4 February 2025

M&A Transactions And AB 1824: Navigating New Privacy Compliance Challenges

Mayer Brown


The California Consumer Privacy Act (CCPA) has been amended a number of times since its enactment in 2018. One of the latest amendments to the CCPA, California's Assembly Bill No. 1824, recently took effect Jan. 1, 2025, and changed the CCPA in the context of mergers and acquisitions (M&A), and other types of corporate transactions. Under this amendment, any business acquiring personal information of a consumer from another business as an asset through a merger, acquisition, bankruptcy, or other types of transactions in which the transferee assumes control of all, or part, of the transferor must comply with opt-out of "sale" and "sharing" requests California residents made to the seller before their personal information is transferred to the buyer.

The CCPA is the first comprehensive data privacy law in the United States and applies to for-profit entities if they conduct business in California (even if they are not physically located in the state), collect California residents' personal information, determine how and why the information should be processed, and meet one of the following thresholds: (1) have annual gross revenue in excess of $25 million (adjusted to $26,625,000 starting Jan. 1, 2025); (2) buy, sell, or share the personal information of 100,000 or more California residents or households; or (3) derive 50% or more of their annual revenue from selling or sharing California residents' personal information. The CCPA may also apply to entities that share common branding and control with a company that meets the above requirements, certain joint ventures or partnerships made up of these businesses, and businesses that voluntarily certify to be subject to the CCPA.

Under the CCPA, California residents have the right to opt out of the "sale" of their personal information and "sharing" of their personal information for cross-context behavioral advertising. "Sale" is a defined term under the CCPA and, subject to certain exceptions, broadly encompasses any disclosure of personal information to a third party for monetary or other valuable consideration. "Share" is a subset of "sale" and addresses situations where personal information is disclosed or made available to a third party for cross-context behavioral advertising, which involves tracking individuals across businesses' websites, applications, or services for targeted advertising (e.g., using third-party cookies to track a web user for retargeting). Notably, the CCPA applies across nearly all industries because the law was amended under the California Privacy Rights Act to encompass business-to-business (B2B) and human resources personal information. Thus, AB 1824 is relevant even to B2B companies that do not offer products or services directly to consumers. Companies on buy-side deals should be mindful of this change, as they are now required to honor opt-out requests made to the seller before the acquisition.

In this article, we explore the implications of AB 1824 for companies involved in M&A transactions, focusing on the new legal obligations on the buyer and the necessity of target businesses to maintain opt-out records. Additionally, we provide practical advice on the administrative challenges surrounding the due diligence process and strategies for managing risks and liabilities associated with noncompliance.

Continuity of Consumer Opt-Out Rights in M&A Transactions

AB 1824 was largely supported by privacy advocates for addressing a perceived gap in the CCPA by ensuring the continuity of consumer opt-out rights during business transactions. (See Tracy Rosenberg, 2024 State Legislature Wrap-up, Oakland Privacy Blog (Oct. 6, 2024).) The rationale is that when a California resident exercises the right to opt out of the sale or sharing of personal information, the opt-out request should transfer seamlessly when the personal information transfers as part of the transaction. However, in practice, as the new owner of the transferred business gains access to and populates personal information from the target business, even minor delays in transferring existing opt-outs may result in the sale or sharing of California residents' personal information.

As a result of AB 1824, the buyer will now be required to honor the existing opt-out requests made to the target business prior to closing, adding a layer of complexity to the M&A due diligence and integration process. In preparation for an M&A transaction, the target business should confirm that it maintains records of privacy rights requests, as required under the CCPA regulations, and transfer such records to the buyer. On the buy-side, the buyer should confirm whether the target business (a) is subject to the CCPA, (b) sells or shares personal information, and (c) maintains records of privacy rights requests. Depending on its due diligence findings, the buyer should also take steps during integration planning to ensure it is able to honor the existing opt-out requests at closing. This is particularly important for opt-out requests received right up to the closing date.

While in theory this seems manageable, in practice it may be difficult to maintain opt-out records for companies that sell or share personal information based on their use of third-party advertising cookies on their websites. Oftentimes, companies engaged in sale or sharing of personal information in this context do not know the identity of the individuals exercising the opt-out right. Instead, they suppress the cookies and other trackers that constitute a sale or sharing when web users communicate requests through opt-out preference signals, such as Global Privacy Control, or through cookie management tools. Companies engaged in sale or sharing in this context should consider technical solutions to maintain logs of opt-out requests in the AdTech context, particularly when the consumer exercising the opt-out right is logged into an account and identifiable.

Penalties for Noncompliance

The CCPA has been in effect for over four years and the California attorney general has prioritized enforcement actions against companies that allegedly failed to comply with opt-out of sale obligations. Businesses that fail to comply with the CCPA could face an administrative fine of up to $2,500 for negligent violations and $7,500 for each intentional violation. The California Attorney General's Office or California Privacy Protection Agency may seek to aggregate these penalties through a broad interpretation of what constitutes a violation, as reflected in the prior $1.2 million and $375,000 settlements against companies based on their alleged sale practices. Companies may also face a multi-year injunction for failing to comply.

Therefore, entities contemplating an M&A transaction must be prepared to manage the risks associated with noncompliance, including potential penalties and multi-year regulatory oversight through injunctive relief.

Risk Management and Liability

The flurry of activity surrounding corporate transactions can increase privacy risks, particularly when the seller has a high volume of B2B, human resources, and traditional consumer personal information. Even if a company is in compliance with the CCPA leading up to a corporate transaction, a slight administrative delay stemming from the transfer of existing opt-outs could potentially lead to the sale or sharing of personal information as the buyer integrates the acquired business.

AB 1824 raises questions about which party assumes liability for compliance gaps, especially when nearing a transaction's closing date. Due diligence must include a thorough assessment of potential liabilities, and the deal team must develop a risk management strategy to address these risks, which may involve negotiating indemnification clauses, obtaining insurance, and implementing other contractual protections to mitigate data privacy risks.

Developing and implementing appropriate processes and risk management strategies may be crucial for the parties to M&A transactions to successfully navigate the complexities of data privacy risks in the face of AB 1824 and other similar data privacy laws.

"Reprinted with permission from the January 28th edition of The Recorder © 2025 ALM Properties, Inc. All rights reserved. Further duplication without permission is prohibited."


© Copyright 2025. The Mayer Brown Practices. All rights reserved.

This Mayer Brown article provides information and comments on legal issues and developments of interest. The foregoing is not a comprehensive treatment of the subject matter covered and is not intended to provide legal advice. Readers should seek specific legal advice before taking any action with respect to the matters discussed herein.
