In a ruling last week, Delaware Vice Chancellor Travis Laster denied motions to dismiss in the shareholder derivative suit against Facebook executives for failing over the course of several years to protect users’ data privacy. The alleged privacy violations to which the lawsuit relates were the subject of a massive $5 billion penalty that Facebook agreed to pay to the FTC to settle charges that the company had violated a 2012 consent order relating to protecting users’ privacy. As discussed in a May 10, 2023, Law360 article (here), Vice Chancellor Laster made his ruling from the bench in a telephonic hearing. Vice Chancellor Laster’s ruling is also discussed in a May 10, 2023, Associated Press article (here). As discussed below, Vice Chancellor Laster’s ruling underscores the extent to which privacy-related issues represent an area of significant corporate liability exposure.

Background

As discussed here, in July 2019, Facebook agreed to pay a $5 billion penalty resolves charges that the company had violated a 2012 FTC order by deceiving users about their ability to control the privacy of their personal information. Among other things, the agency said in its press release about the $5 billion penalty that Facebook “repeatedly used deceptive disclosures and settings to undermine users’ privacy preferences in violation of its 2012 FTC order.” The FTC’s formal complaint against Facebook can be found here.

In order to “prevent Facebook from deceiving its users about privacy in the future,” Facebook agreed to a new 20-year settlement order that overhauls the company’s privacy-related decision making by “boosting the transparency” and holding the company accountable via “overlapping channels of compliance,” including, among other things, creating a privacy committee on the company’s board of directors. The order introduces several new levels of external oversight as well. The order also imposes what the agency called “significant new privacy requirements” including a new “comprehensive data security program,” as well as limitations on use of facial recognition technology and on the company’s use of user information such as phone numbers, passwords, and email addresses.

The Derivative Lawsuit

In April 2018, a plaintiff shareholder filed the first of several shareholder derivative lawsuits in Delaware Chancery Court against certain Facebook directors and officers, including Facebook founder Mark Zuckerberg, former Chief Operating Officer Sheryl Sandberg, and venture capitalist Marc Andreesen, relating to the FTC penalty and related user data privacy violations. The various derivative suits were later consolidated.

The consolidated complaint alleges that the Facebook executives repeatedly ad continually violated the 2012 FTC consent order. The complaint alleges that, among other things, the company later sold user data in direct violation of the consent order and removed disclosures from privacy settings that were required by the consent order. The complaint alleges that the company’s conduct resulted in significant fines from European regulators and also resulted in the 2018 Cambridge Analytica scandal (in which it was revealed that Facebook has sold personal information of tens of millions of Facebook users to a British political consulting firm).

The complaint has three counts. Count One alleges that Zuckerberg, Sandberg, and Facebook Vice President Konstantinos Papamiltiadis breach their fiduciary duties of care and loyalty by permitting the company to engage in activity that violated the 2012 consent order. Count Two alleges that Zuckerberg, Sandberg, and nine other directors ignored red flags that the 2012 consent order was being violated. Count Three alleges that Zuckerberg, Sandberg, and Andreesen and five other directors sold their personal holdings in Facebook stock while in possession of material nonpublic information. The defendants filed motions to dismiss, arguing that the plaintiff has failed to make the requisite pre-suit demand that the Facebook board take up the lawsuit.

The plaintiffs are seeking damages to be awarded to the company, disgorgement of profits allegedly made through insider trading and corporate governance reforms.

The May 10, 2023, Ruling

In a May 10, 2023, bench ruling during a telephonic hearing, Vice Chancellor Laster denied the defendants’ motions to dismiss the two fiduciary duty claims and also denied the motion to dismiss the insider trading ruling as to Zuckerberg, but granted the motion with respect to the insider trading allegations against seven other directors.

In denying the motions to dismiss, Laster agreed with the plaintiff that a shareholder demand would have been futile because there is a reasonable doubt that a majority of the relevant Facebook board members, many with close personal ties to Zuckerberg, would be willing to confront him over the company’s privacy failures.

According to news reports of his ruling, Laster described the plaintiff’s 412-page complaint as “encyclopedic and specific,” and as “replete with particularized facts” that sets out a “highly detailed story of “recidivist lawbreaking.” Laster, according to the news reports, said that the complaint “tells a story of directors who were on notice of law breaking, and who either went along with it or consciously disregarded it.”

Laster reportedly said further that “What we don’t have is a little lawbreaking, what we don’t have is isolated lawbreaking, what we don’t have are immaterial violations… This is a case involving allegedy wrongdoing on a truly colossal scale.”

Instead of complying with the consent order, Laster found, Facebook became an “information bank and broker,” that collected detailed data on users, which it shared with other companies in exchange for advertising dollars. The “most significant red flag” came in 2018, when Facebook users discovered that Cambridge Analytica had misappropriating their personal data with out their consent.

Discussion

I have long said that privacy-related issues represent a significant and growing area of potential corporate liability. While I think many if not most companies face these risks, it seems that one company in particular — Facebook — seems to be setting all of the precedents that substantiate the extent to which privacy issues are such a significant concern. Facebook not only was the subject of the massive $5 billion FTC penalty related to privacy issues, but the company also paid $550 million in the largest ever settlement involving allegations had violated the Illinois Biometric Information Protection Act (BIPA), as discussed here. Facebook seems to be one-company dataset for examples of the kinds of problems that privacy-related issues can present for a company. (In October 2021, the parent company of Facebook changed its name to Meta Platforms.)

In that regard, it is worth noting that in addition to the $5 billion FTC penalty, in July 2019, at the same time as Facebook agreed to pay the FTC’s penalty, Facebook also agreed with the SEC to pay $100 million to resolve the agency’s allegations that the company misled investors regarding the risk of misuse of Facebook user data.

The Cambridge Analytica scandal and the FTC fine were also the subject of a separate securities class action lawsuit. While, as discussed above, the shareholder derivative lawsuit largely survived the defendants’ motions to dismiss, dismissal was granted in the securities class action lawsuit in December 2021. The dismissal currently is on appeal.

All of these various developments underscore how significant privacy-related issues now are as a potential source of corporate risk. To be sure, some may say that Facebook represents a unique privacy risk, given the nature of its platform and its business model. Facebook is indeed a new age media company. However, while Facebook’s privacy-related challenges may reflect the unique characteristics of its social media platform, the fact is that the privacy-related concerns that these various Facebook-related developments indicate liability concerns that every company now faces.

Vice Chancellor Laster’s rulings and comments in the derivative lawsuit highlight the extent to which corporate boards have a role in supervising privacy issues. The implication is that it is the board’s responsibility to ensure that privacy issues are managed and controlled appropriately.

Facebook may be the company that is now taking all of the arrows on these issues, but it would be a mistake to conclude that these developments represent concerns unique to Facebook. To the contrary, the privacy concerns behind all of these developments apply to all companies and their boards.