In prior posts on this site, I have identified privacy-related issues as a potentially important source of future D&O claims. In making these projections, one thing I had in mind was the possibility of claims as a result of the enforcement of the EU’s General Data Protection Regulation, which went into effect in May 2018. There have in fact already been GDPR-related securities class action lawsuits filed in the U.S., including the securities suit filed in August 2018 against U.K.-incorporated media tracking company Nielsen Holdings. In a January 4, 2021 opinion, Southern District of New York Judge Jesse Freeman granted in part and denied in part the defendants’ motion to dismiss the Nielsen Holdings lawsuit. Of significance to the questions concerning privacy-related claims, the plaintiff’s allegations concerning defendants’ statements after GDPR went into effect about the GDPR’s impact on the company survived the dismissal motion. A copy of Judge Furman’s opinion can be found here.
Nielsen is a data analytics company best known for its television ratings service. The company’s business is broadly organized into two segments: (1) the “Buy” segment, focused on consumer purchasing and spending analytics; and (2) the “Watch” segment, focused on media audience measurement and analytics.
On August 8, 2018, Nielsen and certain of its executives were sued in a securities class action lawsuit filed in the Southern District of New York. Several related lawsuits were subsequently filed and ultimately consolidated and the lead plaintiffs later filed a consolidated amended complaint. In September 2019, the plaintiff filed a second consolidated amended complaint, and the defendants filed a motion to dismiss.
The plaintiffs’ amended complaint alleged that the defendants had made misrepresentations both with respect to the company’s Buy segment and with respect to the company’s Watch segment.
With respect to the Buy segment, the plaintiff alleged that in its 2016 SEC filings defendants had failed to disclose that discretionary spending was trending downward as a result of its clients’ lack of interest in the company’s analytics offerings; that the company had materially misleading revenue for casts for the Buy sector business from 2016 to 2017; and that the company had misrepresented the fair value of the Buy segment and its goodwill in the company in the company’s SEC filings.
With respect to the Watch statement, the plaintiffs’ alleged that both before and after the GPDR went into effect on May 25, 2018, the defendants had made statements that the Watch sector business would continue to grow, notwithstanding GDPR, and that its business would remain unaffected. The claims were based on company statements before GDPR went into effect that GDPR would not have “a major impact” on the Watch business, that the company was “ready” for GDPR and “in good shape” and made other reassuring statements. Similarly, after GDPR went into effect, the defendants allegedly made various reassuring statements, among other things, saying that it would be a “non-event.”
However, in July 2018, the company disclosed that it was reducing its guidance as many of the company’s customers were pulling back on their spending on Watch sector products pending further data on how GDPR would affect the market. The company also disclosed that because of GDPR-related privacy concerns the company had lost access to key data critical for its analytics. The company’s share price declined 25% on the revised guidance and other disclosures.
The January 4, 2021 Order
In his January 4, 2021 order, Judge Furman held that the plaintiffs had not stated a claim with respect to the allegations concerning the Buy segment, except he concluded that the plaintiff had stated actionable claims with respect to the defendants’ alleged failure to disclose in its 2016 SEC filings about the decline in discretionary spending; that the defendants had made misleading statements about the Buy segment in July 2016, that the defendants had made misleading statements in 2016 and 2017 about the Buy segment goodwill.
With respect to the plaintiff’s allegations concerning the Watch statement and pertaining to the impact of GDPR on the company, Judge Furman concluded the plaintiffs’ allegations concerning the pre-GDPR statements were not actionable. These allegations, Judge Furman said, “do not come close to meeting the heightened pleading requirement.” The plaintiffs’ allegations about the post-GDPR statements were based on post GDPR developments which amount, Judge Furman said to “nothing more than fraud by hindsight.” Judge Furman also found that the risk factors in the company’s SEC filings contained “cautionary language” about the GDPR’s possible negative effects that “adequately warned investors of the impending risk.”
However, Judge Furman reached a different conclusion concerning the defendants’ post-GDPR statements, finding that after GDPR went into effect, the defendants “issued misleading statements regarding the regulation’s effect on Nielsen.” Company executives continued to describe GDPR as a “non-event” and to ensure investors that the company had access to all the data it needs, notwithstanding GDPR’s privacy requirements. Judge Furman said that the plaintiffs “sufficiently allege that Defendants made misleading guarantees about GDPR’s impact on Nielsen’s business that negate any previous disclosure and plausibly allege scienter.” Accordingly, Judge Furman said, “while Defendants’ motion is granted as to Plaintiffs’ pre-GDPR-related claims, it is denied as to their post-GDPR-related claims.”
Much of Judge Furman’s ruling relates to the plaintiffs’ allegations concerning the company’s Buy segment, which do not involve GDPR-related allegations. However. His ruling with respect to the company’s Watch sector involves allegations pertaining to GDPR’s impact on the company. While Judge Furman dismissed the plaintiffs’ allegations concerning the company’s statements before GDPR went into effect, he denied the motion to dismiss with respect to the plaintiffs’ allegations based on the defendants’ alleged statements after GDPR went into effect about GDPR’s impact on the company.
At a very minimum, this lawsuit and Judge Furman’s ruling on the motion to dismiss show how a company’s statements concerning the impact of GDPR can lead to claims against a company, and indeed how those GDPR-impact type statements could be held to be actionable under the U.S. federal securities laws.
At the time this lawsuit was filed in August 2018, I noted that the lawsuit showed the ways that increasing regulatory and legislative focus on privacy concerns could lead to D&O claims. To be sure, at the time GDPR went into effect, I expected a slightly different form of GDPR-related claim. I thought the D&O claims would arise after company’s were hit with one of the huge fines that GDPR authorizes regulators to impose. I thought investors might allege after a fine of that type either that they had been misled about the extent of the company’s privacy controls, about the possibility of a fine, or about the potential scale of a fine. So far there have been no lawsuits of that type – and indeed, as discussed here in connection with the December 2020 GDPR fine levied on Twitter, there have been relatively few GDPR fines.
However, even though this lawsuit is not the type of GDPR-related lawsuit I thought we might see, it still represents an example of how GDPR-related concerns can lead to D&O claims, and more generally, how the generally increased regulator and legislative focus on privacy creates an environment with which privacy-related D&O claims might emerge. As Judge Furman’s ruling in this case shows, these claims could prove to be sufficient to survive a motion to dismiss. The ultimate relevance of this lawsuit is that companies continue to make statements about how GDPR is affecting the operations and finances. This lawsuit shows how those kinds of lawsuits could lead to D&O claims.