Interested in training for your team? Click here to learn more

Impact of EU GDPR and New California Privacy Law on M&A: New Due Diligence and Other Challenges for Buyers and Sellers

Mitigating Risk With Reps and Warranties, Post-Closing Considerations

Recording of a 90-minute premium CLE webinar with Q&A

This program is included with the Strafford CLE Pass. Click for more information.
This program is included with the Strafford All-Access Pass. Click for more information.

Conducted on Thursday, July 11, 2019

Recorded event now available

or call 1-800-926-7926

This CLE course will examine issues to consider when an M&A target company is subject to the California Consumer Privacy Act (CCPA) or the EU's General Data Privacy Regulation (GDPR), and best practices in conducting due diligence of such companies. The panel will discuss the complexities in determining if a company is subject to CCPA or GDPR, consequences if it has failed to comply with these new regulatory regimes, and how reps and warranties and insurance can be used to protect the buyer and seller.


Due diligence in M&A has long included an assessment of the cybersecurity and privacy protocols of the target company. But the new CCPA and GDPR have raised the stakes for compliance, particularly for target companies that process or collect personal information or trade consumer data. Not only can vulnerabilities in a security network be transferred to the acquiring company but so can regulatory and noncompliance issues.

Prior to engaging in an M&A transaction, strategic questions such as whether the company will be expanding into new industries and/or new geographic regions; whether any new products or technologies are part of the business goals; whether the company is going to change how it uses information; and how the risk profile of the company may change, must be considered.

Counsel should gain a comprehensive understanding of the data privacy and security profiles of each party. Factors which must be evaluated include a "data map" outlining where and how each company stores data, the location of customers or other parties providing personal information, and policies regarding how each company collects, uses and destroys personal information. A similar analysis may also be necessary for third-party contractors.

The acquisition agreement should include detailed representations and warranties relating to data security and privacy, and delineate remedies in the event of a breach. The parties may also require insurance against losses associated with a data breach or a violation of data privacy laws.

Listen as our authoritative panel discusses the impact of CCPA and GDPR on mergers and acquisitions. The panel will examine the scope of CCPA and GDPR, what due diligence questions must be answered upfront, and how reps and warranties and insurance can help resolve any uncertainties concerning data breaches and compliance.



  1. Overview of GDPR and CCPA - different types of M&A deals effected
  2. Early stage activities (sell-side perspective)
    1. Preparation of a business for sale
    2. Deal structuring
  3. Due diligence phase (buy-side perspective)
    1. Who should conduct diligence and who should respond
    2. Identifying key risks - specific CCPA and GDPR points to consider
  4. Doing the Deal
    1. Reps, warranties, indemnities; other data privacy provisions
    2. Ancillary documents (e.g. privacy notices)
  5. Post-deal considerations
    1. Managing use of data/databases post-deal / on-going controls
    2. Transitional services and post-deal integration activities


The panel will review these and other critical issues:

  • How should a buyer or merger partner determine if a target company is (or the merged entity will be) subject to GDPR or CCPA?
  • What steps should be followed in conducting due diligence on a target's data privacy and security profile?
  • What representations and warranties should be included in the acquisition agreement to address data privacy and security?
  • Can insurance adequately cover a violation of GDPR, CCPA and similar laws to come?


Gesser, Avi
Avi Gesser

Davis Polk & Wardwell

Mr. Gesser is a partner in Davis Polk’s Litigation Department. He represents clients in a wide range of...  |  Read More

Loughlin, Scott
Scott T. Loughlin

Hogan Lovells US

When clients need innovative solutions for using and protecting valuable data assets, they turn to Mr. Loughlin. He...  |  Read More

Parker, Nigel
Nigel Parker

Allen & Overy

Mr. Parker specializes in intellectual property, data protection and privacy, and commercial contracts. He works across...  |  Read More

Access Anytime, Anywhere

Strafford will process CLE credit for one person on each recording. All formats include course handouts.

To find out which recorded format will provide the best CLE option, select your state:

CLE On-Demand Video