affect our ability to operate our business and our results of operations.
We are subject to stringent and evolving privacy and information security laws, regulations, rules, policies, and contractual obligations, and changes in such laws, regulations, rules, policies, contractual obligations and our actual or perceived failure to comply with such requirements could subject us to significant investigations, fines, penalties and claims, any of which may have a material adverse effect on our business, financial condition, results of operations or prospects.*
We are subject to, or affected by, various federal, state and foreign laws, rules, directives, and regulations, as well as regulatory guidance, policies and contractual obligations relating to privacy and information security, governing the acquisition, collection, access, use, disclosure, processing, modification, retention, storage, transfer, destruction, protection, and security (collectively, “processing”) of personal information and other sensitive information about individuals. The global privacy and information security landscape is evolving rapidly, and implementation standards and enforcement practices are likely to continue to develop for the foreseeable future and may result in conflicting or inconsistent compliance obligations. Legislators and regulators are increasingly adopting or amending privacy and information security laws, rules, directives, and regulations that may create uncertainty in our business, affect our or our collaborators’, service providers’ and contractors’ ability to operate in certain jurisdictions or to process personal information, transfer data internationally, necessitate the acceptance of more onerous obligations in our contracts, result in enforcement actions, litigation or other liability or impose additional costs on us. The cost of compliance with these laws, regulations and standards is high and is likely to increase in the future. Any failure or perceived failure by us or our collaborators, service providers and contractors to comply with federal, state or foreign laws or regulations, our internal policies and procedures or our contracts governing the processing of personal information could result in negative publicity, diversion of management time and effort and proceedings against us by governmental entities or others. In many jurisdictions, enforcement actions, litigation, and other consequences for noncompliance with privacy and information security laws and regulations are rising. 
Compliance with applicable privacy and information security laws and regulations, as well as regulatory guidance, policies and contractual obligations, is a rigorous and time-intensive process, and we may be required to put in place additional mechanisms to ensure compliance with the new privacy and information security requirements. If we fail to comply with any such obligations, we may face significant investigations, fines, penalties and claims that could materially and adversely affect our business, financial condition, results of operations, ability to process personal information and income from certain business initiatives.
In the US, these obligations include various federal, state, and local statutes, rules, and regulations relating to privacy and data security. The Federal Trade Commission (FTC) has authority under Section 5 of the FTC Act to regulate unfair or deceptive practices, and has used this authority to initiate enforcement actions against companies that implement inadequate controls around privacy and information security in violation of their externally facing policies. The FTC has recently brought several cases alleging violations of Section 5 of the FTC Act with respect to health information, and has proposed rulemaking on privacy and data security, including with respect to the Health Breach Notification Rule. Additionally, the FTC published an advance notice of proposed rulemaking in 2022 on commercial surveillance and data security, and may propose regulation concerning the ways in which companies collect, aggregate, protect, use, analyze, and retain consumer data, as well as transfer, share, sell, or otherwise monetize that data in the coming years. Additionally, the US federal government has also enacted statutes to address privacy and information security issues impacting particular industries or activities, including the following laws and regulations: the Electronic Communications Privacy Act, the Computer Fraud and Abuse Act, the Health Insurance Portability and Accountability Act (HIPAA), the Health Information Technology for Economic and Clinical Health Act, the Telephone Consumer Protection Act, the CAN-SPAM Act, and other laws and regulations.
In addition, state legislatures have enacted statutes to address privacy and information security issues, including the California Consumer Privacy Act of 2018 (the CCPA). For example, the CCPA, as amended by the California Privacy Rights Act (CPRA) in 2020, establishes a privacy framework applicable to for-profit entities that are doing business in California, including an expansive definition of personal information and data privacy rights for California residents, and authorizes potentially severe statutory damages and creates a private right of action for certain data security breaches. The CCPA also requires businesses subject to the law to provide disclosures to California residents and to provide them with rights with respect to their personal information, including the right to opt out of the sale of such information. Moreover, the CPRA, among other things, imposes new requirements relating to data minimization and correction, and gives California residents additional rights over their personal information, including the right to opt out of the use of their personal information in online behavioral advertising and to opt out of certain types of consumer