Skip to main content
close search
site logo

Privacy and corporate disclosure laws are on collision course, paper says

States have created a patchwork of consumer privacy laws that will likely conflict with corporate disclosure mandates, according to a law professor.

Published Nov. 21, 2024
Justin Bachman's headshot
Senior Reporter
consumer data privacy laws GDPR
Companies will find increasing conflict between consumer data privacy laws and their corporate disclosure obligations, a legal paper finds. Cristian Storto Fotografia via Getty Images

Amid an absence of federal legislation, nearly half of U.S. states have enacted consumer data privacy laws that will inevitably conflict with longstanding corporate disclosure requirements, a law professor writes in a recent paper.

The welter of state laws aiming to give people more control over their personal information can trigger compliance conflicts for corporations, which are obligated to disclose certain shareholder data under state incorporation laws. 

Notably, books-and-records requests by investors seeking information on a company and annual shareholder meetings are the most likely areas of statutory conflict, writes Megan W. Shaner, a professor at the University of Oklahoma College of Law in Norman. 

“It is only a matter of time before the courts will have to wrestle with the impact of U.S. state privacy statutes on corporations’ activities,” she predicts as additional states consider privacy legislation, further pressuring Congress to offer a national framework.

Shaner analyzed these potential conflicts in a recent paper, “Growing Tensions: Consumer Privacy and Corporate Disclosures,” published in the Southern Methodist University Law Review. Shaner’s research areas focus on business associations, corporate governance, mergers and acquisitions and transactional law.

“The most fraught area of corporate disclosure is books and records demands,” she writes, as “most state corporate codes provide shareholders with a statutory right to inspect a corporation’s books and records.”

Inspection claims in Delaware have experienced a “dramatic increase” in recent years as shareholders avail themselves of these rights to seek private data, according to the paper.

Shaner notes these inspections allow access to “traditional corporate information” such as financial statements, accounting records, written communications and meeting minutes, but also to “a newer and growing category of information — the digital data collected by companies.”

“Given that books-and-records demands have been found to lead to the disclosure of valuable corporate data, it is an area of corporate law poised to come into conflict with consumer privacy statutes,” writes Shaner, a former practicing attorney in Delaware who focused on transactions and corporate governance matters.

“In sum, books-and-records inspection rights are an area rife for conflict between a corporation’s disclosure of data and privacy statutes’ requirements.”

Data protections

To date, federal data privacy legislation has been thwarted due to partisan disagreements about whether state laws should be preempted, whether consumers should have a right of action in a U.S. law and which federal agency should be empowered to enforce companies’ compliance, she writes.

Europe’s General Data Protection Regulation took effect in May 2018 with broad definitions of personal data for all EU citizens, Shaner writes, and served as a guidepost for several other countries and U.S. states seeking to protect consumers’ data. 

The California Consumer Privacy Act of 2018 was in the vanguard among state privacy efforts, signed into law only a month after the GDPR was effective. As of July 2024, 20 states have enacted data privacy legislation, according to the paper. A half dozen others are considering such legislation.

State legislation passed in 2024 “continues the trend of individual state tailoring in crafting privacy laws, with no two statutes being the same,” Shaner wrote.

All states’ data privacy measures currently exempt merger and acquisition activities where consumers’ data are sold as part of the transaction, not triggering disclosure requirements under the privacy laws. The same exemption applies to incorporation laws’ disclosure of stockholder lists in connection with annual shareholder meetings, Shaner wrote.

Potential remedies

Most of the conflict between consumer data and corporate laws arises from how states have defined consumer, according to the paper.

“Drafted with broad strokes, most of the current state privacy statutes would apply to shareholders, and California’s statute also captures employees, directors, and officers within its terms,” she wrote. “Careful statutory drafting can, however, avoid the inclusion of these internal corporate participants.”

States have taken two approaches to narrow the definition of consumer, she wrote. Most exclude people acting in a “commercial or employment context,” which does not exclude shareholders. A few states, however, offer a narrower definition of consumer, “which lends itself to excluding shareholders.”

Most companies cannot address conflicts with consumer privacy statutes through a contract with shareholders or a provision in the entity’s organizational documents, Shaner wrote. 

“This is because consumer privacy statutes typically provide that contracts or agreements purporting to waive or limit the rights or remedies thereunder are deemed void and unenforceable as a matter of public policy,” she wrote, mandating a statutory fix.

Filed Under: Data Privacy

Editors' picks

Company Announcements

View all | Post a press release
ContractCrab Launches AI Contract Review for In-House Legal Teams
From ContractCrab
November 14, 2024
Trellis Launches Trellis AI to Revolutionize Trial Court Litigation
From Trellis
November 19, 2024
Breaches and Bots: Law Firms Face a Trust Crisis with Clients, New Integris Survey Reveals
From Integris
November 18, 2024
Editors' picks
Latest in Data Privacy
image/svg+xml
Industry Dive is an Informa business
© 2024 Industry Dive. All rights reserved. | View our other publications | Privacy policy | Terms of use | Take down policy.
Cookie Preferences / Do Not Sell