Claimed Failure to Disclose GDPR’s Collateral Impact Leads to Class Action Against Nielsen Holdings

By:  Robert Cattanach, Partner in Dorsey, and Sam Bolstad, Dorsey Associate

In what could be a harbinger of things to come for business models negatively impacted by the throttling of data flow under the European Union’s General Data Protection Regulation (“GDPR”), Nielsen Holdings (“Nielsen”) was named in a putative class action complaint on August 22, 2018, for allegedly misrepresenting the anticipated effects of GDPR on Nielsen’s business model.  Importantly, the class action takes aim not at Nielsen’s ability to comply with GDPR, but rather the effects of GDPR on the big data platforms used by Nielsen.  Nielsen provides consumer market analytics, particularly regarding digital media and e-commerce.  When big data platforms and associated analytic providers began restricting access to consumer data in order to comply with GDPR, it apparently negatively impacted Nielsen’s business model.  Those effects surfaced in Nielsen’s latest Q2 financial report, causing its stock to drop by more than 25 percent, and giving rise to the class action claims.

The claims are based on Nielsen’s downplaying of anticipated changes in the privacy space, as initially provided by the company’s CEO, who stated, “For measurement, we still have the access to all the data that we need for our measurement products including our relationship with Facebook.”  When Nielsen released its Q2 report, however, the company conceded, “Our results are significantly below our expectations as revenues were impacted by GDPR and changes to the consumer data privacy landscape.  We have several hundred clients and data partners in this space and market changes have been disruptive.”  In the Q2 report itself, Nielsen acknowledged it had missed its targets, and downgraded its EBITDA margin growth, net income, and free cash flow.

The claims are hardly a slam dunk.  Beyond the traditional challenge of linking the difference in anticipated versus actual performance to a specific event like the ripple effects of GDPR, the plaintiff class will have to prove that Nielsen and its CEO knew—at the time it issued its public statements—that Nielsen likely would in fact be materially and negatively impacted by the GDPR’s effect on the big data ecosystem, particularly the availability of data necessary for Nielsen’s model.  Critical to this inquiry will be the actual analysis conducted by or on behalf of Nielsen as to the impacts of GDPR on Facebook and others, and on which Nielsen and its CEO may have relied in earlier statements designed to reassure investors.

The important take-away from these claims, certainly for publicly traded analytical services companies likely to be affected by changes in the privacy space but perhaps even others as well, will be to consider carefully any public statements about the impacts of GDPR and similar privacy initiatives in the US and abroad.  Establishing that Nielsen knew its data sources were restricting access in a manner that would affect Nielsen’s business model, and that Nielsen failed to reflect that knowledge in its public statements will be required to prove claims for violations of Sections 10(b) and 20(b) of the Exchange Act (the latter against Nielsen’s individually named CEO and CFO), as well as Rule 10b-5 violations.

Many companies, including those squarely in the wheelhouse of new privacy requirements, rolled out new privacy policies and practices only moments before GDPR took effect, or are still in the process of doing so.  Analysts are asking more informed and challenging questions about the impact of GDPR.  While ‘I honestly don’t know’ may be an accurate response and avoid liability for wrongly predicting the financial fallout from GDPR and similar initiatives, it may not be much comfort to investors.

Financial Industry Groups Should Have a Pulse on the California Consumer Privacy Act of 2018

By:  Divya Gupta, Partner in Dorsey’s Southern California Office

Financial institutions that are grappling with how the European Union’s General Data Protection Regulation (“GDPR”) may impact their U.S. operations should also be keeping a close eye on the California Consumer Privacy Act of 2018 (“CCPA”).  The CCPA, or Assembly Bill (“AB”) No. 375, which was passed on June 28, 2018 and is set to take effect in 2020, mirrors some GDPR protections by providing California residents greater control over the dissemination of their personal data, including the option of barring companies from selling their data.

Financial institutions in the United States are well versed in dealing with privacy regulations, particularly given the obligations imposed by the federal Gramm-Leach-Bliley Act (“GLBA”) and the California Financial Information Privacy Act (“SB1”). Notably the CCPA does not include a blanket exception for financial institutions generally or for entities that comply with the GLBA or SB1.  Moreover, with California being ahead of the pack in the area of consumer privacy, the national implications posed by the passage of the CCPA are abundant.

