GDPR vs CCPA in Vendor M&A Review

Compare GDPR and CCPA risks in vendor M&A: role mapping, DPAs/SCCs/TIAs, notice and opt-out checks, and deal-impact remediation.

If I’m buying a company that relies on vendors, I’m not just buying software and contracts - I’m buying old privacy risk too. Under GDPR, fines can hit €20 million or 4% of global annual revenue. Under CCPA, penalties can reach $7,500 per intentional violation. That can change price, indemnities, escrow terms, and closing conditions fast.

Here’s the short version:

  • I need to map what personal data vendors handle
  • I need to confirm each party’s legal role
  • I need to check which law applies
  • I need to review DPAs, service provider terms, SCCs, and TIAs
  • I need to separate fix-now issues from risk-allocation issues
  • I need to flag past transfer gaps that won’t disappear after closing

The biggest split is simple: GDPR focuses on legal basis, controller/processor roles, and cross-border transfer rules. CCPA focuses on notice, opt-out rights, and whether a vendor is a service provider, contractor, or third party.

That means my diligence usually comes down to a few high-impact checks:

  • Under GDPR, I look for:
    • lawful basis under Article 6
    • Article 28 contract terms
    • valid 2021 SCCs
    • a TIA for EU-to-U.S. transfers
  • Under CCPA/CPRA, I look for:
    • notice at collection
    • a working “Do Not Sell or Share My Personal Information” link where needed
    • contract language that keeps vendors in service provider or contractor status
    • old data-sharing setups that may count as a sale or sharing

One bad role label can throw off notices, contracts, and risk analysis under both laws. And if old EU-to-U.S. transfers lacked valid SCCs, I can fix future flows, but I can’t erase past exposure.

CF on Cyber: Cybersecurity Due Diligence in M&A Deals Under the CCPA and GDPR

Quick Comparison

| Point | GDPR | CCPA / CPRA |
|---|---|---|
| Main roles | Controller, Processor | Business, Service Provider, Contractor, Third Party |
| What drives review | Legal basis, contracts, transfers | Notice, opt-out, vendor status |
| Cross-border rules | Yes: adequacy, SCCs, TIA | No GDPR-style transfer rule |
| Vendor contract focus | Article 28 DPA terms | No sale/sharing; no extra use outside service scope |
| Main user rights | Access, Erasure, Portability, Objection | Know, Delete, Correct, Opt-out |
| Big deal risk | Missing SCCs, missing DPAs, bad role mapping | Weak service provider terms, hidden sale/sharing, bad notices |

If I had to boil the article down to one point, it’s this: GDPR problems usually sit in transfer rules and processing rules, while CCPA problems often sit in vendor classification and opt-out failures. That’s the lens I’d use before I touch price, reps, or closing steps.

GDPR vs CCPA: Key Differences for Vendor M&A Due Diligence

In vendor M&A review, the gap between GDPR and CCPA shapes diligence requests, contract red flags, and the cost to fix problems.

| Feature | GDPR | CCPA / CPRA |
|---|---|---|
| Key roles | Controller, Processor | Business, Service Provider, Contractor, Third Party |
| Scope thresholds | Any entity targeting or monitoring EU residents | For-profit businesses in California with more than $26,625,000 in annual gross revenue; 100,000+ consumers or households; or 50%+ of revenue from selling or sharing data [4] |
| Legal basis | Required for all processing (Art. 6) | Not required; focus on opt-out rights |
| Notice requirement | Arts. 13/14 notice duties | Notice at collection; "Do Not Sell/Share" link |
| Individual rights | Access, Erasure, Portability, Objection | Know, Delete, Correct, Opt-out of Sale/Sharing |
| Contract mandates | Article 28 DPA terms | Prohibitions on data use outside the defined service |
| Cross-border rules | Strict: adequacy decision or SCCs/TIAs required | No GDPR-style transfer restriction |
| Sale / sharing concept | No separate sale/sharing concept; transfer risk sits in processing and transfer rules | Explicitly defined; triggers opt-out obligations |
| Max regulatory fine | Up to €20 million or 4% of global annual revenue [2] | Up to $7,500 per intentional violation [2] |

Those differences tell you which vendor records deserve the closest look: role maps, notices, DPAs, and transfer terms.

Scope, roles, and enforcement differences

Under GDPR, the two roles that matter most are controller and processor. The controller decides what personal data gets collected and why. The processor handles that data only on the controller's instructions.

CCPA uses a similar setup, but with different labels. You look at business as the rough controller equivalent, service provider or contractor as the rough processor equivalent, and third party for any entity that falls outside those two buckets.

That third party label is where deals can get messy fast. If a vendor receives personal information without a compliant service provider contract, the transfer may be treated as a sale under CCPA. Once that happens, opt-out duties kick in right away. And in many deals, the target never built those mechanics in the first place.

As M&A attorney Alex Lubyansky put it:

"Controller and processor misclassification is the foundational error in data privacy diligence. If a target has categorized itself as a processor when it functions as a controller, its privacy notice, consent records, and contractual flow-downs are structurally defective." [1]

This kind of mix-up isn't just bad labeling. It's more like building a house on the wrong blueprint. The contracts are off, the notices are off, and the consent records are off too.

