may adopt laws and regulations regarding the collection, use, storage and disclosure of such personal information. In addition, HIPAA, as amended by the Health Information Technology for Economic and Clinical Health Act, and its implementing regulations, applies to our benefit administration solution, BeneFLEX, as a business associate. The costs of compliance with, and other burdens imposed by, such laws and regulations that are applicable to our clients’ businesses may limit the use and adoption of our modules and reduce overall demand, or lead to significant fines, penalties or liabilities for any noncompliance with such privacy laws. Even the perception of privacy concerns, whether or not valid, may inhibit market adoption of our solutions.
Additionally, we expect that existing laws, regulations, and standards may be interpreted in new and differing manners in the future, and may be inconsistent among jurisdictions. Future laws, regulations, standards, and other obligations, and changes in the interpretation of existing laws, regulations, standards, and other obligations could result in increased regulation, increased costs of compliance and penalties for non-compliance, and limitations on data collection, use, disclosure, and transfer for Paylocity and our clients. For example, in 2016, the European Union (“EU”) and United States agreed to a framework for data transferred from the EU to the United States, called the Privacy Shield, but this new framework has been challenged by private parties and may face additional challenges by national regulators or additional private parties. Additionally, in 2016 the EU adopted a new regulation governing data privacy called the General Data Protection Regulation (“GDPR”), which became effective in May 2018. The GDPR establishes new requirements applicable to the handling of personal data and imposes penalties for non-compliance of up to 4% of worldwide revenue. California also recently enacted legislation, the California Consumer Privacy Act of 2018 (“CCPA”), effective as of January 1, 2020, that affords California residents expanded privacy protections and a private right of action for security breaches affecting their personal information. While California legislators recently amended the CCPA and the California Attorney General released draft implementing regulations for public comment, there remains uncertainty in how the CCPA will be interpreted and enforced, and privacy advocates are calling for changes to the law through a voter ballot initiative and additional amendments to the CCPA. In addition, the Illinois Biometric Information Privacy Act regulates the collection, use, safeguarding and storage of “biometric identifiers” or “biometric information” by private entities, and provides a private right of action for persons who are aggrieved by violations of the regulation. All of these legislative and regulatory initiatives may adversely affect our clients’ ability to process, handle, store, use and transmit demographic and personal information regarding their employees and family members, which could reduce demand for our solutions.
In addition to government activity, privacy advocacy groups and the technology and other industries are considering various new, additional or different self-regulatory standards that may place additional burdens on us. If the processing of personal information were to be curtailed in this manner, our products would be less effective, which may reduce demand for our modules and adversely affect our business.
If third parties we work with violate applicable laws or regulations or our policies, such violations may also put our clients’ content at risk and could in turn have an adverse effect on our business. Any significant change to applicable laws, regulations, or industry practices regarding the collection, use, retention, security, or disclosure of our clients’ content, or regarding the manner in which the express or implied consent of clients for the collection, use, retention, or disclosure of such content is obtained, could increase our costs and require us to modify our services and features, possibly in a material manner, which we may be unable to complete, and may limit our ability to store and transmit client data or develop new services and features.
Our business could be adversely affected if we do not effectively implement and service our solutions or if we are unable to accommodate increased demand for our implementation and client services resulting from growth in our business.
Our ability to deliver our payroll and HCM solutions depends on our ability to effectively implement and to transition to, and train our clients on, our solutions. We generally do not recognize any revenue from new clients until they process their first payroll. Further, the majority of our agreements with our clients are generally terminable by the clients on 60 days’ or less notice. If a client is not satisfied with our implementation services, the client could terminate its agreement with us before we have recovered our costs of implementation services, which would adversely affect our results of operations and cash flows. In addition, negative publicity related to our client relationships, regardless of its accuracy, may further damage our business by affecting our ability to compete for new business with current and prospective clients.
