I have long thought that privacy-related issues represent one of the important emerging areas of D&O liability exposure. One case that I thought represented an example of this emerging risk was the securities class action lawsuit brought against Facebook related to the Cambridge Analytica user data privacy scandal. However, when the court granted the motion to dismiss in the case, the relevance of the Cambridge Analytica case to the discussion of privacy-related issues seemed diminished. But the appellate court has now reversed in part the lower court’s dismissal, restoring the relevance of the case to the privacy-related discussion and highlighting the importance of privacy concerns as an area of emerging D&O liability risk. The Ninth Circuit’s October 18, 2023, opinion in the case can be found here.
In March 2018, news reports revealed that Cambridge Analytica had improperly gathered personal data of millions of Facebook users, without their knowledge, and had retained the data using means beyond Facebook’s control. It soon emerged that Facebook had known of these activities of Cambridge Analytica for over two years, but that Facebook had not informed users, and also that Facebook had allowed certain “whitelisted” third-party apps to access Facebook users’ friends data without the users’ friends consent. Executives of Facebook made various public statements both before and after the various news reports about the Cambridge Analytica use of Facebook users’ data in which the executives assured users that they fully controlled their data and that no third-party could access user data without the users’ consent. When the news about Cambridge Analytica’s use of Facebook user data emerged, Facebook’s stock price declined, and its market capitalization dropped by as much as $200 billion.
In subsequently filed securities class action complaints, plaintiff shareholders alleged that the company had made materially misleading statements concerning (1) the risk of improper access to Facebook users’ data; (2) Facebook’s internal investigation into Cambridge Analytica; and (3) the control Facebook users have over their data. The district court granted the defendants’ motion to dismiss, and the plaintiffs appealed.
The October 18, 2023, Opinion
In an October 18, 2023, opinion written by Judge Margaret McKeown, a three-judge panel of the Ninth Circuit, with Judge Patrick Bumatay dissenting in part, reversed in part and affirmed in part the district court’s dismissal of the lawsuit. Of greatest significance, the appellate court reversed the lower court and revived the lawsuit with respect to the plaintiffs’ allegations concerning what Facebook had disclosed about what it knew about Cambridge Analytica’s misuse of user data.
The panel held that the shareholder plaintiffs had adequately pleaded falsity concerning company statements warning that misuse of Facebook users’ data could harm Facebook’s business. The district court had held that these risk statements were not actionable because Cambridge Analytica’s misconduct was already public knowledge when Facebook made the statements. However, the appellate panel, in reliance on the Court’s 2021 opinion in the Alphabet Securities Litigation case (relating to alleged disclosure of Google+ user data), held that the district court’s approach “overlooks the reality of what Facebook knew.” In the Alphabet case, which I discussed at length here, the Ninth Circuit had said that falsity allegations could survive dismissal if a complaint plausibly alleges that a company’s SEC filings warned that risks “could” occur when those risks had already materialized.
The Ninth Circuit said that the shareholders’ allegations “more than support the claim that Facebook was aware of Cambridge Analytica’s misconduct before February 2017, so Facebook’s statements about risk management ‘directly contradicted’ what the company knew when it filed its 2016 10-K.” A reasonable investor, the appellate court said, “would have understood the risk of a third party accessing and utilizing Facebook user data improperly to be merely conjectural.” Because Facebook had presented the prospect of misuse of user data as “purely hypothetical” when it had already occurred, such a statement “could be misleading even if the magnitude of the ensuing harm was still unknown.”
The panel also reversed the district court’s dismissal of the shareholders’ allegations that Facebook made false statements about the users’ control over their personal data. The appellate panel held that the shareholders had adequately pleaded that the March 2018 revelation about Cambridge Analytica was the first time Facebook investors were alerted that Facebook users did not have complete control over their own data.
The appellate panel did affirm the district court’s dismissal of certain of the plaintiff shareholders’ other allegations, including, in particular, the plaintiffs’ allegations concerning the company’s statements about its investigation of Cambridge Analytica and concerning the company’s third-party app “whitelisting.”
Judge Bumatay concurred in the majority’s dismissal of the Cambridge Analytica investigation statements and the whitelisting statements. However, he dissented from the majority’s revival of the claims concerning use of Facebook user data and user control statements, contending that the shareholders’ allegations were not sufficient to support those claims.
The appellate opinion remanded the case to the district court for further proceedings.
The Ninth Circuit panel’s decision is not about privacy issues as such; the portion of its opinion reversing the district court is focused on the allegation that Facebook allegedly presented risks as hypothetical when, supposedly, the risks had already materialized. Indeed, this point was also a key to the appellate court’s 2021 opinion in the Alphabet/Google+ case.
While the court’s decisions in the Facebook and Alphabet cases are not overtly about privacy issues as such, both opinions do concern alleged misrepresentations having to do with the companies’ customers’ privacy. Indeed, it could be argued that both opinions reflect the appellate court’s concerns that investors were not fully informed about the companies’ privacy-related risks. Both opinions reflect a concern that, at least based on the claimants’ allegations, the companies had not fully disclosed their privacy-related risks.
In that regard, it is worth noting that over the recent months, privacy-related concerns have only increased. At least 13 states have now enacted privacy laws, including several that adopted their laws in calendar year 2023. These state legislative developments reflect growing awareness of and concerns about privacy-related issues. As consciousness around privacy issues grows, companies will be under increasing scrutiny concerning privacy issues and under increasing pressure to made disclosures about their privacy-related processes and controls.
Importantly for the consideration of privacy-related liability risks, the appellate panel’s opinion in the Facebook case not only concerned the company’s alleged presentation of risks as hypothetical that had already (allegedly) materialized, but also concerned the company’s alleged misrepresentations about users’ control of their data. It is important to keep in mind that the appellate court revived these user control-related allegations not because of what the company did or did not tell users themselves about user control of their own data; rather, the appellate court reversed the district court because of what the company allegedly did or didn’t tell investors about users’ control of their data. The key here from a securities litigation standpoint is what companies tell investors about privacy issues and privacy-related risks.
In assessing the implications of the Ninth Circuit’s decision in the context of the significance of privacy-related issues as an area of corporate risk exposure, it is worth noting that, as discussed here, earlier this year, the Delaware Chancery Court denied the motion to dismiss in the Cambridge Analytica-related shareholder derivative lawsuit filed against the Facebook board. (To be sure, the shareholder derivative lawsuit involves a broader scope of issues, among other things including Facebook’s alleged violation of a 2012 FTC consent order.) The dismissal denial in the derivative suit and the Ninth Circuit’s revival in part of the related securities class action lawsuit highlight and underscore the extent of privacy-related issues as a developing source of corporate and securities litigation risk.
Behind all of these developments is the deeper business reality that the collection and use of personal data is an increasingly important part of many businesses’ operations. An increasing number of companies rely on this kind of information to target their marketing, improve or adjust their services, or to develop their products. Indeed, use of personal information is a key part of some of the most important current business initiatives, such as, for example, the efforts to develop self-driving cars. These kinds of increasingly prevalent business initiatives ensure that many companies will have to confront the increasingly complex web of regulatory and legislative requirements regarding consumer privacy.
How all of this ultimately will play out remains to be seen, but I strongly suspect that in the weeks and months ahead, privacy-related concerns will remain at the top of both regulatory and corporate risk management agendas. I also suspect that privacy-related issues will be an increasingly frequent source of D&O claims.