Course Details

This CLE course will examine issues to consider when an M&A target company is subject to the California Consumer Privacy Act (CCPA) or the EU's General Data Privacy Regulation (GDPR), and best practices in conducting due diligence of such companies. The panel will discuss the complexities in determining if a company is subject to CCPA or GDPR, consequences if it has failed to comply with these new regulatory regimes, and how reps and warranties and insurance can be used to protect the buyer and seller.

Description

Due diligence in M&A has long included an assessment of the cybersecurity and privacy protocols of the target company. But the new CCPA and GDPR have raised the stakes for compliance, particularly for target companies that process or collect personal information or trade consumer data. Not only can vulnerabilities in a security network be transferred to the acquiring company but so can regulatory and noncompliance issues.

Prior to engaging in an M&A transaction, the parties must consider strategic questions such as whether the company will be expanding into new industries and/or new geographic regions; whether any new products or technologies are part of the business goals; whether the company is going to change how it uses information; and how the risk profile of the company may change.

Counsel should gain a comprehensive understanding of the data privacy and security profiles of each party. Factors which must be evaluated include a "data map" outlining where and how each company stores data, the location of customers or other parties providing personal information, and policies regarding how each company collects, uses and destroys personal information. A similar analysis may also be necessary for third-party contractors.

The acquisition agreement should include detailed representations and warranties relating to data security and privacy, and delineate remedies in the event of a breach. The parties may also require insurance against losses associated with a data breach or a violation of data privacy laws.

Listen as our authoritative panel discusses the impact of CCPA and GDPR on mergers and acquisitions. The panel will examine the scope of CCPA and GDPR, what due diligence questions must be answered upfront, and how reps and warranties and insurance can help resolve any uncertainties concerning data breaches and compliance.

Outline

  1. Overview of GDPR and CCPA - different types of M&A deals affected
  2. Early stage activities (sell-side perspective)
    1. Preparation of a business for sale
    2. Deal structuring
  3. Due diligence phase (buy-side perspective)
    1. Who should conduct diligence and who should respond
    2. Identifying key risks - specific CCPA and GDPR points to consider
  4. Doing the Deal
    1. Reps, warranties, indemnities; other data privacy provisions
    2. Ancillary documents (e.g. privacy notices)
  5. Post-deal considerations
    1. Managing use of data/databases post-deal / on-going controls
    2. Transitional services and post-deal integration activities

Benefits

The panel will review these and other critical issues:

  • How should a buyer or merger partner determine if a target company is (or the merged entity will be) subject to GDPR or CCPA?
  • What steps should be followed in conducting due diligence on a target's data privacy and security profile?
  • What representations and warranties should be included in the acquisition agreement to address data privacy and security?
  • Can insurance adequately cover a violation of GDPR, CCPA and similar laws to come?