After months of being on the hot-seat on Capitol Hill, in the press, and among its users, Facebook is now facing a pair of shareholder suits alleging that it misled investors about its expected revenues and user growth. These suits compound the privacy problems that recently plagued the company, and they also reflect the impact of new European privacy legislation. Altogether, the suits – and others that may follow as tag-alongs – are a cautionary tale about the downstream effects of compliance issues for high-tech companies.

The two suits, Kacouris v. Facebook and Helms v. Facebook, were filed in the Southern District of New York immediately on the heels of Facebook’s infamous July 26, 2018 earnings call. That call announced disappointing revenue and user growth figures, and led to Facebook’s stock dropping 20% in a single trading day, for a record-breaking loss of $120 billion in market value. The shareholder plaintiffs in Kacouris and Helms purportedly bought shares affected by this drop during the preceding quarter. They allege that their injuries resulted from Facebook making false or misleading statements related to expected revenues and user growth, and failing to timely disclose that the number of Facebook users was declining.

Plaintiffs in Kacouris allege that, because of a shift in strategy to promote areas of Facebook with lower levels of monetization, Facebook had anticipated that its revenue growth would slow and its operating margins would fall, but failed to timely alert investors to this possibility prior to the July 26 earnings call. Although Facebook had indicated earlier in 2018 that it was shifting its focus from the newsfeed to “stories,” a different way of showcasing user information, the Kacouris plaintiffs allege that Facebook did not adequately inform investors that this shift would have dramatic implications for revenue growth.

Separately, the Helms plaintiffs allege that Facebook failed to warn investors – before the July 26 earnings call – about the impact that compliance with Europe’s new General Data Protection Regulation (GDPR) would have on its bottom line. Plaintiffs in Helms alleged that “Defendants’ statements failed to disclose that Facebook’s efforts to comply with GDPR would have a foreseeable and negative impact on the use of the Platform, Facebook’s ability to collect data about its user base, and, in turn, Facebook’s ability to sell advertising and its revenue.” The Helms plaintiffs further allege that, because the GDPR requires Facebook to obtain informed consent from its EU users, many of those users would decline to participate in Facebook after being fully apprised of its privacy policies. Compliance with GDPR also eliminated a number of fake accounts, further hurting Facebook’s user numbers. This was information the Helms plaintiffs assert was not, but should have been, disclosed on a more timely basis, rather than for the first time on the earnings call.

The suits punctuate Facebook’s annus horribilis. While testifying for two days in April before the Senate Judiciary Committee, Facebook CEO Mark Zuckerberg faced withering criticism over Facebook’s handling of user data, including the revelation that Cambridge Analytica had improperly accessed 87 million Facebook users’ personal information, and Facebook’s failure to address U.S. election meddling by foreign users. These events all eroded Facebook’s user base and revenue, and negatively impacted the value of the stock. The additional revelations on the July 26 earnings call not only confirmed and amplified the market’s opinion of Facebook, they finally pushed investors to sue.

This litigation highlights several risks faced by high-tech companies, particularly those with privacy aspects to their business. First, although not expressly raised by the Kacouris complaint, it is not difficult to discern that Facebook’s underlying compliance flaws – as exposed in the Cambridge Analytica and related scandals – are a subtext for the lawsuit. Had Facebook not already been battered in the press and among its user base, one can envision that the revelations on the July 26 earnings call would not have had such a devastating impact on the stock price, in which case litigation may well never have ensued. Similarly, had Facebook not been forced to publicly account for its privacy shortcoming before GDPR implementation, one can infer that the plaintiffs in Helms might not have been so eager to pounce on Facebook’s alleged failure to warn investors about the anticipated costs and impacts on the user base of GDPR compliance. Indeed, had users not already been strained by Facebook’s earlier privacy lapses, their sensitivity to providing “informed consent” might not have pushed so many to leave the service. Second, the Helms complaint demonstrates that companies need to carefully analyze, anticipate, and announce their potential compliance costs – here, regarding the GDPR – lest their failure to do so result in stock-price impacts and shareholder litigation.

Facebook has learned hard lessons about the role and impacts of privacy in an increasingly interconnected technological world. Other social media and similar companies would do well to study and consult counsel about these lessons, to avoid repeating Facebook’s mistakes and suffering the same sort of consequences.