We previously relied upon the EU-U.S. Privacy Shield program to legitimize certain transfers of personal data from the EU and EEA to the United States pursuant to the GDPR. However, on July 16, 2020, the Court of Justice of the European Union, or the CJEU, invalidated the EU-U.S. Privacy Shield program. As a result of this decision, companies that previously relied upon Privacy Shield will be required to use another GDPR-approved method to legitimize transfers of personal data to the United States and other third countries in compliance with the GDPR. Although in its ruling about the Privacy Shield, the CJEU deemed that the Standard Contractual Clauses, or SCCs, approved by the European Commission for transfers of personal data between EU controllers and non-EU processors, such as us, are valid, the CJEU also noted that transfers made pursuant to the SCCs need to be analyzed on a case-by-case basis to ensure EU standards of data protection are met in the jurisdiction where the data importer is based, and there continue to be concerns about whether the SCCs will face additional challenges. On June 4, 2021, the European Commission published new versions of the SCCs, which seek to address the issues identified by the CJEU’s decision and provide further details regarding the transfer assessments that the parties are required to conduct when implementing the new SCCs. However, there continue to be concerns about whether the SCCs and other mechanisms will face additional challenges. Until the remaining legal uncertainties regarding how to legally continue these transfers are settled, and despite not being currently subject to the GDPR, we will continue to face uncertainty as to whether efforts to comply with European transfer restrictions will be sufficient. 
This and other future developments regarding the flow of data across borders could increase the cost and complexity of delivering our products and services in some markets and may lead to governmental enforcement actions, litigation, fines and penalties or adverse publicity, which could have an adverse effect on our reputation and business.
We publish privacy policies, self-certifications, such as the EU-U.S. Privacy Shield, and other documentation regarding our collection, processing, use and disclosure of personal information, credit card information, and other confidential information. Although we endeavor to comply with our published policies, certifications, and documentation, we may at times fail to do so or may be perceived to have failed to do so. Such failures can subject us to potential international, local, state, and federal action if they are found to be deceptive, unfair, or misrepresentative of our actual practices, resulting in reputational or financial harm to us.
Globally, there have been numerous lawsuits brought against technology companies related to their privacy and data security practices. If those lawsuits are successful, it could increase the risk that we may be exposed to liability for similar practices. Furthermore, if customer concerns regarding data security increase, customers may be hesitant to provide us with the data necessary to provide our service effectively. This could generally limit the adoption of our product and the growth of our company.
Payment transactions processed on our platform and through the Olo Pay module may subject us to regulatory requirements and the rules of payment card networks, and other risks that could be costly and difficult to comply with or that could harm our business.
The payment card networks require us to comply with payment card network operating rules, including special operating rules that apply to us as a “payment service provider” that provides payment processing-related services to merchants and payment processors. The payment card networks set these network rules and have discretion to interpret them and change them. We are also required by our payment processors to comply with payment card network operating rules and we have agreed to reimburse our payment processors for any fines they are assessed by payment card networks as a result of any rule violations by us or our customers. Any changes to or interpretations of the network rules that are inconsistent with the way we and the payment processors and merchants currently operate may require us to make changes to our business that could be costly or difficult to implement. If we fail to make such changes or otherwise resolve the issue with the payment card networks, the networks could fine us, cancel or suspend our registration as a payment service provider, or prohibit us from processing payment cards, which could have an adverse effect on our business, financial condition, and operating results. In addition, violations of the network rules or any failure to maintain good standing with the payment card networks as a payment service provider could impact our ability to facilitate payment card transactions on our platform, increase our costs, or otherwise harm our business. If we were unable to facilitate payment card transactions on our platform, or were limited in our ability to do so, our business would be materially and adversely affected. We released a beta version of our payment solution, Olo Pay, to select restaurant brands in October 2020. We expect to begin commercially offering Olo Pay in the first quarter of 2022, which could lead to more payment transactions processed.
If we fail to comply with the rules and regulations adopted by the payment card networks, we would be in breach of our contractual obligations to our payment processors, financial institutions, or partners. Such failure to comply may subject us to fines, penalties, damages, higher transaction fees and civil liability, and could eventually prevent us from processing or accepting payment cards or could lead to a loss of payment processor partners, even if there is no compromise of customer or