Merger & Acquisition Data Issues: What Data Does the Target Have and What About Consents and Notices?
The California Consumer Protection Act (“CCPA”) becomes effective January 1, 2020. See Cal. Civ. Code, § 1798.100 et seq. The CCPA imposes on businesses that collect personal data a long list of obligations with respect to obtaining consents, providing notices, and ensuring cybersecurity. Failure to comply with the requirements of the CCPA will potentially lead to massive class action lawsuits by consumers and possibly action by the California Attorney General. As such, among many other impacts for San Diego businesses, the CCPA creates an enormous potential area of risk for those involved in mergers and acquisitions. The purchase/sale agreements used when buying or selling a business must now include provisions requiring significant due diligence, representations, and potentially significant holdbacks with respect to data protection and privacy. In particular, the target business must fully disclose and allow full investigation of the following:
- What data has been collected
- What data is currently stored
- The existence of and type of consents obtained from consumers
- The legal validity of any consents under the CCPA
- The existence and type of notices provided and the legal validity of such
- What data has been destroyed/deleted
- If data was destroyed/deleted, in what manner
Under the new CCPA regime, failure to have this information is a failure to understand and guard against legal, financial, and reputational risks. You will need to retain an experienced San Diego corporate attorney to help.
Why is This Important?
Data “hides” in plain sight and nearly every business is collecting consumers’ personal data as part of payment and shipping. This is the key point: Even if a business is not purposely “collecting consumer data,” in fact, every business is collecting such data. Furthermore, simple manipulation of the data often creates personally identifiable data. As a simple example, if your company takes orders online, your business now has payment information. Since shipping is required, your business also has, likely, a home address. Even if the financial information is in a separate database, a simple cross reference provides the personal information to go with the financial information. Does your website require age verification? If yes, there is another category of information that is potentially personally identifiable.
Even for businesses that do not conduct online sales, there are other seemingly innocuous ways that consumer data is collected. For example, does the target business have a process for scanning or otherwise automating orders? Maybe the original is on paper, but the purchase order is scanned into a PDF. If that PDF has consumer information, that is “data” that is potentially covered by the CCPA. Photos are another place where data “hides.” Photos are the most ubiquitous data that is collected and stored. Photos are considered “biometric data,” particularly with the advent of facial recognition software. Does the target business use any sort of photo identification or other biometric data? Remember that the CCPA will protect any and all sorts of biometric data. Moreover, photos and video are routinely taken and collected without any sort of consent. Where are these photos/videos stored and how securely are they stored? All of these carry potential legal and financial liability under the CCPA. Any acquiring business must be careful with these risks.
What is the “Plan” for Noncompliance?
Aside from fully vetting the data collection, storage, consent, and security issues, there must be a plan if substantial and material noncompliance is uncovered. Is there a way to “fix” the data to reduce legal risks? Is a purchase price adjustment sufficient? At minimum, data security and consumer privacy clearance must now be a condition precedent to consummating the merger or acquisition. As can be seen, going forward, data, consumer consent, and cybersecurity are complex and important issues that must be front and center with any proposed purchase or sale of a business.
Contact San Diego Corporate Law Today
If you would like more information, contact attorney Michael Leonard, Esq., of San Diego Corporate Law. Mr. Leonard can be reached at (858) 483-9200 or via email. Mr. Leonard’s law practice is focused on business, transactional, and corporate matters and he proudly provides legal services to business owners in San Diego and the surrounding communities.