Regulatory risk for privacy growing, but falls unevenly on Facebook, Google, 10-K filings show

As Lyft, the second-largest US mobile app ride-sharing company, filed for its initial public offering today, it warned that privacy and data security would be a significant regulatory risk for the San Francisco-based company.

Lyft warned investors in its S-1 filing that the new California Consumer Privacy Act, set to go into effect in 2020, and other data protection laws “could greatly increase the cost of providing our offerings, require significant changes to our operations or even prevent us from providing certain offerings in jurisdictions in which we currently operate and in which we may operate in the future.”

Lyft is not alone in making those kinds of regulatory warnings. For a select group of Internet companies, new data protection laws such as the CCPA and Europe’s General Data Protection Regulation have vaulted privacy and data security to the forefront of their annual warnings to investors about regulatory risk.

Last year, Facebook mentioned the word “privacy” 17 times in its annual 10-K filing with the US Securities and Exchange Commission. This year, Facebook has mentioned privacy 137 times in its 10-K filing, a seven-fold jump. Google parent Alphabet had a similar 500-percent jump in its invocation of privacy as a regulatory risk in the annual 10-K filing this month. Both companies mentioned the GDPR and CCPA as a source of risk.

That level of risk is not universal, however, and Google and Facebook are at greater risk given that the collection of personal data is so central to the business models of both advertising giants. Indeed, many tech companies whose latest annual filings were analyzed by MLex — Apple, Amazon and Netflix, for example — did not ramp up their privacy risk warnings at all between 2018 and 2019.

Other companies, including Twitter, Adobe Systems and Microsoft, had only modest increases in the number of privacy warnings issued to investors.

Indeed, the MLex analysis of 10-K filings that included all the so-called FAANG Internet giants — Facebook, Apple, Amazon, Netflix and Google — suggests the impact of increasing privacy regulation is falling unequally across the industry.

“I am not surprised by the findings,” said Marc Rotenberg, president of the Electronic Privacy Information Center. “As a group, the FAANG companies may dominate the Internet economy. But on the privacy issue, Facebook and Google are clearly the focus of concern.”

Overall, the total number of privacy references in the regulatory filings doubled between 2018 and 2019, but about 90 percent of those additional references were in the filings by Google and Facebook.

For Facebook, which is believed to be in settlement talks with the US Federal Trade Commission over the Cambridge Analytica privacy leak that it revealed in March 2018, privacy regulation is now an immediate threat to its bottom line. Facebook’s 10-K filing, filed Feb. 1, warned investors 15 times that it could face financial or injunctive consent decrees from European or US regulators in the next year.

One factor that could affect its financial results, Facebook warned, were “changes in the legislative or regulatory environment, including with respect to privacy and data protection, or actions by governments or regulators, including fines, orders, or consent decrees.”

Consumer worries about privacy could become a growing revenue headwind, the social media giant said, if “there are decreases in user sentiment due to questions about the quality or usefulness of our products or our user data practices, or concerns related to privacy and sharing, safety, security, well-being, or other factors.”

Justin Brookman, a former FTC official who is now the director of consumer privacy and technology policy for Consumer Reports, agreed that Facebook and Google have the most regulatory exposure on privacy, “both due to the aggressive nature of their practices as well as the fact that both are under privacy orders with the FTC.”

“Netflix and Apple on the other hand certainly do things with data, but their practices tend to be more limited to first-party interactions, though Apple is a platform and that complicates things somewhat,” Brookman told MLex.

Google warned investors in its 10-K of a variety of the new data protection or privacy laws in Europe and the United States, as well as localization laws in other countries such as India, that could require US Internet companies to store their data within the physical boundaries of countries that could affect its business.

One of those worrisome new laws, Google said, is “the California Consumer Privacy Act of 2018 that comes into effect in January of 2020, and gives new data privacy rights to California residents and regulates the security of data in connection with Internet connected devices.”

The CCPA, mentioned as a regulatory risk by 10 of the 20 companies whose filings were examined by MLex, was passed by the California legislature in late June of 2018 and had hardly appeared as a potential new law at this time last year. The GDPR, which became fully effective during the past year, was mentioned as a regulatory worry by 15 of the 20 companies, up from 12 mentions last year.

The large majority of the annual filings were made to the SEC this month; Yelp and Lyft filed today. Yelp also warned about the impact of the CCPA, saying it “creates new data privacy rights for users that may result in significantly greater compliance burdens for us.”

Equifax is another company bracing for an enforcement action from US regulators, including the FTC. The company said in its 10-K filing on Feb. 21 that it has been informed by the staff of the FTC and the Consumer Financial Protection Bureau that they will seek injunctive changes to the consumer-credit agency’s business model, as well as a potential financial penalty.

Equifax increased the number of privacy references by 18 percent over last year in its annual filing, and flagged CCPA and GDPR as regulatory risk issues for the company. And it warned about other US states following California’s lead in passing comprehensive data protection laws.

“A number of states, such as Maryland, Massachusetts and Washington, appear to be following California’s lead and have introduced comprehensive data privacy legislation modeled after the California Consumer Privacy Act or the European General Data Protection Regulation,” Equifax said.