In the U.S., the California Consumer Privacy Act (the CCPA) went into effect on January 1, 2020 and accompanying regulations were issued by the California Office of the Attorney General in June 2020. Among other things, the CCPA requires covered companies to provide new disclosures to California consumers and afford such consumers new abilities to access and delete their personal information, and to opt-out of certain sales of personal information. On November 3, 2020, California voters approved the California Privacy Rights and Enforcement Act (the CPRA), which is expected to go into effect on January 1, 2023. The CPRA significantly modifies the CCPA and further aligns California privacy laws with the GDPR.
Similar legislation has been proposed or adopted in other states. For example, on March 2, 2021, Virginia enacted the Virginia Consumer Data Protection Act, a comprehensive privacy statute that becomes effective on January 1, 2023; on June 8, 2021, Colorado enacted the similar Colorado Privacy Act on June 8, 2021, which will become effective on July 1, 2023; on March 24, 2022, Utah enacted the Utah Consumer Privacy Act, which will become effective on December 31, 2023; and on May 10, 2022, Connecticut enacted the Act Concerning Personal Data Privacy and Online Monitoring, which will become effective on July 1, 2023. These state laws in Virginia, Colorado, Utah, and Connecticut share similarities with the CCPA, CPRA, and legislation proposed in other states. Aspects of the CCPA, the CPRA and these other state laws and regulations, as well as their enforcement, remain unclear. Additionally, the U.S. federal government is contemplating privacy legislation.
We will need to closely monitor developments, including enforcement actions or private litigation under the GDPR, CCPA, CPRA, and other laws to determine whether we will need to modify our data processing practices and policies, which may result in us incurring additional costs and expenses in an effort to comply.
We are also subject to the terms of our privacy policies and contractual obligations to third parties related to privacy, data protection, and information security, and may be subject to other actual or asserted obligations, including industry standards, relating to privacy, data protection, and information security. We strive to comply with applicable laws, regulations, policies, and other legal obligations relating to privacy, data protection, and information security to the extent possible. However, the regulatory frameworks for privacy, data protection, and information security worldwide are evolving rapidly, and it is possible that these or other actual or alleged obligations may be interpreted and applied in a manner that is inconsistent from one jurisdiction to another and may conflict with other rules or our practices.
Any failure or perceived failure by us to comply with our privacy policies, our privacy-related obligations to subscribers or other third parties, applicable laws or regulations, or any of our other legal obligations could materially adversely affect our business.
Additionally, if third parties we work with, such as sub-processors, vendors, or developers, violate applicable laws or regulations, contractual obligations, or our policies - or if it is perceived that such violations have occurred - such actual or perceived violations may also have an adverse effect on our business. Further, any significant change to applicable laws, regulations, or industry practices regarding the collection, use, retention, security, disclosure, or other processing of data, or regarding the manner in which the express or implied consent of users for the collection, use, retention, disclosure, or other processing of data is obtained, could increase our costs and require us to modify our business practices.
Risks Related to Our Reliance on Third Parties
We rely on partners and third-party service providers and if such third parties do not perform adequately or terminate their relationships, our costs may increase and our business, financial condition and results of operations could be adversely affected.
Our success depends in part on our relationships with our partners and third-party service providers. For example, we use third-parties to provide housekeeping services, manage our reservation systems, and maintain our subscription platform. If any of our third-party providers terminates their relationship with us or refuses to renew their agreement with us on commercially reasonable terms, we would need to find alternate providers and may not be able to secure similar terms or replace such providers in acceptable time frames. Third-party providers which do not have readily available alternate solutions in the marketplace may require internally developed products in order to maintain current functionality. Moreover, we are limited by exclusivity terms and other restrictions with certain third-party service providers which may limit our ability to enter into relationships with new or alternative third-party service providers.
