Case 4:18-cv-01792-HSG Document 124-2 Filed 08/01/19 Page 1 of 143 Exhibit 1 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 Electronically Case 4:18-cv-01792-HSG Document 124-2 Filed 08/01/19 Pa(FlfeEOL43 bv Superior Court of Cahfcrni a, County ef San .'vldtec on 6/28/2019 By _ /$/ Mia Marlowe Deputy Clerk R. Alexander Saveri (173102) SAVERI & SAVERI, INC. 706 Sansome Street San Francisco, C A 94111 Telephone: (415)217-6810 Facsimile: (415)217-6813 P. Terry Anderlini, Esq. (044783) ANDERLINI & MCSWEENEY LLP 66 Bovet Road, Suite 285 San Mateo, CA 94402 Telephone: (650) 212-0001 Facsimile: (650) 212-0081 i Attorneys for Plaintiff SUPERIOR COURT OF THE STATE OF CALIFORNIA COUNTY OF SAN MATEO JOHN O’CONNOR, a California resident, Plaintiff, v. MARK ZUCKERBERG, SHERYL K. SANDBERG, JAN KOUM, MARC L. ANDREESSEN, PETER A. THIEL, REED HASTINGS, ERSK3NE B. BOWLES, SUSAN D. DESMOND-HELLMAN, KENNETH I. CHENAULT, and JEFFREY D. ZIENTS, Defendants, Case No.19-CIV-03759 DERIVATIVE COMPLAINT FOR: (1) DECLARATORY RELIEF; (2) VIOLATIONS OF CALIFORNIA CORPORATIONS CODE § 25400; (3) VIOLATIONS OF CALIFORNIA CORPORATIONS CODE § 25401; (4) VIOLATIONS OF CALIFORNIA CORPORATIONS CODE § 25402; and (5) CONTROL PERSON LIABILITY UNDER CALIFORNIA CORPORATIONS CODE § 25504 and FACEBOOK, INC., a Delaware corporation with principal executive offices located in California, Nominal Defendant. COMPLAINT FOR DECLARATORY JUDGMENT; VIOLATIONS OF CORPORATIONS CODE i 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 ase 4:18-cv-01792-HSG Document 124-2 Filed 08/01/19 Page 3 of 143 TABLE OF CONTENTS Page I. SUMMARY OF THE ALLEGATIONS . 1 II. JURISDICTION AND VENUE . . . . . 10 A. The “Choice of Forum” Provision in Facebook’s Restated Certificate of Incorporation is Invalid and Unenforceable . . . . . 1 1 B. This Court Has Jurisdiction Over the Causes of Action Alleged Herein . 13 III. PARTIES . 13 A. Plaintiff . . . . . 13 A. Nominal Defendant . 13 B . Individual Defendants . 14 IV. GENERAL ALLEGATIONS PERTAINING TO ALL CAUSES OF ACTION . 16 A. Duties of the Individual Defendants . . . . . 16 A. Control, Access and Authority . 20 B. Conspiracy, Aiding and Abetting, and Concerted Action . . 20 V. ALLEGATIONS ESTABLISHING PLAINTIFF’S INDIVIDUAL RIGHT TO DECLARATORY RELIEF . 21 A. The Forum Provision is Invalid and Unenforceable in the State of California . 23 1 . California Has a Strong Interest in Enforcing Its Securities Laws That Significantly Outweighs Delaware’s Attenuated Interest in General Governance Issues Bearing No Connection to This Case . 24 2. The Forum Provision Seeks to Operate as a Prospective Waiver of Plaintiffs Rights and Remedies Under California Law and Is, Therefore, Against Public Policy . 25 3 . The Forum Provision is Unconscionable Because Plaintiff Did Not Consent to Its Adoption and Facebook’s Minority Shareholders Cannot Vote to Modify or Repeal the Provision . 28 B. The Forum Provision Is Invalid and Unenforceable Under Delaware Law . 30 COMPLAINT FOR DECLARATORY JUDGMENT; VIOLATIONS OF CORPORATIONS CODE ♦ * 11 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 ase 4:18-cv-01792-HSG Document 124-2 Filed 08/01/19 Page 4 of 143 1 . The Forum Provision is Facially Invalid Because It Exceeds the Scope of the Delaware Statute and Impermissibly Seeks to Regulate Other Matters That Are Not “Internal Affairs” . . . . 30 2. The Forum Provision is Invalid “As Applied” to This Action Because the Delaware Chancery Court Lacks Jurisdiction . 32 3. Facebook’s Board Adopted and Maintains the Forum Provision for Self- Interested and Disloyal Purposes, and Its Enforcement Would Be Inequitable and Is Not Permitted By Delaware Law . 34 VI. ALLEGATIONS ESTABLISHING DEFENDANTS’ LIABILITY FOR VIOLATIONS OF THE CALIFORNIA SECURITIES LAWS . 35 A. Background of the Company and its Business . 36 1 . Facebook’s Advertising Business is the Source of Substantially All of Its Revenue . 37 2. Facebook’s Platform Was Designed to Allow “Reciprocal” Access to User Data . 39 3. Defendants Transitioned Facebook’s Advertising Business to Mobile Devices Beginning in 201 1 and the Company’s Revenues Skyrocketed 41 A. Facebook’s Misleading and Deceptive Practices Respecting User Privacy Were the Subject of an FTC Investigation in 2011, and the Board Was Forced to Agree to a Consent Order to Resolve the FTC Complaint . . . 42 B. The Cambridge Analytica Incident Reveals Rampant Privacy Violations at Facebook and That Defendants Failed to Comply With the FTC Consent Order ....46 C. Defendants Misrepresented the Impact That the Cambridge Analytica Scandal and Subsequent Revelations Would Have on Facebook’s Financial Performance . 51 D. Defendants Falsely and Misleadingly Represented That Facebook’s Policies and Practices Respecting User Privacy and Data Security Complied With Applicable Laws and Regulations, Including the FTC Consent Order . 56 E. Defendants’ Public Statements to Users and Investors Alike Were Materially False and Misleading With Respect to the Company’s Data Security and Privacy Policies . 60 1 . Defendants’ Statements Omitted and Failed to Disclose That Facebook’s Platform and Policies Allowed Third Parties to Obtain Users’ Personal Information and Data Without Their Consent . . . 69 COMPLAINT FOR DECLARATORY JUDGMENT; VIOLATIONS OF CORPORATIONS CODE I * ♦ 111 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 ase 4:18-cv-01792-HSG Document 124-2 Filed 08/01/19 Page 5 of 143 2. Defendants’ Statements Omitted and Failed to Disclose Material Facts About the Acquisition and Monetization of WhatsApp . 71 a. The FTC Warned Facebook About Potential Violations of the Consent Order In Connection with the WhatsApp Acquisition . 74 b. Defendant Koum Resigned From Facebook’s Board and as WhatsApp’s CEO in the Midst of the Scandal . 76 3. Defendants’ Statements Omitted and Failed to Disclose Facebook’s Secret Agreements With Device Manufacturers . 78 4. Defendants’ Statements Omitted and Failed to Disclose Facebook’s Adjudicated Violations of Law . .. . 81 a. The German Supreme Court Declared Facebook’s “Friend Finder” Feature Unlawful in 2016 . . 81 b. The Spanish Agency for Data Protection Fined Facebook €1 .2 Million Euros in 201 7 . . 82 c. The French Data Protection Authority Fined Facebook its Maximum Allowable Fine in 2017 . . 82 d. A German Court Found Facebook’s Default Settings are Illegal and Facebook’s Terms of Service are Invalid to Obtain Consent in 2018 . 83 e. Facebook Was Ordered to Stop Tracking Internet Usage and Faces Up to €100 Million in Fines . . . 83 VII. DEFENDANTS AUTHORIZED MANIPULATIVE SHARE REPURCHASES AND FALSE AND MISLEADING STATEMENTS THAT ARTIFICIALLY INFLATED FACEBOOK’S STOCK PRICE . . . 84 A. Facebook’s Board Approved Facebook’s Share Repurchases and Increased Authorizations Totaling More Than $24 Billion . 85 B. Defendants’ Materially False and Misleading Statements and Omissions Caused Facebook’s Stock to Trade at Artificially Inflated Prices, Which the Company (Over) Paid to Repurchase Its Shares . 87 VIII. AT THE SAME TIME FACEBOOK WAS REPURCHASING ITS SHARES, DEFENDANTS ZUCKERBERG, SANDBERG AND KOUM SOLD THEIR SHARES AT PRICES THEY KNEW WERE ARTIFICIALLY INFLATED . 88 COMPLAINT FOR DECLARATORY JUDGMENT; VIOLATIONS OF CORPORATIONS CODE iv 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 Case 4:18-cv-01792-HSG Document 124-2 Filed 08/01/19 Page 6 of 143 IX. DEFENDANTS ARE LIABLE FOR DAMAGES TO FACEBOOK . 98 X. DEMAND ON FACEBOOK’S BOARD WAS FUTILE AND THUS, EXCUSED ..99 A. Demand Was Futile Because A Majority of Facebook’s Board Faces a Substantial Likelihood of Liability . 100 B. Demand Was Also Futile Because Facebook and Its Board Are Dominated and Controlled By Zuckerberg . 102 C. Demand Was Also Futile Because a Majority of The Directors Lack Independence From and Are Beholden to Zuckerberg . , . 105 1 . Defendant Thiel Lacks Independence . 105 2. Defendant Andreessen Lacks Independence . 109 3 . Defendant Sandberg Lacks Independence . Ill 4. Defendant Desmond-Hellmann Lacks Independence . 115 5. Defendant Chenault Lacks Independence . 115 6. Defendant Zients Lacks Independence . 116 7. Facebook Director Peggy Alford Lacks Independence . 117 FIRST CAUSE OF ACTION . 118 Declaratory Relief Pursuant to to Code of Civil Procedure, § 1060, etseq. SECOND CAUSE OF ACTION . 120 Violations of Corporations Code §§ 24400, 25500, etseq. THIRD CAUSE OF ACTION . 125 Violations of Corporations Code §§ 25401, 25501, etseq. FOURTH CAUSE OF ACTION . 130 Violations of Corporations Code §§ 24404, 25505, etseq. FIFTH CAUSE OF ACTION . 134 Control Peson Liabililty Pursuant to Corporations Code § 25504 PRAYER FOR RELIEF . 135 COMPLAINT FOR DECLARATORY JUDGMENT; VIOLATIONS OF CORPORATIONS CODE v 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 Case 4:18-cv-01792-HSG Document 124-2 Filed 08/01/19 Page 7 of 143 Plaintiff John O’Connor (“Plaintiff’), a California resident and a shareholder of Facebook, Inc. (“Facebook” or the “Company”) stock continuously since February 21, 2017, brings this action: (i) individually as to the First Cause of Action for declaratory relief pursuant to section 1060 of the Code of Civil Procedure; and (ii) derivatively on behalf of Facebook as to the Second Cause of Action for violations of Corporations Code section 25400 (market manipulation), the Third Cause of Action for violations of Corporations Code section 25401 (false and misleading statements), the Fourth Cause of Action for violations of Corporations Code section 25402 (insider selling), and the Fifth Cause of Action for control person liability under Corporations Code section 25403, against the Individual Defendants (defined below), who are liable for damages and equitable remedies under Corporations Code sections 25500, f 25501, 25502, and 25504, et seq., respectively, pursuant to section 800 of the Corporations Code, and alleges as follows: I. SUMMARY OF THE ALLEGATIONS 1 . On March 1 7, 20 1 8, the New York Times and the Observer reported that Cambridge Analytica, a data firm retained to assist the Trump election campaign, had accessed and retained the information of 50 million users of Facebook’ s social networking website, without their authorization and informed consent. According to the Observer, a whistleblower had revealed that Cambridge Analytica utilized Facebook’ s app developer platform to obtain the personal information of Facebook users in early 2014, to create a system to profile U.S. voters and target certain of those individuals with personalized political advertisements. Christopher Wylie (“Wylie”), a Canadian data analytics expert who worked with Cambridge Analytica and Cambridge research professor Dr. Aleksandr Kogan (“Kogan”) to create the dataset, told the Observer: “We exploited Facebook to harvest millions of people’s profiles. And built models to exploit what we knew about them and target their inner demons. That was the basis the entire company was built on.” Facebook subsequently confirmed that Cambridge Analytica had access to and may have used the personal information of at least 50 million Facebook users - later increased to at least 87 million users - most of whom are U.S. citizens. Cambridge Analytica collected user data collected through an application or “app” called COMPLAINT FOR DECLARATORY JUDGMENT; VIOLATIONS OF CORPORATIONS CODE 1 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 ase 4:18-cv-01792-HSG Document 124-2 Filed 08/01/19 Page 8 of 143 “thisisyourdigitallife” designed by Kogan and his company, Global Science Research (“GSR”). GSR, in collaboration with Cambridge Analytica, created the app, which was a personality test, with the collected data supposedly to be used for academic purposes. Approximately 270,000 people downloaded the app using their Facebook login credentials. However, this was not the reason that the story made headlines. Rather, the “news” was that Cambridge Analytica had obtained Facebook users’ personal information and other data via Facebook’s platform, which was permitted - and encouraged - by Facebook’s platform and policies. Kogan, like hundreds of thousands of other third party apps, obtained Facebook users’ personal information, and that of their friends, without their knowledge and consent. Kogan then shared with Cambridge Analytica for use on the Trump election campaign. 2. Neither Facebook’s chief executive officer (“CEO”), defendant Mark Zuckerberg (“Zuckerberg”), nor its chief operating officer (“COO”), defendant Sheryl Sandberg (“Sandberg”), made any public statement initially in response to the reports regarding Cambridge Analytica. Instead, in a comment to the Guardian, a “Facebook spokeswomen” stated, “Mark, Sheryl and their teams are working around the clock to get all the facts and take the appropriate action moving forward, because they understand the seriousness of this issue. The entire company is outraged we were deceived. We are committed to vigorously enforcing our policies to protect people’s information and will take whatever steps are required to see that this happens.” 3. Facebook was not deceived, at least not by Cambridge Analytica. The Company’s public (minority) shareholders, users of the ubiquitous social networking website, and the public in general were, however, as Facebook’s top executives and members of its Board of Directors (the “Board”) intentionally misrepresented the nature of Facebook’s business, which depended upon the Company’s ability to obtain information about its users that they voluntarily shared with Facebook on its website, as well as its surreptitious, deceptive and often unlawful business practices, for over a decade. COMPLAINT FOR DECLARATORY JUDGMENT; VIOLATIONS OF CORPORATIONS CODE 2 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 Case 4:18-cv-01792-HSG Document 124-2 Filed 08/01/19 Page 9 of 143 4. Defendants deliberately concealed the fact that Facebook’s platform allowed any third party app developer to access information about Facebook users, and could use that information for various purposes, just like Cambridge Analytica had done. 5. Indeed, gathering user data was Facebook’s self-proclaimed goal from the time it launched its platform in 2007, and the Company’s business has grown along with Facebook’s user base. Facebook monetizes user data by selling advertisements targeted specifically to its users, and the Company’s unique ability to offer targeted advertising services, which depend upon the data Facebook gathers from its users, has allowed it to dominate the online advertising market. 6. Defendants knew that Facebook’s business depends on maintaining user trust and confidence in the security of their personal information that they share on Facebook. Moreover, Defendants were required to know, and they were required to ensure that Facebook maintained adequate internal controls and procedures to monitor and enforce violations of Facebook’s policies, pursuant to the terms of a consent agreement that Facebook was forced to enter into to resolve the U.S. Federal Trade Commission (the “FTC”) complaint for violations of the FTC Act after the FTC found in 201 1 that Facebook made misrepresentations about the extent to which it protected user privacy and falsely stated that it did not provide advertisers with information about Facebook users without their consent (among other things). 7. The consent agreement was subsequently entered as an order (the “Consent Order”) that specifically required Facebook to implement and maintain policies designed to ensure that user data was protected and that third parties could only access user data through Facebook’s platform if they complied with its policies and obtained the express consent of Facebook users. Facebook was also prohibited from “making any further deceptive privacy claims,” and from “misrepresenting] in any manner, expressly or by implication, the extent to which it maintains privacy or security of [user] information,” and required to accurately describe its practices with respect to the “collection [and] disclosure of any [user] information” COMPLAINT FOR DECLARATORY JUDGMENT; VIOLATIONS OF CORPORATIONS CODE 3 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 3ase 4:18-cv-01792-HSG Document 124-2 Filed 08/01/19 Page 10 of 143 and “the extent to which [Facebook] makes or has made [user] information accessible to third parties” (among other things). 8. Despite the FTC Consent Order, which all of the members of Facebook’s Board of Directors (the “Board”) received and were required to comply with, Defendants falsely represented throughout the relevant period while it was in effect that Facebook protected the personal information of its users by ensuring that third parties could only access user data if they complied with Facebook’s policies and obtained the express consent of Facebook users. 9. Rather than monitoring and enforcing Facebook’s policies and promises to protect user privacy, and contrary to their public statements, the Individual Defendants turned a blind eye to repeated violations, and made false and misleading statements about the fundamental nature of Facebook’s business, its dependence on obtaining user data, and the Company’s practices with respect to the security of user data. 10. Accordingly, Facebook’s initial statements in response to the Cambridge Analytica scandal denied any wrongdoing by Facebook’s employees or that anyone at the Company was responsible for causing the leak of Facebook user data to Cambridge Analytica. Rather, Facebook representatives stated that Kogan had violated Facebook’s platform policies, including those relating to Facebook’s developer application programming interface (“API”), and that the Company had learned of the so-called “violation” as early as 2015, but by then, the applicable policy had already been changed to clearly indicate that any similar instance of a third party app obtaining user information via the platform was a violation of Facebook’s policy. Further, Defendants represented that Facebook had implemented app review standards that were designed to ensure that nothing similar would be permitted to occur on Facebook’s platform, and third party apps would not be able to use Facebook users’ information platform in that way ever again. 1 1 . But Defendants did not disclose that the platform policy applied only to third party app developers, not to Facebook apps. Defendants also did not disclose that Facebook failed to monitor and enforce those policies, and that other third party companies still had COMPLAINT FOR DECLARATORY JUDGMENT; VIOLATIONS OF CORPORATIONS CODE 4 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 4:18-cv-01792-HSG Document 124-2 Filed 08/01/19 Page 11 of 143 access to user data and could use it for the same type of nefarious purposes as Kogan and Cambridge Analytica. 12. Moreover, Defendants failed to disclose a plethora of unlawful business practices that contributed to Facebook’s growth, and which Defendants permitted to continue as Facebook grew exponentially larger. 1 3 . Beginning in approximately 2011, defendant Mark Zuckerberg (“Zuckerberg”), Facebook’s founder and Chief Executive Officer (“CEO”), oversaw plans to consolidate the social network’s power and control competitors by treating its users’ data as a bargaining chip, while publicly proclaiming to be protecting that data. 14. On June 3, 2018, an article published by The New York Times reported that Facebook had entered into agreements over the past decade with at least 60 device makers, including Apple, Amazon, BlackBerry, Microsoft and Samsung, that allowed them to access vast amounts of Facebook users' personal information, including data about friends who had blocked such third-party access. These data-sharing partnerships, which Facebook has entered into since 2007, before the Facebook platform became ubiquitous, gave these developers the ability to offer “features” of the social network, such as messaging, “like” buttons and address books, on their own websites and mobile devices. 15. The following day, House Judiciary Committee member David Cicilline (“Cicilline”) (D-R.I.), stated that defendant Zuckerberg had “lied to Congress” when he testified before several committees in April of 2018 and stated that Facebook users have “complete control” over who sees their data. Cicilline also questioned whether Facebook’s data-sharing practices violate the FTC Consent Order, which required Facebook to, among other things, “establish and implement, and thereafter maintain, a comprehensive privacy program that is reasonably designed to address . . . privacy risks related to the development and management of new and existing products and services for consumers . . ..” It also bars Facebook from misrepresenting the extent of its privacy protections and mandates that it get COMPLAINT FOR DECLARATORY JUDGMENT; VIOLATIONS OF CORPORATIONS CODE 5 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 ase 4:18-cv-01792-HSG Document 124-2 Filed 08/01/19 Page 12 of 143 explicit consent from users before changing the way their data is shared with third parties (among other things). 16. On June 29, 2018, in response to Congressional questions to Zuckerberg, Facebook provided a 747 page document and admitted that it actually gave dozens of companies special access to user data, contrasting with the Company’s prior public statements. Indeed, Facebook disclosed that it was still sharing information of users’ friends, such as name, gender, birth date, current city or hometown, photos and page likes, with over 60 app developers nearly six months after it said it stopped access to this data in 2015. Facebook also disclosed that it shared information about its users with 52 hardware and software makers, including such large United States corporations as Amazon.com, Apple Inc., and Microsoft Corp, as well as Chinese firms such as Huawei Technologies Co. and Alibaba Group. 1 7. On July 2, 2018, the Washington Post reported that the SEC, FTC, and FBI have joined the DOJ inquiry “in its inquiries about the two companies” (Facebook and Cambridge Analytica) and specifically Facebook’s “actions and statements” over a period of years. According to the Post, the inquiry is focused on what Facebook knew years ago and what it failed to tell “users or investors,” as well as whether there were “discrepancies in more recent accounts” like executives’ testimony before Congress. Facebook representatives admitted the focus of the inquiry is “the social network’s public statements about Cambridge Analytica.” 18. On July 1 1 , 201 8, the Wall Street Journal reported that the SEC is also investigating whether Facebook adequately warned investors in a timely manner about the possible misuse and improper collection of user data. 19. Following these reports, Facebook released its earnings report for the second quarter of 201 8 on July 25, 201 8. The Company missed revenue estimates, offered a weak sales forecast for future quarters and reported a decline of users in Europe. During the earnings conference call, Facebook CFO David Wehner stated that revenue growth will fall by “high single-digit” percentages over the next two quarters, partly because Facebook planned to give people more options with their privacy settings, including letting them limit the kinds of ads COMPLAINT FOR DECLARATORY JUDGMENT; VIOLATIONS OF CORPORATIONS CODE 6 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 4:18-cv-01792-HSG Document 124-2 Filed 08/01/19 Page 13 of 143 they saw. Zuckerberg also said profits would most likely take a further hit because the company planned to spend more on security. As a result of this revelation, Facebook’s stock price was down 18 percent at opening on July 26, 2018, a loss of more than $100 billion in market value. 20. The bad news continued when, on September 28, 2018, Facebook announced that 50 million users had been compromised in a massive data breach that put their entire accounts in the hands of unknown rogue actors. An additional 40 million users also had their accounts reset due to uncertainty about the scope of the breach. Once inside Facebook’s security wall, the attackers stood in Facebook users’ shoes - with complete and total control over their profiles, accounts, and social media interactions. The attackers also gained access to any apps or services that the victims had linked to their Facebook account using the “Facebook Login” feature, putting users of thousands of other apps at risk of having their accounts hijacked and misused. 21 . In October 2018, the Company’s image was further tarnished when academics discovered that Facebook was using contact information that users had provided for security purposes, such as for two-factor identification logins, to engage in ad targeting. On October 30, 2018, Facebook announced its financial results for the third quarter of 2018, and Facebook’s Chief Financial Officer (“CFO”), David Wehner (“Wehner”), stated that the Company would not be providing revenue guidance for 2019. Facebook’s Form 10-Q for the third quarter of 2018, filed the following day, disclosed that the Company’s operating expenses had significantly risen as the number of Facebook’s employees had increased to 33,606 from 23,165 in the same period for the previous year, and would continue to rise, as the Company “expect[sj such headcount growth to continue for the foreseeable future.” 22. And, on November 1 5, 2018, the New York Times published a bombshell report following an investigation that revealed Zuckerberg and Sandberg “ignored warning signs and then sought to conceal them from public view” over the past three years and “passed off security and policy decisions to subordinates.” The report found that Facebook tried to “deflect COMPLAINT FOR DECLARATORY JUDGMENT; VIOLATIONS OF CORPORATIONS CODE 7 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 3ase 4:18-cv-01792-HSG Document 124-2 Filed 08/01/19 Page 14 of 143 blame” and “mask” the extent of the Cambridge Analytica scandal. The report indicates that Facebook knew about Russian activity on the platform as early as spring 2016, more than a year before the company alerted the public, and Sandberg clashed with Stamos over how to handle the problem. The report revealed that the Audit Committee was briefed by Stamos and Stretch regarding Russian activity on Facebook, and the entire Board was also informed at the quarterly Board meeting held on September 6, 2017. The Times also reported that Facebook had resorted to “aggressive” lobbying tactics and tapped its Washington connections to shift blame to tech rivals and ward off critics, and had hired a firm known for opposition research, Definers Public Affairs, which tried to discredit critics by linking liberal billionaire George Soros to activists protesting Facebook. 23. In response to the New York Times story, Facebook’s “Lead Independent Director,” defendant Susan Desmond-Hellman, issued the following statement on behalf of the entire Board, in support of defendants Zuckerberg and Sandberg on November 15, 2018: “As Mark and Sheryl made clear to Congress, the company was too slow to spot Russian interference, and too slow to take action. As a board we did indeed push them to move faster. But to suggest that they knew about Russian interference and either tried to ignore it or prevent investigations into what had happened is grossly unfair. In the last eighteen months Facebook, with the full support of this board, has invested heavily in more people and better technology to prevent misuse of its services, including during elections. As the U.S. mid-term showed, they have made considerable progress and we support their continued to efforts to fight abuse and improve security.” 24. By November 16, 201 8, Facebook’s stock price had fallen to new 2-year lows. Defendants continued to affirmatively deny that Facebook’s practices violated the FTC Consent Order, or any other law or regulation, despite a multitude of foreign government investigations that resulted in findings and adjudicated violations of law by Facebook. While Defendants’ false and misleading statements allowed Facebook to evade lawmakers, and avoid making any changes to its platform or policies that could affect its ability to obtain and share COMPLAINT FOR DECLARATORY JUDGMENT; VIOLATIONS OF CORPORATIONS CODE 8 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 Case 4:18-cv-01792-HSG Document 124-2 Filed 08/01/19 Page 15 of 143 user data, by the end of 2018, Facebook had incurred substantial fines, penalties and other costs as a result of Defendants’ illegal business practices, and they have caused even more serious damage to Facebook’ s brand and reputation. At the same time, however, Defendants have personally profited from Facebook’ s increasing user base and record revenues attained as a direct result of their violations of the California Securities Act and other laws. 25 . On April 24, 20 1 9, Defendants announced that they expect Facebook to pay somewhere in a range of $3 billion to $5 billion to resolve the FTC’s investigation of Facebook for violations of the Consent Order. 26. But even this is not the extent of the damages that Defendants’ violations of law have caused to Facebook - multiple other U.S. and foreign government agencies are still investigating and attempting to determine how best to regulate Facebook and other tech giants like Apple Inc. (“Apple”) and Google, Inc. (“Google”), which are virtually Facebook’s (and each other’s) only competition. 27. Together, Google and Facebook dominate the online advertising market, capturing approximately 60 percent of its sales. It is no surprise that before joining Facebook in 2008, the Company’s Chief Operating Officer (“COO”), defendant Sheryl Sandberg (“Sandberg”), was the head of Google’s advertising business. 