
M&A Nuggets: Be Prepared for Due Diligence, Before You Go to Market Part 3 – Privacy Policies




This is Part 3 of a series on steps business sellers should take to make sure their house is in order before going to market.  The Health Insurance Portability and Accountability Act, better known as HIPAA, was enacted in 1996 as one of the first laws to protect the privacy of personally identifiable information.  The increase in attempts by cybercriminals to obtain private information or hold it hostage, whether through ransomware, phishing attacks or other efforts, has been part of the reason for spurts in the enactment of additional privacy laws to protect personal information.  Because personal information has become more susceptible to attack and the number of laws designed to protect it has grown, privacy laws and policies have become one of the due diligence areas buyers focus on most.

To be prepared, sellers must first understand which privacy laws apply to them.  In the United States, HIPAA, which is designed to protect healthcare information, is the most significant federal law.  At present, there is no overall federal law protecting privacy information in general.  However, several States have enacted their own privacy laws, including California, Virginia, Utah, Colorado and Connecticut, and more are on the way.  It is important to determine whether these laws apply to your business.  A State’s law may apply to your business even though you do not do business in that State.  Among the most important overseas laws is the General Data Protection Regulation, known as GDPR, which regulates the information of residents of the European Union.  Again, just because your business does not operate in the European Union does not mean that your business is not subject to the GDPR, as that law applies to businesses that collect and process information of European residents.

The privacy laws establish policies and standards that must be followed to protect personal information.  Once it is understood what laws are applicable to your business, the next step is to determine whether your business has in place the policies and standards that are required, including whether its online privacy policies and terms of use are sufficient.  Making sure that your business is in compliance with privacy laws will not only go a long way to protect the personal information of persons who do business with you (your employees, customers and members of the public who visit your website or app), but will provide comfort to potential buyers that you have adequately dealt with this area of high risk.

If you have any questions about this or any other M&A issue, please contact Glenn Solomon at 443-738-1522.


ABOUT GLENN D. SOLOMON | 443-738-1522

Glenn D. Solomon is a principal at Offit Kurman and has provided counsel to businesses and business owners for more than twenty-five years. He has extensive experience in the purchase and sale of businesses, structuring ownership agreements, and advising companies in financial distress.












Offit Kurman, one of the fastest-growing, full-service law firms in the United States, serves dynamic businesses, individuals and families. With 18 offices and more than 250 lawyers who counsel clients across more than 30 areas of practice, Offit Kurman helps maximize and protect business value and personal wealth by providing innovative and entrepreneurial counsel that focuses on clients’ business objectives, interests and goals. The firm is distinguished by the quality, breadth and global reach of its legal services and a unique operational structure that encourages a culture of collaboration. For more information, visit