Shareholder sues Nielsen, CEO and CFO, seeking class certification and damages over the Company’s alleged misleading statements regarding its preparedness for the GDPR and the impact the statute would have on the Company’s business. This case is significant because the plaintiff’s claims do not allege violations of the GDPR, a well-known European Union data protection statute, but are grounded in U.S. securities law, for the defendant’s alleged lack of preparation for the GDPR and for making misleading representations with respect thereto.
Arun Bhattacharya (“Plaintiff”), a shareholder of Nielsen Holdings PLC (“Nielsen” or the “Company”) sued Nielsen and its CEO and CFO in United States District Court for the Southern District of New York last week, seeking class certification for all Nielsen shareholders who acquired their shares between February 8, 2018 and July 25, 2018, and alleging that the Company, the CEO and CFO, misled shareholders and the public about the potential impact of the E.U.’s 2018 General Data Protection Regulation (“GDPR”) on Nielsen’s revenue streams and the Company’s preparedness for the legislation.
According to the Complaint, Nielsen’s two business segments provide its clients with consumer behavior information and analytics across the consumer goods and media consumption sectors. Plaintiff alleges that Nielsen relies at least in part on consumer data provided by third-party data aggregators such as Facebook to generate its own consumer metrics for clients. Plaintiff further alleges that during the February -July 2018 period, Nielsen and its CEO and CFO, through shareholder documents, press releases and conference calls with investors and the finance industry, intentionally made false and misleading statements regarding the potential impact of the GDPR on the Company’s business : “[the GDPR] has been more of a non[-] event from our side as compared to how it played out for some others”; the Company’s compliance readiness for the privacy requirements of the statute : “GDPR, we’ve been focused on this for some time…. We’re ready. And we don’t see any significant impact for our . . . business.”; and whether the statute would affect Nielsen’s access to the third-party data upon which it relies for the analytics the Company provides its clients: “We still – we’ll still have access to all the data that we’re going to need for our products. So yes, we’re in good shape.”
Despite Nielsen’s assurances regarding the effect of and the Company’s readiness for the GDPR, however, Plaintiff alleges that the Company’s 2Q18 financial results “significantly missed the Company’s public net income and free cash flow estimates by a wide margin” and that the Company, “placed the blame squarely on the effectiveness of GDPR which it had assured investors it was “ready for.” In addition, the GDPR’s effect on Nielsen’s data partners, Plaintiff alleges, restricted Nielsen’s access to data necessary to service its own clients, further driving down Nielsen’s revenues for the period. “Our results are significantly below our expectations as revenues were impacted by GDPR and changes to the consumer data privacy landscape. We have several hundred clients and data partners in this space, and market changes have been disruptive.”.
Plaintiff claims that as a result of Nielsen’s 2Q18 disclosures on the GDPR’s impact on its earnings, the Company’s stock dropped more than 25% on July 16, 2018, the day Nielsen issued its earnings report. Plaintiff alleges that he and all similarly situated shareholders were damaged by the defendants’”… publicly issuing false and misleading statements and omitting to disclose material facts necessary to make defendants’ statements . . . not false and misleading.” Accordingly, Plaintiff is seeking damages for violation of Section 10(b) and Rule 10b-5 of the Securities Exchange Act as well as certification of a Class Action pursuant to Rule 23 of the Federal Rules of Civil Procedure.
While this case is a securities fraud complaint seeking class action certification, and not a data privacy or cybersecurity case, it is noteworthy because it is one of the first, if not the first, case brought under U.S. law, seeking damages against a corporation operating in the U.S. for the company’s alleged failure to assess adequately the impact of the GDPR on the company’s revenue streams as well as the company’s access to vital data from its data partners. Regardless of the success of Plaintiff’s claims, U.S. corporations should review their data privacy compliance status with newly-enacted data protection legislation – including but not limited to the GDPR and California AB 375 – to ensure they have adequately prepared for the impact of these statutes and forecast revenue accordingly.
A link to the Complaint can be found here.