Arlo Technologies (ARLO) Risk Factors

A substantial portion of our sales are on an open credit basis, with typical payment terms of 30 to 60 days in the United States and, because of local customs or conditions, longer in some markets outside the United States. We monitor individual customer financial viability in granting such open credit arrangements, seek to limit such open credit to amounts we believe the customers can pay and maintain reserves we believe are adequate to cover exposure for doubtful accounts. Any bankruptcies or illiquidity among our customer base or sublease counterparties could harm our business and have a material adverse effect on our financial condition and results of operations. To the degree that turmoil in the credit markets makes it more difficult for some customers or sublease counterparties to obtain financing, our customers' or sublease counterparties' ability to pay could be adversely impacted, which in turn could materially and adversely affect our business, results of operations, and financial condition. In June 2021, we entered into a sublease agreement, with a term that runs concurrent with the term of the head lease, for our San Jose office space in light of the COVID-19 pandemic and its impact on the changing nature of office space use by our workforce. We believe we have secured a quality subtenant with appropriate sublease terms. However, if the subtenant default on their sublease obligations with us or otherwise terminate their sublease with us, we may experience a loss of planned sublease rental income, which could result in a material charge against our operating results. If that were to happen, we may be unable to enter into a new sublease on acceptable terms or at all and even if we do, such sublease may result in our incurring liabilities and expenses in future periods or the rent payments we receive from a new subtenant being less than our rent obligations under the head lease. Under these circumstances, we would be responsible for any shortfall.

Our services, including our intelligent cloud and App platform and our Arlo Secure services, are complex, and may not always perform as intended due to outages of our systems or defects affecting our services. Systems outages could be disruptive to our business and damage the reputation of our services and result in potential loss of revenue. Significant defects affecting our services may be found following the introduction of new software or enhancements to existing software or in software implementations in varied information technology environments. Internal quality assurance testing and end-user testing may reveal service performance issues or desirable feature enhancements that could lead us to reallocate service development resources or postpone the release of new versions of our software. The reallocation of resources or any postponement could cause delays in the development and release of future enhancements to our currently available software, damage the reputation of our services in the marketplace, and result in potential loss of revenue. Although we attempt to resolve all errors that we believe would be considered serious by our partners and customers, the software powering our services is not error-free. Undetected errors or performance problems may be discovered in the future, and known errors that we consider minor may be considered serious by our channel partners and end-users. System disruptions and defects in our services could result in lost revenue, delays in customer deployment, or legal claims and could be detrimental to our reputation.

