Privacy in Mergers, Acquisitions & Divestitures: Why Data Protection Should Never Be an Afterthought 2025
When two companies decide to merge, when a startup is bought out, or when a business unit is sold off, there’s one thing that always comes with the deal: data. Customer data, employee records, supplier details: in today’s digital economy, personal information is often one of the most valuable assets being transferred. But while the financial and strategic sides of a merger or acquisition usually get all the attention, the privacy implications can be just as critical. Mishandling personal data during a transaction can not only breach the law but also erode trust and even kill the deal.
One of the most famous examples of this came from the early days of e-commerce. When Toysmart.com went bankrupt, it attempted to sell its customer list, despite having promised users in its privacy policy that their information would “never be shared with third parties.” The U.S. Federal Trade Commission (FTC) intervened, declaring the sale deceptive under the FTC Act. It was a landmark reminder that even in bankruptcy or acquisition, companies remain bound by their privacy commitments. In short, you can’t treat data like any other asset, because people’s rights come with it.
During the due diligence phase of a merger or acquisition, privacy risks often emerge long before the ink is dry. Buyers typically request access to detailed business data to evaluate the target company’s value and potential liabilities. This might include customer lists, HR records, or even usage data from apps and websites. The problem? Much of that data is personal, and sharing it prematurely can create compliance issues. A smart approach is to anonymize or aggregate the data before sharing, or at least ensure that a strong confidentiality agreement limits its use solely to evaluating the deal. In some cases, it’s better to wait until closing before transferring any identifiable personal data.
Privacy policies also play a big role here. Laws like California’s Online Privacy Protection Act (CalOPPA) require companies to disclose the categories of third parties with whom they share data. If your privacy notice doesn’t mention that data may be transferred as part of a merger or acquisition, you could be violating your own policy, and that can trigger enforcement. This is why many companies now include language stating that personal data may be disclosed or transferred as part of a merger, acquisition, or even negotiations for such a deal. Including this upfront notice gives legal flexibility and transparency to everyone involved.
Once the deal closes, the focus shifts to integration. The acquiring company needs to decide how to handle the newly obtained personal data, whether to merge it with existing databases or keep it separate. Two big principles come into play. First, use compatibility: the buyer can usually use the data as the seller did, but if they plan to use it for new purposes, they might need to update privacy notices or even get fresh consent from users. The FTC has required this in several post-merger cases. Second, data segregation: when only part of a business is sold, only the data relevant to that business should transfer. That means careful data mapping and filtering to ensure that unrelated personal information doesn’t accidentally go with it.
Privacy and security due diligence are now standard in any serious M&A process. Buyers assess whether the target company complies with privacy laws such as GDPR, COPPA, or HIPAA, and whether it has faced data breaches or enforcement actions. They’ll also ask for representations and warranties confirming that the seller complies with data protection requirements and has disclosed any past issues. If hidden problems emerge (for example, undisclosed scraping of user data or lax security practices), the impact can be severe, ranging from a lower purchase price to a complete deal collapse.
After the acquisition, the work isn’t done. The new owner must integrate the acquired entity into its privacy and security framework. That may involve updating privacy notices, combining or segregating databases, and aligning cybersecurity controls. It’s also wise to communicate openly with users, explaining that their data has a new owner and outlining what that means for them.
The key takeaway for privacy professionals and for anyone studying for the CIPP or CIPM certifications is simple: privacy obligations don’t disappear during a merger or sale. Data protection travels with the data. Companies are accountable for the promises they’ve made, and regulators like the FTC have shown they will enforce those commitments, even in complex transactions or bankruptcy cases.
In the end, successful M&A isn’t just about numbers and strategy; it’s also about integrity and compliance. When organizations treat privacy as part of the value of the business, not just an afterthought, they protect both their reputation and the trust of the people behind the data.