A recent lawsuit against Amazon founder and Executive Chairman Jeff Bezos, CEO Andy Jassy, 11 members of the company board of directors and several other prominent company executives will likely bring greater attention to corporate policies that deal with the use of customer data during the course of business operations.
The lawsuit, filed in May by shareholder Stephen Nelson, is seeking to hold Amazon’s key executives personally accountable for knowingly allowing the misuse of customer data in ways that could cause extensive reputational and financial damage to the company. Collection and analysis of customer data is essential for companies to increase sales, maintain supply chain efficiency, develop new products, and provide greater customer service. However, this lawsuit raises the question of who should be held responsible for determining what customer data can be used for, especially if misuse of the data can damage a company’s reputation and make it liable for legal damages from lawsuits or actions by regulators.
Shareholder Nelson’s lawsuit centers on the use of biometric data, which is new territory for most board members. Amazon has already been accused of using customer’s images without their consent, as well as being cited for breaking state laws that prohibit companies from profiting from the use of customer biometric data, such as fingerprints and facial images. The lawsuit accuses Amazon’s leadership of downplaying the financial risks associated with its use of biometric data and potential violations of state privacy laws. The court filing alleges Amazon is facing 14 class action lawsuits and 75,000 individual cases dealing with misuse of customer data, all of which could have massive financial consequences for the company. Amazon, in a statement, has assured investors that its board is “committed to the responsible use of artificial intelligence and machine learning products and services.”
Finally, the lawsuit asks that Amazon be directed to change its practices around the use of biometric data. If the lawsuit is successful, other companies may face lawsuits targeting their boards and seeking court mandated changes to policies dealing with the use of customer data.
Why is this case important for corporate boards?
• Reevaluate board members and customer base. While Amazon and other tech companies may face a particular challenge dealing with the proper use of customers’ biometric data, the use of customer data by all corporations is only going to increase going forward. This case should remind boards that they have an obligation to prepare strategies that can take advantage of the collection of different types of customer data without placing the company at risk of violating the law.
Boards should determine “Do we have directors who have experience creating strategies that can use customer data in ways that increase profits?” “Do we have directors with experience understanding the laws governing the use of customer data – including privacy laws and cybersecurity laws?” Strengthening the knowledge base regarding privacy and cybersecurity may need to be a higher priority for some boards.
This case should also spur boards to re-examine their current policies and practices governing the collection and use of customer data. Among the questions to ask are: “What types of customer data are we collecting now and how are we making use of it?” “Are there other types of customer data that we are not collecting but should be collecting now and in the future?” “What policies do we have in place to safeguard this data?” And, “What type of internal security measures do we have in place to make sure that only authorized employees access customer data?”
Now that so many people have made changes due to the Covid-19 pandemic and other financial challenges, it is a good time to reevaluate your customer base. Companies may determine that there have been major shifts in customer behavior that the company could benefit from, or customer needs have changed and need to be addressed before market share is lost for good.
• Reassess the risks of dealing with customer data. This case demonstrates how legal liability can shift when shareholders apply pressure to make certain changes. Resisting change can involve legal risks that can damage the company financially, so boards need to determine whether they are operating within the law and whether they have internal policies in place that demonstrate that they have taken the appropriate actions to limit risks that may result from their business policies involving customer data. Bringing in legal experts to review customer data policies may help, especially regarding the handling of customer data by third party or foreign entities.