In the ordinary course of business, we process personal data about our customers, employees, and others and other sensitive information, including proprietary and confidential business data, trade secrets, intellectual property, and sensitive third-party data. Our data processing activities may subject us to numerous data privacy and security obligations, such as various laws, regulations, guidance, industry standards, external and internal privacy and security policies, contractual requirements, and other obligations relating to data privacy and security, including with respect to user privacy, rights of publicity, data protection, content, protection of minors, and consumer protection. In the United States, federal, state, and local governments have enacted numerous data privacy and security laws, including data breach notification laws, personal data privacy laws, consumer protection laws (e.g., Section 5 of the Federal Trade Commission Act), and other similar laws (e.g., wiretapping and recording laws). For example, the California Consumer Privacy Act of 2018 ("CCPA") applies to personal information of consumers, business representatives and employees and requires businesses to provide specific disclosures in privacy notices and honor requests of California residents to exercise certain privacy rights, such as those noted below. The CCPA provides for civil penalties of up to $7,500 per violation and allows private litigants affected by certain data breaches to recover significant statutory damages. In addition, the California Privacy Rights Act of 2020 ("CPRA"), which became operative January 1, 2023, expands the CCPA's requirements, including by adding a new right for individuals to correct their personal information and establishing a new regulatory agency to implement and enforce the law. Other states, such as Colorado, Connecticut, Virginia and Utah, have also passed comprehensive privacy laws, and similar laws are being considered in several other states, as well as at the federal and local levels. These state laws and the CCPA provide individuals with certain rights concerning their personal information, including the right to access, correct, or delete certain personal information, and opt-out of certain data processing activities, such as targeted advertising, profiling, and automated decision-making. The exercise of these rights may impact our business and ability to provide our products and services. These developments further complicate compliance efforts, and increase legal risk and compliance costs for us, the third parties upon whom we rely. Additionally, under various privacy laws and other obligations, we may be required to obtain certain consents to process personal data. For example, some of our data processing practices have in the past and may in the future be challenged under wiretapping laws, because we obtain consumer information from third parties through various methods, including chatbot and session replay providers, or via third-party marketing pixels. These practices may be subject to increased challenges by class action plaintiffs. Our inability or failure to obtain consent for these practices could result in adverse consequences. Outside the United States, an increasing number of laws, regulations, and industry standards may govern data privacy and security. For example, the European Union's General Data Protection Regulation ("EU GDPR"), the United Kingdom's GDPR ("UK GDPR"), Australia's Privacy Act 1988 (Privacy Act), and Canada's Personal Information Protection and Electronic Documents Act ("PIPEDA") and various related provincial laws, as well as Canada's Anti-Spam Legislation ("CASL"), may apply to our operations and impose strict requirements for processing personal data. For example, under the EU GDPR, companies may face temporary or definitive bans on data processing and other corrective actions; fines of up to 20 million Euros or 4% of annual global revenue, whichever is greater; or private litigation related to processing of personal data brought by classes of data subjects or consumer protection organizations authorized at law to represent their interests. In the ordinary course of business, we may transfer personal data from Europe and other jurisdictions to the United States or other countries. Europe and other jurisdictions have enacted laws requiring data to be localized or limiting the transfer of personal data to other countries. In particular, the European Economic Area (EEA) and the United Kingdom (UK) have significantly restricted the transfer of personal data to the United States and other countries whose privacy laws it believes are inadequate. Other jurisdictions may adopt similarly stringent interpretations of their data localization and cross-border data transfer laws. Although there are currently various mechanisms that may be used to transfer personal data from the EEA and UK to the United States in compliance with law, such as the EEA and UK's standard contractual clauses, the UK's International Data Transfer Agreement / Addendum, and the EU-U.S. Data Privacy Framework and the UK extension thereto (which allows for transfers for relevant U.S.-based organizations who self-certify compliance and participate in the Framework), these mechanisms are subject to legal challenges, and there is no assurance that we can satisfy or rely on these measures to lawfully transfer personal data to the United States. If there is no lawful manner for us to transfer personal data from the EEA, the UK or other jurisdictions to the United States, or if the requirements for a legally-compliant transfer are too onerous, we could face significant adverse consequences, including the interruption or degradation of our operations, the need to relocate part of or all of our business or data processing activities to other jurisdictions (such as Europe) at significant expense, increased exposure to regulatory actions, substantial fines and penalties, the inability to transfer data and work with partners, vendors and other third parties, and injunctions against our processing or transferring of personal data necessary to operate our business. Additionally, companies that transfer personal data out of the EEA and UK to other jurisdictions, particularly to the United States, are subject to increased scrutiny from regulators, individual litigants, and activist groups. Some European regulators have prevented companies from transferring personal data out of Europe for allegedly violating the GDPR's cross-border data transfer limitations. For example, in May 2023, the Irish Data Protection Commission determined that a major social media company's use of the standard contractual clauses to transfer personal data from Europe to the United States was insufficient and levied a 1.2 billion Euro fine against the company and prohibited the company from transferring personal data to the United States. Our employees and personnel use generative artificial intelligence ("AI") technologies to perform their work, and the disclosure and use of personal information in generative AI technologies are subject to various privacy laws and other privacy obligations. Governments have passed and are likely to pass additional laws regulating generative AI. Our use of this technology could result in additional compliance costs, regulatory investigations and actions, and consumer lawsuits. If we are unable to use generative AI, it could make our business less efficient and result in competitive disadvantages. We use AI and machine learning ("ML") to assist us in making certain decisions, which are regulated by certain privacy laws. Due to inaccuracies or flaws in the inputs, outputs, or logic of the AI/ML, the model could be biased and could lead us to make decisions that could bias certain individuals (or classes of individuals), and adversely impact their rights, employment, and ability to obtain certain pricing, products, services, or benefits. We also use AI/ML technologies in our products and services. The development and use of AI/ML present various privacy and security risks that may impact our business. AI/ML are subject to privacy and data security laws, as well as increasing regulation and scrutiny. Several jurisdictions around the globe, including Europe and certain U.S. states, have proposed or enacted laws governing AI/ML. For example, European regulators have proposed a stringent AI regulation, and we expect other jurisdictions will adopt similar laws. Additionally, certain privacy laws extend rights to consumers (such as the right to delete certain personal data) and regulate automated decision making, which may be incompatible with our use of AI/ML. These obligations may make it harder for us to conduct our business using AI/ML, lead to regulatory fines or penalties, require us to change our business practices, retrain our AI/ML, or prevent or limit our use of AI/ML. For example, the FTC has required other companies to turn over (or disgorge) valuable insights or trainings generated through the use of AI/ML where they allege the company has violated privacy and consumer protection laws. If we cannot use AI/ML or are restricted in the use of AI/ML, our business may be less efficient, or we may be at a competitive disadvantage. We use identity verification technologies in connection with the "person detection" feature in some of our products and services that may subject us to biometric privacy laws. For example, the Illinois Biometric Information Privacy Act ("BIPA") regulates the collection, use, safeguarding, and storage of biometric information. BIPA provides for substantial penalties and statutory damages and has generated significant class action activity, and the cost of litigating and settling past and any future claims that we have violated BIPA or similar laws could be significant. In addition to litigation, regulators, such as the Federal Trade Commission (FTC), have indicated that use of biometric technologies (including facial recognition technologies) may be subject to additional scrutiny. In addition to data privacy and security laws, we may be contractually subject to industry standards adopted by industry groups and may become subject to such obligations in the future. For example, we may also be subject to the Payment Card Industry Data Security Standard ("PCI DSS"). The PCI DSS requires companies to adopt certain measures to ensure the security of cardholder information, including using and maintaining firewalls, adopting proper password protections for certain devices and software, and restricting data access. Noncompliance with PCI-DSS can result in penalties ranging from $5,000 to $100,000 per month by credit card companies, litigation, damage to our reputation, and revenue losses. We also rely on vendors to process payment card data, and those vendors may be subject to PCI DSS, and our business may be negatively affected if our vendors are fined or suffer other consequences as a result of PCI DSS noncompliance. We may also be bound by contractual obligations related to data privacy and security, and our efforts to comply with such obligations may not be successful. For example, certain privacy laws, such as the GDPR and the CCPA, require our customers to impose specific contractual restrictions on their service providers. We publish privacy policies, marketing materials and other statements, such as compliance with certain certifications or self-regulatory principles, regarding data privacy and security. If these policies, materials or statements are found to be deficient, lacking in transparency, deceptive, unfair, or misrepresentative of our practices, we may be subject to investigation, enforcement actions by regulators or other adverse consequences. Obligations related to data privacy and security (and consumers' data privacy expectations) are quickly changing, becoming increasingly stringent, and creating uncertainty. Additionally, these obligations may be subject to differing applications and interpretations, which may be inconsistent or conflict among jurisdictions. Preparing for and complying with these obligations requires us to devote significant resources, which may necessitate changes to our services, information technologies, systems, and practices and to those of any third parties that process personal data on our behalf. In addition, these obligations may require us to change our business model. Our business model materially depends on our ability to process personal data, so we are particularly exposed to the risks associated with the rapidly changing legal landscape. For example, we may be at heightened risk of regulatory scrutiny, and any changes in the regulatory framework could require us to fundamentally change our business model. We may at times fail (or be perceived to have failed) in our efforts to comply with our data privacy and security obligations. We have in the past received inquiries and/or been the subject of reports regarding our data privacy and security practices and processing. Moreover, despite our efforts, our personnel or third parties on whom we rely may fail to comply with such obligations, which could negatively impact our business operations. If we or the third parties on which we rely fail, or are perceived to have failed, to address or comply with applicable data privacy and security obligations, we could face significant consequences, including but not limited to: government enforcement actions (e.g., investigations, fines, penalties, audits, inspections, and similar); litigation (including class-action claims); additional reporting requirements and/or oversight; bans on processing personal data; orders to destroy or not use personal data; and imprisonment of company officials. Any of these events could have a material adverse effect on our reputation, business, or financial condition, including but not limited to: loss of customers; interruptions or stoppages in our business operations; inability to process personal data or to operate in certain jurisdictions; limited ability to develop or commercialize our products; expenditure of time and resources to defend any claim or inquiry; adverse publicity; or substantial changes to our business model or operations.

