market for our services and technologies or impose burdensome requirements on our services and/or customers’ use of our services, thereby rendering our business unprofitable.
Some features of our services may trigger the data protection requirements of certain foreign jurisdictions, such as the EU General Data Protection Regulation (the “GDPR”), and the EU ePrivacy Directive. In addition, our services may be subject to regulation under current or future laws or regulations. For instance, the EU ePrivacy Directive is soon to be replaced in its entirety by the ePrivacy Regulation, which will bring with it an updated set of rules relevant to many aspects of our business. If our treatment of data, privacy practices or data security measures fail to comply with these current or future laws and regulations in any of the jurisdictions in which we collect and/or process information, we may be subject to litigation, regulatory investigations, civil or criminal enforcement, financial penalties, audits or other liabilities in such jurisdictions, or our customers may terminate their relationships with us. In addition, data protection laws, such as the GDPR, foreign court judgments or regulatory actions could affect our ability to transfer, process and/or receive transnational data that is critical to our operations, including data relating to users, customers, or partners outside the United States. For instance, the GDPR restricts transfers of personal data outside of the European Economic Area, including to the United States, subject to certain requirements. Such data protection laws, judgments or actions could affect the manner in which we provide our services or adversely affect our financial results if foreign customers and partners are not able to lawfully transfer data to us.
This area of the law is currently under intense government scrutiny and many governments, including the U.S. government, are considering a variety of proposed regulations that would restrict or impact the conditions under which data obtained from individuals could be collected, processed, stored, transferred, sold or shared with third parties. In addition, regulators such as the Federal Trade Commission and the California Attorney General are continually proposing new regulations and interpreting and applying existing regulations in new ways. For example, in June 2018, California passed the California Consumer Privacy Act (the “CCPA”), which provides new data privacy rights for consumers and new informational, disclosure and operational requirements for companies, effective January 2020. Fines for non-compliance may be up to $7,500 per violation. The burdens imposed by the GDPR and CCPA, and changes to existing laws or new laws regulating the solicitation, collection, processing, or sharing of personal and consumer information, and consumer protection could affect our customers’ utilization of our services and technology and could potentially reduce demand, or impose restrictions that make it more difficult or expensive for us to provide our services.
In addition, ongoing legal challenges in Europe to the mechanisms allowing companies to transfer personal data from the European Economic Area to the United States could result in further limitations on the ability to transfer data across borders, particularly if governments are unable or unwilling to reach new or maintain existing agreements that support cross-border data transfers, such as the EU-U.S. and Swiss-U.S. Privacy Shield frameworks and the European Commission’s Model Contractual Clauses, each of which is currently under particular scrutiny. Additionally, certain countries have passed or are considering passing laws requiring local data residency. The costs of compliance with, and other burdens imposed by, privacy laws, regulations and standards may limit the use and adoption of our services, reduce overall demand for our services, make it more difficult to meet expectations from or commitments to customers, lead to significant fines, penalties or liabilities for noncompliance, impact our reputation, or slow the pace at which we close sales transactions, any of which could harm our business.
Furthermore, the uncertain and shifting regulatory environment and trust climate may cause concerns regarding data privacy and may cause our customers or our customers’ customers to resist providing the data necessary to allow our customers to use our services effectively. Even the perception that the privacy of personal information is not satisfactorily protected or does not meet regulatory requirements could inhibit sales of our products or services and could limit adoption of our cloud-based solutions.
If our customers fail to abide by applicable privacy laws or to provide adequate notice and/or obtain any required consent from end users, we could be subject to litigation or enforcement action or reduced demand for our services.
Our customers utilize our services and technologies to track connected devices anonymously and we must rely on our customers to implement and administer notice and choice mechanisms required under applicable laws. If we or our customers fail to abide by these laws, it could result in litigation or regulatory or enforcement action against our customers or against us directly.
Any actual or perceived failure to comply with our privacy policy or legal or regulatory requirements in one or multiple jurisdictions could result in proceedings, actions or penalties against us.
Any failure or perceived failure to comply with federal, state or foreign laws or regulations, industry standards, contractual obligations or other legal obligations, or any actual or suspected security incident, whether or not resulting in unauthorized access to, or acquisition, release or transfer of personal data or other data, may result in governmental enforcement actions and prosecutions, private litigation, fines and penalties or adverse publicity and could cause our customers to lose trust in us, which could have an adverse effect