When local businesses are bought and sold, sellers and buyers often do not consider data compliance to be a major concern. At most the business has a small website and the business model isn’t focused around data collection. But actions like collecting names and emails, linking with Google analytics, or IP addresses may trigger California Consumer Privacy Act (“CCPA“) compliance.
Buyers and sellers tend to be caught up in wondering how long does it take to sell a business, and can sometimes forget to think about CCPA compliance when performing due diligence on the company, which is not ideal. Due diligence questions can be as simple as clarifying if the company meets CCPA thresholds? The basic threshold for CCPA is that the company:
- Is a for-profit legal entity (e.g. sole proprietorship, partnership, LLC, corporation);
- Collects or receives California residents’ personal information (e.g. either directly from the individual or through other means like cookies);
- Does business in California; and
one or more of the following:
- Have annual gross revenues in excess of $25 million;
- Annually buy, receive, sell, or share the personal information of 50,000 or more California residents; or
- Derive 50% or more of your income from selling California resident’s personal information.
While most business will not fit into the additional criteria and the buyer and seller can easily move on with a simple representation and warranty that the company does not meet the CCPA threshold. If the company does meet CCPA requirements, the buyer and seller will need to perform more due diligence into what data is collected, what are the company’s policies, and has the company complied up until the sale of the business.
If the company falls under CCPA, both buyers and sellers are encouraged to discuss with their attorney about the company’s data collection and processing. Buyers will want more disclosures around the type of personal information collected and the company’s policies. Sellers will want to work to disclose as much as possible so that the buyer can assume the risks.
To better educate both the buyers and sellers, I would suggest reading “Impact of the California Consumer Privacy Act on M&A” by the Harvard Law School Forum on Corporate Governance.
If you have questions about this article or have any other questions about an upcoming purchase or sale of a business, feel free to reach out: email@example.com
The above article is for general information purposes only and should not be relied upon as specific legal advice. This article, or using the firstname.lastname@example.org form, does not in any way form an attorney-client relationship. If you have any questions or would like to learn more, please contact Tara M. Vitale at email@example.com