The extent of
D.C. Attorney General Karl Racine (D) sued Zuckerberg under a local consumer protection law. Under the District’s Consumer Protection Procedures Act, Racine needs to show that Zuckerberg actively participated in or had the authority to control the privacy lapse.
The challenge for Racine will be getting around a corporate law tradition of shielding executives from liability, especially at larger companies where decision-making is often layered.
“The whole purpose of corporate structures is to take on the liability that would otherwise belong to individuals,” said Fred Cate, a law professor and vice president for research at Indiana University who specializes in data privacy and security.
Cate added that it would be hard to show in court that Zuckerberg should be held responsible, despite his influence at Meta as founder, CEO, and board chairman.
Assigning blame to an executive for unlawful conduct typically depends on showing their involvement in relevant day-to-day decisions or their knowledge of the practices at issue. Racine claims to have enough evidence for liability, drawn from documents that have come to light in a related lawsuit that he brought against Facebook in 2018.
Racine’s complaint cites emails from Zuckerberg to other Facebook employees to allege that he had authority over and knowledge of privacy practices that misled consumers about the protection of their personal information and Facebook’s oversight of how third-party apps can use such data.
“This lawsuit is not only warranted, but necessary, and sends a message that corporate leaders, including CEOs, will be held accountable for their actions,” Racine said in a May 23 statement announcing the lawsuit.
It’s generally easier to assign executive liability at smaller companies, where an individual’s direct participation in decision-making can be clearer. At large companies, liability comes down to proving control over decision-making.
“This is a mix of those two things,” said Robert Thompson, a professor at Georgetown University’s law school who focuses on corporate law. “It’s the individual, but in a very big corporation, so it would be a new setting for application of this” executive liability question, Thompson said.
A Meta spokesperson declined to comment on the new lawsuit from Racine.
Racine tried to add Zuckerberg to his ongoing privacy suit against Facebook over its failure to oversee the third-party app that shared consumer data with Cambridge Analytica. The judge overseeing that case rejected Racine’s bid, deeming it too late and questioning whether consumers would benefit from the addition.
Racine’s move to add Zuckerberg in the 2018 suit was one of the first times a law enforcement official has personally targeted the Facebook founder. The US Federal Trade Commission didn’t single out Zuckerberg when they fined Facebook $5 billion as part of a 2019 settlement over privacy lapses related to Cambridge Analytica’s use of personal information on social media users’ friends.
The agency’s two Democratic commissioners at the time disagreed with the decision to shield Facebook’s CEO from liability, according to their dissenting statements. The Republican majority argued that such criticism misses the mark because it “focuses on optics over substance.”
The settlement included other provisions meant to limit Zuckerberg’s ability to make privacy decisions unilaterally, including the establishment of a privacy committee on the company’s board of directors.
The commission has started to name individuals more often in enforcement actions focused on consumer data protections, according to Maneesha Mithal, a former FTC official who’s now a partner at Wilson Sonsini Goodrich & Rosati.
“The belief was that it would serve as more of a deterrent and make individuals take notice and make them more involved in privacy issues like never before,” Mithal said.
The case is District of Columbia v. Zuckerberg, D.C. Super. Ct., No. 2022-CA-2273, complaint filed 5/23/22.