Emerging Legal Risks: How Privacy and ESG Obligations Can Lead to Class-Action Litigation

Often attributed to Mark Twain, the phrase “the only two certainties in life are death and taxes” actually originated in a 1789 letter from Benjamin Franklin to Jean-Baptiste Leroy, a prominent French Scientist. When it comes to issues among corporations, one might add a third certainty: you are going to be sued. A betting person knows that a lawsuit (or regulatory inquiry) is going to:

seek policies, procedures, emails, social media communication, reports, research, contracts, audits, diagrams, photos, logs, and other “tangible and intangible things” that contain personal data (employees, customers, and third parties), in order to
seek damages for wrongs or to unearth nefarious, unethical, illegal, improper, or deceitful business activities that allegedly harm consumers, the environment, shareholders, employees, and even other corporations.

A public company that is emailing, communicating, documenting, developing, training, reporting and detailing a compliance program, should recognize that those activities will implicate privacy rights and corporate obligations and environmental, social and governance (ESG) issues. These ESG initiatives will be reviewed with great interest by opposing counsel and regulators in exhaustive and mind-numbing detail when a lawsuit arises.

There are many disciplines one could choose to discuss downstream legal risk, but privacy and ESG are topical, share common principles and happen to be in the sights of regulators and individual plaintiffs in 2022 and 2023. Security and privacy of data is a component of Social Capital in the Sustainability Accounting Standards Board (SASB) Standards, which identifies the subset of ESG issues most relevant to financial performance. Additionally, privacy and ESG initiatives address impactful human rights, the human condition, ethics, Artificial Intelligence, data monetization, the vendor “ecosystem” as well as the climate ecosystem, advertising and such grand rights as the “right to know,” and the “right to be forgotten,” the latter being particularly challenging in this age of digital propagation.

On May 25, 2022, the United States Securities and Exchange Commission (SEC) came out punching on ESG regulations, proposing ESG Related Disclosures bound to shake up corporate board agendas over the next five years and beyond. For example, a quick glance at California dockets shows more than 200 legal claims have been filed referencing the California Consumer Privacy Act (CCPA). Collectively, these developments are particularly meaningful given the common thread of consumer protection found throughout each discipline, signal a growing tsunami of costly litigation and require a nuanced understanding of the legal and technical minefields in disclosing data in legal proceedings.

As regulators and the public increasingly expect businesses to function as vehicles for ethical and socially responsible growth, privacy and ESG initiatives have moved from the periphery to a priority in C-Suites and boards. While these parallel programs become more central to every aspect of compliance, privacy and ESG programs are generally not designed with litigation risk in mind, nor do they anticipate the unique nature of distributed data and an evolving vendor ecosystem touching multiple jurisdictions. With a private right of action to enforce certain privacy rights in California, a newly formed and empowered privacy enforcement agency, an influx of new state privacy laws across the country, and higher scrutiny around public-facing ESG disclosures, businesses will be required, in litigation, to produce a range of company-created and maintained records, including:

Record-keeping policies and practices
Protocols for honoring consumer requests and reporting metrics
Documentation reflecting reasoned, and reasonable, approaches to valuing and monetizing personal data
Security practices consistent with industry standards
Policies and practices for limiting the collection of personal data to what is necessary and legitimate
Climate-related reports, research, compliance activities, etc.

Once litigation is “reasonably anticipated” (a dynamic which may include regulatory inquiries as well), a unique set of legal obligations and duties are triggered, requiring special treatment of in-scope data and, in many cases, the use of customized tools particularly designed for meeting the high standards of evidentiary requirements.

Litigation is messy and expensive (recall the 2010 Deepwater Horizon disaster, where British Petroleum was sentenced to pay $4 billion in criminal fines, penalties and restitution, including $2.4 billion for natural resource restoration). Litigation readiness and proactive due diligence can help businesses mitigate the monetary and reputational risks. Whether litigation risk stems from privacy-based obligations or ESG disclosures, the path to resolution is never a straight one. Discovery requests span documents, records, reports, policies, assessments, audits, communications, and research, not to mention the potential minefields of “discovery on discovery” where parties seek to prove intentional destruction of key corporate records demonstrating malfeasance or breaches in a fiduciary duty.

It’s about building trust

Privacy and ESG are critical to a business’ relationships with its customers, employees, business partners, and shareholders, as both involve the impacts of a business’ operations from a social responsibility perspective and developing trust with stakeholders.

Ultimately, both ESG and data privacy address the common good, accomplished through the implementation of a range of policies, procedures, contractual relationships and reportable metrics. ESG refers to the practice of evaluating an organization’s stated goals related to sustainability, social justice, and ethical governance against its investment and commitment towards achieving those objectives – much of which implicates the collection and use of personal information. Interestingly, privacy (and its close cousin, security) appears both as a unique sub-element in most commonly used ESG frameworks, but also is statutorily defined as a result of state, local and international legislation. Privacy programs concern an organization’s commitment to ensuring individuals control on when, how and the extent their personal data, under the organization’s control is used, shared with, or communicated to others.

In much the same way that security and privacy have become boardroom issues, ESG and privacy have taken greater prominence in board and executive discussions. Initially limited to ensuring an enterprise does not engage in illicit activities such as bribery or other financial crimes, corporate governance now requires stewardship of granular data practices that have significant market-moving implications. Specifically, these data practices should facilitate a strong culture of data protection, and away from others with demonstrable deficiencies. A business needs to integrate ESG principles across its enterprise to help inform and direct strategies with a focus on social responsibility and sustainability.

What you say can be held against you

The scrutiny around a business’ commitment to privacy and ESG considerations is magnified when a business’ actions do not align with its words. Many times, these businesses have the right intentions but there is no follow-up or operationalization after statements are made. When a company’s actions do not represent what has been disclosed to the public, questions become causes of action.

In today’s social media era, businesses are under constant pressure from consumers and shareholders to make public commitments to ESG considerations such as sustainability, racism and social justice. To meet these expectations, it has become common for businesses to make aspirational statements and draft forward-thinking policies related to causes. However, with those broad public statements come commitments that require resources and planning as well as increased attention. The SEC is also increasing pressure on companies to make certain disclosures.

In California, the newly formed California Privacy Protection Agency (CPPA) and office of the Attorney General are paying close attention to public-facing privacy notices found on websites that sell goods or services to California residents. Whether it is the proper description of an individual’s privacy rights or a “do not sell” disclosure, a privacy notice is the first impression a business makes with respect to privacy. California regulators have stated that there have been numerous investigations launched after deficiencies in a company’s online Privacy Notice were noticed during web browsing and online shopping in their personal lives. To inform the marketplace and minimize uncertainties, the California Attorney General recently published examples of companies who received a notice for alleged non-compliance. A key takeaway is that most of these companies failed to properly disclose information about individuals’ privacy rights and how to exercise them or did not provide the requisite “do not sell” disclosures in their privacy notices.

What’s next?

A wave of new privacy and ESG litigation is expected in the coming months with new private rights of action and increased enforcement activity from the SEC. A business can use its privacy and ESG obligations to meet its objectives, but proper planning, risk mitigation and process implementation is needed.

We suggest companies do the following immediately and together Protiviti can help: