Why Legal Due Diligence Is the Layer Most Buyers Skip (and Regret)
You've found a promising online business. The P&L looks solid, traffic is consistent, and the seller seems legit. So you wire the money and… six months later you're dealing with a trademark dispute you never knew existed, a supplier contract that expired at closing, or a GDPR compliance bomb ticking under the hood.
Legal due diligence (Legal DD) is the part of the acquisition process most buyers underinvest in, especially in the sub-$500K range where deals move fast and brokers aren't always incentivized to slow things down. Flippy's seen it all from the crow's nest: buyers who move fast and break things, and buyers who move carefully and build empires.
This guide won't substitute for a qualified attorney (seriously, get one), but it gives you a complete framework so you know *what* to ask for, *why* it matters, and *what* red flags should make you pause.
> Disclaimer: This article is for educational purposes only and does not constitute legal advice. Always consult a qualified lawyer in your jurisdiction before completing any acquisition.

1. Intellectual Property: Who Actually Owns What
IP is often the *real* asset you're buying. A SaaS product without clean IP ownership is like buying a house on land someone else owns.
Trademarks
- Is the brand name trademarked? In which jurisdictions (US, EU, UK)?
- Who owns the trademark: the business entity or the individual seller?
- Are there any pending oppositions or conflicting marks?
- Run a USPTO / EUIPO / UKIPO search yourself. Don't just take the seller's word.
- Who's the registrant on WHOIS? It should be the selling entity, not a personal account.
- Is the domain auto-renewing? When does it expire?
- Are subdomains used for revenue-generating features separately registered?
- Who wrote the content? Was it freelancers with signed IP assignment agreements?
- Is there licensed stock photography or software in the product?
- Do you have the original design files (Figma, PSD) or just the exported assets?
- Was the codebase built with open-source components? Review the licenses (GPL can be a trap).
- Did contractors sign IP assignment clauses? Without them, *they may own the code they wrote*.
- Are there any third-party APIs or SDKs that restrict commercial transfer?
2. Contracts and Agreements to Review
Every online business runs on a web of agreements. You need to map them all before closing.
Terms of Service & Privacy Policy
- Are they up to date? Outdated ToS can expose you to liability.
- Does the privacy policy actually reflect data practices? (This matters a lot for GDPR/CCPA; more on that in section 3.)
- Are key supplier contracts transferable to a new owner? Some have change-of-control clauses that terminate the agreement on acquisition.
- What are the payment terms, minimum order quantities, and exclusivity provisions?
- If the business runs an affiliate program, do those agreements transfer?
- Are affiliates notified of the ownership change (some programs require this)?
- Are all workers properly classified? Misclassified contractors are a liability landmine.
- Do key employees have non-solicitation or non-disclosure agreements?
- If there are employees in the EU, are employment contracts compliant with local labor law?
- Is the business reliant on Amazon, Shopify, or Google? Review their ToS carefully; many explicitly prohibit or restrict account transfers.
- Amazon Seller Central accounts, in particular, are tied to the individual and not always legally transferable.
3. Regulatory and Compliance Checks
Data Privacy (GDPR / CCPA)
- Does the business collect personal data from EU or California residents?
- Is there a compliant consent mechanism and a data processing record?
- Who are the data processors (email providers, analytics tools), and are DPAs in place?
- What happens to the user data at closing? Data transfer agreements may be required.
- Some niches require licenses: financial services, healthcare, firearms accessories, alcohol, supplements. Verify what's needed in the seller's jurisdiction *and* yours.
- If you're buying across borders (e.g., US buyer acquiring a UK business), local rules apply in both places.
- Is the business registered for sales tax / VAT where required?
- Any back taxes or open audits? Ask for clean tax clearance certificates where possible.
4. Pending Legal Issues and Liabilities
This is where skeletons hide.
Litigation History
- Ask directly: has the business ever been sued, or is there any pending litigation?
- Check court records (PACER in the US, Companies House in the UK, INFOGREFFE in France).
- High chargeback rates can get a merchant account terminated and signal product/trust issues.
- Request the last 12–24 months of chargeback data.
- Has the business ever received DMCA notices? Issued them?
- Unresolved IP disputes could follow the business post-sale.
