Phase 04: Acquire

By SearchFundMarket Editorial Team

Published April 22, 2025 · Updated April 23, 2026

Data Privacy (GDPR/CCPA) Considerations in Acquisitions

Data privacy regulations create specific obligations and risks in business acquisitions. Whether you're acquiring a business in the EU (GDPR), California (CCPA/CPRA), or other regulated jurisdictions, understanding how customer data, employee data, and consent obligations transfer is essential for avoiding costly regulatory penalties and reputational damage. Since the GDPR took effect in May 2018, EU data protection authorities have issued more than €4.5 billion in cumulative fines, underscoring the material financial exposure that acquirers face when privacy compliance is overlooked.

GDPR in Acquisitions

The EU General Data Protection Regulation affects acquisitions in several ways:

  • Due diligence data sharing: The seller must have a lawful basis (legitimate interest) to share personal data during due diligence. Data rooms should use anonymized or pseudonymized data where possible.
  • Data processing agreements: If the buyer accesses personal data pre-closing, a data processing agreement (DPA) may be required.
  • Legal basis for continued processing: Post-acquisition, the buyer must ensure it has a valid legal basis to continue processing the acquired personal data.
  • Consent: If the business relies on consent for marketing, verify that consents cover the post-acquisition use and the new legal entity.
  • Privacy notices: Update privacy notices to reflect the new data controller (buyer entity) post-closing.
  • Data Protection Officer: Determine whether a DPO appointment is required for the acquired business.

CCPA/CPRA in Acquisitions

The California Consumer Privacy Act (as amended by CPRA, effective January 2023) applies to businesses meeting specific thresholds: annual gross revenue over $25 million, data on 100,000+ consumers, or 50%+ of revenue from selling personal information. The California Privacy Protection Agency (CPPA) now enforces these rules with increasing scrutiny of M&A transactions.

  • Business purpose exception: CCPA allows sharing personal information for due diligence as part of a merger or acquisition transaction.
  • Opt-out rights: Post-acquisition, consumers retain the right to opt out of the sale of their personal information.
  • Purpose limitation: The buyer must use acquired personal data only for purposes compatible with the context in which it was collected.
  • Updated disclosures: Privacy policies must be updated within 90 days post-acquisition.

Data Privacy Due Diligence Checklist

  1. Inventory all personal data collected, processed, and stored by the target
  2. Review privacy policies, consent mechanisms, and data processing agreements
  3. Assess compliance history: any data breaches, regulatory investigations, or complaints
  4. Evaluate data security measures: encryption, access controls, incident response plans
  5. Check cross-border data transfers: Standard Contractual Clauses, adequacy decisions, Binding Corporate Rules
  6. Review vendor contracts for data processing terms and subprocessor obligations
  7. Assess consent quality: was consent freely given, specific, informed, and unambiguous?
  8. Check for Data Protection Impact Assessments (DPIAs) on high-risk processing activities

Stock vs. Asset Purchase: Data Privacy Impact

The deal structure you choose, whether a stock purchase or an asset purchase, has significant implications for how personal data transfers and what obligations you inherit:

  • Stock purchase: The legal entity remains the same data controller. Existing consents and processing bases generally continue. Update privacy notices to reflect ownership change.
  • Asset purchase: Personal data must be actively transferred to the buyer's entity. This constitutes a new disclosure/sharing of personal data, requiring a lawful basis. Existing consents may not cover the new entity.
  • Employee data: Under GDPR/TUPE, employee data transfers automatically with the undertaking in asset deals. In non-EU asset deals, new consent or notice may be required.

Penalties & Risk Exposure

  • GDPR fines: Up to €20 million or 4% of annual global turnover (whichever is higher)
  • CCPA fines: Up to $7,500 per intentional violation; $2,500 per unintentional violation
  • Class action risk: Under CCPA, consumers can seek $100-$750 per consumer per incident for data breaches
  • Successor liability: The European Data Protection Board has confirmed that the acquiring entity inherits the target's compliance history, including liability for past violations discovered after closing
  • Reputational damage: Data privacy failures post-acquisition can erode customer trust and brand value

Key Takeaways

  • Use anonymized or pseudonymized data during due diligence to minimize GDPR risk
  • Verify that existing consents and privacy notices cover post-acquisition data processing
  • Asset deals create more data privacy complexity than stock deals due to the need to transfer data between entities
  • Budget for privacy compliance updates (notice changes, DPAs, potential re-consent campaigns) in your post-acquisition plan
  • GDPR fines of up to 4% of turnover make privacy due diligence a material financial risk

Frequently Asked Questions

Does the buyer inherit GDPR liability from the seller?

In a stock deal, yes, the acquired company retains its full compliance history, including any past violations. The EDPB has confirmed that supervisory authorities can investigate and fine for pre-acquisition breaches discovered after the deal closes. In an asset deal, liability generally stays with the seller's entity, but the buyer must still ensure that transferred data has a lawful processing basis.

Can customer data be shared during due diligence?

Under GDPR, the seller may share personal data during due diligence under a “legitimate interest” basis, but only the minimum data necessary. Best practice is to use anonymized or aggregated data wherever possible and to limit access to a small team under strict confidentiality agreements. Under CCPA, there is an explicit “business purpose” exception that permits data sharing as part of an M&A transaction.
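The data-minimization approach described in the GDPR due-diligence bullet above and in this answer (share pseudonymized or aggregated data, never the raw customer table) is shown below as an added Python example; it is not code from the article or from SearchFundMarket. The customer records, field names and the fixed key are constructed for the demonstration. Direct identifiers are dropped, the customer ID is replaced by a keyed HMAC pseudonym whose key stays with the seller, quasi-identifiers (birth date, postcode) are coarsened, and a pre-upload check confirms nothing identifying slipped through.

```python
import hashlib
import hmac
from typing import Dict, List, Tuple

# Constructed sample export of a target's customer table (fictional data).
CUSTOMERS = [
    {"customer_id": "C-1001", "email": "anna.schmidt@example.com",
     "name": "Anna Schmidt", "birth_date": "1984-06-12", "postcode": "10115",
     "plan": "pro", "mrr_eur": 120},
    {"customer_id": "C-1002", "email": "j.dubois@example.org",
     "name": "Jean Dubois", "birth_date": "1991-02-03", "postcode": "75008",
     "plan": "basic", "mrr_eur": 30},
    {"customer_id": "C-1003", "email": "m.rossi@example.net",
     "name": "Maria Rossi", "birth_date": "1978-11-30", "postcode": "20121",
     "plan": "pro", "mrr_eur": 120},
]

# Fields the buyer's team does not need for valuation: dropped outright.
DIRECT_IDENTIFIERS = {"email", "name"}

# Seller-held key linking pseudonyms back to real customer IDs. In a real deal
# this is generated once (e.g. secrets.token_bytes(32)) and kept outside the
# data room; the fixed demo value below only makes the example repeatable.
DEMO_KEY = b"constructed-demo-key-not-for-real-use"


def pseudonymize_id(customer_id: str, key: bytes) -> str:
    """Keyed, deterministic pseudonym: the same ID yields the same token under
    one key, so the buyer can still count and join records, but the token
    cannot be reversed or re-derived without the seller's key. A plain hash of
    a short, predictable ID format would not give that property; HMAC does."""
    digest = hmac.new(key, customer_id.encode("utf-8"), hashlib.sha256)
    return digest.hexdigest()[:16]


def generalize(record: Dict) -> Dict:
    """Coarsen quasi-identifiers so their combination no longer singles out one
    person, while keeping the commercial fields the buyer is actually valuing."""
    birth_year = int(record["birth_date"][:4])
    return {
        "birth_decade": f"{birth_year // 10 * 10}s",   # 1984-06-12 -> "1980s"
        "postcode_prefix": record["postcode"][:2],     # 10115 -> "10"
        "plan": record["plan"],
        "mrr_eur": record["mrr_eur"],
    }


def prepare_data_room_copy(records: List[Dict], key: bytes) -> Tuple[List[Dict], Dict[str, str]]:
    """Return (rows safe for the data room, seller-only pseudonym lookup table).
    Only the first element is uploaded; the lookup table never leaves the seller."""
    safe_rows: List[Dict] = []
    lookup: Dict[str, str] = {}
    for rec in records:
        token = pseudonymize_id(rec["customer_id"], key)
        lookup[token] = rec["customer_id"]
        row = {"pseudonym": token}
        row.update(generalize(rec))
        safe_rows.append(row)
    return safe_rows, lookup


def contains_direct_identifiers(records: List[Dict]) -> bool:
    """Pre-upload check: flag any dropped field that is still present, or any
    e-mail-shaped value hiding in a field that was expected to be non-personal."""
    for rec in records:
        if DIRECT_IDENTIFIERS.intersection(rec):
            return True
        if any(isinstance(v, str) and "@" in v for v in rec.values()):
            return True
    return False


if __name__ == "__main__":
    rows, seller_lookup = prepare_data_room_copy(CUSTOMERS, DEMO_KEY)
    for row in rows:
        print(row)
    print("direct identifiers present:", contains_direct_identifiers(rows))
```

Post-closing, once the buyer's entity has a lawful basis to hold the full records, the seller applies the lookup table to re-link the pseudonymized rows; until then the data room only ever contains the output of `prepare_data_room_copy`, which is why the pre-upload check runs on that output rather than on the source table.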

What privacy steps should I take immediately after closing?

Within the first 90 days, update all privacy notices to reflect the new data controller, review and renegotiate vendor data processing agreements, appoint a Data Protection Officer if required, and conduct a gap analysis between your privacy standards and the acquired company's practices. Budget $20K-$50K for a professional privacy audit on mid-sized acquisitions.


Sources & References

  1. EDPB - Guidelines on Data Processing in M&A Transactions (2024)
  2. ICO - Data Protection and Mergers & Acquisitions (2024)
  3. CPPA - California Consumer Privacy Act Enforcement Guidelines (2025)

Disclaimer

This article is educational content about search funds and Entrepreneurship Through Acquisition (ETA). It does not constitute financial, legal, tax, or investment advice. Always consult qualified professional advisors before making investment or acquisition decisions.

SearchFundMarket Editorial Team

Our editorial team combines academic research from Stanford GSB, INSEAD, IESE, and HEC with practitioner insights to produce the most thorough ETA knowledge base in Europe.
