Data privacy and security risk and compliance issues relating to exchanges of personal information during merger, acquisition, and similar transactions can sometimes be overlooked. In 2023, we summarized an enforcement action resulting in a $400,000 settlement following a data breach that affected personal information obtained during a transaction.
California aims to bolster its California Consumer Privacy Act (CCPA) to more clearly address certain obligations under the CCPA during transactions. Awaiting Governor Newsom’s signature is Assembly Bill (AB) 1824 which seeks to protect elections made by consumers to opt-out of the sale or sharing of their personal information following a transaction. More specifically, when a business receives personal information from another business as an asset that is part of a merger, acquisition, bankruptcy, or other transaction, and the transferee business assumes control of all of, or part of, the transferor, the transferee business must comply with a consumer’s opt-out elections made to the transferor business.
With this change, suppose a consumer properly opts-out of Company A’s sale of personal information, and Company A is later acquired by and controlled by Company B. In this case, under AB 1824, Company B would be obligated to abide by the consumer’s opt-out election provided to Company A. Among the many issues that come with the transfer of confidential and personal information during a transaction, due diligence should consider a process to capture and communicate the optout elections of consumers of the transferor business.
If signed, the amendments made by AB 1824 would take effect January 1, 2025.