United States District Court, N.D. California, San Jose Division
IN RE FACEBOOK, INC. SECURITIES LITIGATION
ORDER GRANTING DEFENDANTS' MOTION TO DISMISS
CONSOLIDATED CLASS ACTION COMPLAINT RE: DKT. NO. 93
J. DAVILA UNITED STATES DISTRICT JUDGE.
lawsuit stems from the revelation that Cambridge Analytica
acquired the private Facebook data of millions of users and
that, upon learning of this leak, Facebook allegedly
attempted to suppress evidence of the breach contrary to its
are persons who purchased shares of Facebook common stock
between February 3, 2017 and July 25, 2018 (the "Class
Period"), who believe that Mark Zuckerberg, Sheryl K.
Sandberg, and David M. Wehner, collectively Defendants, made
materially false and misleading statements and omissions in
connection with the purchase and sale of Facebook stock.
See Consolidated Complaint ("Compl.")
¶ 1, Dkt. 86. They allege that Defendants violated
Section 10(b), 20(a), and 20A of the Securities Exchange Act
of 1934 (the "Exchange Act") and Rule 10b-5
promulgated thereunder because Defendants made guarantees
that the Cambridge Analytica, and related data-privacy
scandals, would not impact Facebook stock while knowing this
to be false. Specifically, Plaintiffs focus on
Defendants' statements and omissions "concerning
Facebook's privacy and data protection practices"
and their impact on Facebook's stock price during two
time periods: March and July 2018.
have filed a motion to dismiss the lawsuit arguing that
Plaintiffs have not, and cannot, meet Rule 9(b)'s
heightened pleading requirements for securities fraud and
instead allege "an overarching hindsight theory."
Motion to Dismiss ("Mot.") at 2, Dkt. 93.
Defendants make four main arguments all centered around
Plaintiffs' inability to meet the elements of securities
fraud. First, Defendants argue Plaintiffs have not pled an
actionable misstatement or omission because they have not
identified any false statements. Defendants argue the 36
"actionable" statements or omissions Plaintiffs
raise are, in fact, neither actionable nor fraudulent because
Plaintiffs make no attempt to plead that Defendants lied or
mislead investors. As explained infra Section
III.C.1.a., as to all the allegations, only Statement 22 is
Defendants argue Plaintiffs have not pled a strong inference
of scienter because Plaintiffs do not (1) relate the alleged
misstatements to any conduct establishing scienter or (2)
show facts that the Defendants knew the challenged statements
were false. Further, Defendants contend that Plaintiffs offer
only conclusions without alleging any specific facts to
support these conclusions. As explained infra
Section III.C.2. the one actionable Statement, Statement 22
lacks scienter because Plaintiffs do not allege with
sufficient particularity that Defendant Sandberg made the
statement knowing it was false.
Defendants contend that Plaintiffs fail to plead loss
causation since Defendants had already warned investors of a
potential stock decline and cannot trace any corrective
disclosure to the stock price's drop. Finally, Defendants
argue that Plaintiffs cannot show reliance based on a
"fraud-on-the market" theory because the Cambridge
Analytica scandal was already known a year before the start
of the putative class action and so the market already
reacted to the data breach. The Court does not reach these
arguments because it GRANTS the Motion to
Dismiss on alternative grounds.
the Plaintiffs do not adequately plead a securities fraud
violation. Here, it is Plaintiffs' burden to point to
plausible and particular facts tending to show fraudulent
behavior by Defendants. Without such a showing, Plaintiffs
cannot survive the higher evidentiary pleading standard
enumerated in Rule 9 of the Federal Rules of Civil Procedure.
See Fed. R. Civ. Pro. 9(b). Thus, for the reasons
below, Defendants' Motion to Dismiss is
was founded by Mark Zuckerberg who is now the Chief Executive
Officer ("CEO") of the company. Compl. ¶ 28.
Sheryl Sandberg is the Chief Organization Officer
("COO") and David Wehner is the Chief Financial
Officer ("CFO") of Facebook. Id.
¶¶ 30-31. Facebook is a social-media networking
website that allows users to create profiles and share
information about themselves to their "community."
