We are subject to governmental regulation and other legal obligations, particularly related to privacy, data protection and information security, and our actual or perceived failure to comply with such obligations could harm our business.
We, our reseller partners and our customers are subject to a number of domestic and international laws and regulations that apply to cloud services and the internet generally. These laws, rules and regulations address a range of issues including data privacy and cyber security, breach notification and restrictions or technological requirements regarding the collection, processing, use, storage, protection, disclosure, retention or transfer of data. The regulatory framework for online services, data privacy and cyber security issues worldwide can vary substantially from jurisdiction to jurisdiction, is rapidly evolving and is likely to remain uncertain for the foreseeable future. Many federal, state, local and foreign government bodies and agencies have adopted or are considering adopting laws, rules and regulations regarding the collection, processing, use, storage and disclosure of information, web browsing and geolocation data collection, data analytics, facial recognition, cyber security and breach response and notification procedures. Furthermore, existing laws and regulations are constantly evolving, and new laws and regulations that apply to our business are being introduced at every level of government in the United States, as well as internationally. As we seek to expand our business, we are, and may increasingly become subject to various laws, regulations, and standards, and may be subject to contractual obligations relating to data privacy and security in the jurisdictions in which we operate. Any significant change to applicable laws, regulations or industry practices regarding the use or disclosure of personal information, or regarding the manner in which the express or implied consent of customers for the use and disclosure of personal information is obtained, could require us to modify our products and features, possibly in a material manner and subject to increased compliance costs, which may limit our ability to develop new products and features that make use of the personal information that our customers voluntarily share. Any failure, or perceived failure, by us to comply with any federal or state privacy or security laws, regulations, industry self-regulatory principles, or codes of conduct, regulatory guidance, orders to which we may be subject, or other legal obligations relating to data privacy or security could adversely affect our reputation, brand and business, and may result in claims, liabilities, proceedings or actions against us by governmental entities, customers or others. Any such claims, proceedings or actions could hurt our reputation, brand and business, force us to incur significant expenses in defense of such proceedings or actions, distract our management, increase our costs of doing business, result in a loss of customers and result in the imposition of monetary penalties.
In the United States, there are numerous federal and state data privacy and security laws, rules, and regulations governing the collection, use, disclosure, retention, security, transfer, storage, and other processing of personal data, including federal and state data privacy laws, data breach notification laws, and consumer protection laws. For example, the FTC and many state attorneys general are interpreting federal and state consumer protection laws to impose standards for the online collection, use, dissemination, and security of data. Such standards require us to publish statements that describe how we handle personal data and choices individuals may have about the way we handle their personal data. If such information that we publish is considered untrue or inaccurate, we may be subject to government claims of unfair or deceptive trade practices, which could lead to significant liabilities and consequences. Moreover, according to the FTC, violating consumers’ privacy rights or failing to take appropriate steps to keep consumers’ personal data secure may constitute unfair acts or practices in or affecting commerce in violation of Section 5(a) of the Federal Trade Commission Act. State consumer protection laws provide similar causes of action for unfair or deceptive practices.
There are also laws and regulations governing the collection and use of biometric information, such as fingerprints and face prints. For example, Illinois Biometric Information Privacy Act (“BIPA”) applies to the collection and use of “biometric identifiers” and “biometric information” which include finger and face prints. A business required to comply with BIPA is not permitted to sell, lease, trade or otherwise profit from biometric identifiers or biometric information it collects, and is also under obligations to have a written policy with respect to the retention and destruction of all biometric identifiers and biometric information; ensure that it informs the subject of the collection and the purpose of the collection and obtains consent for such collection; and obtain consent for any disclosure of biometric identifiers or biometric information. Individuals are afforded a private right of action under BIPA and may recover statutory damages equal to the greater of $1,000 or actual damages and reasonable attorneys’ fees and costs. Several class action lawsuits have been brought under BIPA, as the statute is broad and still being interpreted by the courts. Additionally, a number of other proposals exist for new federal and state privacy legislation that, if passed, could increase our potential liability,