28. Most recently, Facebook and Google’s duopoly of the online advertising market has come under fire. Bloomberg reported on May 3 1, 2019 that the U.S. Department of Justice (“DOJ”) and the FTC are investigating Google for potential antitrust violations, and on June 3, 2019, Bloomberg reported that the FTC will also investigate potential antitrust violations by t Facebook to determine whether Facebook’s practices harm competition in the digital market. On this news, Facebook’s stock price fell 7.5 percent. 29. By this action, Plaintiff, a California resident and a shareholder of Facebook stock since February 21, 2017, seeks, in the First Cause of Action for declaratory relief: (i) a declaration that a purported forum selection clause in Article IX of Facebook’s Restated Certificate of Incorporation is invalid on its face, and as applied to the causes of action for COMPLAINT FOR DECLARATORY JUDGMENT; VIOLATIONS OF CORPORATIONS CODE 9 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 1.7 18 19 20 21 22 23 24 25 26 27 28 ase 4:18-cv-01792-HSG Document 124-2 Filed 08/01/19 Page 16 of 143 action for violations of the California Corporations Code that are alleged in this Complaint, and is unenforceable to the extent it seeks to prevent Plaintiff or any other Facebook shareholder from asserting derivative claims under the California Securities Law; and (ii) that the Board’s adoption and/or refusal to grant a waiver of the clause constitutes a breach of their fiduciary duties owed to Facebook’s shareholders, and, in the Second through Fifth Causes of Action asserted derivatively on behalf of Facebook: (iii) damages and (iv) other equitable remedies for the Individual Defendants’ violations of California Corporations Code sections 25400, 25401, and 25402. II. JURISDICTION AND VENUE 30. This Court has subject matter jurisdiction over this action under Article VI, section 10 of the California Constitution and California Corporations Code section 800. 3 1 . This Court has jurisdiction over each of the Defendants because each defendant conducts business in California including, but not limited to, the conduct alleged in this complaint, and has sufficient contacts with California in order to render the exercise of jurisdiction by this Court over them permissible under California Code of Civil Procedure section 410.10 as well as the United States and California Constitutions and traditional notions of fair play and substantial justice. Facebook is headquartered in California and maintains its principal executive offices in California, and Defendants, by their wrongful acts alleged herein, caused substantial harm and injury in California, including to California citizens. 32. Venue is proper in this Court because Facebook maintains its principal executive office in Menlo Park, San Mateo County, defendants Sandberg and Koum are residents of San Mateo County, California, and the wrongful acts alleged herein occurred in or emanated from San Mateo County. 33 . Venue is proper in this Court notwithstanding a “choice of forum” provision in Facebook’s Restated Certificate of Incorporation that purports to designate the Court of Chancery of the State of Delaware (the “Delaware Chancery Court”) as the “sole and exclusive forum” for any derivative action on behalf of the Company and any action that asserts a claim COMPLAINT FOR DECLARATORY JUDGMENT; VIOLATIONS OF CORPORATIONS CODE 10 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 ase 4:18-cv-01792-HSG Document 124-2 Filed 08/01/19 Page 17 of 143 against a director, officer, employee or agent of Facebook for breach of fiduciary duty “or other wrongdoing” which is invalid and/or unenforceable, as alleged below. A. The “Choice of Forum” Provision in Facebook’s Restated Certificate of Incorporation is Invalid and Unenforceable 34. Facebook filed its original Certificate of Incorporation with the Secretary of State of the State of Delaware on July 29, 2004, under the name TheFacebook, Inc. On May 22, 2012, Facebook, Inc.’s Restated Certificate of Incorporation (the “Restated Certificate of Incorporation”) was filed with the Secretary of State of the State of Delaware, and it remains the operative version that is currently in effect. 35. Facebook’s Restated Certificate of Incorporation contains a so-called “Choice of Forum” provision in Article IX (referred to herein as the “Forum Provision”), which states: ARTICLE IX: CHOICE OF FORUM Unless the corporation consents in writing to the selection of an alternative forum, the Court of Chancery of the State of Delaware shall, to the fullest extent permitted by law, be the sole and exclusive forum for (1) any derivative action or proceeding brought on behalf of the corporation, (2) any action asserting a claim of breach of a fiduciary duty owed by, or other wrongdoing by, any director, officer, employee or agent of the corporation to the corporation or the corporation’s stockholders, (3) any action asserting a claim arising pursuant to any provision of the General Corporation Law or the corporation’s Restated Certificate of Incorporation or Bylaws, (4) any action to interpret, apply, enforce or determine the validity of the corporation’s Restated Certificate of Incorporation or Bylaws or (5) any action asserting a claim governed by the internal affairs doctrine, in each such case subject to said Court of Chancery having personal jurisdiction over the indispensable parties named as defendants therein. Any person or entity purchasing or otherwise acquiring any interest in shares of capital stock of the corporation shall be deemed to have notice of and consented to the provisions of this ARTICLE IX. 36. Facebook’s Board adopted the Forum Provision more than seven years ago, in 2012, and despite the Delaware legislature having subsequently enacted a statute in 2015 setting forth the proper scope of a forum selection clause adopted by a board of directors of a Delaware corporation, Facebook’s Board has failed to modify the Forum Provision to comply with the applicable statutory provision in the Delaware General Corporation Law (“DGCL”), section 115 (“Section 115”). Instead, Facebook’s Board has sought to enforce the Forum Provision in other derivative litigation, confirming that it impermissibly seeks to prevent COMPLAINT FOR DECLARATORY JUDGMENT; VIOLATIONS OF CORPORATIONS CODE 11 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 3ase 4:18-cv-01792-HSG Document 124-2 Filed 08/01/19 Page 18 of 143 shareholders from asserting any statutory derivative claims, including causes of action under both federal and California securities laws, not for any legitimate reason that has been recognized by Delaware courts as beneficial or that could potentially benefit Facebook, but for their own self-interested purposes. 37. As alleged below, Facebook’s Forum Provision is invalid on its face, because it is inconsistent with Delaware General Corporation Law (“DGCL”) section 115, and as applied to this particular case, its application would be unreasonable because it impermissibly seeks to regulate “external” affairs and relationships not created by or subject to the jurisdiction of the State of Delaware and would prevent Plaintiff from asserting causes of action under California law against the Individual Defendants (defined below), that are broader and/or provide additional remedies that are not available under Delaware law. 38. The Forum Provision is also invalid and cannot be equitably enforced because it was adopted and affirmatively approved and is maintained by Facebook’s Board for improper and self-interested purposes that are inconsistent with the directors’ fiduciary duties owed to Facebook and its minority shareholders, as alleged below. 39. Moreover, the Forum Provision is invalid and/or unenforceable in the State of California, because it is against public policy to allow the Individual Defendants to escape liability for their violations of the California securities laws, and it is unconscionable under applicable California law because the Forum Provision seeks to diminish or eliminate the substantive rights afforded to shareholders under California law, including under the California Corporations Code, without the consent of Facebook’s minority shareholders and without their ability to meaningfully consent, or to vote to modify or repeal the Forum Provision, as alleged below. 40. Alternatively, the Forum Provision is unenforceable and/or unconscionable as to this particular case or as to Plaintiff, because it seeks to entirely foreclose this action, which is brought by Plaintiff, a California resident, derivatively on behalf of Facebook, a corporation that is headquartered in California, against individual defendants who are California residents, COMPLAINT FOR DECLARATORY JUDGMENT; VIOLATIONS OF CORPORATIONS CODE 12 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 Case 4:18-cv-01792-HSG Document 124-2 Filed 08/01/19 Page 19 of 143 and the causes of action under the California Corporations Code cannot be brought in the Delaware Chancery Court. Further, Plaintiff did not consent to the Forum Provision. B. This Court Has Jurisdiction Over the Causes of Action Alleged Herein 41 . As alleged below, the Delaware Chancery Court does not have jurisdiction to determine claims under any state or federal statute, including Delaware statutes that do not expressly provide that the Delaware Chancery Court shall have “exclusive jurisdiction” as among the courts in Delaware to determine such claims. 42. Furthermore, there is no statutory basis for the Delaware Chancery Court to exercise personal jurisdiction over Plaintiff or any other shareholder solely by virtue of his or her share ownership, and the Delaware Chancery Court has specifically noted that it most likely would not have jurisdiction in those circumstances. 43 . The Delaware Chancery Court “is a court of limited jurisdiction. . . . Essentially, the Court of Chancery is a court of equity, requiring an equitable cause of action ... or a plaintiffs need for an equitable remedy (such as injunction) to confer jurisdiction.” Helix Generation LLC v. Transcanada Facility USA, Inc., 2019 WL 2068659, at *1 (Del, Ch. May 10, 2019). “The Delaware Code states that [the] Court [of Chancery] ‘shall not have jurisdiction to determine any matter wherein sufficient remedy may be had by common law, or statute, before any other court...’” Id. (quoting 10 Del. C. § 342). 44. This California Superior Court has jurisdiction over Plaintiffs claims under the California Corporations Code, and where (as here), another court can properly provide a remedy that “would be sufficient, that is, complete, practical and efficient, th[e] [Delaware] Court [of Chancery] is without jurisdiction.” See Helix Generation LLC, 2019 WL 2068659, at * 1 (emphasis added). III. PARTIES A. Plaintiff 45. Plaintiff John O’Connor is a shareholder of Facebook and has continuously held his Facebook stock since February 21, 2017. A. Nominal Defendant COMPLAINT FOR DECLARATORY JUDGMENT; VIOLATIONS OF CORPORATIONS CODE 13 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 4:18-cv-01792-HSG Document 124-2 Filed 08/01/19 Page 20 of 143 46. Facebook, Inc. is a Delaware corporation with its principal office located at 1 Hacker Way, Menlo Park, California. Facebook owns three of the world’s largest social networks, including Facebook, Instagram, and WhatsApp. Facebook has dual-class stock, and only the shares of its Class A common stock are traded publicly on the NASDAQ under the symbol “FB.” Class A shareholders have one vote for each share, while the Class B shareholders have ten votes for each share held. B. Individual Defendants 47. Defendant Mark Zuckerberg (“Zuckerberg”) is the founder and CEO of Facebook and Chairman of the Board. According to Facebook’s website, Zuckerberg “is responsible for setting the overall direction and product strategy for the company” and “leads the design of Facebook’s service and development of its core technology and infrastructure.” Zuckerberg is the Company’s controlling stockholder with ownership of Facebook voting shares representing more than 60% of Facebook’s voting power. 48. Defendant Sheryl Sandberg (“Sandberg”) is Facebook’s chief operating officer (“COO”) since 2008 and a Facebook director since 2012. Before she joined Facebook in 2008, Sandberg was Vice President of Global Online Sales and Operations at Google, Inc. (“Google”). 49. Defendant Jan L. Koum (“Koum”) is a co-founder of WhatsApp, Inc. (“WhatsApp”), a Facebook subsidiary, and was CEO of WhatsApp and a Facebook director until April 2018. Koum was a security and infrastructure engineer at Yahoo Inc. from 1998 until 2007, and, in 2009, he designed and launched the WhatsApp mobile messaging service. Koum joined Facebook’s Board when WhatsApp was acquired by Facebook in 2014, and in April 2018, Koum resigned as CEO of WhatsApp and left his position on Facebook’s Board. 50. Defendant Peter A. Thiel (“Thiel”) is a Facebook director since April 2005 and is a Member of the Compensation & Governance Committee. Thiel is the co-founder of PayPal, Inc. (“PayPal”), an online payment company, where he served as CEO, President and Chairman of its board of directors until it was acquired by eBay, Inc. (“eBay”) in 2002. Thiel COMPLAINT FOR DECLARATORY JUDGMENT; VIOLATIONS OF CORPORATIONS CODE 14 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 ase 4:18-cv-01792-HSG Document 124-2 Filed 08/01/19 Page 21 of 143 is also a founder of Palantir Technologies (“Palantir”), a secretive analytical software company, of Thiel Capital, an investment firm, and of Thiel Capital, a venture capital firm, and he is a Partner of Thiel Capital since 2011 and a Partner of Thiel Capital since 2005. 5 1 . Defendant Marc L. Andreessen (“Andreessen”) is a Facebook director since June 2008 and is a Member of the Audit & Risk Oversight Committee. Andreessen was also a member of the Board’s Compensation & Governance Committee until May 2018. Andreessen is a co-founder and has been a General Partner of Andreessen Horowitz, a venture capital firm, since July 2009 and was a member of the boards of directors of eBay from September 2008 to October 2014, Hewlett-Packard Company from September 2009 to October 2015, and Hewlett Packard Enterprise Company from November 2015 to April 2018. 52. Defendant Susan D. Desmond-Hellmann (“Desmond-Hellman”) is a Facebook director since March 2013 and is Facebook’s Lead Independent Director and a Member of the Compensation & Governance Committee. Desmond-Hellmann was also a member of Facebook’s Audit Committee until May 2018. 53. Defendant Kenneth I. Chenault (“Chenault”) is a Facebook director since February 2018 and is a Member of the Audit & Risk Oversight Committee. Chenault is Chairman and a Managing Director at General Catalyst, a venture capital firm. 54. Defendant Jeffrey D. Zients (“Zients”) is a Facebook director since May 2018 and is the Chair of the Audit & Risk Oversight Committee. Zients is the CEO of the Cranemere Group Limited, a diversified holding company. 55. Defendant Reed Hastings (“Hastings”) was a Facebook director from June 201 1 until May 2019 and was the Chair of the Compensation & Governance Committee. Hastings is CEO and Chairman of the board of directors of Netflix, Inc. (“Netflix”), a provider of an Internet subscription service for movies and television shows, since 1999, and previously was a member of the board of directors of Microsoft Corporation from March 2007 to November 2012. COMPLAINT FOR DECLARATORY JUDGMENT; VIOLATIONS OF CORPORATIONS CODE 15 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 ase 4:18-cv-01792-HSG Document 124-2 Filed 08/01/19 Page 22 of 143 56. Defendant Erskine B. Bowles (“Bowles”) was a Facebook director from September 2011 until May 2019 and was a Member of the Audit & Risk Oversight Committee. 57. The defendants identified above in fflj 47-56 are collectively referred to as “Individual Defendants” and, together with nominal defendant Facebook, as “Defendants.” IV. GENERAL ALLEGATIONS PERTAINING TO ALL CAUSES OF ACTION 58. Each of the Individual Defendants: (a) directly participated in the management of the Company; (b) was directly involved in the day-to-day operations of the Company at the highest levels; (c) was privy to confidential proprietary information concerning the Company and its business and operations; (d) was involved in drafting, producing, reviewing and/or disseminating the false and misleading statements and information alleged herein; (e) was aware of or recklessly disregarded the fact that the false and misleading statements were being issued concerning the Company; and/or (f) approved or ratified the false and misleading statements issued by or on behalf of Facebook or other Individual Defendants, and is liable for violations of the California Corporations Code, as alleged herein. A. Duties of the Individual Defendants 59. Each of the Individual Defendants, by reason of their positions as officers and directors of Facebook, owed Facebook and its minority shareholders fiduciary duties including the duty to act in good faith and exercise reasonable care and diligence in the administration of the affairs of the Company and in the use and preservation of its property and assets, and the highest obligations of trust, loyalty, good faith, candor, and due care, and were required to use their utmost ability to control and manage Facebook in a fair, just, honest, and equitable manner. The Individual Defendants were required to act in furtherance of the best interests of Facebook and its minority shareholders so as to benefit all shareholders equally and not in furtherance of their personal interests or benefit. 60. To discharge their duties as Facebook’s officers and directors, the Individual Defendants were required to exercise reasonable and prudent supervision over Facebook’s COMPLAINT FOR DECLARATORY JUDGMENT; VIOLATIONS OF CORPORATIONS CODE 16 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 4:18-cv-01792-HSG Document 124-2 Filed 08/01/19 Page 23 of 143 management, policies, practices, and controls of the affairs of the Company. Accordingly, the Individual Defendants were required to: 61 . (a) ensure that Facebook was operated in a diligent, honest, and prudent manner in accordance with its bylaws and charter, as well as the laws and regulations of the State of Delaware, the State of California and the United States; 62. (b) conduct the affairs of the Company in an efficient, business-like manner so as to make it possible to provide the highest quality performance of its business, to avoid wasting the Company’s assets, and to maximize the value of the Company’s stock; 63. (c) remain informed as to how Facebook conducted its operations, and, upon receipt of notice or information of imprudent or unsound conditions or practices, to make reasonable inquiry in connection therewith, and to take steps to correct such conditions or practices; 64. (d) establish and maintain systematic and accurate records and reports of the business and internal affairs of Facebook and procedures for the reporting of the business and internal affairs to the Board and to periodically investigate, or cause independent investigation to be made of, said reports and records; 65. (e) maintain and implement an adequate and functioning system of internal legal, financial, and management controls, such that Facebook’ s operations would comply with all laws and its financial statements filed with the SEC and disseminated to the public and Facebook’s shareholders would be accurate; 66. (f) exercise reasonable control and supervision over the public statements made by the Company’s officers and employees and any other reports or information that the Company was required by law to disseminate; and 67. (g) examine and evaluate any reports of examinations, audits, or other financial information concerning the financial affairs of the Company and to make full and accurate disclosure of all material facts concerning, among other things, each of the subjects and duties set forth above. COMPLAINT FOR DECLARATORY JUDGMENT; VIOLATIONS OF CORPORATIONS CODE 17 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 ;ase 4:18-cv-01792-HSG Document 124-2 Filed 08/01/19 Page 24 of 143 68. As senior executive officers and directors of a publicly-traded company whose Class A common stock was registered with the SEC pursuant to the Exchange Act and traded on the NASDAQ Global Select Market (“NASDAQ”), at all relevant times mentioned in this Complaint, each of the Individual Defendants had a duty to disseminate accurate and truthful information with respect to the Company’s financial condition and performance, growth, operations, financial statements, business, products, management, earnings, and present and future business prospects; and to correct any previously-issued statements that had become materially misleading or untrue, so that the market price of the Company’s common stock would be based upon truthful and accurate information. 69. During the relevant period, the Individual Defendants made, caused and/or allowed to be made by or on behalf of Facebook the false and misleading statements and omissions that violated California Corporations Code section 25401, and that caused Facebook’s stock to trade at higher prices than if the omitted facts or other information had been accurately disclosed, and engaged in other “market manipulation” conduct that violated section 25400, and subdivision (d) thereof, including approving a “share repurchase program” in 2016 and increased authorizations in 2017 and 2018, for the repurchases of over $14 billion worth of shares of Facebook common stock that were effectuated by the Company throughout 2017, 2018 and the first quarter of 2019 and are presently ongoing, during the same time as defendants Zuckerberg, Sandberg and Koum sold more than $1 billion worth of their personally held shares of Facebook common stock, in the open market, and in connection with various transactions that were approved by Facebook’s Board as described herein. 70. In their positions as officers and directors of Facebook, each of the Individual Defendants had access to non-public information about the Company’s business, operations, corporate and financial affairs, and possessed or had knowledge of material non-public information regarding the Company. 71. By reason of their positions as directors of Facebook, the Individual Defendants’ ownership interests in Facebook, their responsibility under the Company’s bylaws for COMPLAINT FOR DECLARATORY JUDGMENT; VIOLATIONS OF CORPORATIONS CODE 18 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 3ase 4:18-cv-01792-HSG Document 124-2 Filed 08/01/19 Page 25 of 143 managing the company, their presumptive authority to sign key corporate documents including Facebook’s public filings with the SEC, their significant and majority voting power by virtue of their stock holdings and voting agreement, and their affiliations with venture capital firms upon which Facebook and its subsidiaries relied for financing and in connection with acquiring various companies and subsidiaries of Facebook including Oculus VR, each of the Individual Defendants possessed the power and ability to directly or indirectly influence Facebook’s corporate policies and decision making, including the decisions to offer and sell and/or repurchase shares of Facebook common stock described herein, and did, directly or indirectly, exercise control over the wrongful acts detailed in this Complaint. 72. Because of their ability to control the business, operations, and financial and corporate affairs of the Company, each of the Individual Defendants owed Facebook and its shareholders a duty to exercise due care and diligence in the management and administration of the affairs of the Company, including ensuring that Facebook operated in compliance with all applicable laws and regulations. Defendants were and are required to act in furtherance of the best interests of Facebook and its shareholders so as to benefit all shareholders equally and not in furtherance of the Defendants’ personal interest or benefit. 73. Because of their positions of control and authority as directors and officers of Facebook, the Defendants were able to and did control the general affairs of the Company at the time of the violations of California securities laws alleged herein. Thus, each of the Individual Defendants participated in, and is liable as a primary violator or is jointly and severally liable, and/or is a control person who is subject to liability for the primary violations of California securities laws by other Individual Defendants who they control, because they possess the power to directly or indirectly influence Facebook’s corporate policies and decision making, including the decisions to offer and sell and/or repurchase shares of Facebook common stock. 74. The Individual Defendants’ conduct involves a knowing and culpable violation of their obligations as directors and officers of Facebook, the absence of good faith on their part, COMPLAINT FOR DECLARATORY JUDGMENT; VIOLATIONS OF CORPORATIONS CODE 19 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 ase 4:18-cv-01792-HSG Document 124-2 Filed 08/01/19 Page 26 of 143 or a reckless disregard of their duties that they were aware or should have been aware posed a risk of serious injury to Facebook. Each Individual Defendant ratified each other’s misconduct because they collectively comprised Facebook’s Board and management at all relevant times. A. Control. Access and Authority 75. The Individual Defendants, because of their positions of control and authority, were able to and did, directly or indirectly, exercise control over the wrongful acts complained of herein, as well as the contents of the various public statements issued by Facebook. 76. Because of their advisory, executive, managerial, and directorial positions with Facebook, each of the Individual Defendants had access to adverse, non-public information about the financial condition, operations, and improper representations of Facebook. 77. Each of the Individual Defendants was the agent of each of the other Individual Defendants and of Facebook, and was at all times acting within the course and scope of such agency. B. Conspiracy. Aiding and Abetting, and Concerted Action 78. In committing the wrongful acts alleged herein, the Individual Defendants have pursued, or joined in the pursuit of, a common course of conduct, and have acted in concert with and conspired with one another in furtherance of their wrongdoing. The Individual Defendants further aided and abetted and/or assisted each other in breaching their respective duties. 79. The Individual Defendants collectively and individually initiated a course of conduct that was designed to and did conceal the fact that Facebook’s data protection measures were suffering from several material security vulnerabilities that, if exploited, can provide hackers with access to sensitive consumer data. In furtherance of this plan, conspiracy, and course of conduct, the Individual Defendants collectively and individually took the actions set forth herein. 80. The Individual Defendants engaged in a conspiracy, common enterprise, and/or common course of conduct. The Individual Defendants accomplished their conspiracy, common enterprise, and/or common course of conduct by causing Facebook to conceal from COMPLAINT FOR DECLARATORY JUDGMENT; VIOLATIONS OF CORPORATIONS CODE 20 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 4:18-cv-01792-HSG Document 124-2 Filed 08/01/19 Page 27 of 143 Facebook’s customers and the investing public that that Facebook’s data protection measures were suffering from several material security vulnerabilities that, if exploited, can provide hackers with access to sensitive consumer data. The Individual Defendants also knew or should have known of the Insider Trading Defendants’ trading in the Company’s stock based on material, non-public information but failed to take any action to remedy such insider-trading violations. Because the actions described herein occurred under the authority of the Board, each of the Individual Defendants was a direct, necessary, and substantial participant in the conspiracy, common enterprise, and/or common course of conduct complained of herein. 81 . The purpose and effect of the Individual Defendants’ conspiracy, common enterprise, and/or common course of conduct was, among other things, to conceal from its customers and shareholders the material vulnerabilities in Facebook’s data protection measures. 82. Each Individual Defendant aided and abetted and rendered substantial assistance in the wrongs complained of herein. In taking such actions to substantially assist the commissions of the wrongdoing complained of herein, each Individual Defendant acted with knowledge of the primary wrongdoing, substantially assisted the accomplishment of that wrongdoing, and was aware of his (or her) overall contribution to and furtherance of the wrongdoing. V. ALLEGATIONS ESTABLISHING PLAINTIFF’S INDIVIDUAL RIGHT TO DECLARATORY RELIEF 83. Code of Civil Procedure section 1060 provides that “[a]ny person interested under a written instrument, excluding a will or a trust, or under a contract, or who desires a declaration of his or her rights or duties with respect to another, or in respect to, in, over or upon property, or with respect to the location of the natural channel of a watercourse, may, in cases of actual controversy relating to the legal rights and duties of the respective parties, bring an original action or cross-complaint in the superior court for a declaration of his or her rights and duties in the premises, including a determination of any question of construction or validity arising under the instrument or contract. He or she may ask for a declaration of rights or duties, COMPLAINT FOR DECLARATORY JUDGMENT; VIOLATIONS OF CORPORATIONS CODE 21 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 3ase 4:18-cv-01792-HSG Document 124-2 Filed 08/01/19 Page 28 of 143 either alone or with other relief; and the court may make a binding declaration of these rights or duties, whether or not further relief is or could be claimed at the time. The declaration may be either affirmative or negative in form and effect, and the declaration shall have the force of a final judgment.” Civ. Proc. Code, § 1060. 