Key Takeaways
- Controller and processor misclassification is the foundational error in data privacy diligence. If a target has categorized itself as a processor when it functions as a controller, its privacy notice, consent records, and contractual flow-downs are structurally defective across every jurisdiction where it processes personal data.
- Missing or defective Standard Contractual Clauses for EU-to-US transfers cannot be cured retroactively for data already transferred. Buyers acquiring targets with EU data flows and no SCC documentation are inheriting historical violations in addition to prospective remediation obligations.
- BIPA class action exposure in Illinois does not require proof of actual harm. A target that collected employee fingerprints for timekeeping or used facial geometry for any purpose without the required written release has potential per-violation statutory damages that can aggregate to a material deal liability independent of any actual breach.
- Post-close privacy notice integration is not a routine IT task. Merging two companies' data processing activities without updating privacy notices and re-obtaining consent where required can constitute a violation of every privacy law applicable to both companies' customer populations.
Privacy diligence in M&A has expanded from a narrow HIPAA and GLBA review conducted by compliance specialists into a cross-disciplinary analysis that touches the target's technology architecture, vendor contracts, customer relationships, marketing technology stack, and employee data practices. The expansion reflects a regulatory environment where enforcement has become serious and international, where private rights of action for biometric data and certain state-law violations produce litigation exposure independent of regulatory action, and where cross-border data transfer rules have been destabilized by repeated invalidation of EU-US adequacy frameworks.
A buyer that closes an acquisition without conducting structured privacy diligence inherits every pre-closing violation of the target. Unlike environmental contamination, which at least has physical boundaries, privacy violations are often invisible in the data: a target that processed employee biometric data without written consent, transferred EU personal data without Standard Contractual Clauses, or failed to honor consumer deletion requests has liability that does not appear on the balance sheet and that standard representations and warranties insurance may exclude or undervalue. The only reliable way to assess that liability is to conduct the diligence.
This sub-article is part of the Cybersecurity and Data Breach Diligence in M&A: A Practical Playbook for Buyers and Sellers. It covers the full scope of privacy diligence in cross-jurisdictional acquisitions: controller and processor scoping; data mapping and processing inventories; GDPR lawful basis and consent records; EU-to-US transfer mechanisms including SCCs, the Data Privacy Framework, and Schrems II Data Transfer Impact Assessments; the CCPA/CPRA framework and the expanding state privacy patchwork; sector overlays including HIPAA, GLBA, COPPA, and BIPA; Data Processing Agreement inventory and vendor flow-downs; ad-tech and third-party cookie diligence; post-close privacy notice integration; breach notification timelines; and remediation planning as a deal term.
Acquisition Stars advises buyers and sellers on privacy diligence and post-close privacy integration in M&A transactions. Nothing in this article constitutes legal advice for any specific transaction or data processing program.
Why Data Privacy Now Rivals Cyber in Deal Risk
For most of the 2010s, privacy diligence in M&A was treated as subordinate to cybersecurity review. The assumption was that a clean penetration test and a satisfactory SOC 2 report resolved the material data-related risks. That assumption no longer holds. Regulatory enforcement has matured across every major jurisdiction: EU data protection authorities have issued fines in the hundreds of millions of euros for GDPR violations unrelated to data breaches, covering everything from unlawful consent mechanisms to defective data processing agreements. U.S. enforcement from the FTC, state attorneys general, and sector-specific regulators has accelerated, and private class action litigation for biometric data violations under Illinois BIPA has produced settlements that would be material in any mid-market transaction.
The structural risk has also shifted. A cybersecurity breach is a discrete event with a defined onset. Privacy violations are often systemic: a target that has processed personal data without a valid lawful basis under GDPR, or that has failed to implement opt-out mechanisms under CCPA, has an ongoing violation that accumulates prospective exposure until remediated. A buyer who closes the acquisition absorbs both the historical violation and the continuing exposure, because the post-close entity is the data controller and the regulatory target.
The patchwork of applicable law adds complexity that cybersecurity review does not face in the same way. A target with U.S. operations serving consumers in California, Colorado, Connecticut, Illinois, Texas, and Virginia, plus EU operations, is subject to at least seven distinct privacy regimes with different consumer rights, different opt-out mechanisms, different enforcement structures, and different timelines for breach notification. Buyers must map each regime to the target's data flows before they can assess aggregate exposure, and that mapping is not possible without a complete data processing inventory. The starting point for all privacy diligence is therefore the same: understand what data the target processes, where it goes, and under what legal authority.
Scoping Controller and Processor Relationships
The threshold question in any GDPR-applicable diligence is whether the target is a data controller, a data processor, or both, with respect to each category of personal data it handles. A controller determines the purposes and means of processing: it decides what data to collect, why, and how. A processor acts only on the controller's documented instructions. The distinction carries significant legal consequences: controllers bear the primary obligations under GDPR (lawful basis, privacy notice, data subject rights, Data Processing Agreement obligations, transfer mechanisms), while processors have a narrower set of obligations that arise primarily from their contract with the controller.
Misclassification is common. Technology companies that process customer data on behalf of enterprise clients often classify themselves as processors when they in fact determine the purposes of secondary analytics processing, making them joint controllers or independent controllers for that processing activity. B2B SaaS companies that retain and analyze usage data for product improvement, fraud detection, or benchmarking across their customer base are exercising control over that data for their own purposes, regardless of how their contracts characterize the relationship. Buyers should evaluate classification not by reading the target's contracts but by analyzing actual data flows: who decides what data is collected, for what purpose, and whether it is shared with third parties.
Joint controllership arrangements (where two entities jointly determine purposes and means) require a specific contractual arrangement under GDPR Article 26, including a transparent arrangement that specifies each party's obligations and a mechanism for data subjects to exercise their rights against either controller. Targets that operate data-sharing relationships with advertising partners, data brokers, or affiliate networks without a documented joint controllership arrangement are exposed to GDPR enforcement for the structure of that relationship, independent of whether the underlying processing has a valid lawful basis.
Under U.S. state laws, the equivalent analysis maps controller and processor concepts to different labels: CCPA/CPRA uses "business" (analogous to controller) and "service provider" or "contractor" (analogous to processor). A service provider relationship requires a written contract prohibiting the vendor from using personal information for purposes other than providing the contracted service. If a target's vendor contracts do not contain the required service provider language, those vendors may be classified as third parties who received a "sale" of personal information, triggering CCPA opt-out requirements retroactively for all data shared with those vendors.
Data Mapping and Processing Inventory
A data processing inventory (also called a Record of Processing Activities or RoPA under GDPR Article 30) is the foundational document for privacy diligence. It catalogs every category of personal data the target processes, the purposes of processing, the legal basis relied upon, the categories of data subjects (customers, employees, vendors, website visitors), the third parties with whom data is shared, the retention periods, and the technical and organizational security measures in place. GDPR requires controllers with more than 250 employees, or any controller whose processing is likely to result in a risk to individuals, to maintain this record in writing and make it available to supervisory authorities on request.
In diligence, the RoPA serves as a baseline map of all privacy obligations the buyer will inherit. A well-maintained RoPA substantially accelerates the diligence process by providing a structured starting point for evaluating lawful basis compliance, transfer mechanism coverage, and DPA inventory gaps. A target that cannot produce a RoPA, or that produces one that is materially incomplete (covering only GDPR-facing customer data while omitting employee data, third-party analytics, or B2B contact processing), signals that the underlying compliance program is underdeveloped and that diligence will require forensic reconstruction from system-level data rather than policy-level review.
Data mapping in U.S. privacy law follows a similar but less formally codified process. Buyers should request a data inventory covering: categories of personal data collected and the business purpose for each; the sources from which data is collected (directly from consumers, from third-party data brokers, from cookies and tracking technologies); the categories of third parties to whom data is disclosed and the contractual basis for each disclosure; whether data is sold or shared for cross-context behavioral advertising; and the retention and deletion schedule for each data category. This inventory becomes the foundation for assessing CCPA/CPRA opt-out gap coverage, state law applicability by jurisdiction, and the completeness of vendor Data Processing Agreements.
Automated discovery tools can assist in mapping data flows by analyzing network traffic, API calls, and data storage schemas, but they do not substitute for legal analysis. Data that appears in a system may be processed under a vendor contract that was never entered into the target's DPA inventory, and data that appears to be anonymized may retain re-identification risk if combined with other datasets the buyer will control post-close. The diligence process must combine technical discovery with legal analysis of the contractual and regulatory framework governing each identified data flow.
GDPR: Lawful Basis, Consent, and Data Subject Rights
GDPR requires that every processing activity have a documented lawful basis under Article 6. The six available bases are: consent of the data subject; performance of a contract with the data subject; compliance with a legal obligation; protection of vital interests; performance of a task carried out in the public interest; and legitimate interests of the controller or a third party, provided those interests are not overridden by the data subject's rights and freedoms. For special category data (health, biometric, racial or ethnic origin, genetic data, and other sensitive categories), processing requires both an Article 6 lawful basis and a separate Article 9 condition, which is typically explicit consent, employment law compliance, or another narrowly defined ground.
Consent under GDPR must be freely given, specific, informed, and unambiguous. Pre-ticked boxes, bundled consent covering multiple processing purposes in a single statement, and consent buried in terms of service do not meet the GDPR standard. Buyers should review the target's consent collection interface and consent records for the period covered by any applicable statute of limitations or the period the buyer expects the pre-existing consent to support post-close processing. Invalid consent is not merely a technical violation: it means that processing relying on that consent lacked a lawful basis from the outset, which is a more serious violation than a consent mechanism that was valid but imperfectly documented.
Legitimate interests as a lawful basis requires the controller to complete a three-part assessment: identify the legitimate interest, demonstrate the necessity of the processing for that interest, and balance the interest against the data subject's rights. Many targets in diligence cite legitimate interests as their lawful basis for marketing, analytics, and fraud prevention without having completed or documented a Legitimate Interests Assessment. Undocumented LIA reliance is an enforcement risk that regulators have consistently cited in investigations.
Data subject rights under GDPR include the right of access, rectification, erasure ("right to be forgotten"), restriction of processing, data portability, objection to processing based on legitimate interests or for direct marketing, and rights related to automated decision-making. Buyers should review the target's subject access request process and response times, the volume of SARs received and the average response time, the procedures for handling erasure requests (including whether erasure is propagated to sub-processors), and the mechanisms for handling portability requests. Backlogs of unanswered SARs or a pattern of responses exceeding the 30-day deadline are indicators of a compliance infrastructure that will require investment post-close.
EU-to-US Transfers: SCCs, DPF, and Schrems II
Personal data originating from the European Economic Area cannot be transferred to a country outside the EEA unless the destination country provides an adequate level of data protection (as determined by an EU Commission adequacy decision) or the transfer is covered by an approved transfer mechanism. The available mechanisms for EU-to-US transfers are: the EU-U.S. Data Privacy Framework (DPF), which requires the U.S. recipient to self-certify through the Department of Commerce; Standard Contractual Clauses (SCCs) approved by the European Commission; Binding Corporate Rules for intragroup transfers; or derogations for specific circumstances (explicit consent, contract performance, vital interests, and others) that are narrowly interpreted and not available for routine commercial data transfers.
The 2021 SCCs, which replaced the 2010 SCCs invalidated by the Schrems II ruling of the Court of Justice of the EU, provide four modules covering different controller-processor combinations. Importantly, the 2021 SCCs require the parties to conduct a Transfer Impact Assessment (TIA, also called a Data Transfer Impact Assessment or DTIA) assessing whether the laws of the destination country allow authorities to access transferred data in a way that undermines the protections afforded by the SCCs. In the context of EU-to-US transfers, the TIA must address U.S. surveillance laws including Section 702 of the Foreign Intelligence Surveillance Act and Executive Order 12333, and evaluate whether supplemental technical or contractual measures are needed to ensure the SCCs provide an essentially equivalent level of protection to that guaranteed in the EEA.
Buyers should request copies of all SCCs executed by the target covering EU-to-US data flows, verify that the correct module has been selected for each transfer, confirm that the SCCs reference the current 2021 version rather than the invalidated 2010 SCCs, and determine whether a TIA has been completed and documented. Missing SCCs for any material EU-to-US data flow are a GDPR Chapter V violation that cannot be retroactively cured for data already transferred. Post-close, the buyer must execute new or amended SCCs as controller or processor in the restructured group structure.
The DPF adequacy decision of July 2023 provides an alternative to SCCs for self-certified U.S. organizations. Buyers should verify whether the target is DPF-certified, confirm that the certification is current and covers the relevant data categories and processing activities, and assess the litigation risk that the DPF adequacy decision may be challenged in the CJEU. A prudent buyer will negotiate a representation that SCC documentation is in place as a fallback regardless of DPF certification status, because two prior EU-US adequacy frameworks (Safe Harbor and Privacy Shield) were invalidated during ongoing commercial relationships, creating immediate remediation obligations for all affected data flows.
CCPA/CPRA and the Expanding State Privacy Patchwork
The California Consumer Privacy Act, as amended by the California Privacy Rights Act, is the most comprehensive U.S. consumer privacy law applicable to private-sector data processing. CCPA/CPRA applies to for-profit businesses that meet at least one of the following thresholds: annual gross revenue exceeding $25 million; annual buying, selling, or sharing of personal information of 100,000 or more California consumers or households; or deriving at least 50% of annual revenue from selling or sharing personal information. Buyers must evaluate whether the target triggers CCPA/CPRA applicability and, if so, whether the target's privacy program covers all of the required elements: privacy notice at collection, data subject rights (access, deletion, correction, portability, opt-out of sale and sharing, opt-out of automated decision-making, and limitation of sensitive personal information use), vendor contracts with service provider language, and data retention schedules.
Beyond California, state consumer privacy laws have been enacted and are in force in Colorado (Colorado Privacy Act), Connecticut (Connecticut Data Privacy Act), Virginia (Consumer Data Protection Act), Utah (Utah Consumer Privacy Act), Texas (Texas Data Privacy and Security Act), Montana, Oregon, Delaware, New Hampshire, New Jersey, Nebraska, Iowa, Indiana, Tennessee, and Kentucky, with additional states advancing legislation. While these laws share structural similarities (controller and processor concepts, consumer rights, opt-out of sale, Data Protection Assessments for high-risk processing), they differ in threshold applicability, definition of sensitive data, enforcement structure (AG-only vs. private right of action), and cure period before enforcement action.
The buyer's diligence obligation is to map the target's consumer base against each applicable state law to determine which regimes apply and whether the target's current compliance program covers all applicable jurisdictions. A target with a California-compliant privacy program may still have gaps under Colorado's CPA (which requires opt-out of targeted advertising, not just sale) or Texas's TDPSA (which applies to controllers that process Texas residents' data regardless of revenue threshold, subject to the small business exemption). The state law inventory should be completed early in diligence so that gap remediation can be scoped and costed before closing.
Data Protection Assessments required under several state laws (including Colorado, Connecticut, Virginia, and others) must be completed before engaging in high-risk processing activities, including targeted advertising, sale of personal data, processing of sensitive data, and profiling that produces legal or similarly significant effects. Targets that have not completed these assessments for applicable high-risk activities are exposed to enforcement actions following any regulatory investigation. Buyers should request copies of all completed assessments and evaluate the completeness of the target's assessment program against each applicable state's requirements.
Sector Overlays: HIPAA, GLBA, COPPA, BIPA
Sector-specific federal privacy laws layer additional obligations on top of general privacy regimes for data in regulated categories. HIPAA applies to Covered Entities (health plans, healthcare clearinghouses, and healthcare providers who transmit health information electronically) and their Business Associates (entities that create, receive, maintain, or transmit protected health information on behalf of a Covered Entity). In M&A, HIPAA diligence focuses on four questions: whether the target is a Covered Entity or Business Associate; whether the target's Business Associate Agreements with counterparties are current, contain the required elements, and survive the transaction structure; whether the target's Security Rule technical safeguards meet minimum standards; and whether the target has a history of breach notifications or HHS Office for Civil Rights investigations.
GLBA (the Gramm-Leach-Bliley Act) applies to financial institutions, including banks, broker-dealers, insurance companies, and non-bank financial companies that are "significantly engaged" in financial activities. GLBA requires financial institutions to provide initial and annual privacy notices explaining their data-sharing practices and to implement a Safeguards Rule information security program. Buyers acquiring financial services businesses must verify that GLBA privacy notices are current, that the Safeguards Rule program meets the FTC's 2023 updated standards (which added specific technical requirements including penetration testing, multi-factor authentication, and incident response planning), and that any non-public personal information sharing arrangements with affiliated or non-affiliated third parties are compliant.
COPPA applies to operators of websites and online services directed to children under 13, or that have actual knowledge that they are collecting personal information from children under 13. Buyers acquiring consumer-facing digital businesses should assess whether COPPA applies by evaluating the target's user demographics, marketing materials, and platform design against the FTC's factors for determining whether a service is "directed to children." COPPA violations, including failure to obtain verifiable parental consent before collecting children's data and failure to post compliant privacy policies, carry civil penalties per violation that the FTC has imposed aggressively.
Illinois BIPA applies to any private entity that collects, captures, purchases, receives through trade, or otherwise obtains a person's biometric identifier or information. The required elements are a written policy, a written release signed by the individual before collection, and limitations on storage, use, and third-party disclosure. BIPA's private right of action, combined with its per-violation statutory damages and the absence of an actual-harm requirement for standing, has made BIPA class actions the highest-stakes privacy litigation risk in U.S. M&A. Buyers acquiring targets with employees in Illinois, customers who interact with the target's technology in Illinois, or any biometric data processing touching Illinois residents should conduct BIPA-specific diligence as a distinct work stream.
DPAs and Flow-Downs in Vendor Contracts
Under GDPR Article 28, every controller that engages a processor to process personal data on its behalf must enter into a Data Processing Agreement (DPA) with the processor. The DPA must specify the subject matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects, and the obligations and rights of the controller. It must also include specific mandatory provisions: the processor may process personal data only on documented instructions from the controller; the processor must ensure that authorized personnel are bound by confidentiality; the processor must implement appropriate technical and organizational security measures; the processor must flow down DPA obligations to any sub-processors; the processor must assist the controller in fulfilling data subject rights requests; the processor must assist with security and breach notification obligations; the processor must delete or return personal data at the end of the contract; and the processor must make available the information necessary to demonstrate compliance.
DPA inventory in diligence means reviewing every vendor contract where the vendor processes personal data on behalf of the target to determine whether a compliant DPA is in place. A target with a large vendor ecosystem (SaaS platforms, cloud infrastructure providers, analytics services, marketing technology vendors, HR software) may have hundreds of vendor relationships that require DPAs. Many vendors provide standard DPA annexes or data processing addenda as exhibits to their standard subscription agreements, but these standard forms vary in quality and many pre-2021 agreements reference the invalidated 2010 SCCs rather than the current 2021 version.
Sub-processor provisions are a material DPA diligence item. The main DPA with each vendor should require the vendor to obtain controller approval (either specific approval for each sub-processor or general authorization with notification and objection rights) before engaging any sub-processor. Vendors that have not maintained a current sub-processor list or that have onboarded sub-processors without required notification are in breach of DPA obligations, and by extension, the controller (the target) may have GDPR liability for unauthorized sub-processing.
Under U.S. state laws, the equivalent of the DPA is the service provider contract or contractor contract under CCPA/CPRA, and the processor contract under state laws modeled on the Virginia CDPA framework. These contracts must include provisions prohibiting the vendor from selling or sharing the personal information received from the controller, from using the information for any purpose other than the specified business purpose, and from retaining the data beyond the contract term. Buyers should confirm that the target's vendor contracts include the required service provider or processor language for all applicable state law jurisdictions, because missing contractual provisions can result in the vendor relationship being classified as a sale or disclosure of personal information, triggering consumer opt-out rights retroactively.
Ad-Tech, Cookies, and Third-Party Data Exposure
Advertising technology diligence has become one of the most complex components of privacy review in consumer-facing business acquisitions. The modern ad-tech stack typically involves dozens of third-party scripts deployed on the target's website and mobile applications: advertising pixels (Meta, Google Ads, LinkedIn, TikTok), analytics platforms, tag management systems, data management platforms, demand-side platforms, customer data platforms, session recording tools, and A/B testing frameworks. Each of these scripts may collect personal data from the target's website visitors independently of the target's stated data collection practices, and the aggregate data shared with third parties through the ad-tech stack may constitute a "sale" or "sharing" under CCPA/CPRA or processing requiring consent under GDPR.
Cookie consent under GDPR requires that non-essential cookies and tracking technologies receive prior, freely given, specific, informed, and unambiguous consent before deployment. Consent must be as easy to withdraw as to give, and cookie banners that use dark patterns (pre-ticked boxes for non-essential cookies, "Accept All" buttons that are visually prominent while "Reject All" or "Manage Preferences" options are de-emphasized) have been the subject of regulatory enforcement by EU data protection authorities, including the French CNIL, the Irish DPC, and other national data protection authorities across multiple member states. Buyers should review the target's consent management platform implementation, the consent records retained, and the vendor list approved under the IAB Transparency and Consent Framework if applicable.
The CCPA/CPRA "sharing" definition covers disclosure of personal information to third parties for cross-context behavioral advertising purposes even without monetary consideration. A target whose website deploys Meta Pixel, Google Analytics, or any other advertising technology that passes personal identifiers to a third-party advertising platform is likely sharing personal information within the CPRA definition, and consumers have the right to opt out of that sharing through a "Do Not Sell or Share My Personal Information" link and by recognizing Global Privacy Control (GPC) signals. Buyers should verify whether the target's opt-out mechanism properly suppresses data transmission to all third-party advertising platforms when a consumer opts out, including server-side event transmission and any lookalike audience data already uploaded to advertising platforms.
Third-party data brokers in the target's marketing data supply chain present additional exposure. Targets that purchase consumer data from data brokers for targeted advertising or direct marketing may have received data collected without compliant consent, and using that data post-close exposes the buyer to regulatory risk for the processing of unlawfully obtained data. Buyers should map all third-party data purchases, evaluate the data broker's consent documentation, and assess whether any data received under defective consent claims should be purged at closing rather than integrated into the buyer's customer data infrastructure.
Integration of Privacy Notices and Customer Choices
Post-close integration of two companies' data processing activities is one of the most legally complex aspects of privacy in M&A, because data collected under one entity's privacy notice cannot automatically be used for purposes described only in the other entity's privacy notice. The FTC has taken enforcement action specifically against companies that used data acquired through acquisitions in ways inconsistent with the privacy representations made to consumers at the time of collection. Under GDPR, the purpose limitation principle prohibits processing data for purposes materially different from those for which it was collected, and the data subject has not consented to purposes described in the acquiror's privacy notice simply because the acquisition has occurred.
The buyer's post-close privacy notice integration plan must address four distinct questions: which data collected under the target's privacy notices can be processed under the buyer's privacy program without additional notice or consent; which data requires updated notice before it can be used for buyer's purposes; which data requires fresh consent because the intended post-close use is materially different from the stated collection purpose; and which data must be quarantined or deleted because it cannot be integrated into the buyer's processing activities under any compliant framework. This analysis must be completed before post-close integration teams begin combining customer databases or using acquired customer data for marketing purposes.
Consumer choices exercised under the target's privacy program (opt-outs of sale, sharing, or targeted advertising; deletion requests; and consent withdrawals) must be carried over and honored in the buyer's data infrastructure. A buyer that fails to import and honor pre-closing opt-out records commits violations of CCPA/CPRA and applicable state laws effective from the moment those records are ignored post-close. The technical requirement to migrate opt-out signals from the target's consent management system to the buyer's system should be treated as a hard dependency in the integration timeline, not a post-close cleanup item.
Customer-facing notification of the acquisition and any material changes to data processing practices may be required by law, required by the target's privacy policy (which often contains a specific disclosure about what happens to data in an acquisition context), or required by good practice even when not legally mandated. Buyers should review the target's privacy policy merger and acquisition clause, assess whether the policy's terms for acquisition-related data transfers apply to the contemplated transaction structure, and plan the consumer notification timeline as part of the overall integration communications plan.
Data Breach Notification Timelines Post-Closing
A data breach that is discovered after closing but that originated pre-close presents the buyer with a compressed and legally complex notification obligation. All 50 U.S. states have breach notification laws, and the applicable timelines, covered data types, notification recipients (affected individuals, state attorneys general, consumer reporting agencies), and required notice content vary by state. GDPR requires notification to the competent supervisory authority within 72 hours of becoming aware of a breach, and notification to affected data subjects without undue delay when the breach is likely to result in a high risk to their rights and freedoms.
The interaction between the breach notification obligation and the acquisition closing creates a practical problem: if the buyer inherits a security incident that the target had not disclosed, the buyer is now the data controller responsible for notification. The 72-hour GDPR clock runs from when the breach was or should have been discovered, not from when it is deemed "known" under a representation and warranty framework. A buyer that discovers a pre-closing breach during integration is not protected by the target's failure to disclose it in the data room; the buyer's notification obligation runs from the buyer's own discovery.
Buyers should address breach notification risk in the acquisition agreement through a combination of representations (the target has no knowledge of any data breach that has not been disclosed), covenants (the target will notify the buyer promptly of any discovered breaches between signing and closing), indemnification provisions covering pre-closing breach notification costs and regulatory penalties, and R&W insurance coverage that explicitly covers known and unknown data breach events within the applicable policy period. The indemnification and insurance coverage must account for the full scope of notification costs: legal counsel, forensic investigators, consumer notification and credit monitoring services, state AG filing fees, and any regulatory fines.
Sector-specific breach notification obligations layer additional requirements on top of state law. HIPAA requires notification of breaches of unsecured protected health information to affected individuals (within 60 days of discovery), to the Secretary of HHS (within 60 days, whether the breach affects fewer than 500 individuals or 500 or more), and to prominent media outlets for breaches affecting 500 or more individuals in a state. GLBA breach notification rules require financial institutions to notify the FTC and affected customers within defined timelines. Buyers acquiring businesses subject to these sector-specific regimes must ensure that post-close incident response procedures address the full regulatory notification matrix.
Remediation Planning Baked into the Deal
Privacy remediation is most efficiently addressed when it is planned before closing rather than discovered as an integration problem post-close. The diligence process should produce a prioritized gap analysis that maps each identified compliance deficiency to the legal regime that requires remediation, the technical or contractual work required, the estimated cost and timeline, and whether the gap can be remediated pre-closing with seller cooperation or requires post-closing access to systems and data. This gap analysis becomes the foundation for negotiating deal terms: price adjustment, escrow, indemnification, or specific post-closing covenants to complete remediation within a defined period.
Pre-closing remediation by the seller is appropriate for gaps that are well-defined and executable without disrupting business operations: executing missing DPAs with vendors, updating privacy notices to reflect current processing activities, implementing a Global Privacy Control opt-out mechanism, completing outstanding Data Subject Rights requests, and filing missing DPF certification updates. Buyers should negotiate seller covenants to complete defined remediation items before closing and to certify completion at closing, with a carve-out from the representations and warranties for any items that cannot be completed pre-close and are instead covered by post-closing covenants.
For larger structural gaps, particularly those involving BIPA class action exposure, missing SCC documentation for historical EU-to-US transfers, or HIPAA compliance deficiencies, the appropriate deal term is an indemnification escrow sized to the potential liability range rather than a pre-closing remediation covenant. The liability range for these categories of exposure is often wide because it depends on whether regulators or plaintiffs pursue the violation, the geographic scope of affected individuals, and the applicable statutory damage framework. Buyers and sellers should engage privacy counsel to scope the liability range using documented data volumes (number of Illinois employees with biometric data, volume of EU data processed without SCCs, number of PHI records at risk) rather than relying on general representations that no material violations exist.
Representations and warranties insurance coverage for privacy and data protection has become more widely available but remains subject to exclusions for known violations (information disclosed in the data room), regulatory investigations disclosed in the target's representations, and often for GDPR fines (because some insurers classify regulatory fines as uninsurable under public policy in relevant jurisdictions). Buyers should review the specific policy language for privacy exclusions, confirm that the policy covers third-party claims (class actions and regulatory enforcement) arising from pre-closing privacy violations, and assess whether the retention and limit are appropriate for the exposure profile identified in diligence. Privacy-specific rep and warranty coverage should be evaluated as a supplement to, not a substitute for, specific indemnification escrows for identified high-probability privacy liabilities.
Frequently Asked Questions
How do U.S. state privacy laws differ from GDPR in an M&A context?
GDPR applies by subject matter: any processing of EU personal data, regardless of where the processor or controller is located, falls within its scope. U.S. state privacy laws are generally scoped by where the consumer resides and by thresholds tied to revenue, data volume, or the percentage of revenue derived from selling personal data. GDPR imposes affirmative obligations to document lawful basis for every processing activity, appoint a Data Protection Officer in defined circumstances, and complete Data Protection Impact Assessments for high-risk processing. Most U.S. state laws focus on consumer rights (access, deletion, portability, opt-out of sale or sharing) and do not require the same level of documentation infrastructure. In diligence, GDPR exposure typically generates the largest remediation estimates because the fines are calibrated to global annual turnover (up to 4% for the most serious violations), whereas U.S. state law penalties are per-violation statutory amounts that can accumulate significantly in a class action or AG enforcement action but are generally smaller per-incident than GDPR fines on a large-revenue business.
What is the current adequacy status of the EU-U.S. Data Privacy Framework, and how does it affect deal risk?
The European Commission adopted an adequacy decision for the EU-U.S. Data Privacy Framework in July 2023, replacing the invalidated Privacy Shield. U.S. organizations that self-certify to DPF through the Department of Commerce can receive EU personal data transfers without Standard Contractual Clauses or other supplemental transfer mechanisms. The DPF was immediately challenged by privacy advocates, and litigation in the Court of Justice of the European Union is ongoing as of 2025. Buyers acquiring a target that relies on DPF as its primary EU-to-US transfer mechanism should treat that reliance as temporary and verify that the target has SCC-based documentation in place as a fallback, because a third invalidation of the trans-Atlantic adequacy framework (following Safe Harbor in 2015 and Privacy Shield in 2020) would require immediate transition to SCCs. Deal counsel should negotiate a representation covering DPF certification status and a covenant to maintain SCC documentation in parallel during any DPF uncertainty period.
Which module of the Standard Contractual Clauses applies in common M&A scenarios?
The European Commission's 2021 SCCs provide four modules keyed to the roles of the transferring and receiving parties. Module One (controller to controller) applies when the EU-based entity transfers personal data to a U.S. entity that processes the data for its own purposes, such as a U.S. parent company using HR data from its EU subsidiary. Module Two (controller to processor) applies when the EU entity transfers data to a U.S. entity that processes it only on the EU entity's instructions, such as a U.S. SaaS vendor processing EU customer data on behalf of the EU controller. Module Three (processor to processor) covers sub-processing chains. Module Four (processor to controller) covers the reverse scenario where the EU entity is acting as a processor on behalf of a non-EU controller. In an acquisition context, the buyer must map every cross-border data flow in the target's operations to determine which module applies, because an incorrect module selection or a missing SCC covering a material flow can constitute a violation.
Does a buyer inherit the target's HIPAA Business Associate Agreements after closing?
Yes, subject to the structure of the deal. In a stock acquisition or merger where the target entity survives, existing Business Associate Agreements carry over as a matter of contract law because the contracting party has not changed. The buyer must review each BAA to confirm it does not contain a change-of-control termination right that would be triggered by the acquisition, because termination of a BAA without replacement can constitute a HIPAA violation if the underlying data-sharing relationship continues. In an asset acquisition, the target's BAAs generally do not transfer by operation of law and must be renegotiated with each Covered Entity counterparty before the buyer can lawfully receive or access protected health information. Buyers in healthcare M&A transactions should identify every BAA in the target's vendor and customer contracts during diligence and confirm whether change-of-control provisions require counterparty consent or new agreement execution at closing.
What is the distinction between a 'sale' and 'sharing' of personal information under CCPA/CPRA, and why does it matter in M&A?
Under CCPA as amended by CPRA, a 'sale' means disclosing personal information to a third party for monetary or other valuable consideration. 'Sharing' is a separate defined category covering disclosure to a third party for cross-context behavioral advertising purposes, even without monetary consideration. The distinction matters in M&A because a target that runs digital advertising through programmatic platforms, ad exchanges, or data management platforms may be sharing personal information within the CPRA definition even if it receives no direct payment for the data. Consumers have the right to opt out of both sale and sharing under the CPRA, and a target that has not implemented compliant opt-out mechanisms for sharing relationships faces both regulatory exposure and remediation costs. Buyers should map the target's advertising technology stack against the CPRA sharing definition and quantify the gap between the target's current opt-out infrastructure and a compliant implementation.
How significant is BIPA class action exposure in an M&A transaction involving biometric data?
Illinois BIPA class action exposure is one of the highest-stakes privacy liabilities in U.S. M&A. BIPA provides a private right of action with statutory damages of $1,000 per negligent violation and $5,000 per intentional or reckless violation, without requiring proof of actual harm. Courts have certified nationwide and statewide classes in BIPA cases, and the combination of per-violation statutory damages, class treatment, and Illinois's broad definition of biometric identifiers (fingerprints, retina or iris scans, voiceprints, hand or face geometry scans) has produced settlements in the hundreds of millions of dollars against employers using timekeeping systems with fingerprint readers, social media platforms with photo-tagging features, and retailers using facial recognition. Buyers acquiring targets with any biometric data processing touching Illinois residents should treat BIPA exposure as a material deal risk, conduct diligence on whether the target has obtained the required written release from each individual, and negotiate appropriate indemnification or escrow coverage for pre-closing BIPA claims.
What qualifies as 'sensitive personal information' under CPRA, and how does that category affect diligence?
CPRA created a separate regulatory category for sensitive personal information (SPI) that carries heightened consumer rights and additional processing restrictions. The CPRA SPI category includes Social Security numbers and government ID numbers; financial account credentials; precise geolocation data; racial or ethnic origin; religious or philosophical beliefs; union membership; contents of personal communications; genetic data; biometric data processed for identification; health information; and information about sex life or sexual orientation. Consumers have the right to limit a business's use of SPI to what is necessary to provide the requested service. Buyers must map whether the target processes SPI, whether the target has implemented the required SPI limitation notice and opt-out mechanism, and whether the target's vendor data processing agreements extend SPI protections through the supply chain. Targets processing sensitive health, financial, or biometric data without proper SPI controls face both regulatory exposure and reputational risk that buyers should price into deal terms.
What happens to cookie consent records and third-party tracker relationships when a buyer acquires a target's website?
Cookie consent records collected through the target's consent management platform (CMP) are personal data subject to the same data protection obligations as any other personal data. The buyer must assess whether the target's consent records are stored in a portable format, whether they can be migrated to the buyer's CMP infrastructure, and whether post-close changes to the website's tracking technology invalidate prior consent records by materially changing the purposes for which data is processed. Under GDPR, consent obtained for one set of purposes is not valid for materially different purposes, so a buyer that significantly changes the target's data processing activities post-close may need to re-obtain consent from existing users. For CCPA/CPRA opt-out records, the buyer must ensure that opt-out signals received by the target's CMP are honored in the buyer's data infrastructure. Failure to carry over opt-out records can expose the buyer to claims for violations occurring after closing based on processing that disregards pre-closing consumer opt-outs.
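The earlier paragraph on migrating opt-out signals and this answer both describe the same integration step: replaying the target's consent and opt-out records into the buyer's systems so that pre-closing choices keep suppressing processing after close, and checking whether consent collected for the target's purposes covers the buyer's intended purposes. The following Python is an added illustration of that step, not code from this page or from the firm that wrote it. The CMP export layout, the subject identifiers, the purpose and activity names, and the split between opt-out activities (sale, sharing, targeted advertising) and consent-based activities are all constructed assumptions; the one real-world detail is that Global Privacy Control is transmitted as the `Sec-GPC: 1` request header.

```python
"""Carrying a target's consent and opt-out records into the buyer's
processing gate after closing.  Added illustration, not code from the page
or the firm; identifiers, record layout and purpose names are constructed."""
import json
from dataclasses import dataclass, field

# Constructed CMP export, in the shape a target might deliver in the data
# room.  Real exports differ per vendor; the fields here are assumptions.
TARGET_CMP_EXPORT = json.dumps([
    {"subject": "Alice@Example.com", "type": "consent",
     "purposes": ["analytics", "email_marketing"], "ts": "2024-03-01T10:00:00Z"},
    {"subject": "alice@example.com", "type": "opt_out",
     "rights": ["sale", "sharing"], "ts": "2024-09-15T08:30:00Z"},
    {"subject": "bob@example.com", "type": "consent",
     "purposes": ["analytics"], "ts": "2024-05-20T12:00:00Z"},
    {"subject": "carol@example.com", "type": "deletion_request",
     "ts": "2024-11-02T09:00:00Z"},
    {"subject": "dave@example.com", "type": "consent",
     "purposes": ["analytics", "email_marketing", "profiling"],
     "ts": "2024-01-11T00:00:00Z"},
    {"subject": "dave@example.com", "type": "consent_withdrawal",
     "purposes": ["profiling"], "ts": "2024-06-01T00:00:00Z"},
])

# Activities on an opt-out model (CCPA/CPRA style) versus an opt-in model
# (GDPR consent).  The split is a modelling assumption for this example.
OPT_OUT_ACTIVITIES = {"sale", "sharing", "targeted_advertising"}
CONSENT_ACTIVITIES = {"analytics", "email_marketing", "profiling"}


@dataclass
class SubjectState:
    consented_purposes: set = field(default_factory=set)
    opted_out: set = field(default_factory=set)
    deletion_requested: bool = False


def normalize(subject):
    """One person, one record: case and whitespace differences must not
    let a pre-closing opt-out slip past the buyer's matching."""
    return subject.strip().lower()


def import_target_records(export_json, buyer_state=None):
    """Replay the target's records in time order into buyer_state
    (dict: normalized subject -> SubjectState).  Consent is replaced by the
    latest grant or narrowed by a withdrawal; opt-outs and deletion
    requests only ever accumulate, so no later record weakens them."""
    buyer_state = {} if buyer_state is None else buyer_state
    for rec in sorted(json.loads(export_json), key=lambda r: r["ts"]):
        st = buyer_state.setdefault(normalize(rec["subject"]), SubjectState())
        kind = rec["type"]
        if kind == "consent":
            st.consented_purposes = set(rec["purposes"])
        elif kind == "consent_withdrawal":
            st.consented_purposes -= set(rec["purposes"])
        elif kind == "opt_out":
            st.opted_out |= set(rec["rights"])
        elif kind == "deletion_request":
            st.deletion_requested = True
        else:
            raise ValueError(f"unknown record type {kind!r}")  # fail closed
    return buyer_state


def triage(buyer_state, post_close_purposes):
    """Purpose-limitation check: a subject's data is usable for the buyer's
    intended purposes only if every one of them was consented to.  Whether
    an updated notice alone would suffice is a legal judgment this code does
    not model; it reports usable / needs fresh consent / quarantine."""
    wanted = set(post_close_purposes)
    buckets = {"usable": [], "needs_fresh_consent": [], "quarantine": []}
    for subject, st in sorted(buyer_state.items()):
        if st.deletion_requested:
            buckets["quarantine"].append(subject)
        elif wanted <= st.consented_purposes:
            buckets["usable"].append(subject)
        else:
            buckets["needs_fresh_consent"].append(subject)
    return buckets


def may_process(buyer_state, subject, activity, request_headers=None):
    """Gate a single processing action.  Returns (allowed, reason)."""
    headers = request_headers or {}
    key = normalize(subject)
    st = buyer_state.setdefault(key, SubjectState())
    if activity not in OPT_OUT_ACTIVITIES | CONSENT_ACTIVITIES:
        return False, f"unknown activity {activity!r}"
    if st.deletion_requested:
        return False, "pre-closing deletion request"
    if activity in st.opted_out:
        return False, f"pre-closing opt-out of {activity}"
    # Global Privacy Control arrives as the Sec-GPC: 1 request header; it is
    # honored here as an opt-out of sale and sharing and persisted.
    if headers.get("Sec-GPC") == "1" and activity in {"sale", "sharing"}:
        st.opted_out.update({"sale", "sharing"})
        return False, "GPC signal on this request"
    if activity in CONSENT_ACTIVITIES and activity not in st.consented_purposes:
        return False, f"no consent for {activity}"
    return True, "no restriction on record"


if __name__ == "__main__":
    state = import_target_records(TARGET_CMP_EXPORT)
    print(triage(state, ["analytics", "email_marketing"]))
    print(may_process(state, "Alice@Example.com", "sharing"))
    print(may_process(state, "bob@example.com", "sale", {"Sec-GPC": "1"}))
```

Two design choices matter for the integration timeline the text describes. First, the import is replayed in timestamp order and restrictions never relax, so a consent record dated after an opt-out cannot quietly re-enable selling or sharing. Second, the gate is consulted per action rather than by bulk-flagging the customer table, which is what lets a live GPC signal and a migrated pre-closing opt-out be enforced by the same code path.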
Privacy Diligence Counsel for M&A Transactions
Acquisition Stars advises buyers and sellers on data privacy diligence in cross-jurisdictional M&A transactions, covering GDPR, CCPA/CPRA, state privacy law, HIPAA, BIPA, and cross-border transfer compliance. Submit your transaction details for an initial assessment.
Related Practice Areas
Our attorneys handle M&A transactions and securities matters nationwide. Alex Lubyansky leads every engagement personally.