Id. ¶ 37. The platform also enables third-party
developers' applications or websites ("apps")
to access users' information. Id. ¶¶
45-46. Importantly before 2015, a user could consent to an
app developer gaining access to their personal data and
the personal data of his or her friends (referred to
herein as "third-party consent"). Id.
and sharing of data on Facebook are governed by an agreement
between Facebook and users, including Facebook's Data
Policy (also referred to as the "Data Use Policy"
Terms of Service (formerly "Statement of Rights and
Responsibilities"), Compl. ¶ 4, 60, 200, 232. These
agreements explain how users can control the use of their
data. Id. ¶ 301(b).
2015, Facebook's policies allowed users to share
information about their friends with third-party app
developers, i.e. "third-party consent."
Id. ¶¶ 46, 82. Defendants subsequently
announced that they would overhaul Facebook's privacy
practices to better protect user data and would tell people
if their data was shared with Cambridge Analytica.
Id. ¶ 18. Specifically, in 2014, Facebook
stated that changes would "dramatically limit the
Facebook information apps could access, " and
"turn[ed] off users' ability to provide access to
their friend's personal data." Id.
¶¶ 79, 251, 266(b), 280. However, in April 2018, it
was revealed that Defendants still permitted third parties to
access user data, known as "whitelisting."
Id. ¶¶ 19, 140.
app developers must agree to Facebook's Platform Policies
before offering apps on Facebook. ¶¶ 176, 301. This
limits the use and collection of user data and requires
developers to explain what type of information they will
collect and how it will be used. Id. The policy
prohibits developers from selling, licensing, or purchasing
user data and from transferring data to advertisers or data
brokers. Id. ¶ 301(c).
Relevant Events Allegedly Showing Material Misstatements or
Kogan and Cambridge Analytica.
2013, Kogan, a professor and data researcher at Cambridge
University, developed an app called
"thisisyourdigitallife." Id. ¶ 80-81.
This app was a personality quiz; users were told that the
results would be used only for academic purposes.
Id. ¶ 81. Around 270, 000 people installed the
app and consented to the sharing of their data. Id.
¶¶ 81-82. Due to Facebook's privacy policies,
app developers were able to access data about
"thisisyourdigitallife" user's Facebook
December 2015 The Guardian Article and
December 2015, The Guardian reported that Kogan,
through his company Global Science Research
("GSR"), sold information collected through the
"thisisyourdigitallife" app to Cambridge Analytica,
violating Facebook's policies. Id. ¶¶
7, 150, 232, 280. This article indicated that Cambridge
Analytica developed voter profiles using the data of tens of
millions of Facebook users, which were then used for
political purposes. Id. ¶¶ 80-81. Once
news of the data leak broke, Defendants sent Cambridge
Analytica a letter asking it to delete the data and provide
confirmation of deletion. Id. ¶¶ 9, 90,
92, 96, 98, 150-51, 176. Defendants made no efforts to verify
Cambridge Analytica's assurances that the data was
deleted, investigate the extent of the use or distribution of
data, or verify that the data had been deleted. Id.
of the Cambridge Analytica Story in 2018.
March 17, 2018, three years after the original Cambridge
Analytica story broke, The New York Times and
The Guardian reported that Defendants delayed acting
to address the Cambridge Analytica data breach and that data
had not been deleted but was used in connection with
President Donald Trump's campaign. Id.
¶¶ 150, 153-54. These reports allegedly
contradicted Defendants' representations of data
protection, specifically the fact that user data could still
be accessed by developers without user's knowledge or
consent, i.e., whitelisting. Id. ¶ 14,
19. Facebook did, however, immediately suspend Cambridge
Analytica, its parent company, and Cambridge Analytica
employees from the Facebook platform. Id. ¶
response to the stories, Facebook's common stock dropped
nearly 7% on Monday, March 19, 2018, the first trading day
after the news broke. Id. By March 27, 2018, the
stock was trading as low as $152/share, a drop of nearly 18%
in value from its price before the stories broke.
Id. ¶ 15. The Securities and Exchange
Commission ("SEC") began investigating
"whether Facebook adequately warned investors that
developers and other third parties may have obtained
users' data without their permission or in violation of
Facebook policies." Id. ¶ 16.
