It was perhaps inevitable after Facebook’s disappointing quarterly earnings announcement last week triggered what reportedly is the largest single day share price drop ever that securities class action lawsuits against the company would follow. And indeed on Friday at least two securities class action lawsuits were filed against the company. While the lawsuit filings may have been predictable, at least one of the lawsuits contains an interesting and unexpected variant on the standard pattern – one of the two lawsuits contains allegations that the company made misrepresentations about its readiness for the May 2018 effective date of General Data Protection Regulation (GDPR) and about the impact of GDPR compliance on the company’s business and operations. As discussed below, these allegations reflect the growing liability exposures arising from growing privacy-related concerns and regulation.
In its quarterly earnings conference call after the close of business on July 25, 2018, Facebook reported slower-than-expected revenue growth for the period—though coming in at more than 40%—and said it expected quarterly revenue growth to decline over the rest of the year. The company also reported lower user growth in Canada and the U.S., and a decline in the daily user base in Europe. Facebook executives attributed the decline in Europe to the GDRP privacy regulations that went into effect during the second quarter. The company’s CFO also said that the company’s operating margins are likely to fall in coming reporting periods due to unfavorable currency conditions and owing to the company’s need for additional investments in security and safety. The CFO also reported on users’ increasing use of Facebook features with “lower rates of monetization.” During the next trading day, the value of the company’s shares declined 19%, representing a drop in market capitalization of nearly $120 billion.
On Friday, a Facebook shareholder filed a putative securities class action lawsuit in the Southern District of New York against the company, its CEO, Mark Zuckerberg, and its CFO, David Wehner. The complaint purports to be filed on behalf of investors who purchased Facebook shared between April 25, 2018 and July 25, 2018. The complaint (a copy of which can be found here) alleges that the defendants failed to disclose that “(i) the number of daily and monthly active Facebook users was declining; (ii) due to unfavorable currency conditions and plans to promote and grow features of Facebook’s social media platform with historically lower levels of monetization, such as Stories, Facebook anticipated its revenue growth to slow and its operating margins to fall; and (iii) as a result Facebook’s public statements were materially false and misleading at all relevant times.”
A separate putative securities class action lawsuit filed in the Southern District of New York against Facebook and certain of its executives represents a different approach to the company’s disclosures. The separate lawsuit, filed by Facebook shareholder Fern Helms, on behalf of a purported class of Facebook investors who purchased Facebook securities between October 1, 2017 and July 26, 2018, focuses on the company’s disclosures about its GDPR readiness and related privacy issues. In her complaint (a copy of which can be found here), Helms names as defendants the company, Zuckerberg, Wehner, and Facebook COO Sheryl Sandberg.
Helms alleges that during the class period the defendants made misleading statements about or failed to disclose that
(1) the implementation of the General Data Protection Regulation (“GDPR”), which was adopted by the European Union on or around April 14, 2016, would have a foreseeable and materially negative impact on use of [Facebook’s] Platform, revenue growth, and profitability because the informed consent required by the GDPR resulted in many users rejecting Facebook’s privacy policies and/or procedures and exposed a significant number of fake accounts on the platform; (ii) by May 25, 2018, Facebook’s Platform use and revenue growth had already begun to decline as a result of Facebook’s efforts to comply with the GDPR; (iii) the decline in Facebook’s Platform use and the increase in costs as a result of complying with the GDPR had a materially adverse effect on Facebook’s financial health, including its revenue and projected growth; and (iv) as a result Facebook’s public statements were false and misleading at all relevant times.
These latest lawsuits are of course not the first suits to hit Facebook as a result of its privacy-related issues. Earlier this year following disclosures that Facebook had given data analytics firm Cambridge Analytica access to user data, the company was hit with a number of lawsuits, including lawsuits filed by investors who alleged that the company had mispresented its policies with respect to the use and sale of its user data. I raised at that time the question of whether privacy-related issues might possibly represent the next big D&O liability exposure.
