Why CCPA Creates PE-Specific Risk
The California Consumer Privacy Act, as amended by the California Privacy Rights Act (CPRA), applies to any business that collects personal information from California residents and meets one of three thresholds: $25 million in annual gross revenue, buying/selling/sharing personal information of 100,000 or more consumers or households, or deriving 50% or more of annual revenue from selling or sharing personal information. Most PE acquisition targets with any California market exposure meet at least the first threshold.
CCPA's risk profile for PE acquirers is different from GDPR or LGPD. CCPA is an opt-out regime, not an opt-in regime. The law does not require consent before data collection. It requires that consumers be given the right to opt out of the sale or sharing of their personal information, the right to delete their data, the right to know what data has been collected, and the right to non-discrimination for exercising those rights. CPRA added the right to correct inaccurate data, the right to limit use of sensitive personal information, and the right to opt out of automated decision-making.
The PE-specific risk appears in the acquisition itself. When a company is acquired, the personal information it holds transfers with the assets. If the acquirer changes how that data is used beyond what was disclosed in the original privacy policy, it triggers new notice and opt-out obligations under CCPA Section 1798.100(b). ESP migrations, CRM consolidations, and data warehouse integrations post-close routinely change how data is used. Most deal teams do not evaluate whether those planned integrations trigger CCPA obligations.
Operational Implications for Portfolio Companies
CCPA's operational impact on PE-backed companies centers on three areas. First, opt-out signal management. CCPA requires businesses to honor opt-out requests, including Global Privacy Control (GPC) browser signals. CPRA made GPC recognition mandatory. What we see in practice is that companies have a "Do Not Sell My Personal Information" link on their website but no technical infrastructure to process the signal. The link exists. The backend process does not. Opt-out requests are received but not propagated to downstream processors, advertising platforms, or data sharing partners.
Second, data broker obligations. CCPA defines "data broker" specifically and imposes registration requirements with the California Attorney General. Companies that sell personal information about consumers with whom they have no direct relationship must register as data brokers. PE-backed companies that aggregate and resell consumer data, operate lead generation platforms, or maintain B2B contact databases that include California residents may trigger data broker classification. The classification carries separate penalties and obligations beyond standard CCPA compliance.
Third, service provider and contractor agreements. CCPA and CPRA impose specific contractual requirements on businesses that share personal information with service providers and contractors. These are not generic data processing agreements. They must include CCPA-specific terms: restrictions on the service provider's use of the data, certification that the service provider understands and will comply with CCPA, and the business's right to take reasonable steps to ensure the service provider uses personal information consistent with CCPA. Most vendor agreements we review in pre-LOI audits lack these terms.
Key Signals in Due Diligence
No GPC Signal Processing
The company's website does not detect or honor Global Privacy Control signals. CPRA makes GPC recognition mandatory. Non-compliance is per-visitor, per-visit.
Opt-Out Records Missing
No centralized record of consumer opt-out requests. Opt-out signals are not propagated to advertising platforms, ESPs, or data sharing partners.
Non-Compliant Vendor Agreements
Service provider and contractor agreements lack CCPA-specific terms. Data sharing is happening without the contractual safeguards CCPA requires.
No Data Retention Schedule
CPRA requires businesses to disclose retention periods and not retain data longer than necessary. Most companies we audit have no documented retention policy.
CPPA Enforcement Direction
The California Privacy Protection Agency (CPPA) became the primary enforcer of CCPA/CPRA in July 2023, taking over from the California Attorney General. The CPPA's enforcement approach has been active from the start. The agency conducted its first sweep of enforcement actions targeting companies that failed to honor opt-out requests and GPC signals. Penalties are $2,500 per unintentional violation and $7,500 per intentional violation, with no aggregate cap.
The per-violation structure creates significant cumulative exposure. A company with 100,000 California consumers that fails to honor GPC signals faces theoretical maximum exposure in the hundreds of millions. Actual enforcement has been more targeted, but the CPPA's public statements make clear that systematic non-compliance with opt-out mechanisms is a priority area.
For PE acquirers, CPPA enforcement creates a specific timeline risk. The agency has shown willingness to investigate post-acquisition data practices. An acquirer that re-purposes consumer data without proper notice, or that fails to honor pre-acquisition opt-out records during integration, faces enforcement exposure that is attributable to post-close decisions. That exposure cannot be indemnified by the seller. It belongs entirely to the buyer.
Related Reading
For analysis on how data compliance failures surface in deal processes, see data deliverability and the data debt hidden in acquisitions.