84. Plaintiff, as a shareholder of Facebook, has an interest under Facebook’s Restated Articles of Incorporation, and desires a declaration of his rights as a shareholder of Facebook in the form of a determination of a question of validity arising under the Restated Articles of Incorporation as to Article IX. In particular, Plaintiff seeks a declaration that a purported forum selection clause in Article IX of Facebook’s Restated Articles of Incorporation is invalid on its face, and as applied to the causes of action for violations of the California Corporations Code asserted in this Complaint, and is unenforceable to the extent it may be asserted as an affirmative defense to this Complaint or any of the causes of action asserted herein, or as a basis for dismissal of this Complaint or any of the causes of action asserted herein, or would prevent Plaintiff from proceeding in California Superior Court and obtaining a judgment from this Court as to violations of the California Corporations Code that are alleged in the Second through Fifth Causes of Action in this Complaint. 85. A judicial determination of the parties’ respective rights and remedies is necessary and appropriate at this time under the circumstances because: (i) the Forum Provision has been asserted by Facebook and/or Individual Defendants as a defense to similar derivative claims against Individual Defendants under the California Corporations Code arising from the same facts and circumstances as this action, and to obtain a dismissal of those claims without prejudice; (ii) Facebook’s Board approved Facebook’s Amended and Restated Bylaws, as amended and restated April 10, 2019, which provide that the Forum Provision is subject to modification, waiver or repeal only by Facebook directors including Individual Defendants; and (iii) Plaintiff is presently asserting causes of action under the California Corporations Code derivatively on behalf of Facebook against the Individual Defendants, as alleged in this COMPLAINT FOR DECLARATORY JUDGMENT; VIOLATIONS OF CORPORATIONS CODE 22 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 3ase 4:18-cv-01792-HSG Document 124-2 Filed 08/01/19 Page 29 of 143 Complaint, in this California Superior Court. A judicial determination is necessary to prevent the causes of action alleged herein from being dismissed on the basis of the Forum Provision. 86. Plaintiffs cause of action for declaratory relief is brought individually, rather than derivatively, pursuant to Delaware law holding that challenges to charter and bylaw amendments are individual in nature, because when a board takes actions “that diminish the ability of non-management stockholders to . . . amend the corporation’s charter and bylaws, the resulting injury to the non-management stockholders is independent of and distinct from any injury to the corporation” and “is to the stockholders within the corporate structure that have lost relative power, not to the corporation as an entity[.]” See, e.g., In re Gaylord Container Corp. Shareholders Litig., 747 A.2d 71, 84 (Del. Ch. 1999). A. The Forum Provision is Invalid and Unenforceable in the State of California 87. The Forum Provision is invalid and unenforceable in the State of California /" because it “would substantially diminish the rights of California residents in a way that violates our state’s public policy.” Verdugo v. Alliantgroup, L.P., 237 Cal,App.4th 141, 147 (2015). 88. Furthermore, enforcement of the Forum Provision would be unreasonable, because the Delaware Chancery Court would be unable to accomplish substantial justice as it lacks jurisdiction over the causes of action under the California Corporations Code that are asserted in this Complaint, and “parties may not deprive courts of their jurisdiction over causes by private agreement,” Korman v. Princess Cruise Lines, Ltd., 32 Cal.App.5th 206, 221 (2019) (internal citations and quotations omitted). Delaware has no logical connection with the parties or transactions alleged in this Complaint. 89. Finally, the principles of comity and mutual regard for the jurisdiction of sovereign states allow a state to apply its laws notwithstanding that the laws of another state (Delaware) have been designated as governing by its jurisdiction (or by Defendants under the law of its jurisdiction), where, as here, the designation was without legally valid consent under the laws of the other state (California). The Forum Provision is unconscionable under California law. Plaintiff did not consent to adoption of the Forum Provision, and Facebook’s COMPLAINT FOR DECLARATORY JUDGMENT; VIOLATIONS OF CORPORATIONS CODE 23 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 3ase 4:18-cv-01792-HSG Document 124-2 Filed 08/01/19 Page 30 of 143 minority shareholders were and are unable to meaningfully consent because they cannot vote to modify or repeal the clause. 1. California Has a Strong Interest in Enforcing Its Securities Laws That Significantly Outweighs Delaware’s Attenuated Interest in General Governance Issues Bearing No Connection to This Case 90. In California, enforcement of a forum selection clause “is considered unreasonable where ‘the forum selected would be unavailable or unable to accomplish substantial justice’ or there is no ‘rational basis’ for the selected forum.” Korman, 32 Cal.App.5th, at 218 (citing Drulias v. 1st Century Bancshares, Inc., 30 Cal.App.5th 696, 707 (2018) (internal quotations and citations omitted). Facebook’s Forum Provision fails on both counts. 91 . Plaintiff and many of the Individual Defendants are California residents, and Facebook is a corporation that is headquartered in California. California is the location of the events in question, and Facebook has extensive ties to California, which is where Facebook maintains its principal executive offices (in Menlo Park) and six other offices, including in Fremont, Los Angeles, Mountain View, San Francisco, Sausalito, and Woodland Hills. Thus, approximately one-third of Facebook’s U.S. offices (seven out of a total of twenty) are located in California. 92. By contrast, not a single one of Facebook’s twenty U.S. offices is located in Delaware. Facebook’s absence of connections to Delaware, other than as its state of incorporation, confirm that enforcement of the Forum Provision in this case would be unreasonable, at best. 93. California Corporations Code sections 25402 and 25403 only apply to sales of securities in California, and state and federal courts in California have repeatedly held that California’s interest in enforcing its insider trading statutes supersedes Delaware’s interest in overseeing the general internal governance of Delaware incorporated companies where insider trading has occurred in California. See, e.g., Friese v. Superior Court, 134 Cal.App.4th 693, 704-709 (2005) (explaining that California’s insider trading statutes are part of an overall COMPLAINT FOR DECLARATORY JUDGMENT; VIOLATIONS OF CORPORATIONS CODE 24 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 ase 4:18-cv-01792-HSG Document 124-2 Filed 08/01/19 Page 31 of 143 scheme supplementing the federal securities laws and have broad implications of statewide interest such that enforcing them does not conflict with the internal affairs of a foreign corporation and distinguishing among other cases); Lidow v. Superior Court, 206 Cal.App.4th 351, 362 (2012) (discussing Fries e, among other cases, and explaining that California “courts are less apt to apply the internal affairs doctrine when vital statewide interests are at stake, such as maintaining the integrity of California security markets and protecting its citizens from harmful conduct”). 94. Further, California has a strong interest in protecting minority shareholders against breaches of fiduciary duty by majority shareholders: “The increasingly complex transactions of the business and financial communities demonstrate the inadequacy of the traditional theories of fiduciary obligations as tests of majority shareholders responsibility to the minority. These theories have failed to afford adequate protection to minority shareholders. . .the comprehensive rule of good faith and inherent fairness to the minority in any transaction where control of the corporation is material properly governs controlling shareholders in this state.” Jones v. H.F. Ahmanson & Co., 460 P.2d 464, 473-474 (Cal. 1969). These interests are not simply as between the litigants but are a matter of public policy in California. See, e.g., Neubauerv. Goldfarb, 108 Cal.App.4th 47, 56-57 (2003) (“the buying and selling of corporate stock are transactions which affect a public interest” and “controlling shareholders possess a decisive advantage of bargaining strength”). 2. The Forum Provision Seeks to Operate as a Prospective Waiver of Plaintiffs Rights and Remedies Under California Law and Is, Therefore, Against Public Policy 95. The Forum Provision is invalid under California law because it impermissibly seeks to prevent Plaintiff (and Facebook’s other minority shareholders that are similarly situated) from effectively vindicating their statutory rights under the California Corporations Code. 96. Where, as here, “the claims at issue are based on unwaivable rights created by California statutes[,] . . . the party seeking to enforce the forum selection clause bears the COMPLAINT FOR DECLARATORY JUDGMENT; VIOLATIONS OF CORPORATIONS CODE 25 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 4:18-cv-01792-HSG Document 124-2 Filed 08/01/19 Page 32 of 143 burden to show litigating the claims in the contractually-designated forum ‘will not diminish in any way the substantive rights afforded . . . under California law.’” Verdugo v. Alliantgroup, L.P., 237 Cal.App.4th 141, 147-148 (2015). Defendants cannot satisfy their burden here. 97. If enforced, the Forum Provision would bar Plaintiff from asserting the causes of action in this Complaint because the Delaware Chancery Court does not have subject-matter jurisdiction over statutory claims, and personal jurisdiction is also potentially lacking in the Delaware Chancery Court as to Plaintiff and certain Individual Defendants. The Forum Provision therefore seeks to operate as a “choice of law” provision, and as a prospective waiver of Plaintiff s rights to pursue claims and remedies under California law, including in a derivative action on behalf of Facebook. 98. The Forum Provision acts as a waiver of the protections that California law provides for its residents, and for non-residents, from market manipulation, false and misleading statements and insider trading, among other things, as set forth in the Corporations Code sections that Defendants are alleged to have violated in this Complaint. 99. Moreover, a choice of jurisdiction and law should bear a reasonable nexus to the parties and the transaction. Here, it does not. Delaware’s interest in enforcing general corporate governance matters does not bear any nexus to the particular parties and the transaction giving rise to the causes of action asserted in this Complaint. 100. California courts have held that “Delaware’s interest in regulating the activities of its domestic corporations is less substantial where, as here, its only contact with the corporation is in issuing a certificate of incorporation.” Havlicek v. Coast-to-Coast Analytical Servs., Inc., 39 Cal. App. 4th 1844, 1852 (1995) (applying California law to the inspection demand of a shareholder of a Delaware corporation). 101 . Further, as fiduciaries under California law, majority shareholders “may not use their power to control corporate activities to benefit themselves alone or in a manner detrimental to the minority.” Ahmanson, 460 P.2d 464 at 471. California courts have concluded that the fiduciary duty imposed upon majority shareholders limits their exercise of COMPLAINT FOR DECLARATORY JUDGMENT; VIOLATIONS OF CORPORATIONS CODE 26 l 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 3ase 4:18-cv-01792-HSG Document 124-2 Filed 08/01/19 Page 33 of 143 contractual rights, and that such limitations are a fundamental public policy. Thrasher v. Thrasher, 27 Cal.App.3d 23, 26-27 (1972) (“the established requirement of scrupulous fairness permits inquiry into the motives and purpose of the dominant shareholder in his enforcement of [contractual] repayment otherwise properly recoverable by him”); Neubauer, 108 Cal. App. 4th at 57 (“We conclude, therefore, waiver of corporate directors’ and majority shareholders’ fiduciary duties to minority shareholders in private close corporations is against public policy and a contract provision in a buy-sell agreement purporting to effect such a waiver is void”). 102. California’s interest in protecting the rights of minority shareholders, and its residents, trumps whatever interest Delaware might have in providing a forum for derivative actions or in supplying the rule of decision, especially where (as here) it necessarily would apply to the exclusion of applicable California law that provides for different and additional remedies beyond what could be obtained in a shareholder derivative action asserting only claims under Delaware law. 103. Delaware has no interest in preventing, and Delaware law does not permit adoption of a Forum Provision that seeks to prevent, a shareholder derivative action seeking remedies for the Company when it is expressly authorized by California law and is not inconsistent with Delaware law. This is especially true where (as here) the Individual Defendants adopted and are maintaining the Forum Provision that impermissibly seeks to prevent the derivative claims from being brought in any forum based solely on their own disloyal, self-interested purposes. 104. The implied derogation of applicable laws governing securities transactions in the State of California that the Forum Provision seeks to impose is contrary to California’s overriding interests in preventing securities fraud by corporations that are headquartered in the State of California, especially where (as here), the wrongful conduct alleged was committed in or emanated from the State of California, the owner of a majority of the voting shares of Facebook stock is a California resident (defendant Zuckerberg), and the Company has clearly COMPLAINT FOR DECLARATORY JUDGMENT; VIOLATIONS OF CORPORATIONS CODE 27 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 ;ase 4:18-cv-01792-HSG Document 124-2 Filed 08/01/19 Page 34 of 143 availed itself of the benefits and advantages of California’s laws by doing business in California. 105. By contrast, Facebook has minimal or no meaningful connections to Delaware besides its incorporation under the laws of that state. 3. The Forum Provision is Unconscionable Because Plaintiff Did Not Consent to Its Adoption and Facebook’s Minority Shareholders Cannot Vote to Modify or Repeal the Provision 106. The Board’s unilateral decision to adopt and maintain the Forum Provision that exceeds the scope of the applicable Delaware statute is clearly the product of overreaching and a violation of the Individual Defendants’ fiduciary duties. It would, therefore, be inequitable to enforce the Forum Provision under both Delaware and California law. 1 07. Enforcement of the Forum Provision would be unreasonable as it is unconscionable under California law. The Forum Provision was unilaterally adopted by Facebook’s Board and is subject to modification, waiver or repeal only by Facebook directors including Individual Defendants, pursuant to Facebook’s Amended and Restated Bylaws, as amended and restated April 10, 2019, which Facebook’s Board adopted and approved on or about April 10, 2019. 1 08. The Forum Provision and related bylaws prevent Facebook’s minority shareholders from voting to modify or repeal the Forum Provision, and are procedurally 'N unconscionable because they were adopted and approved by Facebook’s Board and are maintained by the Board without the consent of Plaintiff. California state and federal courts have held that such a lack of consent is sufficient, on its own, to invalidate or decline to enforce a contractual provision that designates a particular forum for litigation of disputes arising under the contract. See, e.g., Galaviz v. Berg, 763 F.Supp.2d 1170 (N.D. Cal. 201 1) (denying motion / to dismiss on the basis of a forum selection clause that was unilaterally adopted by the ' corporation’s board of directors in amended bylaws without shareholder’s consent, noting that while a party’s acceptance of an agreement may “serve as consent to all the terms therein, whether or not all of them were specifically negotiated or even read,” a party may not COMPLAINT FOR DECLARATORY JUDGMENT; VIOLATIONS OF CORPORATIONS CODE 28 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 ase 4:18-cv-01792-HSG Document 124-2 Filed 08/01/19 Page 35 of 143 independently amend or alter the provisions of a contract after the contract has been entered into, and finding that corporation had otherwise failed to demonstrate the effectiveness of its forum selection bylaw to restrict the plaintiffs from pursuing their claims in the California federal court). 109. In Tech. Credit Corp. v. N.J. Christian Academy, Inc., for example, a federal court in California concluded that a forum selection clause was not enforceable because the individual against whom enforcement was sought had not signed the agreement containing the clause, explaining, “defendants have not cited authority addressing the circumstances presented here — where one side seeks to enforce a forum selection clause in a contract (not at issue) against a non-signatory who seeks to enforce a competing forum selection clause in a different contract that is at issue.” 2018 WL 1863358, at *13 (N.D. Cal. Apr. 18, 2018). Here, as in Tech. Credit Corp., Plaintiff is not a signatory to the Restated Articles of Incorporation. Further, given the existence of other potentially other forum selection clauses that Facebook has argued make California the proper venue for similar claims, the Forum Provision should not be enforced in this case. 110. Facebook’s minority shareholders (including Plaintiff) cannot (and did not) meaningfully consent to the Forum Provision. Facebook’s minority shareholders are unable to vote or obtain shares of Facebook Class C stock that are necessary to vote, due to Facebook’s stock class structure and defendant Zuckerberg’s majority voting power. Thus, Facebook’s minority shareholders (including Plaintiff) were and are deprived of any meaningful choice as to whether to adopt or maintain the Forum Provision, because they cannot vote to repeal or modify the Forum Provision; only Defendants can. 111. Further, the Forum Provision is substantively unconscionable because the provision at issue reallocates risks in an objectively unreasonable manner by placing all of the risk, i.e., liability for statutory violations committed by officers and directors of Facebook, on Facebook and its shareholders, and by eliminating the risk to officers and directors of Facebook that they may be held personally liable for damages and other statutory remedies, including COMPLAINT FOR DECLARATORY JUDGMENT; VIOLATIONS OF CORPORATIONS CODE 29 1 2 3 4 5 6 .7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 ase 4:18-cv-01792-HSG Document 124-2 Filed 08/01/19 Page 36 of 143 under the California Corporations Code. The Forum Provision is, therefore, unreasonably favorable to the Individual Defendants because it would allow them to avoid personal liability to Facebook and its shareholders for the violations of law alleged herein. B. The Forum Provision Is Invalid and Unenforceable Under Delaware Law 112. The Delaware Chancery Court explained in Boilermakers Local 154 Retirement Fund v. Chevron Corp. that “if a plaintiff believes that a forum selection clause cannot be equitably enforced in a particular situation, the plaintiff may sue in her preferred forum and . . . argu[e] that, under [M/S Bremen v. Zapata Off-Shore Co., 407 U.S. 1, 12 (1972)], the forum selection clause should not be respected because its application would be unreasonable. The plaintiff may also argue that, under [Schnell v. Chris-Craft Industries, Inc., 285 A.2d 437, 439 (Del. 1971)], the forum selection clause should not be enforced because the bylaw was being used for improper purposes inconsistent with the directors’ fiduciary duties. . .” 73 A.3d 934, 958—63 (Del. Ch. 2013), judgment entered sub nom. Boilermakers Local 154 Ret. Fund & Key W. Police & Fire Pension Fund v. Chevron Corp. (Del. Ch. 2013). Here, Plaintiff seeks a declaratory judgment that Facebook’s Forum Provision should not be respected because its application would be unreasonable, and Defendants’ adoption and/or refusal to grant a waiver of the Forum Provision constitutes a breach of their fiduciary duties to Facebook and its shareholders. 1. The Forum Provision is Facially Invalid Because It Exceeds the Scope of the Delaware Statute and Impermissibly Seeks to Regulate Other Matters That Are Not “Internal Affairs” 113. Facebook’s Forum Provision is invalid on its face because it does not comply with section 1 15 of the Delaware General Corporation Law, which allows a board of directors of a Delaware corporation to amend or adopt a corporate charter provision or bylaw to include a provision requiring that lawsuits asserting “internal corporate claims” must be brought in a court in the State of Delaware; however, the statute specifically limits the permissible scope of any such provision to include “internal corporate claims” - i.e., claims involving the internal affairs of the corporation. Del. Code tit. 8, § 1 15. The term “internal corporate claims” is COMPLAINT FOR DECLARATORY JUDGMENT; VIOLATIONS OF CORPORATIONS CODE 30 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 ase 4:18-cv-01792-HSG Document 124-2 Filed 08/01/19 Page 37 of 143 defined to mean claims, including claims in the right of the corporation, (1) that are based upon a violation of a duty by a current or former director or officer or stockholder in such capacity, or (2) as to which the DGCL confers jurisdiction upon the Court of Chancery. Id. 1 14. Facebook’s Forum Provision is facially invalid under Delaware law because it goes beyond the scope of the statute and impermissibly seeks to regulate the Company’s “internal affairs” - and to regulate Facebook’s external relationships and claims under California law. And, it goes even further, because if enforced, the Forum Provision would foreclose and prevent entirely any derivative claims under California statutes (and federal statutes) that (among other things) are properly applicable to the securities transactions alleged to violate the Corporations Code. 115. In Sciabacucchi v. Salzberg CA, the Delaware Chancery Court held that a forum selection provision contained in the certificate of incorporation of a Delaware corporation is invalid to the extent it seeks to “use corporate law to regulate the corporation’s external relationships” - i.e., a claim that “does not turn on the rights, powers, or preferences of the shares, language in the corporation’s charter or bylaws, a provision in the DGCL, or the equitable relationships that flow from the internal structure of the corporation.” Sciabacucchi v. Salzberg , 2018 WL 6719718, at *203 (Del. Ch. Dec. 19, 2018), appeal dismissed , 204 A.3d 841 (Del. 2019). 116. The court in Sciabacucchi explained that claims under the Securities Act of 1933 are “external” claims because federal law, not Delaware law, creates the claim, defines the elements of the claim and specifies who can be a plaintiff or a defendant. And a forum selection clause that seeks to regulate such external claims is invalid, because a corporation’s “state of incorporation cannot use corporate law to regulate the corporation’s external relationships.” Id. at *20. Accordingly, the court held that a “charter-based forum-selection provision” of a Delaware corporation cannot govern claims brought under the federal 1933 Act “because the provision would not be addressing ‘the rights and powers of the plaintiff- stockholder as a stockholder.’” COMPLAINT FOR DECLARATORY JUDGMENT; VIOLATIONS OF CORPORATIONS CODE 31 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 3ase 4:18-cv-01792-HSG Document 124-2 Filed 08/01/19 Page 38 of 143 117. The causes of action under the Corporations Code alleged herein are created by California law, and Facebook’s Forum Provision impermissibly seeks to regulate Facebook’s “external claims” and to prevent such claims from being brought in any forum, as is clear from the fact that the Delaware Chancery Court has no jurisdiction over federal claims. As the Delaware Chancery Court held in Sciabacucchi, “The constitutive documents of a Delaware corporation cannot bind a plaintiff to a particular forum when the claim does not involve rights or relationships that were established by or under Delaware’s corporate law. In this case, the [] Forum Provisions attempt to accomplish that feat. They are therefore ineffective and invalid.” Id. at *3 (emphasis added). The same is true here. 118. Facebook’s Forum Provision is further invalid as applied to the extent Defendants may seek enforcement as to the causes of action for violations of the California Corporations Code alleged herein, because the Delaware Court of Chancery is not an adequate alternative forum, as it does not have jurisdiction over Plaintiffs claims under California law. 2. The Forum Provision is Invalid “As Applied” to This Action Because the Delaware Chancery Court Lacks Jurisdiction 119. The Forum Provision by its own terms only allows for Delaware’s jurisdiction to the extent “permitted by law.” And section 1 1 5 of the DGCL “properly confirms that despite authorizing the inclusion of forum-selection bylaws in the constitutive documents of a corporation, those provisions operate ‘consistent with applicable jurisdictional requirements.’” In re Pilgrim ’s Pride Corporation Derivative Litigation, 2019 WL 1224556, at *14 (Del. Ch. Mar. 19, 2019) (quoting 8 Del. C. § 115). Furthermore, as the Delaware Chancery Court recently noted, “[i]t is not clear . . . that buying or continuing to hold shares in a Delaware corporation with an exclusive-forum provision would constitute a sufficient degree of consent to imbue this court with the power to exercise personal jurisdiction over a stockholder who has no other ties to Delaware and did not otherwise participate in the adoption of the forum- selection clause.” In re Pilgrim ’s Pride, 2019 WL 1224556, at *14. 120. While Facebook’s Forum Provision effectively seeks to operate as a choice of law provision, it does not provide that the underlying allegations in this case “are expressly COMPLAINT FOR DECLARATORY JUDGMENT; VIOLATIONS OF CORPORATIONS CODE 32 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 ase 4:18-cv-01792-HSG Document 124-2 Filed 08/01/19 Page 39 of 143 provided” by Delaware law, nor does it provide an adequate forum in “federal or state courts” - despite Defendants’ clearly being aware that this is the only appropriate way that such a clause could operate consistent with principles of sovereignty and comity under the laws of either state. This further demonstrates that Facebook’s Board intentionally adopted and has failed to modify the Forum Provision for the improper purpose of foreclosing a federal forum that would have jurisdiction over a far wider scope of claims that may be brought derivatively on behalf of Facebook against its officers and directors, i.e., the Individual Defendants. 121. Indeed, in Boilermakers, the Delaware Chancery Court noted that it had declined to enforce a forum selection clause designating it as the exclusive forum for a contract dispute in the TransAmerican Natural Gas case, because it “did not, as a matter of positive Delaware law, have subject matter jurisdiction over the controversy.” Boilermakers, 73 A.3d at 959. On appeal, the Delaware Supreme Court affirmed the Chancery Court’s holding that the litigation could proceed in the forum that the plaintiff in the non-Delaware action had chosen, which was a court of general jurisdiction. Id. 122. As alleged herein, Facebook’s Forum Provision does not provide a forum for a shareholder to bring a derivative action asserting statutory claims. Accordingly, the Forum Provision cannot be equitably enforced in this particular situation. Facebook cannot assert an exclusive contractual and legal right to litigate claims in a forum that lacks jurisdiction over them. See Helix Generation LLC, 2019 WL 2068659, at *1 (“As a cat may look at a king, so too may the parties to a contract agree to litigate disputes in any court they wish; such election may bind the parties, but can never bind a court, and cannot satisfy the jurisdictional requirements of this Court of limited jurisdiction.”) (finding parties’ contractual agreement was insufficient to confer jurisdiction in the Court of Chancery). 123. In addition, Facebook recently filed a motion to dismiss the Washington D.C. Attorney General complaint alleging that Facebook’s policies violate the D.C. Consumer Protection Procedures Act, arguing that “mere use of a website” is not enough for a federal court to exercise personal jurisdiction over an internet company like Facebook. See District of COMPLAINT FOR DECLARATORY JUDGMENT; VIOLATIONS OF CORPORATIONS CODE 33 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 3ase 4:18-cv-01792-HSG Document 124-2 Filed 08/01/19 Page 40 of 143 Columbia v. Facebook, Inc Civil Action No. 2018 CA 008715 B, Defendant Facebook, Inc.’s Opposed Motion to Dismiss or, in the Alternative, Stay Proceedings (filed Feb. 1, 2019), at 1 . Facebook also argued that that the U.S. District Court for the District of Columbia also lacks jurisdiction because “the consumer contracts underlying the District’s allegations are expressly governed by California law, not D.C. law.” Id. at 1 1 (“Indeed, as courts in the District have recognized, Facebook’s user agreements provide “a particularly weak justification for invoking the D.C. long-arm statute [under Section (a)(2)],” because “‘[b]y [their] terms, [California] law governs, and any litigation shall be brought in the federal or state courts in [California].’”) (citation omitted) (alterations in original). While Facebook’s motion to dismiss was denied on May 30, 2019, its arguments demonstrate that jurisdiction in Delaware Chancery Court is far from certain. 