Table of Contents
segregation of our relevant systems and operations, and could adversely affect our business, financial condition and results of operations.
We and our third-party providers are also subject to evolving laws, including in Europe, relating to cookies, tracking technologies and e-marketing. Recent litigation, decisions and guidance are
driving increased attention to cookies, tracking technologies and online advertising. In addition, there has been a noticeable increase in class actions in the United States where plaintiffs have utilized a
variety of laws, including state wiretapping laws, in relation to the use of cookies and other tracking technologies. Any changes to laws relating to cookies, tracking technologies and e-marketing or the
interpretation of relevant laws, including if the trend of increased enforcement by European regulators of the strict approach to consent for the placement of non-essential cookies and tracking
technologies in recent guidance and decisions continues, could disrupt and harm our business.
The interpretation and application of many privacy, data protection, consumer protection and e-marketing laws are, and will likely remain, uncertain, and it is possible that these laws may be
interpreted and applied in a manner that is inconsistent with our existing data management practices or product features. Any failure or perceived failure by us and/or various third-party service
providers and partners with which we do business to comply with or take steps to address such laws and other requirements relating to privacy, data security or the processing of personal data, or any
cybersecurity incident, could damage our reputation, lead to an erosion of trust, result in a loss of creators or consumers, inhibit sales, discourage potential creators and consumers from trying our
platform, result in fines, lawsuits (including class actions) and other claims and penalties, or require us to fundamentally change our business activities and practices or modify our products, any of
which could harm our business, financial condition and results of operations. In addition, given the breadth and depth of changes in data protection obligations, ongoing compliance with evolving
interpretations of applicable U.S. state data protection and privacy laws, the GDPR and other laws and requirements requires time and resources and a review of the technology and systems currently
in use against such requirements. In addition to government regulation, privacy advocacy and industry groups may propose new and different self-regulatory standards that either legally or
contractually apply to us, and complying with such regulatory standards could result in additional costs.
Our acquisition strategy to date, and going forward, often results in the winding down of the acquired platforms over a lengthy period of time while the existing creators migrate to our platform.
The focus often shifts away from these legacy platforms to meeting the needs of migrated creators on our platform. The existence of these legacy platforms within a shifting landscape regarding
privacy, data protection and data security may result in regulatory liability or exposure to fines. A cybersecurity incident on a legacy platform may harm our reputation and our brand and may
adversely affect our business, including the migration of existing creators to our platform. See the risk factor below titled “If we or our third-party providers fail to protect information, including
personal data or sensitive information about creators, consumers or employees and/or IT systems and operations against software or hardware vulnerabilities, service interruptions, data loss,
ransomware, attacks or other cybersecurity incidents, we could experience a loss of creators or consumers, exposure to liability, or an adverse impact on our reputation, brand, business, financial
condition or results of operations”. We may also become exposed to potential liabilities and our attention and resources may be diverted as a result of differing privacy regulations pertaining to our
applications.
If we or our third-party providers fail to protect information, including personal data or sensitive information about creators, consumers or employees and/or IT systems and operations against
software or hardware vulnerabilities, service interruptions, data loss, ransomware, attacks or other cybersecurity incidents, we could experience a loss of creators or consumers, exposure to
liability, or an adverse impact on our reputation, brand, business, financial condition or results of operations.
As an online platform, we rely on computer systems, hardware, software, technology infrastructure and online sites and networks for both internal and external operations that are critical to our
business. Despite the implementation of security measures, we and our third-party providers are vulnerable to power outages, telecommunications failures, interruptions or shutdowns of our platform
and catastrophic events, as well as cybersecurity risks that threaten the confidentiality, integrity and availability of our and third party providers’ information systems and confidential information
(including information about our creators, consumers, employees and others, intellectual property and proprietary information such as trade secrets), including through computer viruses, break-ins,
intentional or accidental actions or inaction by employees or others with authorized access to our or our providers’ networks, social engineering/phishing attacks, denial-of-service attacks, malicious or
destructive code, malware, ransomware attacks, and other cyber attacks, data breaches and cybersecurity incidents.
Cyber attacks and security incidents (including through security breaches, computer malware and computer hacking attacks) upon information systems are increasing in their frequency, levels of
persistence, intensity and sophistication, and threat actors are using rapidly changing techniques and tools – including artificial intelligence – that circumvent security controls, evade detection and
remove forensic evidence, and are being conducted by diverse threat actors, including
15