The current proposal includes an exemption for banking institutions and other small businesses that collect less than $25 million in annual gross revenue, which would likely exempt smaller banks and credit unions with less than $1 billion of assets; financial institutions that buy, receive for commercial purposes, sell, or share for commercial purposes the personal information of fewer than 50,000 consumers, households, or devices; and financial institutions that derive less than 50% of their annual revenue from selling consumers’ personal information.  As it stands, banking institutions operating in California that do not qualify for the exemptions would either have to create a separate process for handling the personal data of the state’s residents or apply the restrictive California standards nationwide.  It is estimated that the CCPA will apply to more than 500,000 U.S. companies and has the potential to affect hundreds of thousands more companies worldwide.

The CCPA establishes several privacy rights for consumers, including the right to know what personal information is being collected; the right to know whether personal information is sold or disclosed and to whom; the right to say “no” to the sale of personal information; the right to access personal information; and, the right not to be charged extra for the exercise of any privacy rights created by the CCPA unless the entity can establish how the exercise of that right increases the cost of providing a good or service.  Further, the CCPA would, in some circumstances, enable residents to bring a private right of action and sue businesses and to collect statutory damages of between $100 and $750 per consumer per incident, or actual damages if greater.  For actions commenced by the Attorney General, the CCPA allows penalties to be imposed for intentional violations of any provision up to $7,500 per violation, or $2,500 for unintentional violations if the violation is not cured within 30 days of notice.

An industry coalition, led by the California Chamber of Commerce, sent the authors of AB No. 375 a 20-page letter in August 2018 expressing concerns regarding the quickly-passed legislation.  The coalition, which includes the California Bankers Association, California Community Banking Network, and California Credit Union League, requested the removal of the privacy initiative from the November 2018 ballot and proposed amendments intended to address drafting errors and to fix aspects of the Bill that would be unworkable and result in unintended negative consequences.  The proposed amendments were addressed to Assemblyman Ed Chau and Sen. Robert Hertzberg, who introduced AB No. 375 and have committed to “technical fixes,” but the full scope of the fixes is as yet unclear.  Reportedly, modifications will include a clean-up of the GLBA exemption.  Broader amendments are expected to be proposed by industry groups in 2019.  While the statute set a regulation implementation deadline of June 2019, and the current effective date for compliance with the CCPA is January 1, 2020, the California Attorney General, which has to promulgate significant regulations under the bill, has proposed pushing the regulation deadline back to July 2020, with a corresponding delay in effective date for compliance.  Regardless of the ultimate implementation timetable, financial institutions wishing to be heard should act now.

An effective date of sometime in 2020 may seem sufficiently well in the future to delay serious consideration of the law’s requirements, but based on the last-minute flurry that accompanied the effective date of GDPR, financial institutions that will potentially be affected will have to evaluate promptly how the CCPA might impact their operations in order to be in a position to comply.  This will include:

  • understanding what personal data is currently being collected;
  • mapping the flow of that data within the organization;
  • preparing an inventory of such data, including any information shared with third parties or vendors;
  • developing processes and procedures for responding to a consumer’s exercise of rights under the new law, including how to store, access and maintain records on consumers who may request information on how their data is being collected, used and shared, as well as demand to opt out of certain uses or sharing.

one’s own current practices in more granular detail, while daunting, will be essential for financial institutions to determine exactly how the CCPA will apply, and which policies and procedures or business practices will need to be updated.

For now, one thing is certain: financial institutions must pay close attention to the CCPA, especially as it evolves.  Most financial institutions almost certainly will need to put in place new privacy processes to provide California consumers with accurate disclosures regarding how their personal information is used or shared with others.  Most critically, financial institutions will need to consider carefully whether they might wish to adopt across-the-board national processes to comply with California’s high bar.

 

As always, Dorsey’s cybersecurity, data privacy, and consumer financial services team stands more than ready to help with your compliance needs, and will continue to keep you apprised of developments.