CCPA Pre-LOI Due Diligence.

Five investigation areas for PE deal teams evaluating targets with California consumer exposure. The opt-out records and vendor agreements tell the real story.

CCPA due diligence is different from GDPR diligence. CCPA is an opt-out law, not a consent law. The investigation focuses not on whether consent was collected, but on whether opt-out rights are honored, whether data sharing is properly disclosed and governed, and whether the acquisition itself will trigger new compliance obligations. The five areas below produce the findings that matter in deal negotiations.

1. Opt-Out Mechanism Audit

The first investigation area is the target's opt-out infrastructure. CCPA requires a "Do Not Sell or Share My Personal Information" link. CPRA requires recognition of Global Privacy Control signals. The audit evaluates whether these mechanisms exist, whether they function, and whether opt-out signals are propagated to all downstream processors.

What we see consistently is a three-part failure. The link exists on the website. It connects to a form or a consent management platform (CMP) interface. But the signal generated by that form is not propagated to the advertising platforms, the email service provider (ESP), the analytics tools, or the data sharing partners. The consumer believes they have opted out. The company's systems continue processing their data. The opt-out record exists in one system. The actual data processing continues in twenty others.

GPC signal recognition is a separate, technical investigation. The audit tests whether the target's website detects the GPC header, whether detection triggers the same opt-out workflow as a manual request, and whether the GPC signal is recorded and enforceable. Most companies we audit do not detect GPC signals at all. Their consent management platform may support GPC detection, but the feature was never enabled.

Field observation: A California D2C brand had processed 2,300 "Do Not Sell" requests over two years. When we audited the downstream propagation, zero of those opt-out signals had been transmitted to Meta, Google, or the company's three data sharing partners. The opt-out requests were stored in a spreadsheet maintained by the customer support team. No technical integration existed to honor them.
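The two checks described in this section, GPC signal detection and downstream propagation, as an added example that is not the article's own audit tooling. It assumes a central opt-out ledger and that each downstream processor can export a suppression list; the header name Sec-GPC comes from the Global Privacy Control specification, and the processor names and sample records are constructed.

```python
# Added example (not from the article): GPC detection plus a propagation audit.
# The GPC spec signals opt-out with the request header "Sec-GPC: 1".
from dataclasses import dataclass


def gpc_opt_out_requested(headers: dict[str, str]) -> bool:
    """True when the request carries a valid GPC signal. Header names are
    case-insensitive; only the value "1" is defined, so anything else counts
    as no signal (a missing header must not be treated as an opt-in)."""
    for name, value in headers.items():
        if name.lower() == "sec-gpc":
            return value.strip() == "1"
    return False


@dataclass(frozen=True)
class OptOutRecord:
    consumer_id: str
    source: str  # how the opt-out arrived: "link", "gpc", "support_ticket"


def propagation_gaps(opt_outs: list[OptOutRecord],
                     suppression_lists: dict[str, set[str]]) -> dict[str, list[str]]:
    """Per downstream processor, the opted-out consumers missing from that
    processor's suppression list. An empty list means fully propagated."""
    opted_out = {r.consumer_id for r in opt_outs}
    return {proc: sorted(opted_out - suppressed)
            for proc, suppressed in suppression_lists.items()}


def propagation_rate(opt_outs, suppression_lists) -> dict[str, float]:
    """Fraction of distinct opt-outs honoured per processor (1.0 = complete)."""
    total = len({r.consumer_id for r in opt_outs})
    gaps = propagation_gaps(opt_outs, suppression_lists)
    return {proc: 1.0 if total == 0 else (total - len(missing)) / total
            for proc, missing in gaps.items()}


# Constructed sample: three central opt-outs, three processors with differing coverage.
SAMPLE_OPT_OUTS = [
    OptOutRecord("c-101", "link"),
    OptOutRecord("c-102", "gpc"),
    OptOutRecord("c-103", "support_ticket"),
]
SAMPLE_SUPPRESSION = {
    "ad_platform": set(),                       # nothing ever transmitted
    "esp": {"c-101", "c-103"},                  # partial propagation
    "analytics": {"c-101", "c-102", "c-103"},   # fully propagated
}
```

Run against a real ledger, the `ad_platform` row is the spreadsheet-only failure the field observation describes: every opt-out present centrally, none honoured downstream.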

2. Data Inventory and Classification

CCPA defines 16 categories of personal information, from identifiers and commercial information to biometric and geolocation data. CPRA added "sensitive personal information" as a distinct category with separate opt-out rights. The pre-LOI investigation must determine what categories of personal information the target collects, whether it has classified them correctly, and whether the privacy policy disclosures match the actual data collection.

The data inventory is not a spreadsheet exercise. It requires examining the actual data stores: the CRM schema, the CDP data model, the analytics event taxonomy, the advertising pixel payloads, the cookie inventory. What companies disclose in their privacy policy and what they actually collect are often different. The privacy policy was written when the company had three tools. It now has thirty. Nobody updated the disclosures.

Sensitive personal information under CPRA requires special attention. The category includes precise geolocation, racial or ethnic origin, religious beliefs, health data, sex life or sexual orientation data, Social Security numbers, financial account details, and the contents of mail, email, and text messages. Companies must provide a separate right to limit the use of sensitive personal information. Most companies we audit do not distinguish between ordinary and sensitive personal information in their data architecture.

3. Service Provider and Contractor Agreement Review

CCPA imposes specific contractual requirements on businesses that disclose personal information to service providers and contractors. The agreements must include: the specific business purposes for which the personal information is disclosed, a requirement that the service provider not sell or share the personal information, a requirement that the service provider not use the personal information outside the business relationship, and a certification that the service provider understands and will comply with these restrictions.

The pre-LOI review pulls a sample of vendor agreements (typically 10-15 covering the highest-volume data processors) and evaluates them against CCPA/CPRA contractual requirements. The typical finding is that 60-80% of agreements lack CCPA-specific terms. They may have generic confidentiality clauses. They may reference "applicable law." But they do not contain the specific restrictions and certifications that CCPA requires.

This is a negotiating point. Non-compliant vendor agreements represent a post-close remediation cost. Every agreement must be renegotiated to include CCPA terms. For a company with 30-50 vendors processing personal information, this represents 2-3 months of legal work. That cost should be reflected in the deal model, not discovered in the first quarter of ownership.

4. Data Broker Classification Analysis

CCPA defines a data broker as a business that knowingly collects and sells to third parties the personal information of consumers with whom the business does not have a direct relationship. Data brokers must register with the California Attorney General and comply with additional obligations including the new Delete Act requirements.

The classification analysis evaluates whether the target's business model triggers data broker status. Lead generation companies, B2B data providers, audience data platforms, and ad tech companies commonly meet the definition. The analysis examines whether the target collects personal information about individuals who are not its direct customers, whether it sells or licenses that information to third parties, and whether it has registered with the California AG.

Unregistered data broker status is a specific enforcement target. The California AG has pursued enforcement actions against unregistered data brokers. For PE acquirers, inheriting an unregistered data broker creates immediate enforcement exposure. The remediation is straightforward (register and comply) but the historical non-compliance may trigger penalties for the period of non-registration.

5. Post-Acquisition Data Use Assessment

The fifth investigation area is forward-looking. It evaluates whether the planned post-close data integration will trigger new CCPA obligations. CCPA Section 1798.100(b) requires businesses to provide notice at or before the point of collection about the categories of personal information to be collected and the purposes for which they will be used. If the acquirer plans to use the target's consumer data for purposes not disclosed in the target's privacy policy, new notice and potentially new opt-out rights are triggered.

ESP migrations are the most common trigger. When the target's email database is moved to the acquirer's ESP, the data is now being processed by a different entity for potentially different purposes. CRM consolidations trigger similar issues. Data warehouse integrations that combine the target's consumer data with the acquirer's data create new processing purposes that the original privacy policy did not contemplate.

The pre-LOI assessment maps the planned integration activities against CCPA notice and opt-out requirements. For each planned data use change, the assessment identifies whether new notice is required, whether new opt-out rights are triggered, and what the operational cost of compliance is. This becomes an input to the integration timeline: activities that trigger CCPA obligations must be sequenced to allow for compliant notice and opt-out processes before the data use changes.