Pursuant to the master separation agreement entered into between us and NETGEAR and certain other agreements with NETGEAR, NETGEAR has agreed to indemnify us for certain liabilities. The master separation agreement provides for cross-indemnities principally designed to place financial responsibility for the obligations and liabilities of our business with us and financial responsibility for the obligations and liabilities of NETGEAR's business with NETGEAR. Under the intellectual property rights cross-license agreement entered into between us and NETGEAR, each party, in its capacity as a licensee, indemnifies the other party, in its capacity as a licensor, as well as its directors, officers, agents, successors and subsidiaries against any losses suffered by such indemnified party as a result of the indemnifying party's practice of the intellectual property licensed to such indemnifying party under the intellectual property rights cross-license agreement. Also, under the tax matters agreement entered into between us and NETGEAR, each party is liable for, and indemnifies the other party and its subsidiaries from and against any liability for, taxes that are allocated to such party under the tax matters agreement. In addition, we have agreed in the tax matters agreement that each party will generally be responsible for any taxes and related amounts imposed on us or NETGEAR as a result of the failure of the Distribution, together with certain related transactions, to qualify as a transaction that is generally tax-free, for U.S. federal income tax purposes, under Sections 355 and 368(a)(1)(D) and certain other relevant provisions of the Code, to the extent that the failure to so qualify is attributable to actions, events or transactions relating to such party's respective stock, assets or business, or a breach of the relevant representations or covenants made by that party in the tax matters agreement. The transition services agreement generally provides that the applicable service recipient indemnifies the applicable service provider for liabilities that such service provider incurs arising from the provision of services other than liabilities arising from such service provider's gross negligence, bad faith or willful misconduct or material breach of the transition services agreement, and that the applicable service provider indemnifies the applicable service recipient for liabilities that such service recipient incurs arising from such service provider's gross negligence, bad faith or willful misconduct or material breach of the transition services agreement. Pursuant to the registration rights agreement, we have agreed to indemnify NETGEAR and its subsidiaries that hold registrable securities (and their directors, officers, agents and, if applicable, each other person who controls such holder under Section 15 of the Securities Act) registering shares pursuant to the registration rights agreement against certain losses, expenses and liabilities under the Securities Act, common law or otherwise. NETGEAR and its subsidiaries that hold registrable securities similarly indemnify us but such indemnification will be limited to an amount equal to the net proceeds received by such holder under the sale of registrable securities giving rise to the indemnification obligation. However, third parties could also seek to hold us responsible for any of the liabilities that NETGEAR has agreed to retain, and we cannot assure that an indemnity from NETGEAR will be sufficient to protect us against the full amount of such liabilities, or that NETGEAR will be able to fully satisfy its indemnification obligations in the future. Even if we ultimately succeed in recovering from NETGEAR any amounts for which we are held liable, we may be temporarily required to bear these losses. Each of these risks could materially and adversely affect our business, results of operations, and financial condition.