3. Facebook’s Board Adopted and Maintains the Forum Provision for Self-Interested and Disloyal Purposes, and Its Enforcement Would Be Inequitable and Is Not Permitted by Delaware Law 124. The Forum Provision was adopted, has not been waived or modified and/or is maintained by Facebook’s Board, including Individual Defendants who are directors, for self- interested and disloyal purposes that are inconsistent with their fiduciary duties owed to Facebook and its minority shareholders. The Forum Provision cannot be equitably enforced /• because it was adopted and affirmatively approved and is maintained by Facebook’s Board for such improper purposes in violation of their fiduciary duties owed to Facebook. 125. The Forum Provision was expressly or tacitly approved by Facebook’s Board through its adoption of Facebook’s Amended and Restated Bylaws, as amended and restated April 10, 2019, which Facebook’s Board, including Individual Defendants who are directors, adopted and/or approved for an improper purpose that is inconsistent with their fiduciary duties and which constitutes a breach of their fiduciary duties owed to Facebook and its minority shareholders. Facebook’s Amended and Restated Bylaws do not modify or allow for modification of the Forum Provision and impose certain requirements that must be met in order COMPLAINT FOR DECLARATORY JUDGMENT; VIOLATIONS OF CORPORATIONS CODE 34 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 ase 4:18-cv-01792-HSG Document 124-2 Filed 08/01/19 Page 41 of 143 to modify the Forum Provision that prevent Plaintiff and Facebook’s minority shareholders from voting to modify the Forum Provision. 126. The Forum Provision seeks to prevent derivative claims arising under any state or federal statute from being brought in any forum, including in the Delaware Chancery Court. Accordingly, Defendants would have the Forum Provision apply to actions and claims over which the Delaware Chancery Court does not have jurisdiction, thus foreclosing such claims from ever being brought derivatively on behalf of Facebook, in any forum. 127. It is clear that by adopting and maintaining the Forum Provision, Defendants seek only to avoid their own personal liability, as Facebook’s Forum Provision purports to apply broadly to “any action asserting a claim of . . . wrongdoing by[] any director, officer, employee or agent of [Facebook] ...” (Emphasis added). 128. Moreover, the California statutes alleged herein (and other statutes under various state and federal laws) provide for different and additional remedies that would result in a greater recovery for Facebook than could be obtained in a derivative action asserting only claims under Delaware law. As one federal court noted, “there is no blanket prohibition on the applicability of multiple state securities law to a single transaction.” Silvercreek Management, Inc. v. Citigroup, Inc., 248 F.Supp.3d 428, 455 (S.D.N.Y. 2017) (citing 69A Am. Jur. 2d Securities Regulations — State § 18) (‘“In the area of securities transactions, no conflict-of laws analysis ordinarily applies, and all of the blue sky laws of all of the jurisdictions apply to the transactions that are within the bounds of the statute.’”). 129. By adopting and maintaining the Forum Provision that seeks to prevent causes of action under the California Corporations Code (among other laws) from being brought in a derivative action on Facebook’s behalf, solely because of the directors’ own self-interest in avoiding personal liability to the Company, and by placing the risk of liability for violations of state and federal securities laws solely on Facebook, Facebook’s Board has failed to act in accordance with its fiduciary duties owed to Facebook under Delaware law. Accordingly, the Forum Provision is unenforceable under Delaware law. VI. ALLEGATIONS ESTABLISHING DEFENDANTS ’ LIABILITY FOR COMPLAINT FOR DECLARATORY JUDGMENT; VIOLATIONS OF CORPORATIONS CODE 35 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 4:18-cv-01792-HSG Document 124-2 Filed 08/01/19 Page 42 of 143 VIOLATIONS OF THE CALIFORNIA SECURITIES LAWS A. Background of the Company and its Business 1 30. Facebook was founded in 2004 by defendant Zuckerberg while he was a student at Harvard University. Today, Facebook operates the world’s leading social media website, www.facebook.com, which attracts over 2 billion daily users from across the globe, including 214 million daily users in the United States alone. Although Facebook’s users are critical to the Company’s business, they are not its customers or the source of its revenue; Facebook is essentially an advertising company that connects its customers - sellers and advertisers of consumer goods and services - with its users, generating revenue primarily through the sale of advertisements that are targeted to Facebook users based on their demographics and various other information. 131. Facebook does not provide investors with segmented information about how the various platforms it operates are performing. Instead, Facebook’s reports publicly filed with the SEC state: “Our chief operating decision-maker is our Chief Executive Officer who makes resource allocation decisions and assesses performance based on financial information presented on a consolidated basis. There are no segment managers who are held accountable by the chief operating decision-maker, or anyone else, for operations, operating results, and planning for levels or components below the consolidated unit level. Accordingly, we have determined that we have a single reportable segment and operating unit structure.” 1 32. Facebook’s success is driven by the Company’s possession of the data uploaded to its platform by billions of Facebook users. Facebook requires users to register and create a personal profile before they can join the website’s “social network” and interact with other users, who they can add as friends. Facebook users may join user groups, message each other, and post status updates or other content that can be viewed by other Facebook users and shared with their friends. Facebook users can also interact with a wide selection of applications including social games or other services like the photo-sharing app Instagram. By doing so, Facebook users provide their personal information to Facebook, including not just their demographic and personal information, but also the people they have “friended,” the pages and COMPLAINT FOR DECLARATORY JUDGMENT; VIOLATIONS OF CORPORATIONS CODE 36 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 3ase 4:18-cv-01792-HSG Document 124-2 Filed 08/01/19 Page 43 of 143 posts they have visited, and those that they have “followed” or “liked.” Together, this data gives Facebook, and marketers in general, insight into the products or services that would interest a particular user. This information allows Facebook to target and market advertising to users most likely to purchase their products and services, giving Facebook’ s targeting advertising business a significant advantage over traditional advertising, and generating billions of dollars in revenue for Facebook. 1. Facebook’s Advertising Business is the Source of Substantially All of Its Revenue 133. Facebook generates revenue by selling advertisement placements over its website and mobile applications to sellers of consumer goods and services to help them reach consumers on the website based on user data appropriated by Facebook. 1 34. Facebook offers advertising services to its customers that include or have included at various points in time, among other things, assisting customers in developing and creating advertisements and advertising strategies, obtaining information about Facebook users from the Company’s website and third party sources, compiling user data and maintaining databases of information about Facebook users, developing a marketing and advertising strategy to target and exclude certain groups of Facebook users from receiving advertisements, tracking and evaluating the effectiveness of advertisements and user targeting strategies, implementing advertising campaigns, and delivering advertisements to Facebook users, including via News Feed. 135. Facebook’s customers (advertisers) can use Facebook’s targeted advertising services to direct their ads to users with specific attributes. Facebook applies its own algorithm to categorize Facebook users and to determine which users and groups of users will be targeted to receive advertisements via its advertising platform. As stated on Facebook’s website: “With our powerful audience selection tools, you can target people who are right for your business. Using what you know about your customers — like demographics, interests and behaviors — you can connect with people similar to them.” COMPLAINT FOR DECLARATORY JUDGMENT; VIOLATIONS OF CORPORATIONS CODE 37 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 Case 4:18-cv-01792-HSG Document 124-2 Filed 08/01/19 Page 44 of 143 136. Facebook also provides detailed analytical data to advertisers on how their ad campaigns are performing, including among certain groups of Facebook users with specified attributes and characteristics that the advertiser seeks to target. By monitoring this data and providing this information to its customers on an ongoing basis, Facebook captures consumer behavior, profile, preferences, lifestyle, and other attributes which allow Facebook to run targeted ads. This enables advertisers to specify the groups of users that will be targeted to receive the advertisements. 137. Facebook’s advertising business accounts for substantially all of the Company’s revenue, as shown by the below chart: 138. Given the importance of user data to the success of the Company’s targeted advertisements, Facebook’s financial performance depends on its success in attracting active users to its platform. As the Company acknowledged in its FY17 Form 10-K: “The size of our user base and our users' level of engagement are critical to our success. Our financial performance has been and will continue to be significantly determined by our success in COMPLAINT FOR DECLARATORY JUDGMENT; VIOLATIONS OF CORPORATIONS CODE 38 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 ase 4:18-cv-01792-HSG Document 124-2 Filed 08/01/19 Page 45 of 143 adding, retaining, and engaging active users of our products, particularly for Facebook and Instagram.” 139. To provide investors with insight into user engagement, Facebook regularly reports the average number of daily active users (“DAUs”) and monthly active users (“MAUs”) on its platform. As of December 31, 2017, Facebook reported 1 .4 billion DAUs and 2.13 billion MAUs, both of which it said represented 14% growth over the prior year. According to its FY17 Form 10- K, the Company “view[s] DAUs and DAUs as a percentage of MAUs, as measures of user engagement.” DAUs and MAUs, along with average revenue per user (“ARPU”) are identified in Facebook’s annual reports as the key metrics by which the Company measures the success of its business plan. 140. In addition to measuring user engagement in the aggregate, Facebook has created i' it a sophisticated system for monitoring granular data about users’ engagement with Facebook’s platform, such as any action a user takes reacting to, commenting on or sharing an ad, claiming an offer, viewing a photo or video, or clicking on a link. Defendants encourage their customers to review these metrics when making business decisions, and, because customers do, the Executive Defendants paid close attention to and continuously improved these metrics. 2. Facebook’s Platform Was Designed to Allow “Reciprocal” Access to User Data 141. The Facebook Platform was launched in 2007. The platform originally supported only applications created by Facebook for use on Facebook, but soon expanded to allow third party developers to develop their apps using the Facebook Platform. Defendant Zuckerberg announced the expansion of the platform to third party developers in 2008, stating: “With this evolution of Facebook Platform, we’ve made it so that any developer can build the same applications that we can. And by that, we mean that they can integrate their application into Facebook — into the social graph — the same way that our applications like Photos and Notes are integrated.” 142. In a further expansion of the platform, in 2010, defendant Zuckerberg announced the launch of Graph Application 19 Programming Interface (“Graph API”) at Facebook’ s COMPLAINT FOR DECLARATORY JUDGMENT; VIOLATIONS OF CORPORATIONS CODE 39 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 ase 4:18-cv-01792-HSG Document 124-2 Filed 08/01/19 Page 46 of 143 annual developer conference. Graph API allows developers to read and write data from and to Facebook and to obtain, track, and share information. Through Graph API and later iterations of the “social graph,” Facebook obtains and shares information about users through “features” that third parties can implement on their own websites, such as the “Like” button, the “Share” button, and the “Log in with Facebook” option, among other things. These “social plug-ins” enable Facebook and third-party websites to exchange user information. Facebook obtains information about the websites’ users and activities, including purchases, and the third-party websites can also receive information from Facebook. 143. One of Facebook’s earliest forays into the data-sharing world was Beacon, a program that launched in 2007, which provided Facebook with information about a Facebook user’s purchases from third party websites after the transaction occurred. Facebook then publicized this information to the user’s friends via News Feed, which would include the user’s name, what they did (bought something), what they bought, and where they bought it. 144. TechCrunch reported at the time, “Beacon is the internal project name at Facebook around an effort to work with third parties and gain access to very specific user data.” According to TechCrunch, “third parties supply this data to Facebook “without compensation; what they get in return is a link back in the News Feed (which is effectively a free ad). Facebook, of course, gets incredibly valuable data about the user.” TechCrunch noted that this data could be used to serve targeted ads back to users “in various other places on Facebook and elsewhere.” TechCrunch also noted that there had been “endless speculation around the new advertising network that Facebook will be launching[,]” but that “a leaked Facebook document makes at least one part of the network clear. Facebook is going to be gunning hard to get lots and lots of third party data about its users into its database.” 145. Defendants subsequently expanded Facebook’s access to and use of personal information through partnership agreements and referral services with third party companies. For example, Facebook’s agreements with mobile device manufacturers allowed Facebook to implement its features directly on mobile devices, which enabled Facebook to obtain COMPLAINT FOR DECLARATORY JUDGMENT; VIOLATIONS OF CORPORATIONS CODE 40 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 2? 4:18-cv-01792-HSG Document 124-2 Filed 08/01/19 Page 47 of 143 information about mobile device users, including non-Facebook users, and to track users across devices. 146. Defendants also pursued their strategy of monetizing Facebook’s platform through partnerships with third party companies, utilizing third-party developers to obtain as much user data as possible, and by acquiring competitors. Facebook’s agreements with mobile device manufacturers, for example, allowed Facebook to implement its features directly on mobile devices, which enabled Facebook to obtain information about mobile device users, including non-Facebook users, and to track users across devices. And, Facebook bought WhatsApp in 2014 for $19 billion, when it was the preferred instant messaging platform in the developing world, and substantially increased Facebook’s user base and access to data through messaging. 3. Defendants Transitioned Facebook’s Advertising Business to Mobile Devices Beginning in 2011 and the Company’s Revenues Skyrocketed 147. In 201 1 and 2012, to transition Facebook from its collapsing desktop advertising business to mobile advertising, Zuckerberg and the other Defendants implemented a strategy to leverage user data through though what they called “reciprocity.” It has since been revealed that “reciprocity” meant that Facebook shared user data with over 50 companies, pursuant to agreements that for the most part are still in effect. The plan involved obtaining additional data about Facebook users and non-users from third parties, including data brokers, and leveraging data that Facebook obtained through relationships and agreements with other third party companies. 148. In 2012, most of Facebook’s revenue came from generic banner ads delivered to users visiting the Company’s website on a desktop computer. By the fourth quarter of 2013, fifty-three percent of the Company’s advertising revenue came from targeted advertisements that Facebook delivered to smartphones, tablets, and other mobile devices, with many of those ads highly targeted by gender, age and other user demographics. “I think it’s inarguable that Facebook is a mobile-first company,” Facebook’s chief financial officer said in an interview at the time. COMPLAINT FOR DECLARATORY JUDGMENT; VIOLATIONS OF CORPORATIONS CODE 41 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 ase 4:18-cv-01792-HSG Document 124-2 Filed 08/01/19 Page 48 of 143 1 49. Facebook had total revenue of $2.59 billion in the quarter that ended December 31, 201 3, up from $1.59 billion in the same quarter the previous year. Revenue from advertising was $2.34 billion, up 76 percent from the previous year. Excluding compensation costs related to Facebook’s initial public offering (“IPO”) in 2012, the Company’s profits were up 83 percent. “It’s hard to see any flaws in this quarter,” commented one analyst, Ron Josey of JMP Securities. “They’re seeing demand for their ad product go through the roof.” A. Facebook’s Misleading and Deceptive Practices Respecting User Privacy Were the Subject of an FTC Investigation in 2011. and the Board Was Forced to Agree to a Consent Order to Resolve the FTC Complaint 1 50. In 201 1 , following an investigation by the FTC, Facebook was forced to agree to the terms of a consent order that was subsequently entered by a federal court (the “Consent Order”), in order to resolve the FTC’s complaint against Facebook alleging that the claims Facebook made about its privacy practices were unfair and deceptive, and violated federal law. 151 . According to the FTC complaint, the Company had allegedly failed to disclose to Facebook users that “a user’s choice to restrict profile information to ‘Only Friends’ or ‘Friends of Friends’ would be ineffective as to certain third parties;” that the company’s “Privacy Wizard” tool for controlling access to user information “did not disclose adequately that users no longer could restrict access to their newly-designated (publicly available information) via their Profile Privacy Settings, Friends’ App Settings, or Search Privacy Settings, or that their existing choices to restrict access to such information via these settings would be overridden;” and that, after making changes to its privacy policy, Facebook “failed to disclose, or failed to disclose adequately, that the December Privacy Changes overrode existing user privacy settings that restricted access to a user’s Name, Profile Picture, Gender, Friend List, Pages, or Networks.” 1 52. An early draft of the FTC complaint against Facebook reveals that the FTC investigation found that defendant Zuckerberg was responsible for Facebook’s violations of the FTC Act that gave rise to the FTC Consent Order, and acted together with other officers and/or directors of Facebook who are also liable for such violations, confirming that Zuckerberg’ s COMPLAINT FOR DECLARATORY JUDGMENT; VIOLATIONS OF CORPORATIONS CODE 42 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 3ase 4:18-cv-01792-HSG Document 124-2 Filed 08/01/19 Page 49 of 143 domination and control of Facebook’s Board was a substantial contributing factor to the violations of law that gave rise to the FTC Consent Order and that the other directors will not commence litigation against Zuckerberg, either because it would expose them to personal liability for similar violations of law, or because they will not take any action that may threaten their positions on Facebook’s Board pursuant to which they have received and continue to receive lucrative compensation and benefits, as alleged herein. The caption page of a draft complaint by the FTC that names Zuckerberg as a defendant is depicted below: DRAFT UNITED STATES OF AMERICA FEDERAL TRADE COMMISSION COMMISSIONERS; Jon Lcibowite, Chairman William F~ Kovacic J. Thomas Roseh Edith Ramirez Julie Brill ) ) > ) ) DOCKET NO. ) ) ) ) > 1 _ _ _ ) COMPLAINT The Federal Trade Commission, having reason to believe that Facebook, Inc., a corporation, and Mark Zuckerberg, individually and as a founder, officer, and owner of Facebook, Inc. Htapondents”) lave violated the Federal Trade Commission Act (“FTC Act") and it appearing to the Commission that this proceeding is in the public interest, alleges; 1, Reapuuderii FoveUjuk, Juts. (“Pueetwh"), is a privately-owned, Delaware corporation with its principal office or place of business at 1601 S. California Avenue, Palo Alto, California, 94304, . 2. Respondent Mark Zuckerberg (“Zuckerberg^) founded Facebook and has been its CEO and the company’s largest shareholder from approximately 2004 until the present, lie also is the company’s President, controls the appointment of a majority of its Board of Directors (“Board”), and serves on the Board. Individually, or in concert with others, he has formulated, directed, participated in, controlled, or had authority to control, the policies, acts, or practices of Facebook, including the policies, acts, or practices alleged in this complaint, and has had knowledge of those practices. .3 , The acts and practices of Respondents as alleged in this complaint have been in or 1 COMPLAINT FOR DECLARATORY JUDGMENT; VIOLATIONS OF CORPORATIONS CODE 43 Jit Alwthrr v/ MCEROOKt INC** * corporation, ind markii xmmEm, individually and 11 a founder, officer, and owner of FACEBOOK* INC* 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 3ase 4:18-cv-01792-HSG Document 124-2 Filed 08/01/19 Page 50 of 143 1 53 . The FTC’s complaint listed a number of instances in which Facebook allegedly made promises that it did not keep, including: • In December 2009, Facebook changed its website so certain information that users may have designated as private - such as their Friends List - was made public. Facebook didn’t warn users that this change was coming, or get their approval in advance. • Facebook represented that third-party apps that users installed would have access only to user information that they needed to operate. In fact, the apps could access nearly all of users’ personal data - which the apps didn’t need. • Facebook told users they could restrict sharing of data to limited audiences - for example with “Friends Only.” In fact, selecting “Friends Only” did not prevent their information from being shared with third-party applications their friends used. • Facebook had a “Verified Apps” program and the Company claimed that it certified the security of participating apps. It didn’t. • Facebook promised users that it would not share their personal information with advertisers. It did. • Facebook claimed that when users deactivated or deleted their accounts, their photos and videos would be inaccessible. But Facebook allowed access to the content, even after users had deactivated or deleted their accounts. • Facebook claimed that it complied with the U.S.- EU Safe Harbor Framework that governs data transfer between the U.S. and the European Union. It didn’t. 1 54. On November 29, 2011, the FTC announced that Facebook and the agency had reached an agreement on the terms of the Consent Order relating to the FTC’s charges that the company had “deceived consumers by telling them they could keep their information on Facebook private, and then repeatedly allowing it to be shared and made public.” COMPLAINT FOR DECLARATORY JUDGMENT; VIOLATIONS OF CORPORATIONS CODE 44 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 4:18-cv-01792-HSG Document 124-2 Filed 08/01/19 Page 51 of 143 155. The FTC Consent Order required that Facebook must not “misrepresent in any manner, expressly or by implication, the extent to which it maintains the privacy or security of covered information,” including “the extent to which [Facebook] makes or has made covered information accessible to third parties;” that prior to sharing of a user’s nonpublic information, the company will “obtain the user’s affirmative express consent;” and the company would “establish and implement, and thereafter maintain, a comprehensive privacy program that is reasonably designed to (1) address privacy risks related to the development and management of new and existing products and services for consumers, and (2) protect the privacy and confidentiality of covered information,” among other stipulations. 156. The FTC Consent Order barred Facebook from making any further deceptive privacy claims, required Facebook to obtain consumers’ approval before it changed the way it shared their data, and required Facebook to obtain periodic assessments of its privacy practices by independent, third-party auditors for 20 years following its entry. 1 57. Facebook has specific obligations under the FTC Consent Order and the Board is duty-bound to oversee Facebook’ s compliance with its terms. Specifically, under the Consent Order, Facebook is: • barred from making misrepresentations about the privacy or security of consumers’ personal information; ' • required to obtain consumers’ affirmative express consent before enacting changes that override their privacy preferences; • required to prevent anyone from accessing a user’s material more than 30 days after the user has deleted his or her account; • required to establish and maintain a comprehensive privacy program designed to address privacy risks associated with the development and management of new and existing products and services, and to protect the privacy and confidentiality of consumers’ information; and COMPLAINT FOR DECLARATORY JUDGMENT; VIOLATIONS OF CORPORATIONS CODE 45 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 ;ase 4:18-cv-01792-HSG Document 124-2 Filed 08/01/19 Page 52 of 143 • required, every two years for the next 20 years after entry of the Consent Decree, to obtain independent, third-party audits certifying that it has a privacy program in place that meets or exceeds the requirements of the FTC order, and to ensure that the privacy of consumers’ information is protected. 158. As FTC Chairman Jon Leibowitz stated in the FTC’s press release announcing the settlement and terms of the Consent Order on November 29, 2011, “Facebook is obligated to keep the promises about privacy that it makes to its hundreds of millions of users. . . Facebook’s innovation does not have to come at the expense of consumer privacy. . .” Defendants failed to do so, and permitted Facebook to violate federal law, the laws of various U.S. states, and the laws of other countries, as set forth below. 1 59. The Board was well aware of the FTC Consent Order and the obligations placed on Facebook, as each director personally received a copy of the Consent Order on September 12, 2012, according to the Facebook Compliance Report that was submitted to the FTC by Facebook’s in-house attorneys on November 13, 2012, and the directors who joined the Board after that date also received a copy of the Consent Order within thirty (30) days after their appointment as directors. Moreover, each of the directors is specifically obligated to oversee the Company’s compliance with its terms. B. The Cambridge Analytica Incident Reveals Rampant Privacy Violations at Facebook and That Defendants Failed to Comply With the FTC Consent Order 160. On March 16, 2018, a Facebook Newsroom post reported that an app developer named Aleksandr Kogan had “violated Facebook’s platform policy” by “passing information on” about its users to third parties, including a company called Cambridge Analytica. Facebook said that although Kogan had “gained access to this information in a legitimate way and through the proper channels,” he violated Facebook’s policies when he shared this information with Cambridge Analytica without Facebook users’ consent. As a result, Kogan’s app was removed from Facebook and “all parties” who received the data from Kogan were required to certify that it had been destroyed in 2015 or 2016. COMPLAINT FOR DECLARATORY JUDGMENT; VIOLATIONS OF CORPORATIONS CODE 46 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 3ase 4:18-cv-01792-HSG Document 124-2 Filed 08/01/19 Page 53 of 143 161. According to Facebook, “Facebook obtained written certifications from Dr. Kogan, GSR, and other third parties . . . declaring that all such data they had obtained (including derivative data) was accounted for and destroyed.” Facebook stated that in March, 2018 the Company “received information from the media suggesting that the certifications we [Facebook] received may not have been accurate. . . As part of our investigation, we have hired a forensic auditor to understand what information Cambridge Analytica had and whether it has been destroyed.” 