they will continue to seek new legislative and/or administrative measures to control drug costs. At the state level, legislatures have increasingly enacted legislation and implemented regulations designed to control pharmaceutical and biological product pricing, including price or patient reimbursement constraints, discounts, restrictions on certain product access and marketing cost disclosure and transparency measures, and, in some cases, designed to encourage importation from other countries and bulk purchasing. Outside of the U.S., particularly in the European Union, the pricing of prescription pharmaceuticals is subject to governmental control. In these countries, pricing negotiations with governmental authorities can take considerable time after the receipt of marketing approval for a product. To obtain coverage and reimbursement or pricing approval in some countries, we may be required to conduct a clinical trial that compares the cost-effectiveness of our product candidate to other available therapies. If reimbursement of our products is unavailable or limited in scope or amount, or if pricing is set at unsatisfactory levels, our business could be harmed.
We are subject to stringent and evolving federal, state, local and foreign laws, regulations, rules, contractual obligations, policies, industry standards, and other obligations relating to privacy and data protection laws. Our actual or perceived failure to comply with such obligations could lead to government enforcement actions (which could include civil or criminal penalties), private litigation, and/or adverse publicity and could negatively affect our operating results and business.
In the ordinary course of business, we collect, receive, store, process, generate, use, transfer, disclose, make accessible, protect, secure, dispose of, transmit, and share (collectively, process) personal data and other sensitive information, including proprietary and confidential business data, trade secrets, intellectual property, data we collect about trial participants in connection with clinical trials, and sensitive third-party data. Additionally, we may obtain health information from third parties (including research institutions from which we obtain clinical trial data). Therefore, we and our collaborators and third-party providers may be subject to federal, state, local and foreign data privacy and security obligations, such as various laws, regulations, guidance, industry standards, external and internal privacy and security policies, contractual requirements, and other obligations relating to data privacy and security. In the U.S., numerous federal, state, and local laws and regulations, including federal health information privacy laws, state data breach notification laws, state health information privacy laws, federal and state consumer protection laws (e.g., Section 5 of the Federal Trade Commission Act), and other similar laws (e.g., wiretapping laws) that govern the processing of health-related and other personal information could apply to our operations or the operations of our collaborators and third-party providers. For example, HIPAA imposes specific requirements relating to the privacy, security, and transmission of individually identifiable health information.
Furthermore, California enacted the California Consumer Privacy Act (“CCPA”), which applies to personal information of California consumers, business representatives, and employees, and gives California residents expanded rights to access and delete their personal information, opt out of certain personal information sharing and receive detailed information about how their personal information is used. The CCPA provides for civil penalties for violations, as well as a private right of action for data breaches. Although the CCPA exempts some data processed in the context of clinical trials, the CCPA increases compliance costs and potential liability with respect to other personal data we maintain about California residents. In addition, the California Privacy Rights Act of 2020 expands the CCPA’s requirements, including by adding a new right for individuals to correct their personal information and establishing a new regulatory agency to implement and enforce the law. Other states, such as Virginia and Colorado, have also passed comprehensive privacy laws, and similar laws are being considered in several other states, as well as the federal and local levels. While these states, like the CCPA, also exempt some data processed in the context of clinical trials, these developments further complicate compliance efforts, and increase legal risk and compliance costs for us and the third parties upon whom we rely.
An increasing number of foreign data protection laws, regulations, and industry standards, including the European Union’s General Data Protection Regulation (“EU GDPR”), the United Kingdom’s GDPR (“UK GDPR” and the EU GDPR and UK GDPR collectively, “GDPR”), and China’s Personal Information Protection Law (“PIPL”) may also apply to health-related and other personal information obtained from individuals outside
50
