Counsel is drafting the privacy representations and warranties for a stock purchase agreement covering a target that markets to California consumers. The buyer wants the representations to do real diligence work rather than merely paper over risk. Which drafting choice best serves the buyer's goal of allocating privacy risk to the seller?
- AA narrow representation that the target has a privacy policy posted on its website, with no statement about the accuracy of that policy or compliance with it.
- BA representation that the buyer has independently satisfied itself as to the target's privacy practices and waives reliance on any seller statement about data handling.
- CA representation limited to the statement that no data breach has been publicly disclosed in the past twelve months.
- DA broad representation that the target has at all times complied with all applicable privacy and data protection laws and its own published commitments, qualified only by a disclosure schedule of known exceptions. Correct
Why A is wrong: This is tempting because it looks like a privacy representation, but mere existence of a posted policy says nothing about compliance, so it gives the buyer almost no protection and fails to allocate risk to the seller.
Why B is wrong: This sounds rigorous but actually waives the buyer's recourse, so a candidate confusing buyer diligence with risk allocation would choose it, while in fact it shifts risk onto the buyer rather than the seller.
Why C is wrong: Public-disclosure-only and a twelve-month window leave undisclosed breaches and broader compliance gaps untouched, so although it addresses one risk it is far too narrow to allocate privacy risk to the seller.
Why D is correct: Correct: a compliance representation tied to applicable law and the target's own commitments, backed by a disclosure schedule and indemnity, shifts unknown privacy exposure to the seller and surfaces known issues for pricing.