How Does CCPA Affect Mergers & Acquisitions?
If your company is preparing for a liquidity event or doing the due diligence associated with acquiring a business, there are privacy implications you should be considering. One consideration is the cost of bringing the newly purchased business into compliance. It’s important to factor these costs into the valuation and integration plans of the acquisition. CCPA (California Consumer Privacy Act) is one of the laws you should be thinking about.
When Selling the Company, Did You “Sell” Consumer Data?
When you sell the company, are you “selling” the data? CCPA defines sale as “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.” The transfer of information as an asset “that is part of a merger, acquisition…” falls under that definition, and CCPA compliance would apply.
Have You Done a Data Inventory?
One of the key components of compliance under CCPA, GDPR and other privacy laws is to know what information you collect, how it’s collected, where it’s stored, who has access to it and whether it is being “sold”. Data mapping is an essential part of a mature privacy program. If you can’t document all of this, you can’t comply with the CCPA or many other data privacy laws. From an M&A perspective, the acquiring company should audit the data-mapping practices of the target company to ensure that all data is appropriately accounted for.
Get It in Writing.
The sale of personal data to a third party must be covered by written agreements that bind the recipient to your CCPA compliance obligations. For example, access, opt-out and deletion requests received from consumers must be passed on to all parties to whom that information was sold within 90 days. Also, be sure to review the target company’s agreements with its service providers and third-party vendors to ensure they require appropriate security protocols and comply with the CCPA.
Do You Know the Value of the Personal Information?
The value and monetization of personal information have a few implications. As stated above, businesses selling personal information need to provide clear notice about consumer rights to opt out of the sale of their data. When a new company owns the data, it would not be uncommon to see an increase in consumers exercising their right to stop the sale of their personal information, or to opt out of marketing campaigns. Therefore, companies should make sure to provide the right experience for customers who want to opt out.
More importantly, the acquiring company should consider the cost of bringing its newly purchased asset into compliance. For example, CCPA prohibits businesses from charging different fees or providing a lesser service if a consumer has opted out or requested that their information not be sold. If the acquiring business charges different rates or provides a reduced service, it must notify the consumer why or change its practices.
Are You Secure?
Do you have reasonable security procedures and practices in place to protect personal information? If you don’t, CCPA’s private right of action for data breaches could be an expensive endeavor. With statutory penalties of $100 to $750 per consumer, per incident, a single large data breach followed by class-action litigation could be incredibly expensive.
Acquiring companies in M&A deals need to fully understand the privacy and security risks of the businesses they are looking to acquire. The target company also needs to be able to accurately disclose this information. Due diligence should include:
- Privacy notices, including appropriate notice of data collection, the right to opt out, and a description of any financial incentives offered to consumers who permit their information to be used.
- The ability to fulfill consumer right-to-know requests about their personal information, as well as access, opt-out, and deletion requests.
- Accurate recordkeeping. CCPA requires businesses to keep records of consumer requests and responses for two years and include compliance metrics in their online privacy policies.
- Training programs for the appropriate categories of employees, vendors, contractors and partners.
- Insurance coverage. Cyber insurance is not required but it is important when assessing the value and impact of a cyber-attack.
Remember that the results of a thorough diligence exercise can have a significant impact on the valuation of a deal. Complying with CCPA or other privacy laws will have associated risks and costs.
- Understand the implications of selling data.
- Evaluate the costs to correct or support compliance, and risk mitigation.
- Review all third-party agreements for CCPA compliance.
- Identify warranties, representations and insurance to protect the business.