changes in laws and regulations as they develop, and we or our employees, contractors, partners, and agents may fail to maintain compliance with applicable laws and regulations. Any violations could result in enforcement actions, fines, civil and criminal penalties, damages, injunctions, or reputational harm. If we are unable to comply with these laws and regulations or manage the complexity of our global operations successfully, our business, results of operations, and financial condition could be adversely affected.
We store personal information and other customer data, which subjects us to various data privacy laws, governmental regulations, and other related legal obligations, and any actual or perceived failure to comply with such requirements could harm our business.
We store personal information and other customer data, as well as use certain cookies on our website, that are subject to numerous federal, state, local, and foreign laws regarding privacy and the storing and protection of personal information and other customer data, and disclosure requirements regarding the use and certain breaches of such laws. For example, we are subject to the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act of 2020 (CPRA), among other laws and regulations around the world. Other comprehensive data privacy or data protection laws or regulations requiring local data residency and/or restricting the international transfer of data have been passed or are under consideration in other jurisdictions. In addition, some industries have industry-specific requirements relating to compliance with certain security and regulatory standards, such as those required by the Health Insurance Portability and Accountability Act (HIPAA). For example, HIPAA imposes privacy, security, and breach reporting obligations with respect to individually identifiable health information upon “covered entities” (e.g., health plans, health care clearinghouses, and certain health care providers), and their respective business associates, individuals, or entities that create, receive, maintain or transmit protected health information in connection with providing a service for or on behalf of a covered entity. Such laws give rise to an increasingly complex set of compliance obligations on us regarding our ability to gather, use, and store customer data and customer account data.
These privacy and data protection laws are subject to rapid change and differing interpretations, may require limited timeframes to implement changes, and can be inconsistent among regulatory frameworks or conflict with other rules or our business practices. We strive to comply with all applicable laws, policies, legal obligations, and industry codes of conduct relating to privacy and data protection to the extent possible. Our efforts to comply with the complex matrix of data privacy laws around the world subject us to increasing costs to review and comply with such laws, including updating our policies, procedures, and business practices to address such evolving privacy laws. We also make public statements and commitments regarding our use and disclosure of personal information through our privacy policy, information provided on our website, and data processing agreements with customers and other third parties. Because the interpretation and application of data protection laws, regulations, standards, and other obligations are often uncertain and in flux, and sometimes contradictory, it is possible that the scope and requirements of these laws and other obligations may be interpreted and applied in a manner that is inconsistent with our practices, and our efforts to comply with rapidly evolving data protection laws and obligations may be unsuccessful. For example, we previously relied on the EU-US Privacy Shield framework, which was invalidated by a European court in July 2020. As a result of that decision, we have had to take additional steps to comply with applicable EU data protection requirements, including implementation of standard contractual clauses.
Any failure, or perceived failure, by us to comply with applicable privacy and security laws, policies, or related contractual obligations, or any compromise of security that results in unauthorized access, or the use or transmission of personal information or other customer data, could result in a variety of claims against us, including governmental enforcement actions and investigations, audits, inquiries, whistleblower complaints, class action privacy litigation in certain jurisdictions, and proceedings by data protection authorities. For example, under the GDPR we may be subject to fines of up to €20 million or up to 4% of the total worldwide annual group turnover of the preceding financial year, as well as potentially face claims from individuals. The CCPA provides for civil penalties for violations, as well as a private right of action for certain data breaches that result in the loss