We are also subject to other laws and regulations governing our international operations, including regulations administered by the governments of the United Kingdom and the United States, and authorities in the European Union, including applicable export control regulations, economic sanctions and embargoes on certain countries and persons, anti-money laundering laws, import and customs requirements and currency exchange regulations, collectively referred to as the Trade Control laws.
There is no assurance that we will be completely effective in ensuring our compliance with all applicable anti-corruption laws, including the Bribery Act, the FCPA or other legal requirements, including Trade Control laws. If we are not in compliance with the Bribery Act, the FCPA and other anti-corruption laws or Trade Control laws, we may be subject to criminal and civil penalties, disgorgement and other sanctions and remedial measures, and legal expenses, which could have an adverse impact on our business, financial condition, results of operations and liquidity. Likewise, any investigation of any potential violations of the Bribery Act, the FCPA, other anti-corruption laws or Trade Control laws by the United Kingdom, United States or other authorities could also have an adverse impact on our reputation, our business, results of operations and financial condition.
We are subject to stringent and evolving U.S. and foreign laws, regulations, rules, contractual obligations, industry standards, policies and other obligations related to data privacy and security. Our actual or perceived failure to comply with such obligations could lead to regulatory investigations or actions, litigation (including class claims), fines and penalties, disruptions of our business operations, reputational harm, loss of revenue or profits, and other adverse business consequences.
In the ordinary course of business, we collect, receive, store, process, generate, use, transfer, disclose, make accessible, protect, secure, dispose of, transmit, and share (collectively, process) personal data and other sensitive or confidential information, including proprietary and confidential business data, trade secrets, intellectual property, data we collect about trial participants in connection with clinical trials, and sensitive third-party data. Our data processing activities may subject us to numerous data privacy and security obligations, such as various laws, regulations, guidance, industry standards, external and internal privacy and security policies, contractual requirements, and other obligations relating to data privacy and security.
In the United States, federal, state, and local governments have enacted numerous data privacy and security laws, including data breach notification laws, personal data privacy laws, consumer protection laws (e.g., Section 5 of the Federal Trade Commission Act), and other similar laws (e.g., wiretapping laws). For example, HIPAA, as amended by HITECH, imposes specific requirements relating to the privacy, security, and transmission of individually identifiable health information. In the past few years, numerous U.S. states—including California, Virginia, Colorado, Connecticut, and Utah—have enacted comprehensive privacy laws that impose certain obligations on covered businesses, including providing specific disclosures in privacy notices and affording residents with certain rights concerning their personal data. As applicable, such rights may include the right to access, correct, or delete certain personal data, and to opt-out of certain data processing activities, such as targeted advertising, profiling, and automated decision-making. To the extent applicable, the exercise of these rights may impact our business and ability to provide our products and services. Certain states also impose stricter requirements for processing certain personal data, including sensitive information, such as conducting data privacy impact assessments. These state laws allow for statutory fines for noncompliance. For example, the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020, (collectively, “CCPA”) applies to personal data of consumers, business representatives, and employees who are California residents, and requires businesses to provide specific disclosures in privacy notices and honor requests of such individuals to exercise certain privacy rights. The CCPA allows for fines for noncompliance (of up to $7,500 per intentional violation) and allows private litigants affected by certain data breaches to recover significant statutory damages. Although the CCPA exempts some data processed in the context of clinical trials, the CCPA increases compliance costs and potential liability with respect to other personal data maintained by covered entities about California residents. Similar laws are being considered in several other states, as well as at the federal and local levels, and we expect more states to pass similar laws in the future, and these developments may further complicate compliance efforts and may increase legal risk and compliance costs for us and the third parties upon whom we rely.
Outside of the United States, an increasing number of laws, regulations, and industry standards may govern data privacy and security. For example, the European Union’s General Data Protection Regulation, or EU GDPR, and the
