
Data Privacy Laws and DTC E-Commerce Acquisitions

by John DiGiacomo

Partner

Internet Law

When starting, acquiring, or merging with a direct-to-consumer (“DTC”) e-commerce business, there are many legal issues that must be considered. One of the more important is compliance with consumer data privacy statutes. Nearly 20 States in the U.S. have now enacted consumer data privacy and protection statutes. The general concern of these statutes is to protect consumer data that is collected by online businesses and then processed, stored, sold, shared, etc. Whether these statutes apply to your DTC e-commerce business now and whether they might be applicable after the acquisition/merger are among many potential legal issues that must be considered.

Are data privacy statutes applicable to your DTC e-commerce business NOW?

Unfortunately, the applicability of these data privacy statutes depends on several factors, and the statutes are not uniform. Thus, for example, the Kentucky Consumer Data Protection Act (“KCDPA”) applies to:

  • Businesses that conduct business in Kentucky OR produce products or services that are TARGETED to residents of Kentucky AND, in the previous 12 months, 
  • Controlled or processed personal data of 100,000 consumers or more (not just Kentucky consumers) OR
  • Controlled or processed personal data of 25,000 consumers AND derived over 50% of gross revenue from the sale of personal data

The Maryland Online Data Privacy Act (“MODPA”) uses a similar definition. The MODPA applies to:

  • Businesses that conduct business in Maryland OR produce products or services that are TARGETED to residents of Maryland AND, in the previous 12 months, 
  • Controlled or processed personal data of 35,000 consumers or more, EXCLUDING data processed solely for payment processing (emphasis added) OR
  • Controlled or processed personal data of at least 10,000 consumers AND derived over 20% of gross revenue from the sale of personal data

As can be seen, depending on the factors, the MODPA may apply to a DTC e-commerce business while the KCDPA may not. Note that there are other permutations in these data privacy statutes, and full due diligence will be necessary to determine if any of them apply.

Note further that the exception for payment processing may be less relevant to DTC e-commerce businesses, since these businesses tend to rely on data analytics, which in turn require the collection and storage of large amounts of information about who their consumers are and what their preferences are. Often, DTC businesses buy and trade data with other online retailers in order to locate consumers with an ideal set of preferences and behaviors.

Will any of the data privacy statutes apply to the DTC e-commerce business AFTER the acquisition or merger?

In determining the applicability of the statutes, the factors are based on the business AS A WHOLE, including subdivisions, affiliates, and other controlled businesses. So, an e-commerce business aggregator that begins a process of bringing many similar brands under one company may eventually meet one or more thresholds of applicability of these data privacy protection statutes.

An example is the recently reported acquisition by Havenly Brands of luxury home furnishing online brand Burrow. As reported, this is the fifth furnishing brand that Havenly has acquired “… as it builds out its portfolio of home brands.” If it has not already done so, Havenly will eventually find itself subject to compliance with at least one State’s consumer data protection statute.

Contact Internet Law and Data Privacy Attorneys at Revision Legal

For more information, contact the experienced e-commerce Merger and Acquisition Lawyers at Revision Legal. You can contact us through the form on this page or call (855) 473-8474.

Due Diligence: Mapping Data Privacy Exposure Before Closing

Privacy compliance due diligence in a DTC e-commerce acquisition requires a structured review of several distinct questions. First, what data does the target currently collect, process, store, and sell or share? Second, under which statutes is the target currently obligated to comply, based on where its customers are located? Third, is the target currently compliant with those statutes? Fourth, how will the combined entity’s data profile change after the acquisition — specifically, will the combination trigger applicability thresholds in any states where neither entity was previously covered?

The threshold question is often underestimated. A buyer that currently processes personal data of 80,000 consumers acquires a target that processes personal data of 30,000 consumers. Post-closing, the combined entity processes 110,000 consumers’ data — enough to trigger the Kentucky Consumer Data Protection Act’s 100,000-consumer threshold, even though neither party was previously subject to that statute. That post-closing compliance obligation does not show up in a standard legal due diligence review unless the acquisition team specifically maps the combined entity’s post-closing data profile against each applicable state statute.

Representations, Warranties, and Indemnification

In any acquisition of a business that collects personal data, the purchase agreement should include specific representations and warranties about data privacy compliance. Standard reps and warranties in this context include:

  • Seller has provided accurate and complete privacy notices to all consumers from whom it has collected personal data, in compliance with all applicable state statutes
  • Seller has not sold or shared personal data in a manner that required but did not obtain consumer consent
  • Seller has honored all consumer opt-out requests within the time periods required by applicable law
  • Seller has not received any formal or informal notice of investigation or enforcement inquiry from any state Attorney General or data protection authority
  • Seller’s privacy notices accurately describe all categories of data collected and all purposes for which data is processed, sold, or shared

Indemnification provisions in privacy-related acquisitions should be broader than standard commercial indemnities. The seller should indemnify the buyer for any civil penalty, regulatory fine, class action settlement, or remediation cost arising from a privacy violation that occurred before the closing date, including violations that are discovered after closing. Given that many state privacy statutes have three- to five-year statute of limitations periods, and given that many privacy enforcement actions are triggered by consumer complaints that arrive years after the underlying violation, post-closing indemnification exposure can extend for several years.

Data Transfers, Compatibility, and Post-Acquisition Integration

One of the underappreciated legal risks in DTC e-commerce acquisitions is the transfer of personal data from the target to the buyer as part of the acquisition itself. Consumer data is a key asset in most DTC acquisitions — the customer list, purchase history, behavioral data, and preference profiles are often why the buyer is paying a premium. But that data transfer may itself require consumer notice or consent under applicable privacy statutes.

California’s CPRA, for example, requires that consumers be notified of any new purpose for which their personal data will be used that was not disclosed in the original privacy notice. If the target’s privacy notice stated that personal data would be used “to fulfill your orders and communicate with you about our products,” and the buyer plans to use that same data for cross-brand marketing, targeted advertising across the buyer’s portfolio, or sale to data analytics partners, the original consent may be insufficient. The buyer may need to send updated privacy notices to all transferred consumers and provide them an opportunity to opt out before the new uses begin.