1 62. Although Facebook had years to confirm the authenticity and accuracy of the certifications, it was not until the Observer asked Facebook to comment just a few days prior to breaking the news about Cambridge Analytica that Facebook announced that it was (finally) suspending Cambridge Analytica and Kogan from the platform pending further information over misuse of data. Facebook also said it was suspending Christopher Wylie, a Canadian data analytics expert who worked with Cambridge Analytica and Kogan to create the app, from accessing the platform while Facebook carried out its “internal investigation” into the matter. 163. Wylie provided evidence to The Observer, the U.K.’s National Crime Agency’s cybercrime unit, and the Information Commissioner’s Office, of the information that Kogan and Cambridge Analytica had obtained about 50 million Facebook users. Wylie also said that the Company was aware of the volume of data that was obtained by Kogan’s app. “Their security protocols were triggered because Kogan’s apps were pulling this enormous amount of data, but apparently Kogan told them it was for academic uses,” Wylie said. “So they were like: ‘Fine.’” 164. The evidence Wylie supplied to U.K. and U.S. authorities includes a letter from Facebook lawyers sent to him in August 2016, asking him to destroy any data he held that had been collected by GSR, the company set up by Kogan to “harvest” the profiles. “Because this data was obtained and used without permission, and because GSR was not authorized to share or sell it to you, it cannot be used legitimately in the future and must be deleted immediately,” the letter said. According to Wylie, Facebook did not pursue a response when the letter COMPLAINT FOR DECLARATORY JUDGMENT; VIOLATIONS OF CORPORATIONS CODE 47 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 ase 4:18-cv-01792-HSG Document 124-2 Filed 08/01/19 Page 54 of 143 initially went unanswered for weeks because Wylie was travelling, nor did it follow up with forensic checks on his computers or storage. “That to me was the most astonishing thing. They waited two years and did absolutely nothing to check that the data was deleted. All they asked me to do was tick a box on a form and post it back.” 165. On March 27, 2018, Wylie testified before a U.K. Parliamentary Committee that the data that Kogan’s app had obtained via Facebook formed the “foundational dataset” for Cambridge Analytica and its targeting models. “This is what built the company,” Wylie stated. “This was the foundational dataset that then was modeled to create the algorithms.” 1 66. When asked by the Parliamentary Committee how the data was used by Cambridge Analytica, Wylie said the company’s approach was to target different people for advertising based on their “dispositional attributes and personality traits” — traits it sought to predict via patterns in the data. Wylie explained: [I]f you are able to create profiling algorithms that can predict certain traits — ... and [] if you can create a psychological profile of a type of person who is more prone to adopting certain forms of ideas, conspiracies for example, you can identify what that person looks like in data terms. You can then go out and predict how likely somebody is going to be to adopt more conspiratorial messaging. And then advertise or target them with blogs or websites . . . ... so that advantage of using profiling is you can find the specific group of people who are more prone to adopting that idea as your early adopters.... 167. “That was the basis of a lot of our research [at Cambridge Analytica and sister company SCL],” Wylie added. “How far can we go with certain types of people. And who is it that we would need to target with what types of messaging.” Wylie told the Committee that Kogan’s company was set up exclusively for the purposes of obtaining data for Cambridge Analytica. 168. Wylie’s testimony also suggested Facebook found out about the GSL data harvesting project as early as July 2014 — around the time Kogan had told him that he had spoken to Facebook engineers after his app’s data collection rate had been throttled by the COMPLAINT FOR DECLARATORY JUDGMENT; VIOLATIONS OF CORPORATIONS CODE 48 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 ase 4:18-cv-01792-HSG Document 124-2 Filed 08/01/19 Page 55 of 143 platform. “He told me that he had a conversation with some engineers at Facebook,” said Wylie. “So Facebook would have known from that moment about the project because he had a conversation with Facebook’s engineers — or at least that’s what he told me. . . Facebook’s account of it is that they had no idea until the Guardian first reported it at the end of 201 5 — and then they decided to send out letters. They sent letters to me in August 2016 asking do you know where this data might be, or was it deleted?” Wylie noted, “[ijt’s interesting that. . . the date of the letter is the same month that Cambridge Analytica officially joined the Trump campaign. So I’m not sure if Facebook was genuinely concerned about the data or just the optics of y’know now this firm is not just some random firm in Britain, it’s now working for a presidential campaign.” 1 69. When asked whether Facebook made any efforts to retrieve or delete data, Wylie responded, “No they didn’t.” It was not until Facebook’s image was threatened in 2018, “after I went public and then they made me suspect number one” that Wylie said he had heard anything from the Company. Wylie said that he suspected that when Facebook looked at what happened in 2016, “they went if we make a big deal of this this might be optically not the best thing to make a big fuss about. ... So I don’t think they pushed it in part because if you want to really investigate a large data breach that’s going to get out and that might cause problems. So my impression was they wanted to push it under the rug.” He added, “[a]ll kinds of people [had] access to the data. It was everywhere.” 170. These revelations, coupled with the growing concern about Russian involvement in the 2016 presidential campaign - and Facebook’s inattention to Russian fake-news feeds - drew unwanted attention to Facebook’s business model: monetizing personal user data. 171. Instead of accepting the uncomfortable glare of the spotlight and accepting responsibility for any mistakes it might have made, Defendants went into “PR crisis mode,” quickly seizing upon Kogan and Wylie as convenient scapegoats. “This was a scam — and a fraud,” Paul Grewal (“Grewal”), Facebook’s Vice President and Deputy General Counsel, said COMPLAINT FOR DECLARATORY JUDGMENT; VIOLATIONS OF CORPORATIONS CODE 49 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 3ase 4:18-cv-01792-HSG Document 124-2 Filed 08/01/19 Page 56 of 143 in an initial statement to the New York Times. He added that the company was suspending Cambridge Analytica, Wylie and Kogan, a Russian American academic from Facebook. 172. In response to the reports about the misappropriation of user data by Cambridge Analytica, Defendants made and caused to be made on Facebook’ s behalf various other false and misleading statements, including as follows. 173. Paul Grewal, Vice President & Deputy General Counsel of Facebook, stated, in a Facebook News release on March 16, 2018 that “Dr. Aleksandr Kogan lied to us.” 1 74. On March 1 6, 2018, Mr. Grewal intentionally and knowingly misstated the purpose of Dr. Kogan’s app when he stated in the Facebook News release: “In 2015, we learned that a psychology professor at the University of Cambridge named Dr. Aleksandr Kogan lied to us and violated our Platform Policies . . . His app, ‘thisisyourdigitallife,’ offered a personality prediction, and billed itself on Facebook as ‘a research app used by psychologists.’” 175. Alex Stamos, Facebook ’s Chief Security Officer at the time, tweeted on March 17, 2018: “The researcher in question, Aleksandr Kogan, enticed several hundred thousand individuals to use Facebook to login to his personality quiz in 2014. He lied to those users and he lied to Facebook about what he was using that data for.” 176. On March 21, 2018, Zuckerberg told CNN: “You can’t share data in a way that people don’t know or don’t consent to. We immediately banned Kogan’s app.” 177. Zuckerberg wrote, on his own Facebook page, on March 21, 2018: “In 2015, we learned from journalists at The Guardian that Kogan had shared data from his app with Cambridge Analytica. It is against our policies for developers to share data without people’s consent, so we immediately banned Kogan’s app from our platform.” 178. Zuckerberg stated, in an interview with Recode, published on March 22, 2018: “Then there’s going backwards, which is before 2014, what are all the apps that got access to more data than people would be comfortable with? And which of them were good actors, like legitimate companies, good intent developers, and which one of them were scams, right? Like, COMPLAINT FOR DECLARATORY JUDGMENT; VIOLATIONS OF CORPORATIONS CODE 50 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 4:18-cv-01792-HSG Document 124-2 Filed 08/01/19 Page 57 of 143 what Aleksandr Kogan was doing, basically using the platform to gather a bunch of information, sell it or share it in some sketchy way.” C. Defendants Misrepresented the Impact That the Cambridge Analvtica Scandal and Subsequent Revelations Would Have on Facebook’s Financial Performance 179. Despite the public admissions that Facebook’s privacy and enforcement practices were not what they had been portrayed to be, Defendants assured investors that the disclosures had only minor impacts on user engagement and would not have a material impact on the Company’s financial performance. For example: • When Zuckerberg testified before Congress on April 10-1 1 , 201 8, he represented that Facebook had seen no dramatic declines in the number of Facebook users and no decrease in user interaction on Facebook whatsoever. • When Facebook shareholders formally proposed that the Company explore implementing a “risk oversight committee” and issue related reports due to concerns that “[t]he Cambridge Analytica scandal and the misuse of data to I influence elections around the world,” 20 defendants opposed the requests, assuring investors that Facebook’s existing risk oversight was adequate. The shareholder proposals were not adopted. • When Facebook reported its 1Q18 results on April 25, 2018, defendants said that user activity had increased, advertising effects were de minimis, and increased spending on security in the wake if the Cambridge Analytica scandal was already reflected in the quarterly results. 1 80. On May 3 1 , 201 8, Zuckerberg told investors relatively few users were taking £ advantage of new privacy regulations in Europe requiring users to opt in to data sharing (rather than the historic opt-out procedures), assuring investors that the Company’s business model was not at risk because the “vast majority” of users had opted in to Facebook’s use of their data for advertising and other purposes. COMPLAINT FOR DECLARATORY JUDGMENT; VIOLATIONS OF CORPORATIONS CODE 51 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 ase 4:18-cv-01792-HSG Document 124-2 Filed 08/01/19 Page 58 of 143 181. Buoyed by a favorable first quarter 20 1 8 (“1 Q 1 8”) earnings report and the purported lack of financial impact resulting from the Cambridge Analytica scandal, Facebook’s stock price immediately climbed by more than 9% following the 1Q18 earnings report. Facebook’s stock price continued to climb thereafter, as defendants continued to make positive statements about their response to the recent controversy and the health of Facebook’s business in its wake. By July, Facebook’s stock price was trading well above $200 per share. 1 82. On July 25, 2018, the Company reported its second quarter 2018 (“2Q1 8”) earnings, stunning investors when Facebook finally revealed that its privacy misconduct had in fact hit the Company’s bottom line and seriously impacted its business. Among other things, defendants reported a significant decline in users in Europe, zero user growth in the United States, decelerating worldwide growth of active users (i.e., those most responsible for generating data used in targeted advertising), lower than expected revenues and earnings, ballooning expenses affecting profitability, and reduced guidance going forward. All of this was a direct result of the disclosures concerning Facebook’s true privacy practices, including its misrepresentations about its efforts to prevent and address events like the Cambridge Analytica data breach and the impact of GDPR. Indeed, Zuckerberg opened the July 25, 2018 investor conference call by discussing “all the investments we’ve made over the last 6 months to improve safety, security and privacy across our services,” which had “significantly impacted] our profitability.” 1 83. Market reaction to the Company’s 2Q1 8 earnings report and conference call was swift and severe, causing the price of Facebook’s common stock to drop by nearly 19% on July 26, 2018, for a staggering single-day loss of approximately $100 billion in market capitalization that was the largest such one-day drop in U.S. history. By July 30, 2018, the price of Facebook stock had fallen by 21%, shedding approximately $1 12 billion in market capitalization. 1 84. > By December of 2018, Facebook’s stock price was languishing at around $ 1 23, well below its all-time high just a few months earlier of $21 8 in July of 201 8. COMPLAINT FOR DECLARATORY JUDGMENT; VIOLATIONS OF CORPORATIONS CODE 52 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 4:18-cv-01792-HSG Document 124-2 Filed 08/01/19 Page 59 of 143 185. On January 30, 2019, Facebook announced its financial results for the fourth quarter of 2018, and on January 31, 2019, Facebook filed its Annual Report on Form 10-K for 2018. Facebook reported revenue growth of 26 percent year over year, the Company’s lowest since its 2012 IPO. 186. In February 22, 2019, a BuzzFeed News article entitled “Former Facebook Employees Say The Company’s Recent Prioritization Of Privacy Is All About Optics” reported as follows: Facebook has long portrayed itself as an advocate for user rights. But former employees and critics say the company’s true ethos has often been in opposition to this. Facebook’s communications around privacy have historically been opportunistic and protectionist, deployed to cover up for the last transgression from its “move fast and break things” ideology — from the 2007 Beacon program, which allowed companies to track purchases by Facebook users without their consent, to the 2010 loophole that allowed advertisers to access people’s personal Facebook information without permission. As Facebook dealt with fallout from Cambridge Analytica, compliance with Europe’s new General Data Protection Regulation (GDPR), and renewed attention on how it tracks all internet users following Zuckerberg’s ten hours of congressional testimony in April, the company’s ask-forgiveness-not-permission playbook was in plain view. It took out full-page newspaper apologies, placed its chief executive on podcasts and televised interviews, and sent Sandberg to meet with state attorneys general and lawmakers behind closed doors. “My worry is that Facebook is doing anything it can to gamer goodwill and diffuse concern,” said Ashkan Soltani, the FTC’s chief technologist from October 2014 to November 2015. “I’m not sure of the sincerity of those actions since, historically, the company uses privacy selectively and strategically.” 1 87. Five former employees who spoke with BuzzFeed News said they are skeptical of that goodwill effort, with three noting that the external messaging and marketing around privacy has only become a focus for executives during the last 12 months. “They have a long- running strategy of using communications to disagree and push this counter-narrative against any criticism,” one Facebook employee said. “They’re playing the same game they’ve always played, but the challenge for them is that the world has changed and privacy concerns are increasing dramatically.” COMPLAINT FOR DECLARATORY JUDGMENT; VIOLATIONS OF CORPORATIONS CODE 53 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 4:18-cv-01792-HSG Document 124-2 Filed 08/01/19 Page 60 of 143 1 88. Two people who used to work at Facebook said that it’s hard to take the company’s apologies and commitments to privacy seriously after witnessing its attempt to get ahead of outlets preparing to publish stories about Cambridge Analytica. Last March, the New York Times, the Guardian, and the Observer were readying stories about a former employee at the political consulting firm who had evidence that Cambridge Analytica had illicitly obtained data on millions of Facebook users and deployed that information for American political campaigns. The outlets, according to multiple people familiar with the situation, had been in communication with Facebook about their stories for at least a week, and the company’s public relations team was well-aware that the pieces would be published on the weekend. In response, Facebook’ s communications team decided to get ahead of the stories, publishing a blog post from the company’s deputy general counsel the preceding Friday about suspending accounts associated with Cambridge Analytica. “We were essentially scooping the news,” one source said, explaining that Facebook was trying to soften the blow of any future story on the matter. 1 89. Another former employee noted that Facebook’s executives historically only took privacy seriously if problems affected the key metrics of daily active users, which totaled 1.52 billion accounts in December, or monthly active users, which totaled 2.32 billion accounts. Both figures increased by about 9% year-over-year in December. “If it came down to user privacy or MAU growth, Facebook always chose the latter,” the person said. That source pointed to internal Facebook emails obtained and released by a UK parliamentary inquiry that showed, among other things, the company’s then-deputy chief privacy officer Yul Kwon discussing how to allow Facebook’s Android app to read a phone’s call logs without triggering a permission pop-up. 190. Ironically, Facebook’s leaders were worried about the public relations scenario that could have occurred if Android’s permissions did appear, as they were intended, to ask users to consent to the app reading their call logs. Instead of asking for less access, however, they sought a workaround so that they could still suck up the data without making people aware that they were doing so. “This is a pretty high risk thing to do from a PR perspective but it COMPLAINT FOR DECLARATORY JUDGMENT; VIOLATIONS OF CORPORATIONS CODE 54 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 ase 4:18-cv-01792-HSG Document 124-2 Filed 08/01/19 Page 61 of 143 appears that the growth team will charge ahead and do it,” one Facebook employee, Michael LeBeau, wrote in early 2015. “We think the risk of PR fallout here is high.” 191. The fallout, however, came more than three years after those emails, after U.K. parliamentarians obtained them and used them to bolster their case that Facebook operated as a “digital gangster” with little regard for law or scrutiny in a report earlier this month. “It is evident that Facebook intentionally and knowingly violated both data privacy and anti¬ competition laws,” the House of Commons Digital, Culture, Media, and Sport (DCMS) Committee wrote in what is perhaps the strongest rebuke of the company by a governing body to date. 1 92. Many of the former Facebook insiders who spoke with BuzzFeed News struggled to understand why there have been few management changes after that past year. “Certain leaders have been making bad calls,” one said, leaving the company in “crisis after crisis.” Yet aside from an executive shuffle where leaders were reorganized into different positions in May, few people, besides policy and communications head Elliot Schrage, have been shown the door. (And even Schrage still technically remains at the company in a special projects advisory role.) “There’s an abdication of responsibility by the two at the top that runs deep — all the way down to junior leadership looking the other way,” another former employee said. 193. The UK’s DCMS committee agreed. “The management structure of Facebook is opaque to those outside the business and this seemed to be designed to conceal knowledge of and responsibility for specific decisions,” it wrote in December. 194. In April of 2019, the Washington DC attorney general’s complaint against Facebook was made public, revealing that a DC-based Facebook employee had raised issues about the political research firm in September 201 5 — months before The Guardian’s first report on it, in December 2015. Although the exact nature of the employee’s warning is unknown, as the complaint is redacted, the revelation is significant because Defendants had previously represented that Facebook was not aware of the issues surrounding Cambridge Analytica prior to the initial report in December 2015. COMPLAINT FOR DECLARATORY JUDGMENT; VIOLATIONS OF CORPORATIONS CODE 55 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 ase 4:18-cv-01792-HSG Document 124-2 Filed 08/01/19 Page 62 of 143 195. In an earlier statement to The Guardian, Facebook denied that it had “misled anyone about this timeline.” Instead, the Company said, the issues that were raised by an employee back in September 2015 were a “different incident” to the issues that were subsequently reported. “In September 2015 employees heard speculation that Cambridge Analytica was scraping data, something that is unfortunately common for any internet service. In December 2015, we first learned through media reports that [researcher Aleksandr] Kogan sold data to Cambridge Analytica, and we took action. Those were two different things,” the spokesperson said. The spokesperson added: “Facebook was not aware of the transfer of data from Kogan/GSR to Cambridge Analytica until December 2015, as we have testified under oath.” 196. Damian Collins, a British MP and outspoken critic of Facebook, tweeted: “This important new information could suggest that Facebook has consistently mislead the [Parliamentary Digital, Culture, Media and Sport select committee] about what it knew and when about Cambridge Analytica.” 197. On April 24, 2019, Facebook announced its earnings results for the first quarter of 2019 — and announced that it was preparing for a settlement with the FTC in the range of $3-5 billion, which would be the largest ever fine by the FTC. “In the first quarter of 2019, we recorded an accrual of $3 billion in connection with the ongoing inquiry of the FTC,” a Facebook spokesperson said in a statement. “This matter remains unresolved, and we estimate that the associated range of loss is between $3 billion and $5 billion.” Without the accrual, Facebook’s earnings per share would have been $1 .89 — significantly higher than the actual amount of $0.85. 198. In response to the results, one securities analyst stated that the expected FTC fine “hurts now and provides headline risk” but the extent of such risk is unknown, as is the question of “whether or not this is a recurring story.” The analyst noted “Facebook’s massive spending on privacy and security of late” and concluded hopefully that this “makes the odds lower that it will be.” D. Defendants Falsely and Misleadingly Represented That Facebook’s COMPLAINT FOR DECLARATORY JUDGMENT; VIOLATIONS OF CORPORATIONS CODE 56 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 4:18-cv-01792-HSG Document 124-2 Filed 08/01/19 Page 63 of 143 Policies and Practices Respecting User Privacy and Data Security Complied With Applicable Laws and Regulations- Including the FTC Consent Order 1 99. As a result of Facebook’s failure to respond to the Cambridge Analytica data breach in a manner consistent with its public statements, a massive amount of compromised Facebook data - later estimates would reveal that more than 87 million users were affected - remained in the hands of malicious actors. Moreover, as defendants knew at the time but has only recently been revealed to the public, Facebook’s privacy failures had permitted thousands of other app developers and other third parties to access user data without their knowledge or consent, presenting similar risks violating user privacy rights. 200. By concealing the truth from users and investors, defendants misled the market and concealed material risks regarding the most critical aspect of Facebook’s business - its reputation as a trustworthy platform where users could share and control their private information. Defendants also concealed the true extent of the risks facing Facebook in connection with privacy issues, including the risk of slowing growth resulting from user’s lessening their activity or restricting the data that could be shared as its platform. These risks also included that the Company would have to materially increase spending on privacy measures required to provide the level of protection described in Facebook’s policies and their public statements in response to the Cambridge Analytica scandal. Defendants further knew or recklessly disregarded that the Company was at significant risk and could become subject of increased government oversight and potentially costly fines and regulation. 201 . On March 20, 201 8, the Guardian reported an interview with a former Facebook employee, Sandy Parakilas (“Parakilas”), who was a platforms operations manager at Facebook between 201 1 and 2012. Parakilas said that he had warned senior executives at Facebook about his concerns that developers were regularly violating Facebook’s platform policies on multiple occasions, but that they had essentially ignored his concerns. 202. For example, Parakilas reported that a developer was using Facebook data to automatically generate profiles of children without their (or their parents’) consent, and that another was seeking to gain access to a user’s private Facebook messages and photos. In an COMPLAINT FOR DECLARATORY JUDGMENT; VIOLATIONS OF CORPORATIONS CODE 57 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 ase 4:18-cv-01792-HSG Document 124-2 Filed 08/01/19 Page 64 of 143 op-ed piece, Parakilas wrote about the response of Facebook management (or lack thereof) to these reports: At a company that was deeply concerned about protecting its users, this situation would have been met with a robust effort to cut off developers who were making questionable use of data. But when I was at Facebook, the typical reaction I recall looked like this: try to put any negative press coverage to bed as quickly as possible, with no sincere efforts to put safeguards in place or to identify and stop abusive developers. When I proposed a deeper audit of developers’ use of Facebook’s data, one executive asked me, “Do you really want to see what you’ll find?” The message was clear: The company just wanted negative stories to stop. It didn’t really care how the data was used. 203. According to Parakilas, Facebook did not conduct regular audits; although his primary responsibilities were over policy and compliance for Facebook apps and data protection, Parakilas said that “during my 16 months in that role at Facebook, I do not remember a single physical audit of a developer’s storage.” 204. Parakilas also said that when he told his superiors that “more audits of developers and a more aggressive enforcement regime” were needed, they did not directly respond, because “[essentially, they did not want to do that.” According to Parakilas, “the company felt that it would be in a worse legal position if it investigated and understood the extent of abuse, and it did not.” 205. In his testimony to the DCMS Committee, Parakilas declined to identify the Facebook executives he warned publicly by name when asked. The DCMS Committee Chair I commented, “it sounds like they turned a blind eye because they did not want to find out that truth.” Parakilas agreed, stating, “That was my impression, yes.” 206. On March 20, 2018, former FTC Commissioner Terrell McSweeny issued the following statement regarding recent news reports of allegedly unauthorized use of Facebook user information by a data analytics firm: “The FTC takes the allegations that the data of millions of people were used without proper authorization very seriously. The allegations also highlight the limited rights Americans have to their data. Consumers need stronger protections COMPLAINT FOR DECLARATORY JUDGMENT; VIOLATIONS OF CORPORATIONS CODE 58 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 3ase 4:18-cv-01792-HSG Document 124-2 Filed 08/01/19 Page 65 of 143 for the digital age such as comprehensive data security and privacy laws, transparency and accountability for data brokers, and rights to and control over their data.” 207. A Facebook representative also said at that time that the Company expected to receive questions from the FTC related to potential violations of the 201 1 Consent Order. “We remain strongly committed to protecting people’s information,” Facebook’s deputy chief privacy officer, Rob Sherman, said in a statement. “We appreciate the opportunity to answer questions the FTC may have.” 208. Just a few days later, the FTC announced it was investigating Facebook for violations of the 201 1 Consent Decree. On March 26, 2018, Tom Pahl, Acting Director of the Federal Trade Commission’s Bureau of Consumer Protection, issued the following statement regarding reported concerns about Facebook’s privacy practices: The FTC is firmly and fully committed to using all of its tools to protect the privacy of consumers. Foremost among these tools is enforcement action against companies that fail to honor their privacy promises, including to comply with Privacy Shield, or that engage in unfair acts that cause substantial injury to consumers in violation of the FTC Act. Companies who have settled previous FTC actions must also comply with FTC order provisions imposing privacy and data security requirements. Accordingly, the FTC takes very seriously recent press reports raising substantial concerns about the privacy practices of Facebook. Today, the FTC is confirming that it has an open non-public investigation into these practices. 