We are subject to stringent and evolving data privacy and information security laws, regulations, rules, policies, and contractual obligations, and changes in such laws, regulations, rules, policies, contractual obligations and our actual or perceived failure to comply with such requirements could subject us to significant investigations, fines, penalties and claims, any of which may have a material adverse effect on our business, financial condition, results of operations or prospects.
We are subject to, or affected by, numerous federal, state and foreign laws and regulations, as well as regulatory guidance, policies and contractual obligations relating to data privacy and security, governing the collection, use, disclosure, processing, retention, storage, transfer, destruction, and security of personal information. The global data protection landscape is rapidly evolving, and implementation standards and enforcement practices are likely to remain uncertain for the foreseeable future and could result in conflicting compliance obligations. This evolution may create uncertainty in our business, affect our or our collaborators’, service providers’ and contractors’ ability to operate in certain jurisdictions or to collect, use, disclose, process, retain, store, transfer, destroy and secure personal information, necessitate the acceptance of more onerous obligations in our contracts, result in liability or impose additional costs on us. The cost of compliance with these laws, regulations and standards is high and is likely to increase in the future. Any failure or perceived failure by us or our collaborators, service providers and contractors to comply with federal, state or foreign laws or regulations, our internal policies and procedures or our contracts governing the processing of personal information could result in negative publicity, diversion of management time and effort and proceedings against us by governmental entities or others. In many jurisdictions, enforcement actions and consequences for noncompliance are rising. Compliance with applicable privacy and data security laws and regulations, as well as regulatory guidance, policies and contractual obligations, is a rigorous and time-intensive process, and we may be required to put in place additional mechanisms to ensure compliance with the new data protection requirements.
If we fail to comply with any such obligations, we may face significant investigations, fines, penalties and claims that could adversely affect our business, financial condition and results of operations.
In the U.S., these include rules and regulations promulgated under the authority of the Federal Trade Commission and may include the following laws and regulations: the Electronic Communications Privacy Act, the Computer Fraud and Abuse Act, the California Consumer Privacy Act of 2018, or the CCPA, and other state and federal laws relating to data privacy and security. The CCPA establishes a privacy framework for covered businesses, including an expansive definition of personal information and data privacy rights for California residents. The CCPA, among other things, authorizes the imposition of potentially severe statutory damages and created a private right of action for data security breaches. The CCPA requires covered businesses to provide new disclosures to California residents and to provide them new ways to opt-out of the sale of personal information. Although there are limited exemptions for clinical trial and other research-related data under the CCPA, the CCPA and other similar laws could impact our business depending on how the CCPA will be interpreted. As we expand our operations, the CCPA may increase our compliance costs and potential liability. In addition, California voters recently approved the California Privacy Rights Act of 2020, or CPRA, that goes into effect on January 1, 2023. It is expected that the CPRA would, among other things, give California residents the ability to limit the use of their sensitive information, provide for penalties for CPRA violations concerning California residents under the age of 16, and establish a new California Privacy Protection Agency to implement and enforce the law. These laws demonstrate our Company’s vulnerability to the evolving regulatory environment related to personal information. Some observers have noted that the CCPA could mark the beginning of a trend toward more stringent privacy legislation in the U.S.
Internationally, our operations abroad may also be subject to increased scrutiny or attention from foreign data protection authorities. For example, our clinical trial programs and research collaborations outside the United States may implicate foreign data protection laws, including in Europe. Many jurisdictions have established or are in the process of establishing privacy and data security legal frameworks with which we, our collaborators, service providers, including our CROs, and contractors must comply. For example, European data protection laws, including, without limitation, the GDPR, impose strict requirements for processing the personal information of individuals residing in the European Economic Area, or EEA, Switzerland, and the United Kingdom (collectively, “Europe”), including clinical trial data. The GDPR and similar laws increase our obligations with respect to clinical trials conducted in Europe by expanding the definition of personal information to include coded data and requiring changes to informed consent practices and more detailed notices for clinical trial participants and investigators. In addition, the GDPR provides for robust regulatory enforcement and fines of up to €20 million or 4% of the annual global revenue of the noncompliant company, whichever is greater. The GDPR also authorizes penalties for non-compliance (such as an inability to use the relevant personal data) and civil litigation claims.