and we cannot provide any assurances as to whether such actions will occur or the form that they may take. To the extent that our sales or profitability are negatively affected by any such tariffs or other trade actions, our business and results of operations may be materially adversely affected.
We are subject to governmental export controls that could impair our ability to compete in international markets due to licensing requirements and subject us to liability if we are not in compliance with applicable laws.
Exports of our products are subject to export controls and sanctions laws and regulations imposed by the U.S. government and administered by the U.S. Departments of State, Commerce and Treasury. U.S. export control laws may require a license or other authorization to export products to certain destinations and end users. In addition, U.S. economic sanctions laws include restrictions or prohibitions on the sale or supply of certain products to U.S. embargoed or sanctioned countries, governments, persons and entities. Obtaining export licenses can be difficult, costly and time-consuming and we may not always be successful in obtaining necessary export licenses, and our failure to obtain required export approval for our products or limitations on our ability to export or sell our products imposed by export control or sanctions laws may harm our revenues and adversely affect our business, financial condition, and results of operations. Noncompliance with these laws could have negative consequences, including government investigations, penalties and reputational harm.
We are subject to stringent and changing U.S. and foreign laws, regulations, rules, contractual obligations, policies and other obligations related to data privacy and security. Our actual or perceived failure to comply with such obligations could lead to adverse business consequences.
In the ordinary course of business, we collect, receive, store, process, generate, use, transfer, disclose, make accessible, protect, secure, dispose of, transmit, and share (collectively, process) personal information and other sensitive information, including proprietary and confidential business data, trade secrets, intellectual property, data previously collected about clinical trial participants, and sensitive third-party data collected under confidentiality agreements with our customers and potential customers, including scientific plans (collectively, sensitive information). Our data processing activities subject us to numerous data privacy and security obligations, such as various laws, regulations, guidance, industry standards, external and internal privacy and security policies, contractual requirements, and other obligations that govern the processing of personal information in the jurisdictions in which we operate.
In the United States, federal, state, and local governments have enacted numerous data privacy and security laws, including data breach notification laws, personal information privacy laws, consumer protection laws (e.g., Section 5 of the Federal Trade Commission Act), and other similar laws (e.g., wiretapping laws). For example, HIPAA, as amended by HITECH, imposes specific requirements relating to the privacy, security, and transmission of individually identifiable health information. In addition, the CCPA applies to personal information of consumers, business representatives, and employees, and requires businesses to provide specific disclosures in privacy notices and honor requests of California residents to exercise certain rights related to their personal information. The CCPA allows for statutory fines for noncompliance (up to $7,500 per violation) and allows private litigants affected by certain data breaches to recover significant statutory damages. Although the CCPA exempts some data processed in the context of clinical trials, the CCPA increases compliance costs and potential liability with respect to other personal information we maintain about California residents. In addition, the CPRA, expanded the CCPA’s requirements, including by adding a new right for individuals to correct their personal information and establishing a new regulatory agency, the California Privacy Protection Agency, to implement and enforce the law, which could increase the risk of enforcement. Other states, such as Virginia, Colorado, Connecticut and Utah, have enacted comprehensive data privacy laws, and similar laws have been proposed in several other states, as well as at the federal, state, and local levels — while some of these also exempt data processed in the context of clinical trials, these data privacy laws could nonetheless further complicate compliance efforts.
Outside the United States, an increasing number of laws, regulations, and industry standards apply to data privacy and security. For example, the EU GDPR, the UK GDPR, and China’s Personal Information Protection Law (“PIPL”) impose strict requirements for processing personal information. Under the EU and UK GDPR, government regulators
