Data Privacy & Compliance (CCPA, GDPR)

Privacy Law Is No Longer Optional — It’s Operational

Data privacy has shifted from a compliance afterthought to a core business function. With the California Consumer Privacy Act (CCPA), the EU’s General Data Protection Regulation (GDPR), and a growing patchwork of state-level privacy laws, every technology company that collects, processes, or stores personal data faces regulatory obligations that carry real enforcement risk. John Montague advises technology companies on data privacy compliance as an integrated part of his technology transactions practice — not as an isolated regulatory exercise, but as a business consideration that affects product design, commercial agreements, M&A diligence, and investor confidence. His fifteen-plus years of work with technology companies, rooted in the technology transactions practice he developed at Locke Lord LLP (now Troutman Pepper Locke), an AM Law 200 firm, give him the commercial context that pure privacy specialists sometimes lack.

From John Montague: Privacy compliance isn’t just about having the right policy on your website — it’s about whether your actual data practices match what the policy says. I’ve seen companies with perfectly drafted privacy policies that bear almost no resemblance to how the engineering team actually collects and processes data. That gap is where enforcement risk lives.

How We Help

Montague Law’s data privacy practice is built for technology companies that need practical, commercially informed guidance on compliance. John Montague’s work includes conducting privacy compliance assessments against CCPA, GDPR, and applicable state privacy frameworks; drafting and reviewing privacy policies, terms of service, and cookie consent mechanisms that accurately reflect actual data practices; negotiating data processing agreements, data sharing arrangements, and cross-border data transfer mechanisms; advising on privacy-by-design principles during product development and feature launches; preparing data breach response plans and advising on notification obligations when incidents occur; and conducting privacy due diligence in M&A transactions to identify compliance gaps that could create successor liability for acquirers.

The Regulatory Landscape Is Fragmenting

The days when a single privacy policy could cover a company’s compliance obligations are over. CCPA and its amendment, the California Privacy Rights Act (CPRA), created comprehensive privacy rights for California residents. GDPR imposes strict requirements on any company processing data of EU individuals. And a growing number of states — Virginia, Colorado, Connecticut, Utah, Texas, Oregon, and others — have enacted their own privacy laws, each with slightly different requirements, thresholds, and enforcement mechanisms.

For technology companies with national or international user bases, this fragmentation creates a multi-layered compliance challenge. A SaaS company serving customers across the U.S. and Europe may need to comply with GDPR, CCPA/CPRA, and several state privacy laws simultaneously — each with different consent requirements, opt-out mechanisms, and data subject rights. John Montague helps companies build unified compliance frameworks that satisfy multiple regulatory regimes without creating operational paralysis.

Privacy compliance is also increasingly relevant in corporate transactions. Investors conducting due diligence on potential portfolio companies examine data practices and privacy compliance as indicators of operational maturity and regulatory risk. Acquirers in technology M&A look at privacy compliance as a potential source of successor liability. Drawing on his venture capital and M&A practices, John advises companies to treat privacy compliance not just as a legal obligation, but as a strategic asset that supports fundraising, partnerships, and exit readiness.

Frequently Asked Questions

Does my company need to comply with CCPA?

The CCPA applies to for-profit businesses that collect personal information of California residents and meet certain thresholds — generally, annual gross revenue over $25 million, buying or selling personal information of 100,000 or more consumers or households, or deriving 50% or more of annual revenue from selling or sharing consumers’ personal information. Even companies not based in California may be subject to the law if they do business with California residents.

What is the difference between CCPA and GDPR?

While both laws give individuals rights over their personal data, they differ in significant ways. GDPR requires a lawful basis for processing (such as consent or legitimate interest), while CCPA focuses on the right to know, delete, and opt out of the sale or sharing of personal information. GDPR has broader scope, stricter consent requirements, and potentially larger penalties. Many companies doing business internationally need to comply with both frameworks, which requires careful alignment of data practices.

How does privacy compliance affect M&A transactions?

Privacy compliance is a standard component of technology M&A due diligence. Acquirers examine the target’s data collection practices, consent mechanisms, data processing agreements with vendors, cross-border data transfer arrangements, and breach history. Significant compliance gaps can result in purchase price adjustments, enhanced indemnification requirements, or representations and warranties specifically addressing data privacy. John Montague conducts privacy due diligence as part of his integrated M&A and technology transactions practice.

About John Montague

John Montague integrates data privacy counsel into his broader technology transactions and M&A practice, giving clients commercially grounded privacy guidance rather than isolated regulatory advice. With over fifteen years of experience advising technology companies, a J.D. from the University of Florida Levin College of Law, and a practice that spans venture capital, M&A, and technology transactions, he brings full-context perspective to privacy compliance. He practices from Fernandina Beach and Coral Gables, Florida.

Need a privacy compliance assessment? Call 904-234-5653 or schedule a consultation.