First Quarter 2018 Earnings Report ("1Q18") and the
April 25, 2018, Defendants released a favorable first quarter
earnings report, 1Q18, which showed that user growth was
unaffected by the continued Cambridge Analytica scandal.
Id. ¶ 21. The report had quarterly revenue,
earnings, and daily and monthly active user growth exceeding
analyst expectations. Id. ¶¶ 21, 186, 188,
190, 270-71. Although a "handful" of advertisers
had "paused spend" with Facebook after the
Cambridge Analytica news, Defendants reported that this did
not appear to reflect a "meaningful trend."
Id. ¶ 274. Defendants also told investors that
it anticipated expenses to increase year-over-year by
"50% [to] 60%, " because of the "significant
investments [Facebook was] making in areas like safety and
security" and due to increased hiring. Id.
¶ 275. The stock price climbed more than 9% following
the release of this report. Id. ¶ 21. By July,
Facebook's stock price was trading well above $200 per
European privacy legislation, the General Data Protection
Regulation (the "GDPR"), became effective
the month after 1Q18 was released. Defendants addressed the
possible impact of this legislation during the investor call.
Id. ¶ 276. Defendants claimed that compliance
with the GDPR would not be an issue because Facebook was
almost compliant. Id. ¶ 20. On this call,
however, Defendants noted that it was "early and
difficult to know ... in advance" the business
implications of the GDPR and anticipated that Facebook's
European daily and monthly user base could "be flat to
slightly down." Lutz Ex. 11, at 8, 23, Dkt. 95.
Defendants noted that there was potential for impact and that
they would monitor it closely. Id.
Second Quarter 2018 Earnings Report
stock price increase ended on July 25, 2018 when Defendants
released 2Q18, which showed a decline in total revenues.
Id. ¶ 21. There, Defendants reported a
significant decline in user-metrics in Europe, zero user
growth in the United States, decelerating worldwide growth of
active users, lower than expected revenue and earnings, and
ballooning expenses affecting profitability. Id. As
a result, the common stock price dropped nearly 19% on July
26, 2018, resulting in a single-day loss of approximately
$100 billion in market capitalization. Id. ¶
23. By July 30, 2018, the price of stock had fallen by 21%,
shedding around $112 billion in market capitalization.
attributed the user growth slowdown to the effects of the
"GDPR rollout, consistent with the outlook we gave on
the Ql call, " but noted that the "vast majority of
people [had continued] opting in to . . . third-party data
use." Lutz Ex. 12 at 7, 18. Defendants maintain that
this is consistent with their premonition during the Ql call
that there would be a "decline" in European users.
Motion to Dismiss at 9, Dkt. 93.
Sale of Facebook Stock.
the Class Period, Defendant Zuckerberg sold approximately 30,
000 Facebook shares for proceeds of more than $5.3 billion,
while Sandberg sold $389 million worth and Wehner $21 million
worth during the same period. Compl. ¶ 13. These
included large sales during the first quarter of 2018-more
than triple what Defendants sold in the last quarter of
2017-before the 2Q18 report was released. Id.
allege Defendants made a total of 36 materially misleading
statements or omissions in press releases, SEC filings,
earnings calls, and public remarks at conferences. The Court
has arranged these statements chronologically and by source
and bolded/italicized the relevant part of the statement.
2015 Statements to The
people or misusing their information is a direct violation of
our policies and we will take swift action
against companies that do ... "
banning those companies from Facebook and
requiring them to destroy all improperly
use the information we have to help verify accounts and
activity, and to promote safety and security on and off of
our Services, such as by investigating suspicious
activity or violations of our terms or
work hard to protect your account using teams of
engineers, automated systems, and advanced technology such as
encryption and machine learning"
partners must adhere to strict confidentiality
obligations in a way that is consistent with
this Data Policy and the agreements we enter into with
sell, license or purchase any data obtained from us or our
services. . . . Don't transfer any data that you receive
from us (including anonymous, aggregate or derived data) to
any ad network, data broker or other advertising or
monetization-related service. . . . Enforcement
is both automated and manual, and can include
disabling your app, restricting you and your app's access
to platform functionality, requiring that you delete data,
terminating our agreements with you or any other action that
we deem appropriate''
notify our users with context around the status of their
account and actionable
recommendations if we assess they are
at increased risk of future account compromise by
sophisticated actors or when we have confirmed their
accounts have been compromised''
own all of the content and information you post on Facebook,
and you can control how it is shared
through your privacy and application settings. In
addition . . . [w]hen you use an application, the application
may ask for your permission to access your content and
information as well as content and information that others
have shared with you. We require applications
to respect your privacy, and your agreement with
that application will control how the application can use,
store, and transfer that content and information. (To learn
more about Platform, including how you can control what
information other people may share with applications, read
our Data Policy and Platform Page.)."
