Earlier this year when I questioned whether or not privacy-related issues might represent an important emerging area of corporate liability, I was thinking we might see privacy claims emerge over time. I was thinking a longer time frame, over the course of years. What has happened is that the privacy-related claims are materializing now. As I previously noted, in July investors filed a securities suit against Facebook following the company’s quarterly earnings release that disappointed investors in part because the company’s growth rate was affected by allegedly unanticipated expenses and difficulties in complying with the EU’s updated privacy requirements in the General Data Protection Regulation (GDPR), which went into effect in May.
Investors have now filed an additional lawsuit against a company reporting GDPR-related difficulties. As discussed further below, on August 8, 2018, investors filed a lawsuit against Nielsen Holdings plc after the media performance ratings company disclosed in its quarterly earnings release that GDPR-related changes affected the company’s growth rate, pressured the company’s partners and clients, and disrupted the company’s advertising “ecosystem.” The Nielsen lawsuit underscores the suggestion that privacy-related concerns could be a significant source of corporate liability.
As reflected in the plaintiff’s lawyers’ August 8, 2018 press release, a Nielsen shareholder has filed a purported class action lawsuit in the Southern District of New York against the company, its CEO, and its CFO. The complaint, a copy of which can be found here, raises a number of allegations, including allegations relating to impacts arising from the GDPR going into effect.
The Complaint alleges that during the class period the company repeatedly assured investors that “because privacy was built into the way its business processes, the enactment of the European General Data Protection Regulation ‘(GDPR)’ would not impact its necessary access to large data sets provided by its partners like Facebook.”
The complaint alleges that these and other statements were materially false because the company “recklessly disregarded its readiness for and the true risks of privacy regulations and policies, including the GDPR, on its current and future financial and growth prospects” and that the company was “far more dependent on Facebook and other third-party large data set providers” than the company had previously disclosed, and that privacy changes would affect the company’s access to this data.
The complaint alleges that the company “shocked” investors when it released its results for the second quarter of 2018 announcing that it had missed revenue and earnings targets and was revising its forecasts for the year. Among other things, the company said that GDPR and changes in the privacy landscape “impacted our growth rate in the near-term as clients and partners grapple with the changes and work to ensure compliance”; that certain revenues were “partly offset by pressure on our clients and partners” from GDPR and other consumer privacy considerations; that the company’s digital advertising “ecosystem” was disrupted as large digital platforms made changes “to increase security for consumer data.” The company also reported that its CEO would retire at the end of 2018.
The company’s share price declined as much as 25% on the news. The first securities lawsuit was filed several days later. Subsequent lawsuits have also been filed.
Discussion
As I have noted in prior posts, there have already been two lawsuits filed against Facebook on privacy-related issues; the first (as discussed here) was the securities suit filed against Facebook based on the Cambridge Analytica user data debacle, and the second was the lawsuit filed against Facebook based on its quarterly earnings release disappointing based on GDPR-related expenses and difficulties (discussed here). The two earlier Facebook lawsuits and now this latest lawsuit against Nielsen provide specific examples of the ways in which privacy-related issues can lead to D&O claims. The second of the Facebook lawsuits and this lawsuit also provide examples of the ways in which the EU’s new GDPR privacy requirements can lead to D&O lawsuits.
I noted at the time the second Facebook lawsuit was filed that Facebook is far from the only company that was going to struggle with GDPR-related expenses and compliance difficulties. As the new lawsuit against Nielsen suggests, other companies are struggling with these issues as well. It is particularly interesting that part of the news Nielsen disclosed in its quarterly earnings release was that its financial performance was being affected by problems its partners and clients were having with GDPR compliance. This knock-on effect suggests that other companies might also experience disruption as the companies’ customers, vendors, suppliers, and partners themselves struggle with GDPR and other privacy-related compliance.
When I suggested earlier in the year that there might be D&O claims consequences from changes in laws, regulations, and expectations relating to privacy, what I was thinking was that there might well be D&O claims filed in the wake of regulatory action based on privacy-related issues. These kinds of claims might well still arise, at some point down the road when (as seems inevitable) regulators become active in enforcing privacy requirements – and by the way, these privacy requirements include not only the GDPR but also California’s newly enacted privacy law. What is interesting to me about the second of the two Facebook lawsuits and now the Nielsen lawsuit is that privacy-related D&O claims are arising solely based on impacts on companies’ financial performance and are not related to any actions by regulators. I suspect strongly that Facebook and Nielsen are not going to be the only companies that experience financial effects from the impact of GDPR and other privacy regulations, and some companies experiencing privacy-related issues will be hit with D&O claims.
Just as I have emphasized in my prior posts about privacy-related D&O claims, I want to again highlight here a distinction I am drawing between data breach claims and data privacy claims. The data breach claims relate to security issues and how the company secures the data of customers and others. The privacy issues relate to the ways the company uses data in compliance with evolving social, legal, and regulatory expectations about privacy. The two topics are related but distinct. While both the data breach and privacy issues involve user data, they relate to very different operational concerns and will affect companies in very different ways.