Our collection, use, storage, disclosure, transfer and other processing of personal information could give rise to significant costs and liabilities, including as a result of governmental regulation, uncertain or inconsistent interpretation and enforcement of legal requirements or differing views of personal privacy rights, which may have a material adverse effect on our reputation, business, financial condition and results of operations.
As part of our normal business activities, we collect, use, store, process, and transmit personal information with respect to our clients and their families and our team members. We share some of this personal information with vendors who assist us with certain aspects of our business. A variety of federal and state laws, regulations industry self-regulatory principles, industry standards or codes of conduct, and regulatory guidance, relating to privacy, data protection, marketing and advertising, and consumer protection apply to the collection, use, retention, protection, disclosure, transfer and other processing of certain types of data. These requirements of such laws, regulations, industry self-regulatory principles, industry standards or codes of conduct, and regulatory guidance may be interpreted and applied in a manner that is inconsistent from one jurisdiction to another or may conflict with other rules or our practices. As a result, our practices may not have complied in the past, or may not comply in the future, with all such laws, regulations, standards, requirements and obligations. Any failure, or perceived failure, by us to comply with our posted privacy policies or with any federal or state privacy or consumer protection-related laws, regulations, industry self-regulatory principles, industry standards or codes of conduct, regulatory guidance, or orders to which we may be subject or other legal obligations relating to privacy or consumer protection could adversely affect our reputation, brand and business, and may result in claims, fines, penalties, proceedings or actions against us by governmental entities, clients, suppliers or others or other liabilities or may require us to change our operations and/or cease using certain data.
In addition, various federal and state legislative and regulatory bodies, or self-regulatory organizations, may expand current laws or regulations, enact new laws or regulations or issue revised rules or guidance regarding privacy, data protection, consumer protection, and advertising, and as the regulatory environment related to information security, data collection and use, and privacy becomes increasingly rigorous, with new and changing requirements applicable to our business. For example, the CCPA, which came into effect in 2020, increases privacy rights for California consumers and imposes obligations on companies that process their personal information. Among other things, the CCPA gives California consumers expanded rights related to their personal information, including the right to access and delete their personal information and receive detailed information about how their personal information is used and shared. The CCPA also provides California consumers the right to opt-out of certain sales of personal information and may restrict the use of cookies and similar technologies for advertising purposes. The CCPA prohibits discrimination against individuals who exercise their privacy rights, and provides for civil penalties for violations enforceable by the California Attorney General as well as a private right of action for certain data breaches that result in the loss of personal information. This private right of action is expected to increase the likelihood of, and risks associated with, data breach litigation. Many of the CCPA’s requirements as applied to personal information of a business’s personnel and related individuals are subject to a moratorium set to expire on January 1, 2023. The expiration of the moratorium may increase our compliance costs and our exposure to public and regulatory scrutiny, costly litigation, fines and penalties. Additionally, in November 2020, California passed the California Privacy Rights Act (the “CPRA”), which expands the CCPA significantly, including by expanding California consumers’ rights with respect to certain personal information and creating a new state agency to oversee implementation and enforcement efforts, potentially resulting in further uncertainty and requiring us to incur additional costs and expenses in an effort to comply. Many of the CPRA’s provisions will become effective on January 1, 2023. The costs of compliance with, and the other burdens imposed by, these and other laws or regulatory actions may increase our operational costs, and/or result in interruptions or delays in the availability of systems.
Moreover, Virginia, Colorado, Utah and Connecticut also recently passed comprehensive privacy laws that take effect in 2023 and will impose obligations similar to or more stringent than those we may face under other data protection laws. Once they become enforceable, we must comply with each if our operations fall within the scope of these newly enacted comprehensive mandates, which may increase our compliance costs and potential liability. Similar laws have been proposed in other states and at the federal level, reflecting a trend toward more stringent privacy legislation in the United States. This legislation may add additional complexity, variation in requirements, restrictions and potential legal
34