circumstances, and similar healthcare laws and regulations in other jurisdictions, including reporting requirements detailing interactions with and payments to healthcare providers.
It is not always possible to identify and deter misconduct, and the precautions we take to detect and prevent this activity may not be effective in controlling unknown or unmanaged risks or losses or in protecting us from government investigations or other actions or lawsuits stemming from a failure to comply with these laws or regulations. Ensuring that our internal operations and future business arrangements with third parties comply with applicable healthcare laws and regulations will also involve substantial costs. If our operations are found to be in violation of any of the laws described above or any other governmental laws and regulations that may apply to us, we may be subject to significant penalties, including civil, criminal and administrative penalties, damages, fines, exclusion from government-funded healthcare programs, such as Medicare and Medicaid or similar programs in other countries or jurisdictions, integrity oversight and reporting obligations to resolve allegations of non-compliance, disgorgement, individual imprisonment, contractual damages, reputational harm, diminished profits and the curtailment or restructuring of our operations. If any of the physicians or other providers or entities with whom we expect to do business are found to not be in compliance with applicable laws, they may be subject to criminal, civil or administrative sanctions, including exclusions from government-funded healthcare programs and imprisonment, which could affect our ability to operate our business. Further, defending against any such actions can be costly, time-consuming and may require significant personnel resources. Any of the foregoing could significantly harm our business, financial condition, results of operations and growth prospects.
We are subject to stringent and evolving laws, regulations, rules, contractual obligations, policies and other obligations related to data privacy and security. Our actual or perceived failure to comply with such obligations could lead to regulatory investigations or actions, litigation, fines and penalties, disruptions of our business operations, reputational harm, loss of revenue or profits, and other adverse business consequences.
In the ordinary course of business, we collect, receive, store, process, generate, use, transfer, disclose, make accessible, protect, secure, dispose of, transmit, and share (collectively, “processing”) personal data and other sensitive information, including proprietary and confidential business data, trade secrets, intellectual property, data we collect about trial participants in connection with clinical trials, sensitive third-party data, business plans, transactions, and financial information (collectively, “sensitive data”).
Our data processing activities may subject us to numerous data privacy and security obligations, such as various laws, regulations, guidance, industry standards, external and internal privacy and security policies, contractual requirements, and other obligations relating to data privacy and security.
In the United States, federal, state, and local governments have enacted numerous data privacy and security laws, including data breach notification laws, personal data privacy laws, consumer protection laws (e.g., Section 5 of the Federal Trade Commission Act), and other similar laws (e.g., wiretapping laws). For example, the California Consumer Privacy Act of 2018 (“CCPA”) applies to personal information of consumers, business representatives, and employees, and requires businesses to provide specific disclosures in privacy notices and honor requests of California residents to exercise certain privacy rights. The CCPA provides for civil penalties of up to $7,500 per violation and allows private litigants affected by certain data breaches to recover significant statutory damages. Although the CCPA exempts some data processed in the context of clinical trials, the CCPA increases compliance costs and potential liability with respect to other personal data we maintain about California residents. In addition, the California Privacy Rights Act of 2020 (“CPRA”) expands the CCPA’s requirements, including by adding a new right for individuals to correct their personal information and establishing a new regulatory agency to implement and enforce the law. Other states, such as Virginia and Colorado, have also passed comprehensive privacy laws, and similar laws are being considered in several other states, as well as at the federal and local levels. While these states, like the CCPA, also exempt some data processed in the context of clinical trials, these developments may further complicate compliance efforts, and increase legal risk and compliance costs for us and the third parties upon whom we rely.
Outside the United States, an increasing number of laws, regulations, and industry standards may govern data privacy and security and may become applicable to us as we expand. For example, the European Union’s General Data Protection Regulation (“EU GDPR”) and the United Kingdom’s GDPR (“UK GDPR”) impose strict requirements for processing personal data. For example, under the EU GDPR, companies may face temporary or definitive bans on data processing and other corrective actions; fines of up to 20 million Euros or 4% of annual global revenue, whichever is greater; or private litigation related to processing of personal data brought by classes of data subjects or consumer protection organizations authorized at law to represent their interests.
In addition, data localization requirements or limitations on cross-border data flows may render us unable to transfer personal data from other jurisdictions to the United States or other countries. For example, Europe and other jurisdictions have enacted laws