Mergers and acquisitions (M&A) can be transformative, but hidden compliance risks, especially regarding privacy and data protection, often lurk beneath the surface. In California, strict laws like the California Consumer Privacy Act (CCPA) and the California Invasion of Privacy Act (CIPA) are being aggressively enforced through litigation. Plaintiffs’ firms are increasingly targeting companies whose websites use certain technologies (e.g., chatbots, session replay, cookies) that may run afoul of CIPA and CCPA, potentially resulting in significant liability for acquirers post-close.

Whether you are buying or selling a company, it’s crucial to address these privacy issues early in your M&A process.

For Buyers: Ask the Right Questions—Don’t Buy Liability

Due diligence is the buyer’s opportunity to identify and mitigate risks before finalizing a deal. To avoid inheriting a ticking privacy time bomb, buyers should:

  • Incorporate Specific Privacy Diligence Questions
    • Is the target’s website CIPA and CCPA compliant?
    • Are visitors notified about the collection and sharing of personal information (including IP addresses, chat transcripts, session replays, cookies, etc.)?
    • Has the target ever received any demand letters, lawsuits, or regulatory notices relating to CCPA or CIPA compliance?
    • What third-party technologies (e.g., session replay, analytics, advertising plugins) are used on the website? Are vendor agreements in place, and do they address privacy?
  • Review Web and App Technology
    • Inventory all tracking, chat, and recording technologies on the website.
    • Ensure required consents/disclosures are in place (pop-ups, banners, disclosures in privacy policy).
  • Assess the Cost of Remediation
    • If gaps are found, estimate the financial, operational, and reputational impact of bringing the website into compliance.
    • Negotiate indemnity, escrow, or purchase price adjustments as appropriate.

For Sellers: Shore Up Compliance Before Negotiations

Unless you address privacy gaps first, buyers will discover them, which can delay the deal, reduce the sale price, or create hard questions post-close. Sellers should:

  • Audit the Website Now
    • Identify all data collection, tracking, chat, or recording technologies.
    • Engage privacy counsel or consultants to flag CCPA/CIPA compliance issues.
  • Update Documentation and Policies
    • Ensure your privacy policy, cookie disclosures, and consent mechanisms are current and legally sufficient for California and other relevant jurisdictions.
  • Remediate High-Risk Practices
    • Disable or properly disclose any session replay or “trap-and-trace” technologies.
    • Review agreements with vendors that process web visitor data.
  • Document Your Compliance Efforts
    • Maintain records of your investigation and remediation steps.
    • Be transparent with buyers; proactive efforts can build trust and defend your valuation.

Website privacy litigation isn’t going away, and regulatory scrutiny will only increase. For buyers, robust due diligence can prevent expensive surprises shortly after closing. For sellers, fixing compliance weaknesses before sale preserves deal value and speeds up negotiations. In every M&A transaction involving a consumer-facing website or app, CIPA and CCPA compliance must be an explicit part of diligence. Ask the right questions, address vulnerabilities, and avoid inheriting (or passing along) privacy liabilities that could haunt both parties for years to come.