Government Regulation
We are subject to many varying laws and regulations in the United States, Canada, the United Kingdom (the “UK”), the European Union (the “EU”) and throughout the world, including those related to data privacy, data protection, data breach notification, content regulation, foods and dietary supplements, imports and exports, intellectual property, consumer protection, e-commerce, multi-level marketing, advertising, messaging, rights of publicity, health and safety, employment and labor, product liability, accessibility, competition, and taxation. These laws often require companies to implement specific information security controls to protect certain types of information, such as personal data, “special categories of personal data” or health data. While we strive to comply and remain compliant with each of these laws and regulations, they are constantly evolving and may be interpreted, applied, created, or amended in a manner that could require a change to our current compliance footprint, or harm our current or future business and operations. In addition, it is possible that certain governments may seek to block or limit our products and services or otherwise impose other restrictions that may affect the accessibility or usability of any or all of our products and services for an extended period of time or indefinitely.
With respect to data privacy and protection laws and regulations, in the EU, the General Data Protection Regulation, (the “GDPR”), became effective in 2018. The GDPR is intended to create a single legal framework for privacy rights that applies across all EU member states, including France, which is currently the only country in the EU in which we operate. The GDPR created more stringent operational requirements for controllers and processors of personal data, including, for example, requiring enhanced disclosures to data subjects about how personal data is processed (including information about the profiling of individuals and automated individual decision-making), limiting retention periods of personal data, requiring mandatory data breach notification, and requiring additional policies and procedures to comply with the accountability principle under the GDPR. Similarly, other jurisdictions are instituting privacy and data security laws, rules, and regulations, which could increase our risk and compliance costs. As a result of Brexit, for example, we will need to continue compliance with the UK Data Protection Act of 2018 for privacy rights across the United Kingdom, the legal requirements of which largely follow the GDPR.
We are also subject to laws, rules, and regulations regarding cross-border transfers of personal data, including laws relating to the transfer of personal data outside the European Economic Area, (“EEA”), and the UK. We rely on transfer mechanisms permitted under these laws, including the standard contract clauses and intracompany data transfer agreements, which mechanisms have been subject to regulatory and judicial scrutiny. If these existing mechanisms for transferring personal data from the EEA, the United Kingdom, or other jurisdictions are unavailable, we may be unable to transfer personal data of employees or customers in those regions to the United States.
In addition to European data privacy rules, we are subject to privacy laws in the U.S. and Canada, including the California Privacy Rights Act and California Consumer Privacy Act (collectively, “California Privacy Laws”). The California Privacy Laws require us to provide clear notice to consumers about what data is collected about them, honor requests to opt-out of the sale or sharing of their personal data and comply with certain requests related to their personal data, such as the right to access or delete their personal data.
Additionally, along with our contract manufacturers, distributors and ingredients and packaging suppliers, we are subject to laws and regulations related to our food and nutritional products. In the United States, the federal agencies governing the manufacture, distribution and advertising of our products include, among others, the Federal Trade Commission, the Food and Drug Administration (“FDA”), the United States Department of Agriculture (“USDA”), the U.S. Environmental Protection Agency and similar state and local agencies. Under various statutes, these agencies, among other things, prescribe the requirements and establish the standards for labeling, manufacturing, quality, and safety and regulate marketing and advertising to consumers. Certain of these agencies, in certain circumstances, must not only enforce regulations that apply to our food and nutritional products, but also review the manufacturing processes and facilities used to produce these products to ensure compliance with applicable regulations in the United States.
56