We are subject to stringent and evolving U.S. and foreign laws, regulations, rules, contractual obligations, policies and other obligations related to data privacy and security. Our actual or perceived failure to comply with such obligations could lead to adverse business consequences.
Our data processing activities may subject us to numerous data privacy and security obligations, such as various laws, regulations, guidance, industry standards, external and internal privacy and security policies, contractual requirements, and other obligations relating to data privacy and security.
In the United States, federal, state, and local governments have enacted numerous data privacy and security laws, including data breach notification laws, personal data privacy laws, consumer protection laws (e.g., Section 5 of the Federal Trade Commission Act), and other similar laws (e.g., wiretapping laws). For example, the California Consumer Privacy Act of 2018 (“CCPA”) requires businesses to provide specific disclosures in privacy notices and honor requests of California residents to exercise certain privacy rights. The CCPA provides for civil penalties of up to $7,500 per violation and allows private litigants affected by certain data breaches to recover significant statutory damages. In addition, the California Privacy Rights Act of 2020 (“CPRA”), which becomes effective January 1, 2023, will expand the CCPA’s requirements, including applying to personal information of business representatives and employees and establishing a new regulatory agency to implement and enforce the law.
Other states, such as Virginia and Colorado, have also passed comprehensive privacy laws, and similar laws are being considered in several other states, as well as at the federal and local levels. Additionally, several states and localities have enacted measures related to the use of artificial intelligence and machine learning in products and services. These developments may further complicate compliance efforts, and may increase legal risk and compliance costs for us, the third parties upon whom we rely, and our customers.
Outside the United States, an increasing number of laws, regulations, and industry standards may govern data privacy and security. For example, the European Union’s General Data Protection Regulation (“EU GDPR”), the United Kingdom’s GDPR (“UK GDPR”), Brazil’s General Data Protection Law (Lei Geral de Proteção de Dados Pessoais, or “LGPD”) (Law No. 13,709/2018), and China’s Personal Information Protection Law (“PIPL”) impose strict requirements for processing personal data.
For example, under the EU GDPR, companies may face temporary or definitive bans on data processing and other corrective actions; fines of up to 20 million Euros or 4% of annual global revenue, whichever is greater; or private litigation related to processing of personal data brought by classes of data subjects or consumer protection organizations authorized at law to represent their interests. Additionally, we also target customers in Asia and may be subject to new and emerging data privacy regimes in Asia, including China’s Personal Information Protection Law, Japan’s Act on the Protection of Personal Information, and Singapore’s Personal Data Protection Act.
In addition, we may be unable to transfer personal data from Europe and other jurisdictions to the United States or other countries due to data localization requirements or limitations on cross-border data flows. Europe and other jurisdictions have enacted laws requiring data to be localized or limiting the transfer of personal data to other countries. In particular, the European Economic Area (“EEA”) and the United Kingdom (“UK”) have significantly restricted the transfer of personal data to the United States and other countries whose privacy laws it believes are inadequate. Other jurisdictions may adopt similarly stringent interpretations of their data localization and cross-border data transfer laws. Although there are currently various mechanisms that may be used to transfer personal data from the EEA and UK to the United States in compliance with law, such as the EEA and UK’s standard contractual clauses, these mechanisms are subject to legal challenges, and there is no assurance that we can satisfy or rely on these measures to lawfully transfer personal data to the United States. If there is no lawful manner for us to transfer personal data from the EEA, the UK, or other jurisdictions to the United States, or if the requirements for a legally-compliant transfer are too onerous, we could face significant adverse consequences, including the interruption or degradation of our operations, the need to relocate part of or all of our business or data processing activities to other jurisdictions at significant expense, increased exposure to regulatory actions, substantial fines and penalties, the inability to transfer data and work with partners, vendors and other third parties, and injunctions against our processing or transferring of personal data necessary to operate our business. Some European regulators have prevented companies from transferring personal data out of Europe for allegedly violating the GDPR’s cross-border data transfer limitations.
In addition to data privacy and security laws, we may be contractually subject to industry standards adopted by industry groups and may become subject to such obligations in the future. We may also be bound by other contractual obligations related to data privacy and security, and our efforts to comply with such obligations may not be successful. For example, certain privacy laws, such as the GDPR and CCPA, require our customers to impose specific contractual restrictions on their service providers. Additionally, some of our customers may require us to host personal data locally.
We may publish privacy policies, marketing materials, and other statements, such as compliance with certain certifications or self-regulatory principles, regarding data privacy and security. If these policies, materials or statements are found to be deficient, lacking in transparency, deceptive, unfair, or misrepresentative of our practices, we may be subject to investigation, enforcement actions by regulators, or other adverse consequences.
Obligations related to data privacy and security are quickly changing, becoming increasingly stringent, and creating regulatory uncertainty. Additionally, these obligations may be subject to differing applications and interpretations, which may be inconsistent or conflict among jurisdictions. Preparing for and complying with these obligations requires us to devote significant resources and may necessitate changes to our services, information technologies, systems, and practices and to those of any third parties that process personal data on our behalf.
63
