our customers, consumers, or other relevant stakeholders. These proceedings or violations could force us to spend money in defense or settlement of these proceedings, result in the imposition of monetary liability or injunctive relief, divert management’s time and attention, increase our costs of doing business, and materially adversely affect our reputation and the demand for our platform. In addition, if our security measures fail to protect credit card information adequately, we could be liable to our partners, our customers, and consumers for their losses. As a result, we could be subject to fines, we could face regulatory or other legal action, and our customers could end their relationships with us.

There can be no assurance that the limitations of liability in our contracts would be enforceable or adequate or would otherwise protect us from any such liabilities or damages with respect to any particular claim. We also cannot be sure that our existing insurance coverage and coverage for errors and omissions will continue to be available on acceptable terms or will be available in sufficient amounts to cover one or more large claims, or that our insurers will not deny coverage as to any future claim. The successful assertion of one or more large claims against us that exceeds our available insurance coverage, or changes in our insurance policies, including premium increases, or the imposition of large deductible or co-insurance requirements, could have an adverse effect on our business and results of operations.

We are subject to stringent and changing privacy laws, regulations and standards, and contractual obligations related to data privacy and security. Our actual or perceived failure to comply with such obligations could harm our reputation, subject us to significant fines and liability, or adversely affect our business.

The regulatory framework for privacy and security issues in the United States is rapidly evolving.
Laws in all 50 states require us to provide notice to customers when certain sensitive personal information has been disclosed as a result of a data breach. These laws are frequently inconsistent, and compliance in the event of a widespread data breach is costly. Moreover, states regularly enact new laws and regulations, which require us to provide consumers with certain disclosures related to our privacy practices, as well as maintain systems necessary to allow customers to invoke their rights. For example, on January 1, 2020, California adopted the California Consumer Privacy Act of 2018, or CCPA, which provides new data privacy rights for consumers and new operational requirements for covered businesses. The CCPA gives California residents more control over their personal information and includes a statutory damages framework and private right of action imposing civil penalties against businesses that fail to comply with certain security practices. Although the CCPA’s implementation standards and enforcement practices are likely to remain uncertain for the foreseeable future, the CCPA may increase our compliance costs and exposure to liability. More so, additional states that adopt privacy laws that differ from the CCPA may require us to do unanticipated and unbudgeted work in order to comply with additional privacy and data security requirements. The costs associated with compliance may impede our development and could limit the adoption of our services. Finally, any failure by our vendors to comply with applicable law or regulations could result in proceedings against us by governmental entities or others. Additionally, virtually every foreign jurisdiction in which our current or potential future customers may operate has established privacy and data security laws, rules, and regulations. The European Union, or E.U., has adopted the General Data Protection Regulation, or GDPR, which went into effect on May 25, 2018. 
Among other requirements, the GDPR regulates transfers of personally identifiable information from the E.U. to non-E.U. countries, such as the United States. Under the GDPR, fines of up to €20 million or up to 4% of the annual global revenue of the noncompliant company, whichever is greater, could be imposed for violations of certain GDPR requirements. Moreover, individuals can claim damages as a result of GDPR violations. Other jurisdictions outside the E.U. are similarly introducing or enhancing privacy and data security laws, rules, and regulations, which may increase the risks associated with non-compliance. Certain current or potential future customers are subject to the GDPR and we may be required to assist such customers with their compliance obligations. While we are not currently subject to the GDPR ourselves, many of our customers are subject to the GDPR. We may be required to expend resources to assist our customers with such compliance obligations. Assisting our customers in complying with the GDPR or complying with the GDPR ourselves if we expand our business to the E.U. in the future may cause us to incur substantial operational costs or require us to change our business practices to maintain such information in the European Economic Area. We publish privacy policies, self-certifications, such as the E.U.-U.S. Privacy Shield, and other documentation regarding our collection, processing, use and disclosure of personal information, credit card information, and other confidential information. Recently, the E.U.-U.S. Privacy Shield was declared insufficient by the Court of Justice of the European Union and the E.U.-U.S. Privacy Shield is no longer a valid mechanism to comply with E.U. data protection requirements relating to data transfers. We do not know when, or if, the E.U.-U.S. Privacy Shield will become an effective mechanism for data transfers.
Although we endeavor to comply with our published policies, certifications, and documentation, we may at times fail to do so or may be perceived to have failed to do so. Such failures can subject us to potential international, local, state, and federal action if they are found to be deceptive, unfair, or misrepresentative of our actual practices, resulting in reputational or financial harm to the company. Globally, there have been numerous lawsuits brought against technology companies related to their

Q3 2021 10Q - Page 64