The modern economy is fueled by personal data. Described as the “new gold” or “new oil” of today’s digital economy, data are being monitored, collected, and analyzed by public and private entities for strategic and economic value. Coupled with artificial intelligence and machine learning, consumer information and consumer databases have become even more valuable across all industries and around the world.
With data’s rise in quantity and importance, though, has come increasing concern among Americans that their data is less secure today than five years ago.[1] Partisan gridlock, however, has prevented the United States from making any progress towards comprehensive federal data privacy regulations. By contrast, other Western countries have enacted data privacy laws such as the European Union’s General Data Protection Regulation (GDPR).
In response to the GDPR, and in the absence of a U.S. federal solution, many states have enacted their own data privacy laws that require companies to protect the data of consumers as well as shareholders and, in some cases, employees, officers, and directors. Yet these requirements can conflict with long-standing corporate disclosure obligations. In a new paper, I identify areas of potential conflict and propose ways for legislatures and courts to resolve them.
California was the first state to regulate data privacy and security, enacting the California Consumer Protection Act (CCPA) in 2018.[2] Initially, only a handful of states followed with their own comprehensive data privacy legislation, but more states quickly joined them, and the number of states adopting consumer privacy statutes more than doubled in 2023. This year is on pace to exceed last year’s adoption rate. As of this writing, 20 states have adopted such laws, and four more are currently considering them.[3]
Broad in scope, state data privacy statutes obligate businesses operating in those states to comply with limits on the collection, use, and disclosure of personal information and to provide “consumers” with new rights over their personal data. Yet the meaning of “consumer” goes well beyond the traditional definition. The California statute, which is the most far-reaching, covers shareholders, employees, directors, and officers of a business. And while narrower, most of the other 19 states’ privacy laws also cover shareholders. Including shareholders in the definition of “consumer” sets up the potential for conflicts between compliance with state privacy statutes and corporate governance and disclosure.
Certain corporate transactions that involve the sale of consumer data, such as mergers and acquisitions, are explicitly exempt from current privacy laws.[4] But depending on the specific language, publication of a corporation’s stock list and other materials in connection with an annual shareholders meeting can also trigger a state’s privacy law. Variations across jurisdictions in the definitions of “selling” (whether the exchange of money or other valuable consideration is necessary for a “sale”) and “sharing” (where “sharing” is limited based on the purpose for the sharing of information) mean that publication of a stock list may trigger the privacy laws in one state but not another. In addition, certain states exempt disclosure of information when it is necessary to comply with federal, state, or local laws or to comply with a court order.[5] Thus, publication of a stock list would not trigger those privacy laws when required by corporate statutory requirements, but would when required by only a corporation’s governing documents.
The most fraught area of corporate disclosure is books and records demands. Most state corporate codes provide shareholders with a statutory right to inspect a corporation’s books and records. This right can allow shareholders to gain access to traditional corporate information like the stock ledger, financial statements, accounting records, written communications to shareholders, and meeting minutes, as well as a newer and growing category of information – the digital data collected by companies. In recent years, there has been a dramatic increase in the number of inspection claims as well as in the scope of information being requested, indicating that shareholders are increasingly seeking access to private data.
Whether a state’s privacy laws apply to shareholder inspection rights depends on the statute’s specific language. First, certain information disclosed by a corporation would be considered public information and thus not protected under the statute. Second, the definitions of “sale,” “selling,” and “sharing” may not cover information disclosed pursuant to a shareholder demand. Application of privacy laws could, for instance, turn on whether a corporation received valuable consideration in exchange for the information, which consideration could include the dismissal of a pending books and records inspection lawsuit. Moreover, at least one state excludes from its definition of “sale” disclosure to a third party for purposes “consistent with a consumer’s reasonable expectations,” which could arguably include statutory inspection rights.[6] Finally, as mentioned above, some states exempt information sharing pursuant to state laws or court orders. Importantly, this would only apply to court-ordered inspections and not the vast majority of books and records demands, which are resolved outside of court. With state privacy statutes varying greatly, books-and-records inspection rights are an area potentially rife with confusion and conflicting results. Ironically, inspection rights in tension with consumer privacy laws are also an important tool for shareholders to monitor a corporation’s compliance with such obligations.
The development of U.S. privacy law is at a critical juncture. With almost half of the states adopting privacy statutes, it is only a matter of time before courts will have to wrestle with the impact of these statutes on corporate disclosure activities. Moreover, commentators predict that 2023 and 2024 will bring a wave of privacy legislation. As more states pass privacy statutes, Congress will feel pressure to pass federal privacy regulation. As a result, it is essential to identify and address now where privacy obligations and corporate disclosures conflict.
ENDNOTES
[1] See Brooke Auxier, Lee Rainie, Monica Anderson, Andrew Perrin, Madhu Kumar & Erica Turner, Americans and Privacy: Concerned, Confused and Feeling Lack of Control Over Their Personal Information, Pew Rsch. Ctr. (Nov. 15, 2019), https://www.pewresearch.org/internet/2019/11/15/americans-and-privacy-concerned-confused-and-feeling-lack-of-control-over-their-personal-information.
[2] The CCPA was subsequently amended by regulations issued by the California Attorney General, the California legislature, and California voters. The latter acted through the California Privacy Rights Act of 2020 (CPRA), which was approved on November 3, 2020, as Proposition 24. California Privacy Rights Act of 2020, 2020 Cal. Legis. Serv. Prop. 24 (to be codified at Cal. Civ. Code §§ 1798.100–.199).
[3] The states that have adopted statutes are California, Colorado, Connecticut, Delaware, Florida, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Rhode Island, Tennessee, Texas, Utah, and Virginia. Massachusetts, Michigan, Ohio, and Pennsylvania are currently considering privacy statutes.
[4] See, e.g., Utah Code Ann. § 13-61-101(31)(b)(vii); Colo. Rev. Stat. § 6-1-1303(23)(b)(IV); Cal. Civ. Code § 1798.140(ad)(2)(C); Va. Code Ann. § 59.1-575 (2023).
[5] See, e.g., Cal. Civ. Code § 1798.145(a)(1)(A).
[6] See Utah Code Ann. § 13-61-101(31)(b)(iii).
This post comes to us from Professor Megan W. Shaner at the University of Oklahoma College of Law. It is based on her recent article, “Growing Tensions: Consumer Privacy and Corporate Disclosures,” available here.