209. In an April 4, 2018 Washington Post article, David Vladeck, who was the Director of the FTC’s Bureau of Consumer Protection when the Consent Decree issued, stated that Facebook is “likely grossly out of compliance with the FTC consent decree,” adding, “I don’t think that after these revelations they have any defense at all.” In an April 8, 2018 article, Vladeck, was reported as saying that Facebook may face fines of $1 billion or more for failing to comply with the Consent Decree, and that “[t]he agency will want to send a signal . . . that the agency takes its consent decrees seriously.” 210. On May 12, 2018, FTC Commissioner Chopra issued a memorandum to all FTC staff and commissioners regarding “Repeat Offenders” that specifically addresses the obligations that corporate officers and directors have to remedy the issues that a consent order COMPLAINT FOR DECLARATORY JUDGMENT; VIOLATIONS OF CORPORATIONS CODE 59 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 ase 4:18-cv-01792-HSG Document 124-2 Filed 08/01/19 Page 66 of 143 is intended to address, noting that the FTC’s “orders not only bind a firm, but also its officers.” The Commissioner suggested in his recent memorandum that where a company violates a consent order, “a fair[] allocation of liability might include specific recoveries from executives” and that “it may be important for the violating company’s board to exercise any rights it may have to claw back bonuses and order the forfeiture of certain unvested stock options and grants.” The Commissioner also noted that “executive compensation arrangements may need to be amended to reflect a . . . commitment to compliance with the law.” 211. The Commissioner noted in his memorandum that “[wjhile these aggressive remedies are typically applied [only] in fraud cases, [the FTC] should not hesitate to apply them against repeat offender corporations and their executives^] [r]egardless of their size and clout[.]” 212. On June 4, 2018, Senators Markey and Blumenthal sent a letter to the FTC and noted that Facebook may have violated the FTC Consent Decree. “The American people deserve to fully understand with whom and under what conditions Facebook provides access to user data[,]” they stated. Also on June 4, 201 8, Cicilline and New York Attorney General Barbara Underwood sent a letter to defendant Zuckerberg that raised the issue of whether Facebook’s data-sharing practices violate the Consent Decree. E. Defendants’ Public Statements to Users and Investors Alike Were Materially False and Misleading With Respect to the Company’s Data Security and Privacy Policies 213. Throughout the relevant period, Defendants emphasized the “security” of Facebook user accounts and expressly denied any “breach” of Facebook’s systems had occurred that allowed unauthorized persons to obtain user data, and promised that users would be notified of any “breach” of Facebook’s systems or other attack that compromised Facebook’s platform. 214. For example, an October 16, 2015 post by Alex Stamos (“Stamos”), Facebook’s Chief Information Security Officer, stated: The security of people’s accounts is paramount at Facebook, which is why we constantly monitor for potentially malicious activity and offer many options to COMPLAINT FOR DECLARATORY JUDGMENT; VIOLATIONS OF CORPORATIONS CODE 60 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 ase 4:18-cv-01792-HSG Document 124-2 Filed 08/01/19 Page 67 of 143 proactively secure your account. Starting today, we will notify you if we believe your account has been targeted or compromised by an attacker suspected of working on behalf of a nation-state. * * * While we have always taken steps to secure accounts that we believe to have been compromised, we decided to show this additional warning if we have a strong suspicion that an attack could be government-sponsored. We do this because these types of attacks tend to be more advanced and dangerous than others, and we strongly encourage affected people to take the actions necessary to secure all of their online accounts. > It’s important to understand that this warning is not related to any compromise of Facebook’s platform or systems, and that having an account compromised in this manner may indicate that your computer or mobile device has been infected with malware. Ideally, people who see this message should take care to rebuild or replace these systems if possible. To protect the integrity of our methods and processes, we often won’t be able to explain how we attribute certain attacks to suspected attackers. That said, we plan to use this warning only in situations where the evidence strongly supports our conclusion. We hope that these warnings will assist those people in need of protection, and we will continue to improve our ability to prevent and detect attacks of all kinds against people on Facebook. 215. Defendants also publicly represented in statements to various media outlets that were often attributed to an anonymous “Facebook representative’’ or an unidentified Company “spokesman” in response to a request for comment by the Company that Facebook monitored and enforced violations of its policies. “[Misleading people or misusing their information is a direct violation of our policies and we will take swift action against companies that do, including banning those companies from Facebook and requiring them to destroy all improperly collected data,” a Facebook spokesman said in a statement to the Guardian in 2015. 216. Facebook’s public filings with the SEC indicate that the Company posts material that it considers to be disclosures that are required to comply with SEC regulations and are subject to federal securities laws because they are communications to investors, on Facebook’s “social networking” website including in the “Facebook Newsroom” and on “Mark Zuckerberg’s Facebook page.” COMPLAINT FOR DECLARATORY JUDGMENT; VIOLATIONS OF CORPORATIONS CODE 61 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 4:18-cv-01792-HSG Document 124-2 Filed 08/01/19 Page 68 of 143 217. These communications to investors are posted on Facebook’s “social networking” website, the same website that the Company uses to communicate with its users, as opposed to the “Facebook for Developers” website that the Company uses to communicate with app developers, or the “Facebook for Business” website that the Company uses to communicate with marketers and advertisers. 218. Throughout the relevant period, Defendants made, caused or allowed statements to be made by or on behalf of Facebook that emphasized the “security” of Facebook’s social networking website, and expressly or impliedly represented that the Company’s privacy program and policies protected user privacy and complied with the FTC Consent Order. 219. Defendants were forced to acknowledge that Facebook had learned about the misappropriation of user data by Cambridge Analytica by at least 2015. Yet, Defendants’ statements suggested there had not been “any compromise of Facebook’s platform or systems” in 2015, and Facebook told its users that they would be notified if and when the Company “believe[s] your account has been targeted or compromised[.]” 220. Defendants’ initial statements in response to reports in 2018 also emphatically denied that any “breach” of Facebook’s systems or violation of its policies had occurred with respect to the data that was obtained (through Kogan) by Cambridge Analytica. 221 . Although Kogan may have used the data in a manner that Facebook later claimed violated its policies (by sharing the data with Cambridge Analytica), Defendants’ statements described above were materially false and/or misleading, as were other statements by Defendants that omitted and failed to disclose material facts, including the following information that was necessary to make their statements not misleading in the context in which they were made: • Facebook’s platform and systems were designed and intended to allow “reciprocal” access to user data; • Defendants favored “full reciprocity” and the Company monitored whether third party apps complied with Facebook’s policy of “reciprocity” - i.e., developers obtained COMPLAINT FOR DECLARATORY JUDGMENT; VIOLATIONS OF CORPORATIONS CODE 62 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 4:18-cv-01792-HSG Document 124-2 Filed 08/01/19 Page 69 of 143 information from Facebook about its users (and non-users) and were required to share the information they obtained, via apps on Facebook’s platform, through Facebook’s API and features like Facebook login; • Facebook did not have procedures in place for auditing and enforcing compliance with its policies respecting user privacy; • Even if user data was obtained in accordance with Facebook’s policies, the Company was unable to ensure that the data was not shared with unauthorized third parties, and had no control over the data or how it was used, after it was transferred; • Facebook’s policies were not sufficient to inform its users of the type of data it considered “personally identifying information” and that was “public on Facebook”; and • Asa result of the foregoing, Facebook’s platform and its policies allowed unauthorized persons to obtain user data without their knowledge and informed consent. 222. Defendants’ statements suggesting that Facebook complied with, or had not violated, the FTC Consent Order were materially false and misleading for at least the following reasons: 223. First, the public statements of Defendants and others do not comply with Section I of the Order, which prohibits Facebook from misrepresenting any of its privacy settings. The FTC evaluates misrepresentations based on what consumers reasonably understand. In its Complaint, the FTC found that Facebook had misrepresented the extent of access that third- party apps had to user data. After the Order went into effect, Facebook continued to grant third-party apps the same level of access to user data as it had before, without ever correcting its misrepresentation. GSR, the company that transferred data to Cambridge Analytica, acquired its data from Facebook in June 2014, two years after the Order went into effect. 224. Second, the Board failed to implement and revise Facebook’s policies and terms of use to ensure they complied with Section II of the Order, which required Facebook to obtain affirmative express consent and give its users clear and prominent notice before disclosing their previously collected information with third parties in a way that exceeds the restrictions COMPLAINT FOR DECLARATORY JUDGMENT; VIOLATIONS OF CORPORATIONS CODE 63 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 3ase 4:18-cv-01792-HSG Document 124-2 Filed 08/01/19 Page 70 of 143 imposed by their privacy settings. As the FTC found, Facebook granted third-party apps access to user data by overriding users’ privacy settings. After the Order went into effect, Facebook never clearly and prominently disclosed this practice to users and did not retroactively seek users’ express affirmative consent to continue disclosing their previously-collected data to third-party apps. 225. On April 1 9, 2018, Senator Blumenthal sent a letter to the FTC, noting that Facebook by default continued to provide access to personal and non-public data to third-party apps even after the consent decree. As he did at the April 10 Senate hearing, Senator Blumenthal specifically called out Facebook for failing to notice that Kogan submitted terms of service for his app that explicitly stated that he reserved the right to sell user data and would collect profile information from the friends of those who downloaded the app. “Even the most rudimentary oversight would have uncovered these problematic terms of service,” Blumenthal wrote. “This willful blindness left users vulnerable to the actions of Cambridge Analytica.” 226. PwC, the supposedly “independent” auditor that Facebook retained to conduct the audits that are required under Section VI of the Order, prepared reports about Facebook’ s Privacy Program. According to PwC’s Initial Assessment Report, which is based on assertions by management (“Management Assertions”), Facebook’s Privacy Program is routinely monitored, reviewed, and improved. The report states, in relevant part: Monitoring Activities: Members of Facebook’s Legal team periodically review the Privacy Program to ensure it, including the controls and procedures contained therein, remains effective. These legal team members also will serve as point of contacts for control owners and will update the Privacy Program to reflect any changes or updates surfaced. Monitoring: Facebook’s Privacy Program is designed with procedures for evaluating and adjusting the Privacy Program in light of the results of testing and monitoring of the program as well as other relevant circumstances. The Privacy XFN Team assesses risks and controls on an on-going basis through weekly meetings and review processes. Members of Facebook’s legal team support the Privacy Program and serve as points of contact for all relevant control owners to communicate recommended adjustments to the Privacy Program based on regular monitoring of the controls for which they are responsible, as well as any internal or external changes that affect those controls. COMPLAINT FOR DECLARATORY JUDGMENT; VIOLATIONS OF CORPORATIONS CODE 64 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 ase 4:18-cv-01792-HSG Document 124-2 Filed 08/01/19 Page 71 of 143 227. The “Management Assertions” and other statements in PwC’s reports about * Facebook’s Privacy Program are misleading and contradict Defendants’ own representations. For example, defendant Sandberg admitted in an interview with Recode Media on May 30, 2018 that Facebook had not audited Cambridge Analytica to ensure they had actually deleted the data. “Looking back, we definitely wish we had put more controls in place. We got legal certification that Cambridge Analytica didn’t have the data, we didn’t audit them,” she said. 228. Third. Facebook was required under Section IV of the Order to establish a “comprehensive privacy program” that would: “(1) address privacy risks related to the development and management of new and existing products and services, and (2) protect the privacy arid confidentiality of covered information.” The privacy program must be designed to prevent “unauthorized collection, use, or disclosure of covered information.” PwC’s Initial Assessment Report, which is based on Management Assertions, states that “Facebook has implemented technical, physical, and administrative security controls designed to protect user data from unauthorized access, as well as to prevent, detect, and respond to security threats and vulnerabilities.” But defendant Zuckerberg admitted in testimony before Congress and the British Parliament that Facebook failed to read the terms and conditions of the GSR app which sold the data to Cambridge Analytica. 229. Senator Blumenthal, in his letter to the FTC sent on April 1 9, 2018, noted that although the FTC explicitly put Facebook on notice about the privacy risks of third-party apps with the 201 1 consent decree, the Company has “continued to turn a blind eye” to other outside parties that collect data from its users, and its procedures for verifying that new apps comply with it remain “murky,” Senator Blumenthal said in his letter. Indeed, as the New York Times reported on June 3, 2018, Facebook continued to allow others besides “third party apps” to access the same user data that the Company purportedly banned when it revised its policy in 2015. 230. Fourth, the Consent Decree prohibits Facebook from misrepresenting the privacy or security of “covered information” - broadly defined to include “photos and videos.” COMPLAINT FOR DECLARATORY JUDGMENT; VIOLATIONS OF CORPORATIONS CODE 65 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 ase 4:18-cv-01792-HSG Document 124-2 Filed 08/01/19 Page 72 of 143 The Order also requires Facebook to “give its users a clear and prominent notice and obtain their affirmative express consent” before disclosing previously-collected information. EPIC and other consumer privacy groups have alleged that since early 2018, Facebook has been routinely scanning photos, posted by users, for biometric facial matches without the consent of either the image subject or the person who uploaded the photo, in violation of these provisions (among other laws). 23 1 . Defendants not only had the ability (and responsibility) to change Facebook’s policies and practices with respect to third party developer access to user information, they were also well aware of, and facilitated, this activity through Facebook’s unlawful business practices and inadequate privacy policies which they knew could cause substantial damage to Facebook and potential violations of the FTC Consent Decree. 232. FTC Commissioner Chopra noted in a recent memorandum to FTC staff that going forward, “[wjhen orders are violated, a key question [the FTC] will evaluate .... is whether the proposed remedies address the underlying causes of the noncompliance.” Chopra said the FTC will “hold individual executives accountable for order violations in which they participated, even if these individuals were not named in the original orders[,]” noting that “[t]his relief is expressly contemplated by Fed. R. Civ. P. 65(d), which provides that an injunction against a corporation binds its officers.” Moreover, Chopra explained, “this relief is important, because it ensures that individual executives who control the operation of the firm - and not just shareholders - bear the costs of noncompliance.” 233. Fifth, in certifying the adequacy of F acebook’ s privacy program and related internal controls and procedures, PwC simply relied on “Management Assertions” about Facebook’s privacy program and certified, based on these representations, that Facebook’s monitoring procedures, policies and internal controls were effective. 234. Thus far, PwC has prepared three assessments that Facebook has submitted to the FTC certifying that Facebook’s privacy program meets or exceeds the requirements of the 201 1 Consent Order. COMPLAINT FOR DECLARATORY JUDGMENT; VIOLATIONS OF CORPORATIONS CODE 66 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 ase 4:18-cv-01792-HSG Document 124-2 Filed 08/01/19 Page 73 of 143 235. In all three audit reports that Facebook has submitted to the FTC, PwC certified that Facebook’ s privacy controls were operating with sufficient effectiveness to provide reasonable assurance to protect the privacy of covered information and that the controls have so operated throughout the reporting periods. 236. PwC’s certifications are based on purported facts, called “assertions” in the audit reports, which are actually management’s own assertions that were admittedly provided to PwC by Facebook for the purpose of the supposedly “independent” audits. These “assertions” were assumed true for purposes of the audit and were not determined in the course of an independent audit conducted by PwC or confirmed by PwC based upon reasonable auditing procedures developed independently of Facebook’s management. Defendants failed to disclose these “Management Assertions” and that PwC, in relying on them, took them as “fact,” without conducting an appropriate investigation and review of the information that was provided to determine whether it was sufficiently reliable and supported by Facebook’s records, documentation, or other evidence. 237. According to the audit report for the period February 12, 2015 to February 1 1, 2017, Facebook constantly enhances or updates its program to protect individual/users information, and Facebook’s Privacy XFN Team assists the chief officers and his team to review and provide feedback on new product proposals and any material changes to existing products from a privacy perspective. 238. The audit report for the period August 15, 2012 to February 11, 2013 indicates that Facebook’s Privacy Program was defined by the following assertions: responsibility for the Facebook Privacy Program, privacy Risk Assessment, Privacy and Security awareness, notice, choice, consent, collection and assess, security for privacy, third-party developers, service provider, and on-going monitoring of the privacy program. These assertions are based on the following “facts” that were not independently verified by PwC: COMPLAINT FOR DECLARATORY JUDGMENT; VIOLATIONS OF CORPORATIONS CODE 67 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 4:18-cv-01792-HSG Document 124-2 Filed 08/01/19 Page 74 of 143 • Facebook provides notices to users regarding its privacy policies and procedures, identifies the purposes for which personal information is collected, used, retained and disclosed. • Without users/individuals’ explicit or implicit authorization, Facebook would not disclose users’ information to any-third parties/developers; • Facebook collects personal information only for the purposes identified in the notice and Facebook provides tools for users/individuals to manage their personal information. 239. In its Biennial Report for the period from February 12, 2015 to February 1 1, 2017, PwC stated that there were no material weaknesses in Facebook’s internal controls and determined that Facebook’s privacy program was sufficient to comply with the FTC Consent Order. 240. Defendants’ statements were materially false and misleading because they failed to disclose that Defendants continued to operate Facebook’s business in essentially the same manner that led to the Consent Order being entered in the first place and were known to have previously made - and broken - their promises with regard to Facebook’s user privacy practices. 241 . The fact that PwC found no deficiencies in Facebook’s internal controls following the WhatsApp acquisition in 2014 is similarly egregious, given that the FTC specifically warned Defendants in 2014 about their obligations to protect the privacy of their users in light of the proposed acquisition.1 242. Defendants knew (or should have known) that once the data was exfiltrated by a third party, there was no way for Facebook to recover the data or to ensure it would not be 1 See Fed. Trade Comm’n Press Release, FTC Notifies Facebook, WhatsApp of Privacy Obligations in Light of Proposed Acquisition, Apr. 10, 2014, available at https://www.ftc.gov/news-events/press-releases/2014/04/ftc-notifies-facebook-whatsapp- privacy-obligations-light-proposed. COMPLAINT FOR DECLARATORY JUDGMENT; VIOLATIONS OF CORPORATIONS CODE 68 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 3ase 4:18-cv-01792-HSG Document 124-2 Filed 08/01/19 Page 75 of 143 further exposed or compromised in the future. Even if there was, Defendants did not even attempt to secure Facebook’s user data and failed to implement any auditing or enforcement procedures. Instead, Defendants turned a blind eye to obvious violations of Facebook’s policies, failed to ensure that the Company’s privacy program was effective and that their statements about Facebook’s data security and user privacy practices were not misleading. 243. In Facebook’s written responses to Congress, Defendants confirmed that they had not taken action against any third party apps for similar data-sharing and extrication practices as Kogan and Cambridge Analytica, and only went after those that posed a threat to Facebook’s competitive position. In response to a request for “a list of developers that Facebook has taken legal action against for violations of Facebook’s developer policy[,]” the Company responded: We use a variety of tools to enforce Facebook policies against violating parties, including developers. We review tens of thousands of apps per year and regularly disapprove noncompliant apps as part of our proactive review process. We also use tools like cease-and-desist letters, account suspensions, letter agreements, and civil litigation. For example, since 2006, Facebook has sent over 1,150 cease-and-desist letters to over 1,600 targets. In 2017, we took action against about 370,000 apps, ranging from imposing certain restrictions to removal of the app from the platform. Moreover, we have required parties who have procured our data without authorization to delete that data. We have invested significant resources in these efforts. Facebook is presently investigating apps that had access to large amounts of information before we changed our platform policies in 2014 to significantly reduce the data apps could access. As of early June 2018, around 200 apps (from a handful of developers: Kogan, AIQ, Cube You, the Cambridge Psychometrics Center, myPersonality, and AIQ) have been suspended — pending a thorough investigation into whether they did in fact misuse any data. Additionally, we have suspended an additional 14 apps, which were installed by around one thousand people. They were all created after 2014, after we made changes to more tightly restrict our platform APIs to prevent abuse. However, these apps appear to be linked to AIQ, which was affiliated with Cambridge Analytica. So, we have suspended them while we investigate further. Any app that refuses to take part in or fails our audit will be banned. 1. Defendants’ Statements Omitted and Failed to Disclose That Facebook’s Platform and Policies Allowed Third Parties to Obtain COMPLAINT FOR DECLARATORY JUDGMENT; VIOLATIONS OF CORPORATIONS CODE 69 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 ase 4:18-cv-01792-HSG Document 124-2 Filed 08/01/19 Page 76 of 143 Users’ Personal Information and Data Without Their Consent 244. Throughout the relevant period, Defendants emphasized that Facebook’s business depended upon maintaining user trust and falsely assured Facebook users and investors that the Company maintained effective data security practices and internal controls that protected user privacy by preventing their personal information and data from being obtained by third parties without their knowledge and consent. 245. Facebook’s Data Use Policy in 2013 stated, in relevant part: Granting us permission to use your information not only allows us to provide Facebook as it exists today, but it also allows us to provide you with innovative features and services we develop in the future that use the information we receive about you in new ways. While you are allowing us to use the information we receive about you, you always own all of your information. Your trust is important to us, which is why we don’t share information we receive about you with others unless we have: □ received your permission □ given you notice, such as by telling you about it in this policy; or □ removed your name and any other personally identifying information from it. 246. Despite this policy, until 2014, developers could generally launch apps on the Facebook Platform without affirmative approval or review by Facebook. Facebook allowed third-party app developers to use the Facebook API to download a user’s friends and friendships. 247. Oh May 22, 2014, Facebook announced an expanded “privacy checkup” tool that would enable users to review the privacy of “key pieces of information” on their profiles, as well as a change to the default sharing setting for new members’ first post from “public” to “friends. First-time posters would also see a reminder to choose an audience for their first post, although the company stressed that the new default “friend” setting would apply even if they didn’t make an audience choice. “Users will also still be able to change the intended audience of a post at any time, and can change the privacy of their past posts as well,” Facebook’s website post added. COMPLAINT FOR DECLARATORY JUDGMENT; VIOLATIONS OF CORPORATIONS CODE 70 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 ase 4:18-cv-01792-HSG Document 124-2 Filed 08/01/19 Page 77 of 143 248. Defendants represented in statements on Facebook’s website that the Company had “elected” to make these changes on its own, which was untrue. Facebook’s changes to the privacy practices were prompted by a contested $20 million settlement that required the Company to make changes to its policies in order to give minor and adult users more information about how their names and likenesses are employed in connection with ads displayed through the site’s Sponsored Stories program. 