Failure to comply with current or future federal, state, local and foreign laws, regulations, rules and industry standards relating to privacy, data protection, cybersecurity and consumer protection could adversely affect our business, financial condition, results of operations and prospects.
Laws, regulations, rules and industry standards relating to privacy, data protection, cybersecurity and consumer protection are evolving and subject to potentially differing interpretations. These requirements may be interpreted and applied in a manner that is inconsistent from one jurisdiction to another or may conflict with other rules or our practices. As a result, our practices may not have complied or may not comply in the future with all such laws, regulations, rules, standards, requirements and obligations.
We are subject to a variety of laws, regulations, rules and industry standards in the U.S. and abroad that involve matters central to our business, including privacy and data protection. Many of these laws, regulations, rules and industry standards are still evolving and being tested in courts and could be interpreted or applied in ways that could harm our business, particularly in the new and rapidly evolving industry in which we operate. It is difficult to predict how existing laws, regulations, rules and industry standards, and new laws, regulations, rules and industry standards to which we may become subject, will be applied to our business, and it is possible that they may be interpreted and applied in a manner that is inconsistent with our current operating practices. Existing and proposed laws, regulations, rules and industry standards can be costly to comply with and can delay or impede the development of new products and services, significantly increase our operating costs, require significant time and attention of management and technical personnel and subject us to inquiries or investigations, claims or other remedies, including fines or demands that we modify or cease existing business practices.
In the United States, there are numerous federal, state and local privacy and data protection laws, regulations and rules governing the collection, sharing, retention, disclosure, security, transfer, storage and other processing of personal information. For example, at the federal level, Section 5 of the Federal Trade Commission Act prohibits unfair or deceptive practices in or affecting commerce, which extends to privacy and data protection practices. There is also discussion in Congress of a new federal privacy and data protection law to which we may become subject if it is enacted. At the state level, the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act (collectively, the “CCPA”) requires companies that process information relating to California residents to implement additional data protection measures and to make new disclosures to consumers about their data collection, use and sharing practices, and allows consumers to opt out of certain data sharing with third parties. In addition, the CCPA provides for civil penalties and a private right of action for California residents in the event of certain data breaches. Similar laws have passed in a number of other states, complicating the compliance landscape, and additional privacy and data protection laws have been proposed in other states and at the federal level. If passed, such laws may have potentially conflicting requirements that would make compliance challenging. Moreover, laws in all 50 U.S. states require businesses to provide notice under certain circumstances to consumers whose personal information has been disclosed as a result of a data breach.
We also are, or may become, subject to applicable laws, regulations and rules relating to privacy, data protection, cybersecurity and consumer protection in the foreign jurisdictions in which we do business. For example, the European Economic Area (“EEA”), composed of the European Union (“EU”) member states and Iceland, Liechtenstein and Norway, and the United Kingdom (“UK”) have imposed greater legal and regulatory obligations under the EU General Data Protection Regulation (“EU GDPR”) and UK General Data Protection Regulation (“UK GDPR”), respectively, on companies regarding the collection, sharing, retention, disclosure, security, transfer, storage and other processing of personal data. While the EU GDPR and UK GDPR remain substantially similar for the time being, the UK government has announced that it would seek to chart its own path on privacy and data protection and reform its relevant laws, including in ways that may differ from the EU GDPR. While these developments increase uncertainty with regard to privacy and data protection regulation in the U.K., even in their current, substantially similar form, the EU GDPR and UK GDPR can expose businesses to divergent parallel regimes that may be subject to potentially different interpretations and enforcement actions for certain violations and related certainty. Administrative fines of up to the greater of €20 million (or £17.5 million under the UK GDPR) and 4% of our global turnover can be imposed for breaches of the EU GDPR and UK GDPR.