Acquiring Direct-to-Consumer E-commerce Businesses: Do Data Privacy Statutes Apply? featured image

Acquiring Direct-to-Consumer E-commerce Businesses: Do Data Privacy Statutes Apply?

by John DiGiacomo

Partner

Internet Law

When starting, acquiring, or merging with a direct-to-consumer (“DTC”) e-commerce business, there are many legal issues that must be considered. One of the more important is compliance with consumer data privacy statutes. Nearly 20 States in the U.S. have now enacted consumer data privacy and protection statutes. The general concern of these statutes is to protect consumer data that is collected by online businesses and then processed, stored, sold, shared, etc. Whether these statutes apply to your DTC e-commerce business now and whether they might be applicable after the acquisition/merger are among many potential legal issues that must be considered.

Are data privacy statutes applicable to your DTC e-commerce business NOW?

Unfortunately, the applicability of these data privacy statutes depends on several factors, and the statutes are not uniform. Thus, for example, the Kentucky Consumer Data Protection Act (“KCDPA”) applies to:

  • Businesses that conduct business in Kentucky OR produce products or services that are TARGETED to residents of Kentucky AND, in the previous 12 months, 
  • Controlled or processed personal data of 100,000 consumers or more (not just Kentucky consumers) OR
  • Controlled or processed personal data of 25,000 consumers AND derived over 50% of gross revenue from the sale of personal data

The Maryland Online Data Privacy Act (“MODPA”) uses a similar definition. The MODPA applies to:

  • Businesses that conduct business in Maryland OR produce products or services that are TARGETED to residents of Maryland AND, in the previous 12 months, 
  • Controlled or processed personal data of 35,000 consumers or more, excluding data processed solely for payment processing (emphasis added) OR
  • Controlled or processed personal data of at least 10,000 AND derives over 20% of gross revenue from the sale of personal data

As can be seen, depending on the factors, the MODPA may apply to a DTC e-commerce business while the KCDPA may not. Note that there are other permutations in these data privacy statutes, and full due diligence will be necessary to determine if any of them apply.

Note further that the exception for payment processing may be less relevant to DTC e-commerce businesses since these businesses tend to rely on data analytics, which, in turn, require the collection and storage of large amounts of information about who their consumers are and what their preferences are.  Often, DTC businesses are buying and trading data in order with other online retailers to locate consumers with an ideal set of preferences and behaviors.

Will any of the data privacy statutes apply to the DTC e-commerce business AFTER the acquisition or merger?

In determining the applicability of the statutes, the factors are based on the business AS A WHOLE, including subdivisions, affiliates, and other controlled businesses. So, an e-commerce business aggregator that begins a process of bringing many similar brands under one company may eventually meet one or more thresholds of applicability of these data privacy protection statutes.

An example is the recently reported acquisition by Havenly Brands of luxury home furnishing online brand Burrow. As reported, this is the fifth furnishing brand that Havenly has acquired “… as it builds out its portfolio of home brands.” If it has not already done so, Havenly will eventually find itself subject to compliance with at least one State’s consumer data protection statute.

Contact Internet Law and Data Privacy Attorneys at Revision Legal

For more information, contact the experienced e-commerce merger and Acquisition Lawyers at Revision Legal. You can contact us through the form on this page or call (855) 473-8474.

Extra, Extra!
Recent Posts

Does the AI-Copyright Legal Fight Represent a National Security Threat?

Does the AI-Copyright Legal Fight Represent a National Security Threat?

Copyright

The holders of copyrights for newspapers, magazines, books, and other publications are involved in numerous legal battles with owners of AI modules over alleged copyright infringement. The plaintiff copyright owners claim that the AI large language modules have been trained on huge quantities of copyrighted materials without permission and — most importantly — without payment. […]

Read more about Does the AI-Copyright Legal Fight Represent a National Security Threat?

How Does Buy-Sell Insurance Work For An Owners’ Agreement?

How Does Buy-Sell Insurance Work For An Owners’ Agreement?

Corporate

The owners of most small, closely-held businesses negotiate and sign some form of an “Owner’s Agreement.” An important part of such Agreements is the “Buy-Sell” provisions. These are often some of the most difficult to negotiate. The gist of the buy-sell part of the Owners’ Agreement is to establish the rules for what happens if […]

Read more about How Does Buy-Sell Insurance Work For An Owners’ Agreement?

Status on Social Media Moderation Statutes and Cases

Status on Social Media Moderation Statutes and Cases

Internet Law

Social media content moderation by technology platforms was one of the “hot” legal topics in 2023-2024. Three States — California, Texas, and Florida — passed different statutes to either require more content moderation (California) or to limit such moderation (Texas and Florida). All the statutes, in one way or another, demanded more transparency and information […]

Read more about Status on Social Media Moderation Statutes and Cases

Put Revision Legal on your side