3, 2017 Facebook's 10-K Report: Data
breaches and improper access to or disclosure of our data or
user data, or other hacking and phishing attacks on our
systems, could harm our reputation and adversely affect our
Any failure to prevent or mitigate security breaches and
improper access to or disclosure of our data or user data
could result in the loss or misuse of such data, which could
harm our business and reputation and diminish our competitive
position. In addition, computer malware, viruses, social
engineering (predominantly spear phishing attacks), and
general hacking have become more prevalent in our industry,
have occurred on our systems in the past, and will occur on
our systems in the future. As a result of our prominence, we
believe that we are a particularly attractive target for such
breaches and attacks. Such attacks may cause interruptions to
the services we provide, degrade the user experience, cause
users to lose confidence and trust in our products, or result
in financial harm to us. Our efforts to protect our company
data or the information we receive may also be unsuccessful
due to software bugs or other technical malfunctions;
employee, contractor, or vendor error or malfeasance;
government surveillance; or other threats that evolve. In
addition, third parties may attempt to fraudulently induce
employees or users to disclose information in order to gain
access to our data or our users' data."
we have developed systems and processes that are designed
to protect our data and user data, to
prevent data loss, and to prevent or detect security
breaches, we cannot assure you that such measures will
provide absolute security."
addition, some of our developers or other partners, such as
those that help us measure the effectiveness of ads, may
receive or store information provided by us or by our users
through mobile or web applications integrated with Facebook.
We provide limited information to such third parties
based on the scope of services provided to us. However, if
these third parties or developers fail to adopt or adhere to
adequate data security practices, or in the event of a breach
of their networks, our data or our users' data may be
improperly accessed, used, or disclosed.
users or government authorities could initiate legal or
regulatory actions against us in connection with any security
breaches or improper disclosure of data, which could cause us
to incur significant expense and liability or result in
orders or consent decrees forcing us to modify our business
practices. Any of these events could have a material and
adverse effect on our business, reputation, or financial
3, 2017 Facebook's 10-K Report: Risks Related to Business
we fail to retain existing users or add new users, or if our
users decrease their level of engagement with our products,
our revenue, financial results, and business may be
size of our user base and our users' level of engagement
are critical to our success. . . . If people do not
perceive our products to be useful, reliable, and
trustworthy, we may not be able to attract or retain users or
otherwise maintain or increase the frequency and duration of
their engagement. ..."
number of factors could potentially negatively affect user
retention, growth, and engagement, including if:
there are decreases in user sentiment about the quality or
usefulness of our products or concerns related to privacy
and sharing, safety, security, or other factors;"
"[T]echnical or other problems prevent us from
delivering our products in a rapid and reliable manner or
otherwise affect the user experience, such as security
breaches or failure to prevent or limit spam or similar
"[W]e, developers whose products are integrated with
our products, or other partners and companies in our industry
are the subject of adverse media reports or other negative
3, 2017 Facebook's 10-K Report: Unfavorable Media and
media coverage could negatively affect our
We have been subject to regulatory investigations and
settlements, and we expect to continue to be subject to such
proceedings and other inquiries in the future, which could
cause us to incur substantial costs or require us to change
our business practices in a manner materially adverse to our
27, 2017 White Paver
data collection and theft can affect all types of victims
.... [t]ypical methods include phishing with malware to
infect a person's computer and credential theft to gain
access to their online accounts. . . .
are some of the steps we are taking:
Notifications to specific people if
they have been targeted by sophisticated attackers, with