./UK GDPR and other international laws, sector-specific privacy and cybersecurity laws, outdated or missing privacy notices, the target’s practices regarding storage of sensitive personal information, and its cybersecurity protocols, policies and procedures, and insurance arrangements.

John Jenkins