M&A due diligence has evolved to include cybersecurity assessment as a standard component. Privacy risk due diligence — a distinct and increasingly significant category — has not kept pace. The gap is creating post-acquisition surprises that are both costly and largely preventable.
Companies acquire privacy liabilities along with assets. When a target has been running Meta Pixel on pages with video content without VPPA-compliant consent, the acquirer inherits that class action exposure. When a target has been collecting biometric data without BIPA-required disclosures, the acquirer inherits the litigation risk. When a target's privacy policy hasn't been updated to reflect its actual data practices, the acquirer inherits the regulatory enforcement exposure. These liabilities don't disappear at closing. In many cases, the acquisition itself — by creating a new entity responsible for the target's practices — triggers disclosure obligations that accelerate regulatory scrutiny.
Cybersecurity due diligence became standard M&A practice following a series of high-profile acquisition disasters. Verizon's acquisition of Yahoo — preceded by undisclosed breaches affecting billions of accounts — resulted in a $350 million price reduction and became the case study for why security diligence matters. The transaction community absorbed the lesson: technical security assessment is now a standard component of deal diligence.
Privacy risk has a different profile that has made it slower to enter deal processes. Cybersecurity risk is binary in a way that resonates with deal teams: either the company was breached or it wasn't. Privacy litigation risk is probabilistic and forward-looking: based on current practices and the legal landscape, what is the likelihood and potential magnitude of litigation or regulatory action? This probabilistic assessment requires privacy-specific expertise that deal teams and generalist counsel don't typically have.
The other factor is that privacy litigation risk has escalated rapidly. The deal structures and indemnification practices developed over the past decade were calibrated to a world where privacy litigation was uncommon and settlement amounts were modest. VPPA class actions settling for $50-100 million, BIPA claims settling for hundreds of millions, and state attorney general enforcement actions with multi-million dollar penalties are recent phenomena. Deal teams that haven't updated their diligence frameworks don't know what they don't know.
Effective privacy due diligence for M&A transactions requires outside-in technical assessment of the target's observable data practices combined with document review of privacy policies, consent mechanisms, and any prior regulatory interactions. The combination produces a risk profile that maps specific exposure areas to applicable legal frameworks and estimated liability ranges.
The most reliable component of privacy diligence is technical analysis that doesn't depend on the target's self-reporting. This assessment examines the target's digital properties — websites, mobile applications, and any other consumer-facing technology — and documents the actual data flows: what third-party code is loaded, what data is transmitted to which parties, what consent mechanisms exist and whether they function as described.
This analysis is done from outside the target, using the same tools and methodology that regulators and plaintiffs' counsel use to identify enforcement targets. It produces findings that are independent of what the target discloses in the due diligence process and provides a baseline for evaluating the completeness and accuracy of the target's representations.
Specific findings the outside-in assessment targets: Meta Pixel, Google Analytics, or other tracking tools present on video content pages (VPPA exposure); session replay tools deployed without adequate consent disclosure (CIPA/state wiretapping exposure); biometric data collection components in HR, access control, or customer-facing systems (BIPA exposure); third-party data sharing inconsistent with privacy policy disclosures (FTC deception exposure); consent mechanisms that don't meet state opt-out requirements (multi-state privacy law exposure).
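An added example, not from the article or any vendor, of the kind of static check that underpins the outside-in assessment described above: a small Python scanner, standard library only, that parses a page's HTML, records which third-party tracking loaders are present and whether the page carries video content, and maps the combination to the exposure categories listed above. The sample pages are constructed for the demonstration; the tracker host list and inline signatures are an illustrative starting set taken from the vendors' public install snippets, not a complete inventory, and the exposure labels are the article's categories, not a legal conclusion.

```python
"""Static outside-in scan of a page for tracking tags and video content."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Illustrative mapping of third-party loader hosts to a tracker category.
# Starting set only (assumed from public install snippets); extend per engagement.
TRACKER_HOSTS = {
    "connect.facebook.net": "meta_pixel",
    "www.googletagmanager.com": "google_analytics",
    "www.google-analytics.com": "google_analytics",
    "static.hotjar.com": "session_replay",
    "edge.fullstory.com": "session_replay",
}

# Pixel/tag loaders are usually injected by an inline bootstrap rather than
# a bare <script src>, so inline script text is checked for these calls too.
INLINE_SIGNATURES = {"fbq(": "meta_pixel", "gtag(": "google_analytics"}

# Embedded players count as video content alongside native <video> elements.
VIDEO_EMBED_HOSTS = {"www.youtube.com", "youtube.com", "player.vimeo.com"}

TAGS_WITH_VPPA_RELEVANCE = {"meta_pixel", "google_analytics"}


class _PageScanner(HTMLParser):
    """Collects external script sources, inline script text and video elements."""

    def __init__(self):
        super().__init__()
        self.script_srcs = []
        self.inline_scripts = []
        self.has_video = False
        self._in_inline_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            if a.get("src"):
                self.script_srcs.append(a["src"])
            else:
                self._in_inline_script = True
        elif tag == "video":
            self.has_video = True
        elif tag == "iframe" and a.get("src"):
            if urlparse(a["src"]).hostname in VIDEO_EMBED_HOSTS:
                self.has_video = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_inline_script = False

    def handle_data(self, data):
        # HTMLParser hands <script> bodies to handle_data as raw text.
        if self._in_inline_script:
            self.inline_scripts.append(data)


def scan_page(html):
    """Return the trackers found, whether video is present, and exposure labels."""
    p = _PageScanner()
    p.feed(html)
    p.close()
    trackers = set()
    for src in p.script_srcs:
        host = urlparse(src).hostname  # handles https:// and protocol-relative //
        if host in TRACKER_HOSTS:
            trackers.add(TRACKER_HOSTS[host])
    for text in p.inline_scripts:
        for sig, category in INLINE_SIGNATURES.items():
            if sig in text:
                trackers.add(category)
    exposures = set()
    if p.has_video and trackers & TAGS_WITH_VPPA_RELEVANCE:
        exposures.add("VPPA: tracking tag on video content page")
    if "session_replay" in trackers:
        exposures.add("CIPA/state wiretapping: session replay deployed")
    return {"trackers": trackers, "has_video": p.has_video,
            "exposures": sorted(exposures)}


# Constructed sample pages (no real site) for a local run.
SAMPLE_VIDEO_PAGE = """<html><head>
<script>
fbq('init', '000000000000000'); fbq('track', 'PageView');
</script>
<script async src="//www.googletagmanager.com/gtag/js?id=G-PLACEHOLDER"></script>
</head><body><h1>Product demo</h1>
<video src="/media/demo.mp4" controls></video></body></html>"""

SAMPLE_REPLAY_PAGE = """<html><head>
<script src="https://static.hotjar.com/c/hotjar-0000000.js?sv=6"></script>
</head><body><form action="/contact">...</form></body></html>"""

SAMPLE_CLEAN_PAGE = """<html><body>
<iframe src="https://player.vimeo.com/video/000000"></iframe></body></html>"""

if __name__ == "__main__":
    for name, page in [("video page", SAMPLE_VIDEO_PAGE),
                       ("contact page", SAMPLE_REPLAY_PAGE),
                       ("clean page", SAMPLE_CLEAN_PAGE)]:
        print(name, scan_page(page))
```

The scan is deliberately static: it sees only what the served HTML contains, so tags injected after a consent choice, or loaded indirectly through a tag manager container, will not appear. In a real diligence exercise the static pass is paired with a browser capture of network requests under each consent state, and the resulting list of third parties is then compared line by line against what the target's privacy policy actually discloses.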
Document review in privacy diligence focuses on three categories: current privacy policies and terms compared against the technical findings, regulatory correspondence including any prior investigations, inquiries, or enforcement actions, and consent records demonstrating that required consents were obtained for data practices that require them.
Privacy policies require careful review not just for what they say but for what they don't say. A policy that accurately describes current practices but was last updated three years ago may be inconsistent with practices introduced since then. A policy that describes data sharing with "service providers" without specifically disclosing the third parties receiving data may create FTC deception exposure if those disclosures are legally required.
Prior regulatory correspondence is among the highest-value items in privacy diligence. A target that has received a civil investigative demand from a state attorney general, responded to an FTC inquiry, or been the subject of a consumer complaint investigation has already been put on notice about specific practices. Post-acquisition, the acquirer inherits the obligation to have addressed the issues that were flagged — and the enhanced liability that comes from acting with knowledge.
The patterns that appear in post-acquisition privacy problems are recognizable in retrospect:
The target's marketing team deployed Meta Pixel across the entire website, including pages with video content, as part of a campaign optimization initiative two years before the acquisition. Privacy and legal weren't involved. The pixel is still running. The acquiring company's first VPPA demand letter arrives eight months post-close.
The target uses a timekeeping vendor whose system includes a fingerprint reader. Illinois employees have been using it for four years. The vendor contract doesn't mention biometric data. The acquisition brings the practice to the attention of privacy counsel for the first time. A BIPA class action follows.
The target's privacy policy was last updated when the company was primarily a B2B software company. Since then, it has pivoted to a B2C consumer application with behavioral analytics, social login, and personalization features. The policy describes none of these. The CPPA initiates an audit of the consumer application eighteen months after the acquisition.
When privacy diligence identifies material exposure, the deal structure needs to reflect it. The specific structuring options depend on the nature and magnitude of the exposure, but common approaches include price adjustment to reflect identified contingent liability, specific indemnification provisions covering privacy litigation and regulatory action, escrow arrangements for quantified near-term risks, and representations and warranties insurance structured to cover privacy-specific exposure.
What doesn't work: relying on general representations and warranties that don't specifically address privacy compliance, and assuming that because the target's legal team didn't flag privacy issues, there aren't any. Privacy counsel with specific technical analysis capability is the difference between discovering privacy exposure in diligence — where it can be priced and structured around — and discovering it post-close, where the options are significantly more limited.