Notice, rights, and transfer rules that affect diligence

GDPR requires a documented legal basis for every processing activity, whether that's consent, contract, legitimate interest, or something else under Art. 6. CCPA does not. Instead, it centers on notice at collection and the consumer's right to opt out of sale or sharing.

That changes what diligence looks like in practice. A GDPR-compliant target should be able to map a legal basis to each data flow. A CCPA-compliant target should be able to show clear disclosures and working opt-out tools. Same broad privacy theme, very different homework.

Cross-border transfers create another review path under GDPR that CCPA simply does not impose. Any EU-to-US data flow needs an adequacy decision or approved safeguards such as Standard Contractual Clauses (SCCs). And those SCCs must be the 2021 version. Older 2010-era SCCs are not valid.

That point matters more than it may seem. If SCCs are missing or defective for data already transferred, the problem can't be fixed after the fact. The buyer takes on that past exposure at closing [1]. CCPA has no matching geographic transfer rule, though cross-border vendor arrangements can still create sale or sharing issues based on how data moves between parties.

There's also one CCPA-specific item buyers need on the checklist. Under AB 1824, effective January 1, 2025, a buyer must honor any opt-out requests that consumers gave to the seller before the deal closed [4].

Use these differences to guide the vendor-by-vendor review that comes next.

Vendor review areas that differ under each law

With roles and transfer rules mapped, the next step is to review the vendor records that back them up.

Role mapping and data flow review

Start with the RoPA (Record of Processing Activities) or data map. That shows which personal data each vendor touches, why it touches that data, and in what role. Without that foundation, role mapping turns into guesswork. [1]

The role classification issue matters a lot here. A B2B SaaS vendor may say it's a processor under GDPR or a service provider under CCPA. But if that same vendor uses customer data for its own product analytics, it's acting as a controller. A bad label doesn't just sit on paper. It throws off notices, contracts, and transfer analysis.

Under CCPA, this mistake can be just as expensive. If a vendor gets personal information without the needed service provider or contractor terms in place, that transfer can be treated as a sale even if no money changes hands. The ad-tech stack needs extra scrutiny. Website pixels, scripts, and cookies can trigger CCPA sharing duties and opt-out rules. [1]

Required notices and consumer-facing disclosures

After roles are mapped, compare the target's public privacy policy with its actual data flows. If the policy says "we do not sell data" but the site uses third-party tracking pixels, that's a plain compliance mismatch. When the policy and the data map don't line up, treat that gap as a diligence defect.

For GDPR, check that each processing activity has a documented lawful basis. For CCPA, confirm that the notice at collection is present and accurate, and that a working "Do Not Sell or Share My Personal Information" link appears where needed. It also helps to review older privacy policies. If the target told users one thing while its data flows did another, that's a red flag.

Contract terms to inspect first

The two biggest misses here are absent Article 28 DPA terms and missing CCPA sale or sharing limits. The contract review uses a different checklist under each law. This table shows the main provisions to confirm:

| Requirement | GDPR | CCPA/CPRA |
|---|---|---|
| Use restrictions (documented instructions) | Yes | Yes |
| Explicit prohibition on selling/sharing | No | Yes |
| Delete or return data at end of term | Yes | Yes |
| Sub-processor flow-down obligations | Yes | Yes (CPRA) |
| Audit or inspection rights | Mandatory right to audit | Right to take "reasonable steps" |

For GDPR, the main task is to confirm that Article 28 Data Processing Agreements (DPAs) are in place and include the required terms: subject matter, duration, nature and purpose of processing, data types, categories of data subjects, documented instructions, confidentiality duties, security requirements, and subprocessor approval rights. For CCPA, the focus shifts. You want contracts that clearly prohibit the vendor from selling or sharing personal information and stop the vendor from combining data from the target with data from other clients. [3]

Two contract gaps carry the most deal risk:

  • Missing or defective 2021 Standard Contractual Clauses (SCCs) for EU-to-US data flows. Those cannot be fixed after the fact for data that has already been transferred.
  • Missing or loose breach notice timing. If a vendor contract says "without undue delay" instead of setting a firm window like 48 hours, the buyer may not have enough time to meet GDPR's 72-hour reporting duty. [1][5]

Also review any contract rights that let the vendor use customer data for AI training. If the contract is silent or gives broad permission, flag it.

These contract gaps feed straight into the cross-border risk analysis next.

Cross-border risk and deal impact

International transfer risk in vendor arrangements

Once you’ve mapped the contract gaps, the next step is simple: check whether personal data moves across borders, and whether that transfer has legal cover.

Under GDPR, EEA-to-U.S. transfers need adequacy or valid 2021 SCCs plus a TIA. If the SCCs are broken, they do not clean up earlier transfers. That matters in deals. Past transfers made without valid SCCs stay on the books as inherited exposure at closing.

The SCC review is only part of the job. You also need to confirm whether the target has a Transfer Impact Assessment, or TIA, on file. A TIA explains why the destination country’s surveillance laws, including U.S. FISA 702, do not undercut the protection the SCCs are meant to provide. Without a TIA, the transfer setup is unfinished even if the 2021 SCCs were signed.

