The California Consumer Privacy Act (“CCPA”) became effective on January 1, 2020, as the first comprehensive consumer data privacy law in the United States. Though enforcement began in July 2020, many companies are still struggling to implement a CCPA-compliant framework. As part of that process, public companies subject to the law should consider whether their data practices call for any material disclosures under Item 105 of Securities and Exchange Commission (“SEC”) Regulation S-K, which, as amended effective November 9, 2020, requires disclosure of the material factors that make an investment in the company’s securities speculative or risky.
Data privacy laws around the world impose significant financial penalties for noncompliance. Fines, however, are not the only risk companies face from privacy regulations: the obligations these laws impose can also have a material effect on a company’s operations, including:
- Loss of access to markets and customers;
- Reputational damage;
- Costs of responding to data breaches; and
- Loss of key personnel.
Examples of Privacy Shareholder Litigation
Public companies should note that class action plaintiffs have already used data privacy statutes to support securities fraud claims, and companies should expect similar claims predicated on CCPA compliance. Rather than alleging a direct violation of the privacy statute at issue, such as the CCPA, these complaints allege violations of the federal securities laws, claiming that the company failed to accurately disclose its compliance with its regulatory obligations under the privacy law, or failed to disclose the impact the privacy law would have on its business.
For example, shareholders of Nielsen Holdings PLC (“Nielsen”) brought a securities class action against the company and certain of its officers and directors, alleging securities fraud under the federal securities laws based on allegedly false or misleading statements regarding how Europe’s General Data Protection Regulation (“GDPR”) would affect Nielsen’s business and financial performance. Similarly, a class action was filed against Facebook alleging that the company made false and misleading statements regarding its compliance with the GDPR and the impact the legislation would have on its business and operations. In the Facebook case, the company reported, in its first quarterly earnings report after the GDPR took effect, “a significant decline in users in Europe, zero user growth in the United States, decelerating worldwide growth of active users (i.e., those most responsible for generating data used in targeted advertising), lower than expected revenues and earnings, ballooning expenses affecting profitability, and reduced guidance going forward.” The company’s stock dropped by nearly 19% the following day.
The Facebook and Nielsen cases show that shareholders are willing and able to sue based on alleged violations of the federal securities laws, rather than on harm to consumers from direct violations of privacy statutes such as the GDPR or CCPA.
Public Company Privacy Disclosure Considerations
Public companies should, at a minimum, assess and disclose their compliance with and exposure to the privacy regulations that apply to them (e.g., the GDPR and the CCPA). In doing so, they should avoid generic risk disclosures and instead describe the specific risks or exposure each regulation poses to their business.
Among other considerations, public companies should consider how:
- Their business practices could create a nexus with various data privacy laws;
- Increased awareness among consumers of their rights may limit or prohibit the company’s ability to use personal information in ways that are material to its business;
- Data protection law is an ever-evolving area that will require constant vigilance to understand and accommodate changes; and
- Failure to comply with privacy or data protection obligations could result in governmental investigations, enforcement actions or litigation, leading to monetary penalties, restrictive injunctive terms, or a general loss of trust in the company.
Public companies with a robust internal privacy monitoring framework will be better positioned to adapt as these regulations continue to expand across the globe. Companies with obligations to shareholders should aim to communicate privacy-related risks transparently in order to mitigate the risk of privacy-based shareholder suits.
How Can Clym Help?
Whether your company is public or private, Clym provides a cost-effective, scalable and flexible platform to comply with GDPR, CCPA and other laws as they come online. Contact us today about how your company can implement Clym to help manage your data privacy regulation compliance from a global perspective.