When starting, acquiring, or merging with a direct-to-consumer (“DTC”) e-commerce business, there are many legal issues that must be considered. One of the more important is compliance with consumer data privacy statutes. Nearly 20 States in the U.S. have now enacted consumer data privacy and protection statutes. The general concern of these statutes is to protect consumer data that is collected by online businesses and then processed, stored, sold, shared, etc. Whether these statutes apply to your DTC e-commerce business now and whether they might be applicable after the acquisition/merger are among many potential legal issues that must be considered.

Are data privacy statutes applicable to your DTC e-commerce business NOW?

Unfortunately, the applicability of these data privacy statutes depends on several factors, and the statutes are not uniform. Thus, for example, the Kentucky Consumer Data Protection Act (“KCDPA”) applies to:

• Businesses that conduct business in Kentucky OR produce products or services that are TARGETED to residents of Kentucky AND, in the previous 12 months, 
• Controlled or processed personal data of 100,000 consumers or more (not just Kentucky consumers) OR
• Controlled or processed personal data of 25,000 consumers AND derived over 50% of gross revenue from the sale of personal data

The Maryland Online Data Privacy Act (“MODPA”) uses a similar definition. The MODPA applies to:

• Businesses that conduct business in Maryland OR produce products or services that are TARGETED to residents of Maryland AND, in the previous 12 months, 
• Controlled or processed personal data of 35,000 consumers or more, excluding data processed solely for payment processing (emphasis added) OR
• Controlled or processed personal data of at least 10,000 AND derives over 20% of gross revenue from the sale of personal data

As can be seen, depending on the factors, the MODPA may apply to a DTC e-commerce business while the KCDPA may not. Note that there are other permutations in these data privacy statutes, and full due diligence will be necessary to determine if any of them apply.

Note further that the exception for payment processing may be less relevant to DTC e-commerce businesses since these businesses tend to rely on data analytics, which, in turn, require the collection and storage of large amounts of information about who their consumers are and what their preferences are.  Often, DTC businesses are buying and trading data in order with other online retailers to locate consumers with an ideal set of preferences and behaviors.

Will any of the data privacy statutes apply to the DTC e-commerce business AFTER the acquisition or merger?

In determining the applicability of the statutes, the factors are based on the business AS A WHOLE, including subdivisions, affiliates, and other controlled businesses. So, an e-commerce business aggregator that begins a process of bringing many similar brands under one company may eventually meet one or more thresholds of applicability of these data privacy protection statutes.

An example is the recently reported acquisition by Havenly Brands of luxury home furnishing online brand Burrow. As reported, this is the fifth furnishing brand that Havenly has acquired “… as it builds out its portfolio of home brands.” If it has not already done so, Havenly will eventually find itself subject to compliance with at least one State’s consumer data protection statute.

Contact Internet Law and Data Privacy Attorneys at Revision Legal

For more information, contact the experienced e-commerce merger and Acquisition Lawyers at Revision Legal. You can contact us through the form on this page or call (855) 473-8474.