249. Further, when Facebook expanded Facebook’s Graph API and developer policies in 2014, it was not for the protection of its users. Defendants failed to disclose that this change allowed app developers to obtain a “read mailbox” permission that allowed access to a user’s inbox. That was just one of a series of extended permissions granted to developers under version 2.0 of the Graph API. A Facebook spokesperson confirmed to The Register that “[i]n 2014, Facebook’s platform policy allowed developers to request mailbox permissions,” but tried to downplay the significance of the eyebrow-raising revelation by claiming that the permission only granted access to a user’s inbox with their express consent, and was mainly used for apps offering a combined messaging service. “At the time when people provided access to their mailboxes - when Facebook messages were more of an inbox and less of a real¬ time messaging service - this enabled things like desktop apps that combined Facebook messages with messages from other services like SMS so that a person could access their messages all in one place,” the spokesperson said. 2. Defendants’ Statements Omitted and Failed to Disclose Material Facts About the Acquisition and Monetization of WhatsApp 250. On February 19, 2014, Facebook announced that the Company would acquire WhatsApp, a messaging platform that was co-founded by defendant Koum, WhatsApp’s CEO and a Facebook director until 2018, for approximately $16 billion. However, the true cost to the Company was closer to $19 billion, if not higher, as the $16 billion purchase price, consisting of $4 billion in cash and 184 million shares of Facebook stock worth approximately $12 billion, did not include the 46 million restricted stock units (“RSUs”) that Facebook gave WhatsApp employees and its founders (including defendant Koum), which were worth COMPLAINT FOR DECLARATORY JUDGMENT; VIOLATIONS OF CORPORATIONS CODE 71 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 ase 4:18-cv-01792-HSG Document 124-2 Filed 08/01/19 Page 78 of 143 approximately $3 billion and represented 7.9% of Facebook shares then outstanding. On a conference call with securities analysts held the same day as the announcement, Facebook’ s then-CFO, David Ebersman, stated that “[t]he deal was unanimously approved by the Boards of Directors of both companies[.]” 251 . Defendants Zuckerberg and Koum discussed the acquisition of WhatsApp on the February 19, 2014 conference call, and Zuckerberg’s comments on the call made clear that the increased competition Facebook perceived or was facing from WhatsApp was a primary motivating factor behind the acquisition. Zuckerberg stated: In fact, WhatsApp is the only widely used app we’ve ever seen that have more engagement in a higher percent of people using it daily than Facebook itself. After doubling in size from the last year, more than 450 million people now use WhatsApp monthly and more than one million new people are signing up every day. Based on our experience of building global services with strong growth and engagement, we believe WhatsApp is on a path to reach over one billion people worldwide in the next few years. Internet services that reach a billion people are all incredibly valuable, and we believe WhatsApp will be as well. * * * We expect them to bring the same quality and innovation they bring to the rest of the products, and the successful subscription model they already have in place is the product in start. As Facebook works to connect the entire world and to build the infrastructure for global community, WhatsApp will clearly help accelerate our progress. Jan and the team have built the product with a simple, fast, reliable and a really great experience for people. It’s a great model for our own mobile development process. WhatsApp also complements our services and will add a lot of new value to our community. People use WhatsApp as a replacement for SMS to communicate with their contacts as well as small groups of people. Our communication product like Facebook Messenger and Chat are used mostly for chatting with your Facebook friends and often sending messages that aren’t necessarily real-time. * * * Overall, I am very excited about this deal. And I think it will be great for Facebook and WhatsApp community, as well as for both companies. WhatsApp had every option in the world, certainly thrilled that they chose to work with us. 252. Both defendants Zuckerberg and Koum promised that WhatsApp’s practices with respect to user data would not change following the acquisition. For example, Zuckerberg stated, “We’re committed to building and operating WhatsApp independently. Their product COMPLAINT FOR DECLARATORY JUDGMENT; VIOLATIONS OF CORPORATIONS CODE 72 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 3ase 4:18-cv-01792-HSG Document 124-2 Filed 08/01/19 Page 79 of 143 roadmap is very exciting and it’s not going to change.” Koum apparently trusted Zuckerberg, stating, “I believe that WhatsApp will continue to operate independently and autonomously. It’s important for all of us that the team keep working with the pace and energy of a start-up. We will also assume that confidence that Facebook calls for in a process innovation will be great good [ph] for us.” 253. The focus on maintaining WhatsApp’s practices after the acquisition was vague, yet it was telling in that it suggested Defendants knew they most likely were the reason that WhatsApp’s “user engagement” was increasing significantly and was greater than Facebook’s. However, defendant Zuckerberg downplayed WhatsApp’s practices that were focused on user privacy in his comments. < 254. In response to a question about “the competitive dynamics” of the acquisition, Zuckerberg stated: Yes, messaging is a very competitive space as you’re saying. I mean WhatsApp I think is the clear global leader at this. If you go country-by-country, there are countries like in Korea or Japan where another messaging service is bigger, but if you look across the world, I think WhatsApp is in most countries. It’s right across Europe, in Latin America, India, like lot of places in Asia. It’s kind of the clear leader. And I think a lot of this gets down to the details that Jan was talking about in early answer, where these guys just obsessively focused on simplicity and speed and reliability. But when they go into a country, I mean they don’t rest until their service is faster than SMS, and as reliable with obviously all the disadvantages that come with going over the data network instead of the voice network. So that’s I think the technical advantage that these guys have. It’s a company of really hardcore engineers, who are obsessing over perfecting messaging, not adding a lot of bloated features into a messaging app. And I think that’s like the way that - that’s the right strategy. I think that’s what people want. And over time, I think people are going to pay for that, and then want to pay for it, and will be happy to pay for the best one. (Emphasis added). 255. In response to a question about plans with regard to monetization, defendant Koum promised that “[mjonetization is not going to be a priority for us.” He and defendant Zuckerberg also stated: COMPLAINT FOR DECLARATORY JUDGMENT; VIOLATIONS OF CORPORATIONS CODE 73 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 2ase 4:18-cv-01792-HSG Document 124-2 Filed 08/01/19 Page 80 of 143 Zuckerberg: So let me start off, and then I guess Jan is going to jump in. Our explicit strategy is for the next several years to focus on growing and connecting everyone in the world. And then we believe that once we get to being a service that has billion, two billion, maybe even three billion people one day, that there are many clear ways that we can monetize, but the right strategy we believe, is to continue focusing on growth and the product and succeeding in building the best communication tools in the world. So that’s actually one of the big reasons why it makes sense for WhatsApp to join us is that, as an independent company, they wouldn’t have been able to purely focus on growth, whereas now we can really help them out a lot with that. But I’ll hand it over to, Jan, to talk about monetization. I don’t personally think that ads are the right way of monetized messaging services. And I know, Jan, shares this philosophy. So why don’t you go into that? Koum: Yes, absolutely. I think I’ve talked to Mark about it number of times. And I have talked about it in our blog. We think that for our product for messaging, advertisement is not going to serve as the right thing to go. We feel that we actually have a very solid monetization system in place that helps us create a direct relationship with our user and our customer. And WhatsApp really focuses on growth. Monetization is not going to be a priority for us. And this is why I actually respect Mark and his vision that he thinks a very long-term on everything they do at Facebook. They focus on something that has - not just tomorrow, but something that is five or 10 years from now. And that’s the same with our company. When we’re talking about where mobile is going to be, not today, not next year, but in 2020 or in 2025, and as we look forward to the next five, 10 years, five billion people will have a smartphone. And we hold potential to have five billion users potentially given us money through the subscription model. So we really are excited about the growth today as a potential of where it’s going to be, five, 10 years from now. And we’re not really concerned about monetization today. We’re focused on the growth. (Emphasis added). a. The FTC Warned Facebook About Potential Violations of the Consent Order In Connection with the WhatsApp Acquisition COMPLAINT FOR DECLARATORY JUDGMENT; VIOLATIONS OF CORPORATIONS CODE 74 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 3ase 4:18-cv-01792-HSG Document 124-2 Filed 08/01/19 Page 81 of 143 256. On February 9, 2014, Facebook issued a press release announcing the acquisition of WhatsApp, which defendant Koum co-founded in 2009. In the press release, defendant Zuckerberg stated, “I’ve known Jan [Koum] for a long time and I’m excited to partner with him and his team to make the world more open and connected.” Defendant Koum said, “WhatsApp’ s extremely high user engagement and rapid growth are driven by the simple, powerful and instantaneous messaging capabilities we provide. We’re excited and honored to partner with Mark and Facebook as we continue to bring our product to more people around the world.” 257. Defendant Koum stayed on as WhatsApp’s CEO after the acquisition, and according to Facebook’s website, he was “responsible for setting the overall direction and strategy for WhatsApp.” 258. In a letter to Facebook and WhatsApp general counsel sent on April 10, 2014, Jessica Rich, Director of the FTC’s Bureau, of Consumer Protection, noted that WhatsApp has made clear privacy promises to consumers, and that both companies have told consumers that after any acquisition, WhatsApp will continue its current privacy practices. “We want to make clear that, regardless of the acquisition, WhatsApp must continue to honor these promises to consumers. Further, if the acquisition is completed and WhatsApp fails to honor these promises, both companies could be in violation of Section 5 of the Federal Trade Commission (FTC) Act and, potentially, the FTC’s order against Facebook,” the letter states.2 259. The FTC specifically noted that the Consent Order applies equally to “Facebook and its subsidiaries” and instructed that “[b]efore changing WhatsApp’s privacy practices in connection with, or following, any acquisition, you must take steps to ensure that you are not in violation of the law or the FTC’s order. First, if you choose to use data collected by WhatsApp 2 See Fed. Trade Comm’n Press Release, FTC Notifies Facebook, WhatsApp of Privacy Obligations in Light of Proposed Acquisition, Apr. 10, 2014, available at https://www.ftc.gov/news-events/press-releases/2014/04/ftc-notifies-facebook-whatsapp- privacy-obligations-light-proposed. COMPLAINT FOR DECLARATORY JUDGMENT; VIOLATIONS OF CORPORATIONS CODE 75 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 4:18-cv-01792-HSG Document 124-2 Filed 08/01/19 Page 82 of 143 in a manner that is materially inconsistent with the promises WhatsApp made at the time of collection, you must obtain consumers’ affirmative consent before doing so. Second, you must not misrepresent in any manner the extent to which you maintain, or plan to maintain, the privacy or security of WhatsApp user data. ... Finally, if you choose to change how you collect, use, and share newly collected WhatsApp data, we recommend that you offer consumers an opportunity to opt out of such changes[.]” 260. “Following the announcement of the proposed acquisition of WhatsApp, Facebook chief executive Mark Zuckerberg was quoted as saying ‘We are absolutely not going to change plans around WhatsApp and the way it uses user data.’ Similarly, a Facebook spokesperson stated that ‘As we have said repeatedly, WhatsApp will operate as a separate company and will honor its commitments to privacy and security.’” The FTC concluded that Facebook had “promised consumers that it would not change the way WhatsApp uses customer information” and specifically advised that “any use of WhatsApp ’s subscriber information that violates these privacy promises, by either WhatsApp or Facebook, could constitute a deceptive or unfair practice under the FTC Act” and “could violate the FTC’s order against Facebook.” 261. On March 12, 2018, WhatsApp attorneys signed an “undertaking” with the Information Commissioner responsible for enforcement of the Irish Data Protection Act (“DP A”), acknowledging that WhatsApp’s “sharing] any personal data with the Facebook family of companies” would be a violation of the DPA because WhatsApp had: (i) “not identified] a lawful basis of processing for any such sharing of personal data”; (ii) “fail[e]d to provide adequate fair processing information to users in relation to any such sharing of personal data”; and (iii) “[i]n relation to existing users, such sharing . . . involved the processing of personal data for a purpose that is incompatible with the purpose for which such data were obtained.” WhatsApp “committed]” not to engage in these practices only with respect to users in the European Union, and WhatsApp and Facebook continue to share the personal data of U.S. users with each other and with other third party companies. b. Defendant Koum Resigned From Facebook’s Board and as WhatsApp’s CEO in the Midst of the Scandal COMPLAINT FOR DECLARATORY JUDGMENT; VIOLATIONS OF CORPORATIONS CODE 76 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 4:18-cv-01792-HSG Document 124-2 Filed 08/01/19 Page 83 of 143 262. The acquisition of WhatsApp was made on the foundation of “no ads, no games, and no gimmicks.” However, defendant Zuckerberg broke his promise and reportedly pressured WhatsApp’s founders to change its business model in order to generate more advertising revenue. When defendant Koum complained that he “didn’t have enough people” to implement the project, Zuckerberg dismissed him with, “I have all the people you need,” according to one person familiar with the conversation. 263. On April 30, 2018, defendant Koum publicly announced his departure from WhatsApp and resignation from Facebook’s board of directors. “Koum’s exit is highly unusual at Facebook,” the Washington Post reported. “The inner circle of management, as well as the board of directors, has been fiercely loyal during the scandals that have rocked media giant. In addition, Koum is the sole founder of a company acquired by Facebook to serve on its board. Only two other Facebook executives, Zuckerberg and Chief Operating Officer Sheryl Sandberg, are members of the board.” 264. Defendant Koum did not give any reasons for his exit. Nevertheless, he explained that he deeply cared about the privacy of communication in 2014 when he sold WhatsApp to Facebook, stating in a blog post, “respect for your privacy is coded into our DNA, and we built WhatsApp around the goal of knowing as little about you as possible. . . If partnering with Facebook meant that we had to change our values, we wouldn’t have done it.” 265. The split between Facebook and WhatsApp is considered messy and expensive, according to The Wall Street Journal. “Behind the dishiness, however, is a very important story that pretty much clears up any doubt as to whether Mark Zuckerberg is a trustworthy man who keeps his promises - or a profit-obsessed machine who’s much stronger on greed than he is on morals.” While Zuckerberg told stock analysts that he and Koum agreed that advertising wasn’t the right way to make money from messaging apps, it was Zuckerberg’ s decision alone, but he broke his promise. 266. According to the Washington Post, which spoke to “people familiar with internal discussions” over Koum’s departure, there were tensions with Facebook over WhatsApp’s end- COMPLAINT FOR DECLARATORY JUDGMENT; VIOLATIONS OF CORPORATIONS CODE 77 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 2ase 4:18-cv-01792-HSG Document 124-2 Filed 08/01/19 Page 84 of 143 to-end encryption, which ensures that messages can’t be intercepted and read by anyone outside of the conversation, including by WhatsApp or Facebook. Koum and other WhatsApp executives believed that Facebook’ s desire to make it easier for businesses to use its tools would require weakening some of the encryption. 267. Brian Acton (“Acton”), who co-founded WhatsApp with Koum in 2009, left Facebook in November of 2017, according to the New York Times. Acton later became the executive chairman of the Signal Foundation, the nonprofit that has run the encrypted communication app Signal, and he personally invested $50 million into the project that focus on the development of privacy- focused apps. On March 20, 2018, Acton wrote on twitter five days after the Cambridge Analytica scandal, “It is time. #deletefacebook” to support the chorus of the #deletefacebook movement, Techcrunch reported. 268. Both Acton and defendant Koum are purportedly big believers in privacy, and that’s the reason why WhatsApp insisted no ads and operated independently even though Facebook scrapped the 99-cent annual charge to prevent WhatsApp from generating revenue, according to the Washington Post. 269. Former Facebook manager Parakilas told the New York Times, “Jan and Brian’s departures mean that Facebook, WhatsApp and Instagram are all controlled even more tightly by a single person - Mark Zuckerberg; this centralized control is bad for the users of all of these products.” 3. Defendants’ Statements Omitted and Failed to Disclose Facebook’s Secret Agreements With Device Manufacturers 270. On June 3, 2018, an article published by The New York Times reported that Facebook had entered into agreements over the past decade with at least 60 device makers, including Apple, Amazon, BlackBerry, Microsoft and Samsung, that allowed them to access vast amounts of Facebook information, including data about users’ friends who had blocked such third-party access. These data-sharing partnerships, which Facebook entered into as early as 2007, gave these companies the ability to offer “features” of the social network, such as messaging, “like” buttons, and friends (contacts) lists, on their own websites and mobile COMPLAINT FOR DECLARATORY JUDGMENT; VIOLATIONS OF CORPORATIONS CODE 78 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 4:18-cv-01792-HSG Document 124-2 Filed 08/01/19 Page 85 of 143 devices. The Times reported that Facebook provided mechanisms for certain phone and device manufacturers to build software accessing user data, supposedly to integrate Facebook features before app markets came into widespread use. 271 . The following day, the Times reported that Facebook has similar data-sharing agreements Chinese telecommunications companies, including Huawei, Lenovo, OPPO, and TCL. Notably, Facebook and its subsidiaries Instagram and WhatsApp have been blocked by the Chinese government since 2009, and the Pentagon has recently banned the use of devices made by Huawei on U.S. military bases, citing national security concerns. 272. Facebook’s Vice President of Product Partnerships, hne Archibong (“Archibong”), also addressed the agreements in a Facebook Newsroom post titled “Why We Disagree With The New York Times.” According to Archibong, “in the early days of mobile,” Facebook had built a set of private APIs that allowed companies like Apple, Amazon and HTC to “recreate Facebook-like experiences for their individual devices or operating systems” for users who weren’t able to put a Facebook app on their device. 273. The Company’s representatives claimed that Facebook had already decided to start winding down these arrangements in April 2018, but did not explain why they had never previously been disclosed, particularly during defendant Zuckerberg’s testimony before Congress. He also disputed the assertion that this access went beyond what users had agreed to or were expecting. 274. Indeed, defendant Zuckerberg did not even mention the contracts with other third party companies in his testimony. There are two kinds of arrangements that Facebook has that are supposedly “winding down” because both appear, unsurprisingly, to violate Defendants’ promises to protect user privacy (and perhaps, the Consent Decree). 275. In PwC’s Initial Assessment Report, Facebook’s Control Activity with regard to Service Providers states, “The privacy policies of Facebook and Instagram contain a section that ‘informs users that the information Facebook and Instagram receive ipay be shared with service organizations when a user signs up for Facebook and Instagram accounts.” The COMPLAINT FOR DECLARATORY JUDGMENT; VIOLATIONS OF CORPORATIONS CODE 79 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 ase 4:18-cv-01792-HSG Document 124-2 Filed 08/01/19 Page 86 of 143 unredacted portions of the report do not disclose that Facebook apparently referred to but did not disclose that these multinational corporations are the “service providers” with which Facebook maintained data sharing agreements. 276. Although other companies are also referred to in the report, they are “Facebook Experience application developers” that “must read and sign-off on the Extended API Addendum (the ‘Addendum’), or . . . the terms and conditions for a developer’s adherence to Facebook’s Platform Policies, Statement of Rights and Responsibilities and data policies and procedures” that apply to third party app developers like Kogan, who were supposedly required to follow the same policies that Defendants did not enforce. 277. Mobile device manufacturers like Apple and Huawei, however, are subject to different “Service Provider Contracts” that, according to the Initial Assessment Report, “may be terminated if Facebook identifies misuse of user information (based on violations of the Statement of Rights and Responsibilities and/or the vendor security policy).” 278. Defendants failed to disclose Facebook’s secret agreements with mobile device manufacturers that have been in effect since 2012. Defendants also did not disclose that they failed to enforce Facebook’s platform policies, which would similarly provide users with essentially no protection from the exfiltration of their data. 279. Defendants’ data sharing agreements with third party companies may have exposed Facebook to liability for violating the Consent Decree. Under the Consent Decree, Facebook is required to obtain permission before sharing a user’s private information in a way that exceeds that user’s existing privacy settings. The Consent Decree defines “third party” to include a host of other individual entities, but it exempts “service providers]” who help Facebook carry out basic functions of its site. 280. PwC’s reports to the FTC indicate that the Company’s Privacy Program encompasses these “service providers.” The Initial Assessment Report states, in relevant part: Service Providers: Facebook has implemented controls with respect to third-party service providers, including implementing policies to select and retain service providers capable of appropriately protecting the privacy of covered information received from Facebook. Facebook’s Security team has a process for conducting COMPLAINT FOR DECLARATORY JUDGMENT; VIOLATIONS OF CORPORATIONS CODE 80 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 ase 4:18-cv-01792-HSG Document 124-2 Filed 08/01/19 Page 87 of 143 due diligence on service providers who may receive covered information in order to evaluate whether their data security standards are aligned with Facebook’s commitments to protect covered information. As part of the due diligence process, Facebook asks prospective service providers to complete a security architecture questionnaire or vendor security questionnaire to assess whether the provider meets Facebook’s functional security requirements to protect the privacy of user data. Based upon the service provider’s response to the vendor security questionnaire and other data points, Facebook’s Security team determines whether further security auditing is required. Facebook partners with an outside security consulting firm to conduct security audits, which may include testing of the service provider’s controls, a vulnerability scanning program, a web application penetration test, and/or a code review for security defects. Facebook also has a contract policy which governs the review, approval, and execution of contracts for Facebook. 281 . Accordingly, after it was revealed that Facebook has data sharing agreements with companies like Apple and Huawei, Facebook representatives attempted to distinguish those agreements from the developer policies that allowed third party apps to obtain Facebook information and user data. According to The New York Times, Facebook officials called the Company’s partnerships with device manufacturers “private data channels” and said they did not violate the Consent Order because “the company viewed its hardware partners as ‘service providers,’ akin to a cloud computing service paid to store Facebook data or a company contracted to process credit card transactions.” 4. Defendants’ Statements Omitted and Failed to Disclose Facebook’s Adjudicated Violations of Law a. The German Supreme Court Declared Facebook’s “Friend Finder” Feature Unlawful in 2016 282. In February 2016, the German Supreme Court declared the Friend Finder feature on Facebook to be unlawful. The court found that the service, which allows the social networking giant to access users’ contacts and send emails to non-users, was not adequately explained to consumers and amounted to harassing advertising. 283 . Facebook’s users did not provide the same information to Facebook that was ultimately used for targeting advertisements - while it was developed with user data, this data was aggregated and ultimately new information was generated through Facebook’s algorithm COMPLAINT FOR DECLARATORY JUDGMENT; VIOLATIONS OF CORPORATIONS CODE 81 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 ase 4:18-cv-01792-HSG Document 124-2 Filed 08/01/19 Page 88 of 143 that was used for targeting purposes. Because this was not the same information that Facebook users had provided, they did not (and could not) know the information existed, let alone was being shared or used for any purpose. Facebook’s users did not, because they could not, consent to such information being shared with third parties or used for targeted advertising. Thus, Facebook’s users did not implicitly or explicitly consent to Facebook’s practices. b. The Spanish Agency for Data Protection Fined Facebook €1.2 Million Euros in 2017 284. On September 1 1, 2017, the Spanish Agency for Data Protection (“AEPD”) announced that it had fined Facebook €1 .2 million euros for violating data protection regulations following its investigation to determine whether the data processing carried out by the Company complied with the data protection regulations. The AEPD stated that its investigation made it possible to verify that Facebook does not inform the users in a comprehensive and clear way about the data that it will collect and the treatments that it will carry out with them, but that it is limited to giving some examples. In particular, the AEPD found that Facebook collects other data derived from the interaction carried out by users on the platform and on third-party sites without them being able to clearly perceive the information that Facebook collects about them or with what purpose they are going to use it. 285. The AEPD also found that the privacy policy of Facebook contains generic and unclear expressions, and requires access to a multitude of different links to know it. Further, the AEPD concluded that the Company makes an inaccurate reference to the use it will make of the data it collects, so that a Facebook user with an average knowledge of the new technologies does not become aware of the data collection or storage and subsequent treatment, or what they will be used for. c. The French Data Protection Authority Fined Facebook its Maximum Allowable Fine in 2017 286. In May 2017, the French data protection authority fined Facebook its maximum allowable fine of €150,000 for similar violations claimed by the Spanish authorities. Facebook had built up “a massive compilation of personal data of internet users in order to display COMPLAINT FOR DECLARATORY JUDGMENT; VIOLATIONS OF CORPORATIONS CODE 82 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 ase 4:18-cv-01792-HSG Document 124-2 Filed 08/01/19 Page 89 of 143 targeted advertising,” complained the Commission Nationale de Hnformatique et des Libertes. “It collected data on the browsing activity of internet users on third-party websites, via the ‘datr’ cookie, without their knowledge.” d. A German Court Found Facebook’s Default Settings are Illegal and Facebook’s Terms of Service are Invalid to Obtain Consent in 2018 287. On February 12, 201 8, a German court found that Facebook’s failure to obtain users’ informed consent before collecting their data was illegal. The Berlin Regional Court found that Facebook flouted Germany’s data protection law by turning data sharing settings on by default. One preactivated setting on Facebook’s smartphone app shared users’ locations to the people they are chatting with, the court said. The Company also preticked a box authorizing search engines to show links to user profiles in search results, making it easier for anyone to find someone’s personal profile, the ruling said. 288. The court found that eight clauses in Facebook’s terms of service were invalid, f including a declaration that users consented to the company using their names and profile pictures “for commercial, sponsored or related content” or sending their data to the United States. e. Facebook Was Ordered to Stop Tracking Internet Usage and Faces Up to €100 Million in Fines 289. On February 16, 2018, a Belgian court ordered Facebook to stop tracking Belgian citizens’ online activity on third-party websites — or face up to €100 million ($125 million) in fines. Facebook tracks the movements of visitors to outside websites by installing cookies, social plug-ins like its “like” button, or so-called pixels, which are invisible to the naked eye, the Belgian Privacy Commission said. The software tracks even those who do not have Facebook accounts, the privacy watchdog alleged in a suit filed in 2015. 