Data privacy and cybersecurity risks are critical components of M&A transactions due to the potential exposure for legal liability for non-compliance, as well as the financial and reputational harm and the material impact that lax or failed data privacy compliance and cybersecurity safeguards can have on an entity’s ability to conduct its operations.

Therefore, part of the due diligence process of any M&A deal must include an assessment of the applicability of the California Consumer Privacy Act, as amended by the California Privacy Rights Act (collectively, CCPA). The CCPA is a consumer privacy law that applies to for-profit entities which collect personal information from California residents. The CCPA is enforced by very active regulators (the California Attorney General and the California Consumer Privacy Agency), and provides state residents a private right of action in the event of certain security incidents that expose their personal information.

Beyond California, 13 other states have passed consumer privacy rights laws (the laws in Virginia, Colorado, Utah, and Connecticut took effect just this year), and many other states have such consumer privacy rights laws pending. Assessing the applicability of, and compliance with, these state privacy laws is critical to identifying the legal risks involved for businesses operating and providing products or services to customers in the U.S. As such, in an M&A transaction, the acquirer should first review the state-specific threshold requirements for applicability, which may include the target company’s gross annual revenue and the number of state residents whose information is processed by the target company. The CCPA, for example, reaches any business that has over $25 million in gross revenue in a year and that processes personal information of a California resident (note that "processing" has a very specific, and broad, definition under the CCPA). And, unlike earlier privacy statutes that applied only to individual consumers, the CCPA applies to information collected from B2B partners and employees.

Confirming compliance (or non-compliance for that matter) with the CCPA and other similar state consumer privacy laws is essential to the deal. One way in which the acquirer can begin due diligence in this space is to review the entity’s online privacy policy to see if it outlines consumers’ rights related to their personal information under these state laws (note that there are very specific requirements). Of course, this is only one piece of privacy due diligence during a deal. There are sector-specific privacy and security laws, international privacy laws, and other applicable state privacy and security laws. Remember to do your homework.