demand for our platform. In addition, if our security measures fail to protect credit card information adequately, we could be liable to our partners, our customers, and consumers for their losses. As a result, we could be subject to fines, we could face regulatory or other legal action, and our customers could end their relationships with us. There can be no assurance that the limitations of liability in our contracts would be enforceable or adequate or would otherwise protect us from any such liabilities or damages with respect to any particular claim. We also cannot be sure that our existing insurance coverage and coverage for errors and omissions will continue to be available on acceptable terms or will be available in sufficient amounts to cover one or more large claims, or that our insurers will not deny coverage as to any future claim. The successful assertion of one or more large claims against us that exceeds our available insurance coverage, or changes in our insurance policies, including premium increases, or the imposition of large deductible or co-insurance requirements, could have an adverse effect on our business and results of operations.
We are subject to stringent and changing privacy laws, regulations and standards, and contractual obligations related to data privacy and security. Our actual or perceived failure to comply with such obligations could harm our reputation, subject us to significant fines and liability, or adversely affect our business.
The regulatory framework for privacy and security issues in the United States is rapidly evolving. Laws in all 50 states require us to provide notice to customers when certain sensitive personal information has been disclosed as a result of a data breach. These laws are frequently inconsistent, and compliance in the event of a widespread data breach is costly.
Moreover, states regularly enact new laws and regulations, which require us to provide consumers with certain disclosures related to our privacy practices, as well as maintain systems necessary to allow customers to invoke their rights. For example, on January 1, 2020, California adopted the California Consumer Privacy Act of 2018, or CCPA, which provides new data privacy rights for consumers and new operational requirements for covered businesses. The CCPA gives California residents more control over their personal information and includes a statutory damages framework and private right of action imposing civil penalties against businesses that fail to comply with certain security practices. Although the CCPA’s implementation standards and enforcement practices are likely to remain uncertain for the foreseeable future, the CCPA may increase our compliance costs and exposure to liability. More so, additional states that adopt privacy laws that differ from the CCPA may require us to do unanticipated and unbudgeted work in order to comply with additional privacy and data security requirements. We anticipate that more states may enact legislation similar to the CCPA, providing consumers around the United States with new privacy rights and increasing the privacy and security obligations of entities handling certain personal information of such consumers. The CCPA has already prompted a number of proposals for new federal and state-level privacy legislation. Such proposed legislation, if enacted, may add additional complexity, variation in requirements, restrictions and potential legal risk, require additional investment of resources in compliance programs, impact strategies and the availability of previously useful data and could result in increased compliance costs and/or changes in business practices and policies. Additionally, these costs may impede our development and could limit the adoption of our services. 
Finally, any failure by our vendors to comply with applicable law or regulations could result in proceedings against us by governmental entities or others. Additionally, a new California ballot initiative, the California Privacy Rights Act, or the CPRA, was passed in November 2020. Effective starting on January 1, 2023, the CPRA imposes additional obligations on companies covered by the legislation and will significantly modify the CCPA, including by expanding consumers’ rights with respect to certain sensitive personal information. The CPRA also creates a new state agency that will be vested with authority to implement and enforce the CCPA and the CPRA. The effects of the CCPA and the CPRA are potentially significant and may require us to modify our data collection or processing practices and policies and to incur substantial costs and expenses in an effort to comply and increase our potential exposure to regulatory enforcement and litigation. Additionally, virtually every foreign jurisdiction in which our current or potential future customers may operate has established privacy and data security laws, rules, and regulations. The European Union, or EU, has adopted the General Data Protection Regulation, or GDPR, which went into effect on May 25, 2018. Among other requirements, the GDPR regulates transfers of personally identifiable information from the EU to non-EU countries, such as the United States. Under the GDPR, fines of up to €20 million or up to 4% of the annual global revenue of the noncompliant company, whichever is greater, could be imposed for violations of certain GDPR requirements. Moreover, individuals can claim damages as a result of GDPR violations. Other jurisdictions outside the EU are similarly introducing or enhancing privacy and data security laws, rules, and regulations, which may increase the risks associated with non-compliance.
Certain current or potential future customers are subject to the GDPR and we may be required to assist such customers with their compliance obligations. While we are not currently subject to the GDPR ourselves, many of our customers are subject to the GDPR. We may be required to expend resources to assist our customers with such compliance obligations. Assisting our customers in complying with the GDPR, or complying with the GDPR ourselves if we expand our business to the EU in the future, may cause us to incur substantial operational costs or require us to change our business practices to maintain such information in the European Economic Area.
2022 10K