In raising this question about the possibility of privacy issues becoming an important part of the D&O liability landscape, one thing I specifically mentioned was the recent effective date of the GDPR. GDPR, I noted, not only raised the possibility of companies getting hit with regulatory enforcement actions, but also raised the possibility of investors and others seeking to hold companies liable for failing to fulfill privacy requirements and subjecting the company to liabilities and penalties.
The second of these two latest lawsuits filed against Facebook represents a specific example of the way in which the new GDPR regulations can give rise to D&O litigation. In her complaint, Facebook shareholder Fern Helms alleges that Facebook failed to disclose that the implementation of the GDPR would have a foreseeable negative impact on the company’s financial performance, and also that the effectiveness of the GDPR requirements was having a negative impact on the company’s user data, as well as that the costs of complying with GDPR would adversely affect the company’s financial health.
Facebook may be a particularly high-profile example, but it is far from the only company that is struggling or going to struggle in its compliance with GDPR and experience negative impacts on its financial results as a result of GDPR compliance. Not every company that struggles to comply with GDPR is going to get hit with a D&O lawsuit. But as companies across the marketplace release financial reports showing the extent to which the GDPR implementation has affected their financial results, there may well be other investors who feel they have been misled about the companies’ state of GDPR readiness or about the impacts the companies expected from GDPR implementation.
The particularly interesting thing to me about the GDPR-related sequence of events at Facebook and the resulting securities litigation is that the sequence did not involve any regulatory action. In trying to anticipate how the implementation of GDPR might lead to D&O claims, I had focused on the possibility of investor claims following in the wake of regulatory action. Those types of follow-on claims might well still arise. However, the Facebook sequence and resulting securities lawsuits are interesting because the problems arose without the involvement of any regulators, based solely upon the negative impact on the company’s reported financial results arising from costs associated with GDPR-related compliance. Again, Facebook is not the only company that is struggling with these issues, and is surely not the only company that will report that it has been negatively impacted by GDPR compliance-related costs and requirements, and Facebook may not be only company hit with a GDPR compliance-related securities lawsuit.
A further recent development even further underscores the possibility of these kinds of privacy-related issues leading to D&O lawsuits. As I noted at the time, at the end of June California adopted its own privacy-related legislation. The California Consumer Privacy Act of 2018 imposes on businesses significant privacy obligations, creates a number of privacy rights, and provides for enforcement both through private right of action and regulatory enforcement. The California legislation presents many of the same challenges and potential litigation risks that I raised above with respect to the GDPR. The Act’s passage arguably represents a significant step toward making privacy issues a prominent part of the liability landscape in the months and years ahead.
In making these privacy-related conjectures, I want to be sure to emphasize a particular analytic distinction. As has been well-documented on this blog, there have been data breach-related D&O lawsuits for some time. While the track record on the data breach-related D&O lawsuits is at best mixed, they represent a distinct phenomenon from the privacy-related issues on which I am focusing in this blog post. The two sets of Facebook securities lawsuits filed this year help make this point. Neither the earlier Cambridge Analytica lawsuit nor the more recent earning quarterly earnings disappointment lawsuits involved a data breach. Rather, the lawsuits related to privacy concerns and to governmental regulations focused on privacy concerns. While both the data breach and privacy issues involve user data, they related to very different operational concerns and will affect companies in very different ways.
The issues surrounding privacy have to do with the way businesses collect and use consumer data, not just whether or not the businesses keep the data secure. These issues surrounding the use of consumer data are likely to be of continuing and increasing importance, both because of the increasing numbers of businesses collecting and using consumer data and because of the increasing regulatory focus on these processes, as, as for example in the GDPR and the new California legislation.
It is probably worth noting here that while Facebook did experience a massive stock price drop, that does not necessarily mean that the new lawsuits are meritorious. Among other things, these new complaints undoubtedly will face motions to dismiss based on the respective complaints’ alleged failure to meet the PSLRA’s heightened pleading requirements with respect to scienter. Neither complaint alleges that the defendants engaged in insider trading during the class period or otherwise benefited financially. The complaints allege only that the defendants knew or should have known that the supposed misrepresentations were false. It remains to be seen whether and to what extent these new lawsuits will be successful.