Navigating Consumer Opt-Outs in Corporate Transactions: Insights on California’s AB 1824

On September 29, 2024, California Governor Gavin Newsom signed AB 1824  into law, amending the California Consumer Privacy Act (CCPA) to require entities involved in corporate transactions, such as mergers and acquisitions, to honor opt-out requests for the “sale” or “sharing” of personal information submitted prior to the transaction. The law aims to enhance consumer privacy protections during corporate transactions by ensuring that pre-existing opt-out requests are recognized and upheld by any transferee/buyer.

By way of background, the CCPA broadly defines “sales” to include any disclosure of personal information for monetary or nonmonetary value, including discounts or services. CCPA 1798.140(ad). Though corporate transactions involve the disclosure of personal information and an exchange of value, the law expressly excludes personal information exchanged incidental to a corporate transaction from the scope of a “sale” subject to the right of opt-out. CCPA 1798.140(ad)(2)(C).

“Sharing” refers to cross-contextual behavioral advertising, such as behavioral advertising cookies or custom audience tools. CCPA 1798.140(ad), (ah). Many covered businesses engage in practices subject to this opt-out right through their use of behavioral advertising cookies on their websites.

The new amendment requires any entity that “assumes control of all of, or part of, the transferor” to honor all opt-out requests concerning selling or sharing received by the transferor prior to the transaction. In practice, the amendment resolves an ambiguity over which party is responsible for an opt-out request received during the course of a corporate transaction. These opt-out request must be honored “no later than 15 business days from the date the business receives the request.” 11 CCR 7026(f)(1). Where an opt-out request is received immediately preceding the transaction’s closing date, the buyer would likely be responsible for ensuring compliance with the amendment.

Therefore, it will be crucial to include precise representations and warranties regarding the disclosure and recognition of opt-out requests in transactional agreements and to ensure that such requests have been properly accounted for during due diligence. For example, a well-drafted transactional document may require the disclosing party to identify all opt-out requests prior to disclosing personal information to the acquiring entity. The disclosing party should also represent and warrant that these requests have been communicated to all necessary third parties.

For covered businesses that use behavioral advertising cookies on their websites, transferring a list of opt-out requests received from website visitors may be onerous during the diligence process. One workaround may be to work with the covered business’s third party consent management vendor to receive a list of all relevant IP addresses or similar online identifiers linked to an opt-out request, or contracting to receive a continuation of services under the vendor’s contract upon the transaction’s closing. This will require a careful review of the existing agreement with the relevant vendor during due diligence to assess whether either solution is feasible.

Finally, there is an ambiguity as to whether the transferee receiving the assets would be prohibited from requesting consent to the sale or sharing of a consumer’s data within 12 months of the consumer submitting the request to the transferor. The CCPA prohibits covered businesses from asking consumers to consent to the sale or sharing of their personal information within 12 months of submitting an opt-out request. 11 CCR 7026(k). The new amendment does not clarify whether that 12-month period would be assumed by the transferee, or whether the 12-month period would no longer apply once the transfer is made. While it seems likely that the 12-month period would still apply to the transferee (or whatever period is left within that 12-month period), it will be a business decision about how to treat opt-out requests received through a corporate transaction. Covered businesses seeking to limit the risk of violating the CCPA should establish procedures to avoid soliciting consent from individuals who submitted opt-out requests to the transferor before the transaction for a 12-month period from the date of the initial request.

For businesses contemplating transactions in the coming months, the following considerations should be taken into account:

Transferer or Seller:

• Prepare an accurate list of California consumers who have submitted opt-out requests within the 12 months preceding a transaction.
• Confirm whether any existing agreement with a third party consent management vendor would allow for the transfer of its services in case of a corporate transaction.
• Draft the transactional agreement to require the buyer’s recognition of opt-out requests received immediately preceding or upon the date of the transaction’s closing, to the extent such requests are not automatically processed.

Transferee or Buyer:

• Assess whether any California personal information is likely to be disclosed in the transaction.
• Conduct thorough diligence on whether the selling entity has received any opt-out requests (or has maintained a process for receiving such requests), and confirm whether the requests have already been honored or need to be acted upon after post-close.
• Request a list of individuals who submitted opt-out requests within the 12 months preceding the projected closing date of the transaction to ensure compliance with this amendment.
• Draft the transactional agreement to require the disclosing party to provide an accurate and final list of all individuals who have submitted such requests.
• Establish procedures to prevent requesting consent for sales or sharing of personal information from consumers who have opted out of such processing in the previous 12 months to the extent the transferee has made a business decision to avoid requesting such consent.

If you have any questions about the CCPA and how it affects your business, please contact our experienced attorneys at BCLP. Our team is prepared to help your business navigate these new amendments.