- Google penalty history (manual actions in Search Console)
- Amazon account health warnings, suspension history
- App store violations (for mobile apps)
5. Post-Closing Covenants and Warranties
The deal doesn't end at closing. What happens *after* the wire clears matters just as much.
Asset Deal vs. Share Deal
This is a critical structural decision. In an asset deal, you buy specific assets (domain, content, code, customer list); liabilities generally don't transfer. In a share deal, you acquire the entire legal entity, including *all* historical liabilities. Most online business acquisitions are structured as asset deals for this reason, but share deals are sometimes preferred for tax or contract-transfer reasons. *Your lawyer needs to advise on this based on your jurisdiction.*
Non-Compete Clause
- How long? How broad? Is it enforceable in the seller's jurisdiction?
- US non-competes have faced increasing scrutiny (FTC attempted a ban in 2024). UK and EU rules differ significantly.
- How long will the seller be available for training and handover?
- Is this formalized in the purchase agreement with milestone payments or holdbacks?
- What does the seller indemnify you against? Pre-closing liabilities? IP claims?
- What's the cap on indemnification? Is there an escrow holdback to back it up?
- The seller should rep that: the business is legally organized, there's no pending litigation, IP is clean, and financials are accurate.
- Consider R&W insurance for larger deals (typically $1M+).
Quick Legal DD Checklist
| Category | Item | Status |
|---|---|---|
| IP | Trademark search (USPTO/EUIPO) | ☐ |
| IP | Domain registrant verified | ☐ |
| IP | Contractor IP assignment agreements | ☐ |
| IP | Open-source license audit | ☐ |
| Contracts | Supplier contracts reviewed & transferable | ☐ |
| Contracts | Affiliate agreements transferable | ☐ |
| Contracts | Platform ToS compliance (Amazon, etc.) | ☐ |
| Compliance | GDPR/CCPA data practices verified | ☐ |
| Compliance | Industry licenses confirmed | ☐ |
| Compliance | Sales tax / VAT compliance checked | ☐ |
| Liabilities | Litigation history disclosed | ☐ |
| Liabilities | Chargeback history reviewed | ☐ |
| Liabilities | Google penalty / platform ban history | ☐ |
| Structure | Asset deal vs. share deal confirmed | ☐ |
| Post-close | Non-compete clause reviewed | ☐ |
| Post-close | Transition period formalized | ☐ |
| Post-close | Indemnification terms reviewed | ☐ |
Start Browsing Vetted Deals
The best legal protection starts with buying from reputable marketplaces where sellers have already gone through baseline vetting. Browse deals across the top acquisition platforms, or filter by source: Empire Flippers deals and Flippa listings are great starting points depending on your deal size. Don't want to miss a deal that matches your criteria? Set up deal alerts and Flippy will ping you when something relevant hits the market.
FAQ
Do I really need a lawyer to buy a small online business?
For deals under $50K, many buyers skip legal counsel and rely on standard purchase agreements. It's a calculated risk. For anything above that threshold, especially if the business has employees, complex IP, or platform dependencies, legal counsel is strongly recommended. The cost of a lawyer is almost always less than the cost of discovering a problem post-close.
What's the difference between an asset deal and a share deal?
In an asset deal, you buy specific business assets (domain, code, content, brand); historical liabilities typically stay with the seller's entity. In a share deal, you acquire the legal entity itself, inheriting everything including past legal exposure. Most online business deals under $5M are structured as asset deals. Always confirm the structure with your attorney.
Can Amazon Seller Central accounts be legally transferred?
Amazon's ToS technically prohibits direct account transfers. In practice, acquisitions are often structured around the business assets rather than the account itself, or the seller remains a temporary account holder during transition. This is a known grey area; get specific legal advice if an Amazon account is central to the deal.
What happens to GDPR obligations when I acquire a business with EU users?
You become the new data controller. This means you inherit the obligation to honor existing consent, maintain data processing records, and ensure lawful data transfer (you'll likely need a data transfer agreement at closing). Consult a GDPR-specialist attorney for any acquisition involving significant EU user data.
How do I protect myself from pre-closing liabilities I don't know about?
Representations & warranties in the purchase agreement are your main tool: the seller attests that no undisclosed issues exist. For larger deals, consider a holdback escrow (a portion of the purchase price held for 6–12 months) and/or Representations & Warranties (R&W) insurance.
