By: JB Ferguson
September 4, 2022 — Leona Helmsley, the famed hotel business magnate, famously once said, “Only the little people pay taxes.” Although it has always been true that the famous, wealthy, and otherwise powerful can escape the consequences of their actions in a way unavailable to “little people,” public assumption of that unaccountability has accelerated during the past decade.
By contrast, the idea that the law and powerful government agencies matter is a thread underpinning Capstone’s work. The wheels of justice grind slowly, but they eventually get there more often than everyday cynicism would have us imagine.
The rule of law is having something of a moment across several TMT issue areas, including Twitter, privacy, and crypto. In all three cases, dominant players who are used to flouting the letter (if not the spirit) of the law may find themselves up a proverbial creek sans paddle if litigation and enforcement trends continue.
Elon Musk has a long history of frustrating regulators like the Securities and Exchange Commission (SEC) while simultaneously entertaining his millions of online supporters, like with the misleading tweet in 2018 that he had secured funding for a Tesla Inc. take-private at $420 per share. That incident led to a $40 million fine and additional restrictions on his public communications, which he has routinely flouted. Musk takes a similar approach with his public commentary on agencies such as the National Highway Traffic Safety Administration and the Federal Aviation Administration that have direct regulatory authority over his businesses. We think Musk made a fundamental mistake in assuming his “successes” taunting federal agencies without serious consequences would translate to busting his acquisition of Twitter lawsuit in the Delaware Court of Chancery.
There is something raw and fundamental about the world’s richest person being sued in a court with 220 years of history and a laser focus on the technicalities of dealmaking. Musk waived nearly all his protections when he made the offer back in April and is in the unenviable position of having to show that he was somehow defrauded or that Twitter was materially mismanaged after the deal was announced. We think the bar to prove either condition is set very high and, in our view, at odds with shares’ current 40% discount to the $54.20 offer price.
In a series of notes, Capstone has outlined why Musk’s chances of escaping the deal are remarkably low (7% probability). The tone and tenor of Delaware Court Chancellor Kathaleen McCormick’s adjudication of the case so far only reinforces that position. The bombshell allegations from Peiter “Mudge” Zatko of Twitter’s cybersecurity mismanagement is a mixed bag for Musk, as the details provide some material on which to prove fraud but completely derail his primary contention about the measurement of Twitter’s user base.
We think privacy law is on a much slower timeline but has similar dynamics. The most direct analog is in Europe, where the text of the General Data Protection Regulation (GDPR) and subsequent interpretations by the Court of Justice of the European Union (CJEU). The core conflict is between GDPR’s requirement for “specific, informed consent” and the low-friction nature of industry-standard cookie popups. The plain text of GDPR clearly calls into question the viability of the real-time bidding market for advertising, as consent is extremely difficult and impractical to establish for the hundreds of potential receivers of a user’s personal information. Despite the industry’s commitment to common frameworks for low-friction consent handling, including the Internet Advertising Bureau’s (IAB) Trust and Consent Framework, European Union Member State and CJEU decisions against IAB, Google, adtech firm Criteo, and others are chipping away at their feasibility. We expect this elimination of various “industry best practices” for compliance to continue as advocates’ complaints wind their way through EU Member States’ data protection authorities and the CJEU.
Privacy law in the US may face a similar fate, especially if preemptive legislation such as the American Data Privacy and Protection Act is not passed. California privacy law requires businesses to honor opt-out signals sent by browsers, generally referred to as a “global privacy control” (GPC). Beginning in 2023, any GPC signal must be honored across data sales and sharing data for ad personalization. In its first public online privacy enforcement action (against cosmetics giant Sephora), the state attorney general highlighted the company’s lack of GPC handling.
In our private equity due diligence, we have yet to see even one firm honor GPC signals despite the law’s clear requirement. While the initial impact is additional development and some changes to privacy policies, should Apple Inc. (or, less likely, Google) decide to implement GPC opt-out signals by default, half of the addressable web traffic in the US will disappear overnight. Much like Apple’s move to require true opt-in to app behavior tracking (App Tracking Transparency, or ATT), we do not expect antitrust concerns to override the perceived privacy benefits.
Lastly, there is an analogous mix of inattention and hubris developing in the crypto space. A forthcoming change to the Ethereum blockchain and its native token ether will put large swaths of the crypto economy on a collision course with the SEC’s longstanding definition of a security. Ethereum has relied on one speech made in 2018 by an SEC Commissioner in his private capacity to justify its status as a commodity rather than a security, and the chain is effectively viewed as “too big to regulate” by exchanges and investors. For years the SEC has seemed content to leave it alone and focus on easier enforcement targets like token ICOs, but the thin thread of ether’s commodity status has never been strengthened. The shift from proof-of-work (PoW) to proof-of-stake (PoS) between September 10th and 20th could catalyze the SEC to assert that ether is an unregistered security.
We think it extremely likely that commission Chair Gary Gensler will believe the PoS version of ether is a security. PoS requires network operators (“validators”) to post collateral (“stakes”), guaranteeing performance to earn fees for processing transactions. PoS stakes are arguably an investment of money in a common enterprise, with a reasonable expectation of profits to be derived from the efforts of a validator in line with the criteria set by the Howey precedent in 1946. An SEC claim that the new PoS tokens are a security will likely force US exchanges to drop the token and call into question other products, including NFTs, built on top of Ethereum. Such a move would be incredibly damaging for the US crypto industry, counterbalanced only by the likely improved chances for pro-crypto legislation in the next Congress.
In all three areas above, the law says what it says, and the responsible enforcers have made clear both their interpretations of the law and their intent to follow through on that interpretation. We expect them to make good on those promises.