White Paper / January 2024

Representing Privacy Legislation as Business Risks

How Technology Companies Discuss the GDPR and CCPA in Investment Risk Disclosures


A team of researchers has published a CLTC white paper examining how technology companies assess the business risks of privacy regulations such as the EU’s General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and the California Privacy Rights Act (CPRA). Using Form 10-K documents — annual regulatory reports for investors that publicly traded companies must file with the U.S. Securities and Exchange Commission (SEC) — the researchers examined how companies frame various risks related to privacy, and how they integrate these risks into their decision-making.

The paper, Representing Privacy Legislation as Business Risks: How Technology Companies Discuss the GDPR and CCPA in Investment Risk Disclosures, was authored by Richmond Wong, Assistant Professor of Digital Media at Georgia Tech’s School of Literature, Media, and Communication (and previously a postdoctoral researcher at the UC Berkeley Center for Long-Term Cybersecurity), and Andrew Chong, a PhD candidate at the UC Berkeley School of Information. The white paper is based on an academic paper written by the two scholars (and co-authored by R. Cooper Aspegren) that was published in April 2023 in the Proceedings of the ACM on Human-Computer Interaction.

“Concerns over consumers’ data privacy have increased in recent years… yet how decisions around data privacy are made within technology companies largely remains unclear, even though these practices represent a significant lever by which privacy rights can be protected,” the authors explain in the paper’s introduction. “While technology companies have faced public and regulatory pressure to protect data privacy rights, it is not fully clear how companies assess these privacy concerns as risks, or how they make decisions that integrate privacy concerns as business risks.”

Andrew Chong (L) and Richmond Wong (R)

Wong and Chong conducted qualitative analysis of 40 Form 10-K filings from nine companies — Microsoft, Salesforce, Facebook (now Meta), Google (now Alphabet), Apple, Amazon, Uber, Airbnb, and DoorDash — from between 2015 and 2020. They focused primarily on the section of the Form 10-K in which companies detail “Risk Factors,” but they also integrated other sections, such as sections in which companies describe their business overall.

“Several insights emerged from analyzing technology companies’ Form 10-Ks,” the authors wrote. “Notably, the types of risks discussed in these documents focused on potential harms that a company might face, rather than the types of risks that might lead to a violation of privacy…. Our analysis of how companies publicly frame business risks to (financial) stakeholders suggests that privacy is framed as more than a user-centered issue, but is also framed in terms such as regulatory compliance, public relations and reputation, or its effects on business models.”

The authors distill five framings that companies use to make their privacy practices legible to investors as business risks:

  • Regulatory risks: Describing potential direct penalties and legal consequences the company might face, such as fines or government investigation.
  • Reputational risks: Describing how the company’s reputation among the public may be adversely affected if the company is found to have violated data privacy laws.
  • Risks related to internal business practices: Describing how the laws may affect the company’s existing business practices, such as making targeted advertising practices more costly.
  • Risks related to external stakeholders and ecosystems: Describing how the laws may increase costs or risks in their relationships with stakeholders outside of the company, such as additional data privacy auditing or training that the company has to do with vendors.
  • Cybersecurity risks: Describing new steps or reporting requirements that the company may need to conduct in relation to cybersecurity.

The paper includes an overview of key implications for different groups, including researchers and designers, privacy advocates and practitioners, and policymakers:

  • Companies disclose both direct ways (such as legal fines and penalties) and indirect ways (such as reputational harms) that their business may be affected by privacy and data protection legislation, suggesting that privacy legislation has a range of effects that extend beyond regulatory compliance.
  • Form 10-K filings provide insight into companies’ practices related to privacy, including privacy legislation’s impact on companies’ business models and data collection practices.
  • Researchers and designers might consider new interventions and designs that help investors and business decision-makers make more privacy-preserving decisions.
  • Privacy advocates and practitioners could more effectively use the rhetorical framings of business risk when advocating for more privacy-preserving business practices.
  • New forms of disclosures and transparency reporting may help address data privacy as a part of corporate governance.
  • By understanding how companies frame and represent business risks, researchers can consider a range of technical, social, or policy interventions that might work within companies’ governance systems.

Wong and Chong also consider potential future research questions that could build on this study, such as whether companies’ responses to the privacy laws are similar in other sectors (such as vehicle manufacturers, hotels and airlines, or retail companies), and how other digital human rights and technology ethics issues, such as issues around responsible innovation or AI harms, are framed and discussed as business risks in a Form 10-K.

“Our research has a range of implications for policymakers,” the authors wrote. “First, securities regulation may provide a way to force companies to disclose more about their digital human rights practices, including privacy…. Second, our analysis suggests that policymakers should consider the indirect ways that law and regulation can influence corporate behavior. One of the surprising things we found is that companies’ discussion of business risks mentioned the GDPR and CCPA in ways beyond regulatory risk. The laws indirectly influence companies’ behaviors, as well.”

To speak with the authors, or for more information, contact cltc@berkeley.edu.