290. The Brussels Court of First Instance sided with the commission, ruling that Facebook “insufficiently” discloses what kind of data it collects, what it does with the data and how long it stores it. Facebook does not do enough to get users’ consent, the court said in a Dutch-language statement. The court threatened Facebook with fines of up to €250,000 a day, COMPLAINT FOR DECLARATORY JUDGMENT; VIOLATIONS OF CORPORATIONS CODE 83 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 4:18-cv-01792-HSG Document 124-2 Filed 08/01/19 Page 90 of 143 or up to €100 million in total, if it does not stop tracking Belgians and delete all data it has already gathered using the illegal methods. VII. DEFENDANTS AUTHORIZED MANIPULATIVE SHARE REPURCHASES AND FALSE AND MISLEADING STATEMENTS THAT ARTIFICIALLY INFLATED FACEBOOK’S STOCK PRICE 291 . California Corporations Code section 25400 prohibits conduct designed to manipulate stock price through fraudulent practices that are intended to mislead investors by artificially creating market activity in a security. Specifically, section 25400 makes it unlawful for any person in California “[t]o effect, alone or with one or more other persons, a series of transactions in any security creating actual or apparent active trading in such security or raising or depressing the price of such security, for the purpose of inducing the purchase or sale of such security by others” and “to make, for the purpose of inducing the purchase or sale of such security by others, any statement which was, at the time and in the light of the circumstances under which it was made, false or misleading with respect to any material fact, or which omitted to state any material fact necessary in order to make the statements made, in the light of the circumstances under which they were made, not misleading, and which he knew or had reasonable ground to believe was so false or misleading.” Corp. Code, § 25400. 292. Section 25500 further provides that “Any person who willfully participates in any act or transaction in violation of Section 25400 shall be liable to any other person who purchases or sells any security at a price which was affected by such act or transaction for the damages sustained by the latter as a result of such act or transaction.” Corp. Code, § 25500. 293. California Corporations Code section 25401 similarly prohibits misrepresentations in connection with the purchase or sale of securities that occurs in the State of California, and section 25501 provides that “[a]ny person who violates Section 25401 shall be liable to the person who purchases a security from him or sells a security to him, . . . either for rescission or for damages . . ., unless the defendant proves that the plaintiff knew the facts concerning the untruth or omission or that the defendant exercised reasonable care and did not COMPLAINT FOR DECLARATORY JUDGMENT; VIOLATIONS OF CORPORATIONS CODE 84 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 4:18-cv-01792-HSG Document 124-2 Filed 08/01/19 Page 91 of 143 know (or if he had exercised reasonable care would not have known) of the untruth or omission.” Corp. Code, § 25501. 294. Throughout the relevant period, Defendants issued, and caused the Company to issue, statements that, in light of the practices detailed above, were materially false or misleading when made. Defendants’ misrepresentations artificially inflated the price of Facebook shares, causing the Company to purchase shares at artificially inflated prices, through its share repurchase program and subsequent authorizations that were approved by Facebook’s Board. A. Facebook’s Board Approved Facebook’s Share Repurchases and Increased Authorizations Totaling More Than $24 Billion 295. On November 18, 2016, with full knowledge of the exfiltration and unauthorized use of user data and the undisclosed deviation of its policies, as described above, Facebook’s Board authorized the Company to repurchase $6 billion of its own shares of Class A common stock. The share repurchases that took place pursuant to the authorization began in 2017, and were the first in Facebook’s history since becoming a public company. 296. According to Facebook’s 2017 Annual Report, Facebook repurchased approximately 1 3 million Class A common shares for an aggregate amount of approximately $2.07 billion in 2017. Defendants subsequently disclosed that the Company “completed repurchases under the original authorization to purchase up to $6.0 billion of our Class A common stock during the second quarter of 2018” - i.e., Facebook repurchased nearly 4 billion worth of its shares in just a few months - right before the Cambridge Analytica incident was publicly revealed at the end of March 2018. 297. Facebook’s Board increased the authorization for the share repurchases by an additional $9 billion in April 2018, which were completed before the year’s end. 298. Facebook’s Board then authorized yet another $9 billion of share repurchases in December 2018, as disclosed in the Company’s 2018 Annual Report on Form 10-K filed with the SEC on January 31, 2019 (the “2018 Form 10-K”). COMPLAINT FOR DECLARATORY JUDGMENT; VIOLATIONS OF CORPORATIONS CODE 85 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 3ase 4:18-cv-01792-HSG Document 124-2 Filed 08/01/19 Page 92 of 143 299. By the end of 2018, Facebook had repurchased shares of its Class A common stock which were completed during the fourth quarter of 2012. 300. The 2018 Form 10-K, which was signed by all of the Individual Defendants on Facebook’s Board at the time, disclosed the following regarding the share repurchase program: In November 2016, our board of directors authorized a share repurchase program that commenced in January 2017 and does not have an expiration date. We completed repurchases under the original authorization to purchase up to $6.0 billion of our Class A common stock during the second quarter of 2018. In April 2018, the authorization for the repurchase of our Class A common stock was increased by an additional $9.0 billion, and we completed repurchases under this authorization during the fourth quarter of 201 8. In December 2018, our board of directors authorized an additional $9.0 billion of repurchases under this program, all of which remained available for future repurchases as of December 31, 2018. The timing and actual number of shares repurchased depend on a variety of factors, including price, general business and market conditions, and other investment opportunities, and shares may be repurchased through open market purchases or privately negotiated transactions, including through the use of trading plans intended to qualify under Rule 10b5-l under the Exchange Act. 301. Defendants also disclosed in the 2018 Form 1 0-K that substantially all of Facebook’s “cash used in financing activities during 2018“ and the majority in 2017 was spent on share repurchases. Specifically: Cash used in financing activities during 2018 consisted of $12.88 billion paid for repurchases of our Class A common stock, and $3.21 billion of taxes paid related to net share settlement of equity awards, offset by a $500 million overdraft in cash pooling entities. The increase in cash used in financing activities during 2018 compared to 2017 was mostly due to an increase in repurchases of our Class A common stock, partially offset by an increase in overdraft balances in cash pooling entities. Cash used in financing activities during 2017 mostly consisted of $3.25 billion of taxes paid related to net share settlement of equity awards, and $1.98 billion paid for repurchases of our Class A common stock. The increase in cash used in financing activities during 2017 compared to 2016 was mostly due to taxes paid related to net share settlement of equity awards and repurchases of our Class A common stock that commenced in 2017. 302. In conducting these share repurchases, Defendants falsely signaled to the public that they believed Facebook shares were undervalued and that the repurchases were the best COMPLAINT FOR DECLARATORY JUDGMENT; VIOLATIONS OF CORPORATIONS CODE 86 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 3ase 4:18-cv-01792-HSG Document 124-2 Filed 08/01/19 Page 93 of 143 use of the Company’s cash. The share repurchases also had the effect of growing the Company’s earnings per share — as share repurchases lower the number of shares outstanding, on which earnings per share are based — as well as its return on assets, return on equity, and other metrics. Together, these actions helped inflate Facebook’s share price. B. Defendants’ Materially False and Misleadin2 Statements and Omissions Caused Facebook’s Stock to Trade at Artificially Inflated Prices. Which the Company (Over) Paid to Repurchase Its Shares 303. During the time of the share repurchases, Defendants knowingly or recklessly made materially false or misleading statements and/or failed to disclose material information regarding the Company’s user privacy practices and the Cambridge Analytica incident. 304. Defendants also made false or misleading statements or omissions relating to its internal controls and risks in Facebook’s SEC filings. For example, Facebook’s 2015, 2016 and 2017 Annual Reports signed by Defendants each contain approximately 20 pages of risk disclosures, yet the only reference to the unauthorized use of user information refers to the mere risk of it happening in the future, obfuscating the fact that such unauthorized use had already occurred and on a massive scale impacting tens of millions of Facebook users. The Annual Reports falsely contain certifications that Facebook’s internal controls are effective. Defendants’ SEC filings also falsely represented that Facebook maintained robust privacy policies and risk management system to protect user data, and that the Board and senior executives had overall and ultimate responsibility for the management of risk. 305. Defendants’ statements (including those contained in Facebook’s SEC filings described above) were materially false and misleading, and failed to disclose material information, for the reasons stated above, including the fact that Facebook had already experienced the unauthorized access and use of user information, deviated from its own policy to restrict access to user information, and failed to implement and maintain adequate risk controls at the Company. 306. In repurchasing shares in connection with the stock repurchase program, Facebook relied on Defendants’ false or misleading statements, which were reflected in the COMPLAINT FOR DECLARATORY JUDGMENT; VIOLATIONS OF CORPORATIONS CODE 87 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 2ase 4:18-cv-01792-HSG Document 124-2 Filed 08/01/19 Page 94 of 143 stock price of Facebook’s shares that were trading in the market, and Facebook paid the market price for shares of Facebook stock that the Company repurchased during the relevant period pursuant to the stock repurchase program and authorizations that were approved by Facebook’s Board. 307. The price of Facebook’s common stock was artificially inflated as a result of Defendants’ materially false and misleading statements and omissions identified above. Defendants engaged in a scheme to deceive the market and a course of conduct that operated as a fraud or deceit on Facebook, which repurchased shares at artificially inflated prices. When Defendants’ prior misrepresentations and fraudulent conduct were disclosed and became apparent to the market, the price of Facebook stock fell as the prior artificial inflation dissipated. 308. On February 1 , 201 8, Facebook filed with the SEC a Registration Statement on Form S-8 which registered 42,000,000 shares of Facebook Class A common stock that were reserved for issuance under Facebook’s 2012 Equity Incentive Plan for sale at a proposed maximum offering price per share of $1 85.01, which was estimated based on the average of the high and low prices of Facebook common stock as reported on NASDAQ on January 30, 3018, for a proposed maximum aggregate offering price of $7,770,420,000.00. The Registration Statement stated that it “shall also cover any additional shares of Facebook Class A common stock that become issuable in respect of the securities identified [in the Registration Statement] by reason of any stock dividend, stock split, recapitalization or other similar transaction effected without [Facebook’s] receipt of consideration that results in an increase in the number of the outstanding shares of the [Facebook] Class A common stock.” 309. Facebook’s 2018 Form 10-K further stated that the Company’s “shares may be repurchased through open market purchases or privately negotiated transactions, including through the use of trading plans intended to qualify under Rule 10b5-l under the Exchange Act.” VIII. AT THE SAME TIME FACEBOOK WAS REPURCHASING ITS SHARES, DEFENDANTS ZUCKERBERG, SANDBERG AND KOUM SOLD THEIR COMPLAINT FOR DECLARATORY JUDGMENT; VIOLATIONS OF CORPORATIONS CODE 88 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 ase 4:18-cv-01792-HSG Document 124-2 Filed 08/01/19 Page 95 of 143 SHARES AT PRICES THEY KNEW WERE ARTIFICIALLY INFLATED 310. Corporations Code section 25402 provides that “[i]t is unlawful for . . . any person who is an officer, director or controlling person of an issuer or any other person whose relationship to the issuer gives him access, directly or indirectly, to material information about the issuer not generally available to the public, to purchase or sell any security of the issuer in this state at a time when he knows material information about the issuer gained from such relationship which would significantly affect the market price of that security and which is not generally available to the public, and which he knows is not intended to be so available, unless he has reason to believe that the person selling to or buying from him is also in possession of the information.” Corp. Code, § 25402. 311. At the same time F acebook was repurchasing shares of its stock in 20 1 7, 20 1 8, and/or 2019, certain of the Individual Defendants took advantage of the artificial inflation of Facebook’s shares caused by the false and misleading statements and omissions described above, selling over $1 billion worth of their own personally held shares, as set forth herein. 312. At the time of these stock transactions, each of the Individual Defendants was in possession of and had access to material, non-public information regarding, among other things: (i) Facebook’s violations and/or potential violations of various state, federal and foreign laws; (ii) Facebook’s failure to comply with the terms of the FTC consent order; (iii) Facebook’s policies relating to user privacy and the use of Facebook’s platform, changes to those policies and the reasons for such changes, violations of those policies, and the Company’s failure to monitor compliance with those policies and to enforce those policies; (iv) Facebook’s undisclosed data collection practices and its use of user data for targeted advertising and other commercial purposes; (v) Facebook’s platform design and the ability of third party apps to obtain user and non-user data via Facebook’s platform; (vi) Facebook’s data-sharing agreements with third party companies and device manufacturers, and the ability of those companies to obtain user and non-user data via Facebook’s platform; and (vii) Facebook’s targeted advertising business and revenues derived therefrom. Thus, the Individual Defendants’ knew or should have known that Facebook’s stock was artificially inflated due to COMPLAINT FOR DECLARATORY JUDGMENT; VIOLATIONS OF CORPORATIONS CODE 89 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 4:18-cv-01792-HSG Document 124-2 Filed 08/01/19 Page 96 of 143 the failure to disclose material information regarding the foregoing, at the time the Insider Selling Defendants sold their shares of Facebook stock and Facebook repurchased shares of its stock, pursuant to the program and increased authorizations that the Individual Defendants approved and/or effectuated, as alleged herein. 313. Defendants were required to disclose to shareholders “material information,” the kind of information that an investor would want to know to protect their investment. The SEC issued guidance on public reporting of cybersecurity incidents, noting that the commission “encourages companies to continue to use Form 8-K or Form 6-K to disclose material information promptly, including disclosure pertaining to cybersecurity matters.” 314. In the 2017 and 2018 Proxy Statements, Facebook did not mention the Cambridge Analytica incident, and also did not mention these facts in any of its Form 8-K or Form 6-K filings. Instead, Facebook made general statements in their most recent proxy statement and annual report on Form 10-K about potential, not actual, user privacy and data security risks, and certified that the Company’s internal controls were adequate and complied with applicable laws (which necessarily include the FTC Consent Order). 315. In addition, the financial statements and information in Facebook’s public filings with the SEC, including in the 2018 Proxy Statement, were materially false and misleading because Facebook’s revenue and other financial metrics were overstated due to Defendants’ omissions of material information and failure to sufficiently and/or accurately account for stock-based compensation expense, amounts that were significant and material to understanding Facebook’s true financial condition. 316. In addition to the $22 billion purchase price, the WhatsApp merger agreement provided for an additional $3 billion in restricted stock units (“RSUs”) to be granted to WhatsApp ’s founders and employees, including defendant Koum, that would vest over four years subsequent to closing. The Class A common stock and RSUs issued to WhatsApp shareholders and employees upon closing represented approximately 7.9% of Facebook shares then outstanding. COMPLAINT FOR DECLARATORY JUDGMENT; VIOLATIONS OF CORPORATIONS CODE 90 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 4:18-cv-01792-HSG Document 124-2 Filed 08/01/19 Page 97 of 143 317. Defendant Koum was granted approximately 24.9 million RSUs in connection with the merger agreement, including approximately 7 million unvested shares that were granted to Koum as an “inducement award” that remained unvested as of March 31, 2018. 318. The unvested RSUs that were granted to Koum were set to vest incrementally until late 2018, with 1.9 million shares to vest on May 15, 2018 and in August 2018, plus a final tranche of 2. 1 million shares that would be issued in November 201 8, and were contingent on him still being employed through those dates. 319. According to Facebook’s Form 8-K dated April 30, 2018, defendant Koum informed the Board in connection with his resignation as CEO of WhatsApp that he would not stand for re-election to the Board at the 2018 Annual Meeting. 320. Accordingly, at the time of his resignation in April 2018, defendant Koum would have forfeit 5.8 million shares, worth approximately $997.5 million as of the date of the announcement. However, the “inducement award” was “subject to acceleration if [Koum’s] employment is terminated without ‘cause’ or if the [he] resigns for ‘good reason’.” 321. According to Facebook’s Form 10-Q for the quarterly period ending March 31, 2018, as of that date, Facebook had $10.82 billion of unrecognized share-based compensation expense, substantially all of which was related to RSUs. Included in this amount were 7 million unvested shares that had been granted to defendant Koum as the “inducement award” in connection with the WhatsApp acquisition in 2014. The “inducement award” was subject to acceleration pursuant to the terms of Koum’s employment agreement. 322. During the relevant period of conduct alleged to violate the Corporations Code, Defendants knew that the material facts and information described above were not publicly disclosed and that Facebook’s minority shareholders and the public had no way of knowing that Facebook’s financial statements and public filings were materially false and misleading and, as a result, shares of Facebook’s Class A common stock were trading at artificially inflated prices. While these and other material facts were concealed from Facebook COMPLAINT FOR DECLARATORY JUDGMENT; VIOLATIONS OF CORPORATIONS CODE 91 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 :ase 4:18-cv-01792-HSG Document 124-2 Filed 08/01/19 Page 98 of 143 shareholders and the public, the Insider Selling Defendants sold or otherwise disposed of their shares of Facebook common stock, thereby violating section 25402 of the Corporations Code. 323. According to Facebook’s 2018 Proxy Statement filed with the SEC on April 13, 2018 (the “2018 Proxy Statement”), defendant Koum held approximately 14.2 million shares of Facebook Class A common stock. Beginning in 2017, at the same time when Facebook was / repurchasing shares of its Class A common stock in the open market, defendant Koum sold more than twice that amount, or approximately 34.2 million shares of his personally held Facebook stock, at an average price of $158.52 per share, as set forth in the chart below: ■^xdajeMM Shares sold? laiiiispipfii SfillRibESli 2/14/2017 647,390 133.85 2/20/2017 595,284 133.36 2/20/2017 149,978 133.35 2/23/2017 997,450 n/a 2/23/2017 1,396,457 n/a 2/23/2017 1,094,915 n/a 3/14/2017 3,300 140.00 3/15/2017 1,717,077 140.01 3/16/2017 402,925 140.07 3/19/2017 88,332 140.01 3/20/2017 199,347 141.54 3/20/2017 16,100 142.15 3/20/2017 128,990 140.39 3/22/2017 65,353 140.05 3/23/2017 200 141.00 3/23/2017 178,376 140.37 4/27/2017 2,935,336 150.18 4/27/2017 264,664 151.24 5/14/2017 648,427 150.33 5/15/2017 29,913 150.11 5/15/2017 564,333 149.71 5/17/2017 1,328,491 n/a 5/17/2017 1,041,957 n/a 5/17/2017 1,257,120 n/a 7/13/2017 3,490,137 160.02 COMPLAINT FOR DECLARATORY JUDGMENT; VIOLATIONS OF CORPORATIONS CODE 92 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 4:18-cv-01792-HSG Document 124-2 Filed 08/01/19 Page 99 of 143 7/16/2017 31,663 160.38 7/17/2017 18,218 162.61 7/17/2017 29,045 161.48 7/17/2017 7,184 163.21 7/17/2017 23,753 160.49 8/9/2017 1,110,879 n/a 8/9/2017 1,110,879 n/a 8/14/2017 648,427 170.75 8/15/2017 688,985 170.53 8/15/2017 5,507 171.28 8/15/2017 2,259,000 170.05 8/29/2017 63,629 170.02 8/30/2017 367,363 171.64 8/30/2017 5,228 172.09 8/30/2017 204,534 170.75 10/29/2017 804,555 180.08 10/30/2017 1,795,445 180.09 11/14/2017 648,428 178.07 11/15/2017 455,023 179.26 11/15/2017 139,223 179.63 2/12/2018 1,168,777 n/a 2/12/2018 934,766 n/a 2/14/2018 1,231,441 179.52 2/19/2018 371,500 175.65 2/19/2018 580,736 176.60 2/19/2018 301,670 177.41 IBflWHi nmm Average During Period: $158.52 324. According to the 2018 Proxy Statement, defendant Sandberg held approximately 3.5 million shares of Facebook stock, including 1 .5 million shares of Class A common stock held indirectly through a trust, and an additional 2 million shares of Facebook Class B stock. Beginning in 2017, at the same time when Facebook was repurchasing shares of its Class A common stock in the open market, defendant Sandberg sold almost twice that amount, or nearly 7 million shares of her personally held Facebook stock, at an average price of $155.78 per share, as set forth in the chart below: COMPLAINT FOR DECLARATORY JUDGMENT; VIOLATIONS OF CORPORATIONS CODE 93 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 ase 4:18-cv-01792-HSG Document 124-2 Filed 08/01/19 Page 100 of 143 SHARES SOLD SHARES HELD V'..-vVVy V . 1/4/2017 20,890 $119.13 2,906,666 1/4/2017 7,821 $120.71 2,870,960 1/4/2017 26,482 $119.78 2,934,731 1/4/2017 27,885 $119.79 2,878,781 1/4/2017 18,747 $119.12 2,961,213 1/4/2017 7,175 $120.72 2,927,556 1/14/2017 39,104 $128.34 2,906,796 1/17/2017 9,294 $127.96 2,850,200 1/17/2017 47,302 $127.49 2,859,494 1/17/2017 4,877 $128.03 2,906,796 1/17/2017 47,527 $127.52 2,911,673 1/19/2017 2,850,200 n/a n/a 2/14/2017 22,539 $133.85 2,870,854 2/14/2017 6,799 $133.85 2,877,084 2/15/2017 157,212 $133.39 2,877,084 2/15/2017 169,788 $133.39 2,707,296 2/27/2017 81,598 $135.58 2,625,698 2/27/2017 80,276 $136.16 2,707,296 2/27/2017 76,936 $135.58 .2,787,572 2/27/2017 88,190 $136.15 2,537,508 3/14/2017 54,530 $139.77 2,367,720 3/14/2017 108,469 $139.03 2,586,251 3/14/2017 48,743 $139.78 2,537,508 3/14/2017 48,743 $139.78 2,537,508 3/29/2017 141,490 $140.37 2,226,230 3/29/2017 100 $142.90 2,367,720 3/29/2017 130,910 $142.41 2,367,820 4/14/2017 39,104 $139.39 2,262,066 4/17/2017 66,306 $141.20 2,274,366 4/17/2017 7,700 $141.77 2,177,172 4/17/2017 12,300 $141.73 2,262,066 4/17/2017 77,194 $141.22 2,184,872 5/10/2017 82,694 $149.92 2,094,478 5/10/2017 1,830 $150.53 2,177,172 5/10/2017 2,200 $150.51 2,092,278 5/10/2017 76,776 $149.92 2,179,002 5/14/2017 22,539 $150.33 2,119,162 5/14/2017 6,799 $150.33 2,098,508 COMPLAINT FOR DECLARATORY JUDGMENT; VIOLATIONS OF CORPORATIONS CODE 94 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 ase 4:18-cv-01792-HSG Document 124-2 Filed 08/01/19 Page 5/18/2017 23,824 n/a n/a 5/23/2017 45,662 $149.83 2,058,092 5/23/2017 37,675 $149.23 2,183,917 5/23/2017 40,931 $149.84 2,142,986 5/23/2017 39,232 $149.22 2,103,754 6/5/2017 19,006 $152.99 2,117,692 6/5/2017 20,894 $153.00 2,037,198 6/5/2017 64,000 $153.98 1,973,198 6/5/2017 59,600 $153.98 2,058,092 6/18/2017 48,564 $152.50 1,924,634 6/18/2017 21,315 $153.01 1,973,198 6/18/2017 41,899 $152.47 1,994,513 6/18/2017 19,722 $153.04 1,904,912 7/14/2017 39,104 $159.97 1,940,748 7/30/2017 590,000 n/a 1,350,748 8/14/2017 6,800 $170.75 1,356,978 8/14/2017 6,800 $170.75 1,356,978 10/14/2017 39,105 $173.74 1,413,468 11/14/2017 6,799 $178.07 1,440,352 11/14/2017 22,539 $178.07 1,434,122 2/13/2018 12,525 $177.14 1,463,727 2/13/2018 6,300 $176.54 1,476,252 2/13/2018 12,875 $179.32 1,440,352 2/13/2018 10,500 $178.32 1,453,227 2/13/2018 10,900 $174.97 1,482,552 2/13/2018 1,900 $173.46 1,493,452 2/13/2018 12,525 $177.14 1,463,727 2/13/2018 6,300 $176.54 1,476,252 2/13/2018 12,875 $179.32 1,440,352 2/13/2018 10,500 $178.32 1,453,227 2/13/2018 10,900 $174.97 1,482,552 2/13/2018 1,900 $173.46 1,493,452 2/14/2018 8,185 $179.52 1,472,803 2/14/2018 6,461 $179.52 1,464,480 2/14/2018 233 n/a n/a 2/14/2018 17,038 $179.52 1,457,911 2/14/2018 233 n/a n/a 2/14/2018 17,038 $179.52 1,457,911 3/1/2018 11,080 $174.51 1,498,523 COMPLAINT FOR DECLARATORY JUDGMENT; VIOLATIONS OF CORP( 95 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 ase 4:18-cv-01792-HSG Document 124-2 Filed 08/01/19 Page 3/1/2018 22,236 $175.49 1,476,287 3/1/2018 18,200 $173.62 1,509,603 3/1/2018 3,484 $176.48 1,472,803 3/14/2018 26,134 $183.51 1,472,803 3/14/2018 28,866 $182.79 1,498,937 4/1/2018 2,400 $158.54 1,472,803 4/1/2018 16,870 $154.95 1,510,933 4/1/2018 3,500 $157.65 1,475,203 4/1/2018 20,620 $155.60 1,490,313 4/1/2018 11,610 $156.67 1,478,703 4/17/2018 40,261 $166.66 1,487,542 4/17/2018 14,739 $167.32 1,472,803 5/29/2018 37,308 $187.72 1,505,021 5/29/2018 5,200 $186.80 1,542,329 5/29/2018 12,492 $185.88 1,547,529 8/28/2018 34,371 $175.44 1,557,868 8/28/2018 20,629 $176.04 1,537,239 10/31/2018 334,300 n/a 1,202,939 11/13/2018 23,034 $143.09 1,223,727 11/13/2018 3,934 $145.06 1,202,939 11/13/2018 16,854 $144.11 1,206,873 11/13/2018 11,178 $142.08 1,246,761 11/14/2018 8,186 $144.22 1,235,157 11/14/2018 6,461 $144.22 1,226,834 11/14/2018 17,039 $144.22 1,220,265 3/12/2019 28,451 $172.92 1,298,676 3/12/2019 26,549 $173.58 1,272,127 3/24/2019 10,471 $166.09 1,272,127 3/24/2019 18,398 $164.46 1,282,598 3/24/2019 6,372 $162.72 1,320,755 3/24/2019 19,759 $163.83 1,300,996 4/3/2019 24,694 $177.10 1,278,190 4/3/2019 24,243 $176.05 1,302,884 4/3/2019 6,063 $177.71 1,272,127 ctI-O I Average During Period: $155.78 1,882,506 325. According to Facebook’s Form 10-Q filed with the SEC on P defendant Zuckerberg indirectly held approximately 1 1 .92 million Class A COMPLAINT FOR DECLARATORY JUDGMENT; VIOLATIONS OF CORP( 96 ase 4:18-cv-01792-HSG Document 124-2 Filed 08/01/19 Page 103 of 143 C series of funds. On July 25, 2018, while Facebook’s stock price was trading at around its all- time high, Zuckerberg sold 240,000 shares of Facebook Class A common stock at an average price of $216.71 per share, near its all-time high of approximately $223 per share earlier that month, for total proceeds of just over $52 million. 326. Defendant Zuckerberg’s stock sales have dramatically risen in the last five years, as demonstrated by the chart below. In the last 5 years, Zuckerberg has sold 41 ,734,748 shares of his Facebook stock, 36% of which (1 5,1 36,652 shares) were sold in the last 12 months: 327. The Insider Selling Defendants’ sales of their Facebook shares described above were unusual in timing and/or amount, particularly in that they occurred at the same time as Facebook was repurchasing shares of its common stock in the open market. 328. Throughout the relevant period in 2017, 2018 and 2019 when Facebook was repurchasing its shares, the Company’s stock price was trading at prices that were artificially inflated by the materially false and misleading statements and omissions described above, as shown in the following charts: COMPLAINT FOR DECLARATORY JUDGMENT; VIOLATIONS OF CORPORATIONS CODE 97 1 2 3 4 5 6 7 8 9 10 1 1 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 ase 4:18-cv-01792-HSG Document 124-2 Filed 08/01/19 Page 104 of 143 FACEBOOK, INC. STOCK PRICE CHART $250.00 $200.00 $150.00 $100.00 $50.00 $0.00 /■ lA cy A cy & £y -A ,cy sy a kcy A V y -A\v ^ A A y kcy