CCPA works differently. The risk does not depend on geography. It depends on classification. In plain English, the key question is whether the vendor terms keep the vendor in service provider status. Ad-tech pixels and analytics tools often create CCPA sharing unless the target has a working opt-out link.

How findings affect price, reps, indemnities, and timing

Each privacy issue needs to turn into a deal term, not just a note in diligence.

Here’s how the most common findings usually map to deal terms:

| Finding | Deal Impact | When |
|---|---|---|
| Missing or defective SCCs for EU data flows | Special indemnity / price adjustment | Pre-close (future flows); indemnity (past transfers) |
| Missing DPAs with core vendors | Closing condition | Pre-close |
| Unauthorized sub-processing | Reps & warranties / integration plan | Post-close |
| Weak or absent service provider terms | Special indemnity / escrow holdback | Pre-close (risk allocation) |

Missing SCCs are often the toughest item to absorb. Since they can’t be repaired for past transfers, buyers usually push for a special indemnity carved out from standard R&W insurance. An escrow holdback is common when the exposure is material but hard to price before close.

Missing or defective service provider terms under CCPA create a different, but still serious, problem. If a vendor was legally a third party receiving a sale of data, the target may have owed consumers an opt-out tool and never gave them one. That creates a backward-looking gap, and it’s one reason buyers often want cleanup or deal protection before signing.

A practical way to sort the issues is to place them into three buckets:

  • Items that need to be fixed before close, such as missing "Do Not Sell" links or core vendor DPAs
  • Items that should be handled through deal terms, such as past SCC gaps or backward-looking CCPA sale exposure
  • Lower-risk items that can wait for a post-close integration plan, such as merged privacy notices or long-tail vendor contracts

That split helps keep the deal moving without leaving the buyer stuck with open-ended liability.

Conclusion: A memo structure for GDPR and CCPA findings

What the final review memo should include

Turn the diligence findings above into a short memo that drives pricing, reps, indemnities, and closing steps.

The memo should convert diligence findings into clear deal actions. Split it into two separate tracks, one for GDPR and one for CCPA, so issues under each law don't blur together and ownership is easy to assign.

| Memo Section | GDPR Focus | CCPA Focus |
|---|---|---|
| Roles | Processor vs. Joint Controller | Service Provider, Contractor, or Third Party |
| Data flows | RoPA entries; EEA-to-U.S. transfer map | Inventory of sale or sharing |
| Contract gaps | Article 28 mandatory terms; 2021 SCCs; sub-processor flow-downs | Service provider language prohibiting use outside the business relationship |
| Transfer issues | TIA status; DPF certification; historical SCC gaps | Not applicable |
| Notice and rights gaps | Right to erasure; data portability; breach-notice deadlines | Do Not Sell or Share link; breach-notice deadlines |
| Remediation steps | Fix going forward; negotiate indemnity for historical gaps | Update vendor contracts; implement opt-out tools pre-close |
| Deal terms | Specific indemnity, escrow, or price adjustment | Reps & warranties; closing condition or post-close remediation covenant |

This format pushes the deal team to decide, fast, what has to be fixed before close and what can wait for post-close remediation.

The top priority is role misclassification and missing or defective 2021 SCCs for EU-to-U.S. transfers. Those are structural issues, and the SCC gap can't be cured for data already transferred [1].

Keep the memo short and specific: state the risk, name the governing law, and spell out the required action.

FAQs

Which law matters more in my deal?

It depends on the target company’s jurisdiction and how it handles data. GDPR can apply if the target has an establishment in the EU or UK, offers goods or services there, or monitors behavior. CCPA can apply if the target processes California residents’ personal information, including B2B and HR data.

In many deals, both can apply at the same time. That’s often what happens when data moves across borders and one company ends up facing rules from more than one regime at once.

What privacy issues must be fixed before closing?

Before closing, companies should clean up key privacy issues to cut regulatory and financial risk. That usually means checking a handful of items that can cause trouble fast if they're wrong or missing:

  • Controller and processor classifications, corrected where they are wrong
  • Privacy notices, consent records, and contractual flow-downs, brought into line with actual data flows
  • Standard Contractual Clauses for EU-to-US transfers, put in place where they are missing
  • Opt-out request records under CCPA, in a form that transfers to the buyer
  • Required Data Protection Impact Assessments and vendor contract terms

These points may sound dry, but they matter. A bad classification can throw off roles and duties. Missing transfer terms can create problems for cross-border data flows. And if opt-out records or vendor terms aren't in order, the buyer may inherit a mess instead of a clean handoff.

Can past GDPR or CCPA violations be fixed after acquisition?

No. Past GDPR or CCPA violations usually can't be fixed after the fact for data that has already been processed or transferred.

Once the deal closes, the buyer takes on the target’s compliance history, including past violations and any exposure that still exists. For example, if data was moved without a valid transfer mechanism, that issue doesn't disappear later. You can't go back and repair that past transfer. That's why diligence matters so much.
