The California Consumer Privacy Act (“CCPA”) became effective on January 1, 2020, as the first truly comprehensive data privacy law in the United States. Though enforcement started in July, many companies are still struggling to implement a CCPA-compliant framework. As part of that process, public companies subject to the law should consider whether their data practices prompt any material disclosures pursuant to Item 105 of Securities and Exchange Commission (“SEC”) Regulation S-K, which became effective on November 9, 2020 and requires disclosure of material factors that make investing in their securities speculative or risky.
Data privacy laws around the world impose significant financial penalties for noncompliance. However, fines are not the only risk that companies face from privacy regulations; compliance with privacy and security regulations can also pose a material risk to a company’s operations, including:
– Loss of access to markets and customers;
– Reputational damage;
– Charges for responding to data breaches; and
– Loss of key personnel.
Examples of Privacy Shareholder Litigation
Public companies should note that class action plaintiffs have used data privacy statutes to support securities fraud claims, and companies should expect to see similar claims predicated on compliance with the CCPA. Rather than basing the claim on a direct violation of the privacy statute at issue, such as the CCPA, these complaints allege violations of federal securities laws, claiming that the company did not accurately disclose its compliance with regulatory obligations under the privacy law or did not disclose the impact that the privacy law would have on its business.
For example, shareholders of Nielsen Holdings PLC (“Nielsen”) brought a securities class action against the company and some of its officers and directors alleging securities fraud under the federal securities laws based on false or misleading statements made by the company regarding how Europe’s General Data Protection Regulation (“GDPR”) would impact its business and financial performance. Similarly, a class action suit was filed against Facebook, alleging that the company made false and misleading statements regarding its compliance with the GDPR and the impact that the legislation would have on its business and operations. In the Facebook example, the company revealed in its first quarterly earnings report after GDPR’s implementation that “a significant decline in users in Europe, zero user growth in the United States, decelerating worldwide growth of active users (i.e., those most responsible for generating data used in targeted advertising), lower than expected revenues and earnings, ballooning expenses affecting profitability, and reduced guidance going forward.” The company’s stock dropped by nearly 19% the following day.
The Facebook and Nielsen cases show that shareholders are willing and able to file suit based on violations of the federal securities law rather than harm to consumers based on direct violations of privacy statutes like the GDPR or CCPA.
Public Company Privacy Disclosure Considerations
Public companies should, at a minimum, assess and disclose their compliance with and exposure to various privacy regulations (e.g. GDPR and CCPA). In doing so, they should not provide generic risk disclosure provisions but rather provide specific examples of risk or exposure that each regulation may pose.
Among other considerations, public companies should consider how:..