undisclosed risks at Meta
10 February 2022
Lots of attention to one SEC disclosure about regulatory risks for Instagram and Facebook in Europe: Meta warns it may shut Facebook in Europe but EU leaders say life would be 'very good' without it.
So that's a story, but from here in California the really interesting risk disclosures are a few that aren't there. Meta has some risks related to ongoing violations much closer to home.
The company has not been acknowledging CCPA Right to Know (RtK) letters from California residents who do not have Facebook accounts. If Facebook still maintains shadow profiles on people who do not have accounts, then refusing to disclose them to the person described in the profile is a CCPA violation. A person cannot be required to agree to a company's Terms of Service in order to exercise their rights under CCPA. (Or maybe Facebook already bulk-erased the shadow profiles of anyone from California who they don't have signed up as a user?)
The personal information in Facebook's gradually coming out in discovery in In re Facebook, Inc., Consumer Privacy User Profile Litigation. We don't know exactly how much extra data they will have to start disclosing, but if they're putting this much effort into fighting discovery in one case, it has to be enough to be worth mentioning as a risk to the SEC.
Meta is ignoring or mishandling Authorized Agent RtKs. This is a fairly common issue at surveillance marketing companies. Authorized Agents are still rare, and a lot of companies don't have a process in place to handle them correctly. But a high-profile company like Meta is likely to get a bunch of agent RtKs, and it's reasonable to expect them to disclose the associated risks.
See the CCPA
for more details. A
Download your Information portal
is allowed for complying with CCPA Right to Know, but only for
people who already have accounts, and
a business maintains a
password-protected account with the consumer, and only when
fully discloses the personal information that the
consumer is entitled to under the CCPA.
All three of these items are much more likely than the
likely be unable to offer a number of our most significant products
and services, including Facebook and Instagram, in Europe
scenario. So they could really use a mention in the next Form 10-K
or other documents.