We are subject to stringent and evolving U.S. and foreign laws, regulations, rules, contractual
obligations, policies and other obligations related to data privacy and security. Our actual or perceived failure to comply with such obligations could lead to adverse business consequences.
Our data processing activities may subject us to numerous data privacy and security obligations, such as various laws, regulations, guidance,
industry standards, external and internal privacy and security policies, contractual requirements, and other obligations relating to data privacy and security.
In the United States, federal, state, and local governments have enacted numerous data privacy and security laws, including data breach
notification laws, personal data privacy laws, consumer protection laws (e.g., Section 5 of the Federal Trade Commission Act), and other similar laws (e.g., wiretapping laws). For example, the California Consumer Privacy Act of 2018
(CCPA) requires businesses to provide specific disclosures in privacy notices and honor requests of California residents to exercise certain privacy rights. The CCPA provides for civil penalties of up to $7,500 per violation and allows
private litigants affected by certain data breaches to recover significant statutory damages. In addition, the California Privacy Rights Act of 2020 (CPRA), which becomes effective January 1, 2023, will expand the CCPAs
requirements, including applying to personal information of business representatives and employees and establishing a new regulatory agency to implement and enforce the law.
Other states, such as Virginia and Colorado, have also passed comprehensive privacy laws, and similar laws are being considered in several
other states, as well as at the federal and local levels. Additionally, several states and localities have enacted measures related to the use of artificial intelligence and machine learning in products and services. These developments may further
complicate compliance efforts, and may increase legal risk and compliance costs for us, the third parties upon whom we rely, and our customers.
Outside the United States, an increasing number of laws, regulations, and industry standards may govern data privacy and security. For
example, the European Unions General Data Protection Regulation (EU GDPR), the United Kingdoms GDPR (UK GDPR), Brazils General Data Protection Law (Lei Geral de Proteção de Dados Pessoais, or
LGPD) (Law No. 13,709/2018), and Chinas Personal Information Protection Law (PIPL) impose strict requirements for processing personal data.
For example, under the EU GDPR, companies may face temporary or definitive bans on data processing and other corrective actions; fines of up
to 20 million Euros or 4% of annual global revenue, whichever is greater; or private litigation related to processing of personal data brought by classes of data subjects or consumer protection organizations authorized at law to represent their
interests. Additionally, we also target customers in Asia and may be subject to new and emerging data privacy regimes in Asia, including Chinas Personal Information Protection Law, Japans Act on the Protection of Personal Information,
and Singapores Personal Data Protection Act.
In addition, we may be unable to transfer personal data from Europe and other
jurisdictions to the United States or other countries due to data localization requirements or limitations on cross-border data flows. Europe and other jurisdictions have enacted laws requiring data to be localized or limiting the transfer of
personal data to other countries. In particular, the European Economic Area (EEA) and the United Kingdom (UK) have significantly restricted the transfer of personal data to the United States and other countries whose privacy
laws it believes are inadequate. Other jurisdictions may adopt similarly stringent interpretations of their data localization and cross-border data transfer laws. Although there are currently various mechanisms that may be used to transfer personal
data from the EEA and UK to the United States in compliance with law, such as the EEA and UKs standard contractual clauses, these mechanisms are subject to legal challenges, and there is no assurance that we can satisfy or rely on these
measures to lawfully transfer personal data to the United States. If there is no lawful manner for us to transfer personal data from the EEA, the UK, or other jurisdictions to the United States, or if the requirements for a legally-compliant
transfer are too onerous, we could face significant adverse consequences, including the interruption or degradation of our operations, the need to relocate part of or all of our business or data processing activities to other jurisdictions at
significant expense, increased exposure to regulatory actions, substantial fines and penalties, the inability to transfer data and work with partners, vendors and other third parties, and injunctions against our processing or transferring of
personal data necessary to operate our business. Some European regulators have prevented companies from transferring personal data out of Europe for allegedly violating the GDPRs cross-border data transfer limitations.
In addition to data privacy and security laws, we may be contractually subject to industry standards adopted by industry groups and may become
subject to such obligations in the future. We may also be bound by other contractual obligations related to data privacy and security, and our efforts to comply with such obligations may not be successful. For example, certain privacy laws, such as
the GDPR and CCPA, require our customers to impose specific contractual restrictions on their service providers. Additionally, some of our customers may require us to host personal data locally.
We may publish privacy policies, marketing materials, and other statements, such as compliance with certain certifications or self-regulatory
principles, regarding data privacy and security. If these policies, materials or statements are found to be deficient, lacking in transparency, deceptive, unfair, or misrepresentative of our practices, we may be subject to investigation, enforcement
actions by regulators, or other adverse consequences.
Obligations related to data privacy and security are quickly changing, becoming
increasingly stringent, and creating regulatory uncertainty. Additionally, these obligations may be subject to differing applications and interpretations, which may be inconsistent or conflict among jurisdictions. Preparing for and complying with
these obligations requires us to devote significant resources and may necessitate changes to our services, information technologies, systems, and practices and to those of any third parties that process personal data on our behalf.
63