numerous federal, state, local, and international laws, directives, and regulations regarding privacy, data protection, and data security and the collection, storing, sharing, use, processing, transfer, disclosure, and protection of personal information and other data, the scope of which are changing, subject to differing interpretations, and may be inconsistent among jurisdictions or conflict with other legal and regulatory requirements. We are also subject to certain contractual obligations to third parties related to privacy, data protection and data security. We strive to comply with our policies and applicable laws, regulations, contractual obligations, and other legal obligations relating to privacy, data protection, and data security to the extent possible. However, the regulatory framework for privacy, data protection and data security worldwide is, and is likely to remain for the foreseeable future, uncertain and complex, and it is possible that these or other actual or alleged obligations may be interpreted and applied in a manner that we do not anticipate or that is inconsistent from one jurisdiction to another, including across the various jurisdictions in which we operate remotely and may conflict with our other legal obligations or our practices. Further, any significant change to applicable laws, regulations or industry practices regarding the collection, use, processing, storage, sharing, transferring, security or disclosure of data, or their interpretation, or any changes regarding the manner in which the consent of shoppers or other data subjects for the collection, use, processing, storage, sharing, transferring, or disclosure of such data must be obtained, could increase our costs and require us to modify our services and features, possibly in a material manner, which we may be unable to complete, and may limit our ability to collect, use, process, store, share, transfer, or disclose shopper data or develop new services and features.
If we were found in violation of any applicable laws or regulations relating to privacy, data protection, or security, in any jurisdiction, including in jurisdictions where we operate remotely (such as by selling to shoppers residing in such jurisdictions), our business may be materially and adversely affected and we would be liable for any damages and regulatory fines and would likely have to change our business practices and potentially the services and features available through our platform. In addition, these laws and regulations could impose significant costs on us and could constrain our ability to use and process data in manners that may be commercially desirable. In addition, if a breach of data security were to occur or to be alleged to have occurred, if any violation of laws and regulations relating to privacy, data protection or data security were to be alleged, or if we had any actual or alleged defect in our safeguards or practices relating to privacy, data protection, or data security, our platform and services may be perceived as less desirable and our business, prospects, financial condition, and results of operations could be materially and adversely affected.
We also expect that there will continue to be new laws, regulations, and industry standards concerning privacy, data protection, and information security proposed and enacted in various jurisdictions. For example, we are subject to the General Data Protection Regulation, or GDPR, which came into effect in May 2018 and imposes stringent operational requirements regarding, among others, data use, sharing and processing, data breach notifications, data subject rights, documentation, and cross-border data transfers for entities collecting and/or processing personal data of European Union, or EU, residents and significant penalties for non-compliance. Failure to comply with the GDPR could result in penalties for noncompliance (including possible fines of up to the greater of €20 million and 4% of our global annual turnover for the preceding financial year for the most serious violations, as well as the right to compensation for financial or non-financial damages claimed by individuals under Article 82 of the GDPR).
In addition to the GDPR, we are subject to the United Kingdom’s privacy regime that imposes obligations and penalties similar to the GDPR including fines up to the greater of £17.5 million or 4% of global turnover. The relationship between the United Kingdom and the EU in relation to certain aspects of data protection law remains unclear, and it is unclear how UK data protection laws and regulations will develop in the medium to longer term. We are also subject to Directive 2002/58 on Privacy and Electronic Communications (the “ePrivacy Directive”), which requires entities to obtain informed and