We are subject to industry standards, governmental laws and regulations, contractual obligations, policies, and other obligations governing privacy, data protection and information security, and any actual or perceived failure to comply with such obligations could harm our business.
In the ordinary course of business, we process personal data and other sensitive information, including proprietary and confidential business data, intellectual property, and sensitive third-party data. Our data processing subjects us to various federal, state, provincial and foreign laws and regulations, as well as other obligations including contractual obligations, industry standards and internal and external policies related to privacy, data protection, and information security.
In the United States, federal, state, and local governments have enacted numerous data privacy and security laws, including data breach notification laws, personal data privacy laws, consumer protection laws (e.g., Section 5 of the Federal Trade Commission Act), and other similar laws (e.g., wiretapping laws). For example, the Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 and the Telephone Consumer Protection Act of 1991 (“TCPA”) impose specific requirements on communications with customers. The TCPA, in particular, imposes various consumer consent requirements and other restrictions on certain telemarketing activity and other communications with consumers by phone, fax or text message. TCPA violations can result in significant financial penalties, including penalties or criminal fines imposed by the Federal Communications Commission or fines of up to $1,500 per violation imposed through private litigation or by state authorities.
In the past few years, numerous U.S. states—including California, Virginia, Colorado, Connecticut, and Utah—have enacted comprehensive privacy laws that impose certain obligations on covered businesses, including providing specific disclosures in privacy notices and affording residents certain rights concerning their personal data. As applicable, such rights may include the right to access, correct, or delete certain personal data, and to opt out of certain data processing activities, such as targeted advertising, profiling, and automated decision-making. The exercise of these rights may impact our business and ability to provide our products and services. Certain states also impose stricter requirements for processing certain personal data, including sensitive information, such as conducting data privacy impact assessments. These state laws allow for statutory fines for noncompliance. For example, the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act (collectively, “CCPA”), applies to personal data of consumers, business representatives, and employees who are California residents, and requires businesses to provide specific disclosures in privacy notices and honor requests of such individuals to exercise certain privacy rights. The CCPA provides for fines of up to $7,500 per intentional violation and allows private litigants affected by certain data breaches to recover significant statutory damages. A number of other proposals are being considered or have passed at the federal, state, and local levels, and we expect more states to pass similar laws in the future. Many foreign countries and governmental bodies, including Canada, the United Kingdom (“UK”), and the European Union (“E.U.”) and other relevant jurisdictions where we conduct business, have laws and regulations concerning the processing of personal information.
For example, in Canada, the federal Personal Information Protection and Electronic Documents Act, or PIPEDA, and various related provincial laws may apply to our operations. Further, Canada has robust anti-spam legislation, the Anti-Spam Legislation, or CASL. The penalties for non-compliance under CASL are significant. In addition, the E.U.’s General Data Protection Regulation, or the EU GDPR, and the United Kingdom’s GDPR, or UK GDPR (collectively, “GDPR”), may also apply to our operations. The GDPR provides for substantial penalties for noncompliance. For example, under the GDPR, companies may face temporary or definitive bans on data processing and other corrective actions; fines of up to 20 million Euros under the EU GDPR, 17.5 million pounds sterling under the UK GDPR or, in each case, 4% of annual global revenue, whichever is greater; or private litigation related to processing of personal data brought by classes of data subjects or consumer protection organizations authorized at law to represent their interests.
We may be subject to new laws governing the privacy of consumer health data. For example, Washington’s My Health My Data Act broadly defines consumer health data, places restrictions on processing consumer health data (including imposing stringent requirements for consents), provides consumers certain rights with respect to their health data, and creates a private right of action to allow individuals to sue for violations of the law. Other states are considering and may adopt similar laws. We are also bound by contractual obligations related to data privacy and security, and our efforts to comply with such obligations may not be successful. For example, certain privacy laws, such as the CCPA, require our customers to impose specific contractual restrictions on their service providers.
In the ordinary course of business, we may transfer personal data from Europe and other jurisdictions to the United States or other countries. Europe and other jurisdictions have enacted laws requiring data to be localized or limiting