Our operations are routinely subject to audit by tax authorities in various countries. Many countries have indirect tax systems where the sale and purchase of goods and services are subject to tax based on the transaction value. These taxes are commonly referred to as value-added tax ("VAT") or goods and services tax ("GST"). In addition, the distribution of our products subjects us to numerous complex customs regulations, which frequently change over time. Failure to comply with these systems and regulations can result in the assessment of additional taxes, duties, interest, and penalties. While we believe we are in compliance with local laws, we cannot assure that tax and customs authorities will agree with our reporting positions and upon audit such tax and customs authorities may assess additional taxes, duties, interest, and penalties against us. Adverse action by any government agencies related to indirect tax laws could materially and adversely affect our business, results of operations and financial condition.

To successfully evolve our product offerings of smart security devices to appeal to our consumers, we will be required to predict, understand, and react to the rapidly changing tastes of consumers and provide appealing products in a timely manner. New product models that we introduce may not be successful with consumers or our brand may fall out of favor with consumers. If we are unable to anticipate, identify, or react appropriately to changes in consumer preferences, our revenue may decrease, our brand image may suffer, our operating performance may decline, and we may not be able to execute our growth plans. We have increased the rate of new product and service introductions, including new lines of Arlo cameras, smart lights, and doorbell products, and we may encounter difficulties that we did not anticipate during the product development stage. If we are not able to efficiently manufacture new products in quantities sufficient to support wholesale, retail, and e-commerce distribution, we may not be able to recover our investment in the development of new product and service iterations and product lines, and we would continue to be subject to the risks inherent to having a limited product line. Even if we develop and manufacture new products and services that consumers find appealing, the ultimate success of any new products or services may depend on our pricing. We may not provide the appropriate level of marketing in order to educate the market and potential consumers about our new products and services. Achieving market acceptance will require us to exert substantial product development and marketing efforts, which could result in a material increase in our research and development and sales and marketing expenses. There can be no assurance that we will have the resources necessary to undertake such efforts effectively or that such efforts will be successful or that we will dedicate our limited marketing resources to the right product lines and services. Failure to gain market acceptance for new products and services could impede our ability to maintain or grow current revenue levels, reduce profits, adversely affect the image of our brand, erode our competitive position, and result in long-term harm to our business and financial results.

The success of our business depends, in part, on the capacity, affordability, reliability, and prevalence of wireless data networks provided by wireless telecommunications operators and on which our IoT hardware products and solutions operate. Growth in demand for wireless data access may be limited if, for example, wireless telecommunications operators cease or materially curtail operations, fail to offer services that customers consider valuable at acceptable prices, fail to maintain sufficient capacity to meet demand for wireless data access, delay the expansion of their wireless networks and services, fail to offer and maintain reliable wireless network services, or fail to market their services effectively.

Any shortage or delay in the supply of key product components would harm our ability to meet scheduled product deliveries. Many of the components used in our products are specifically designed for use in our products, some of which are obtained from sole source suppliers. These components include lens, lens-sensors, and passive infrared sensors that have been customized for the Arlo application, as well as custom-made batteries that provide power conservation and safety features. In addition, the components used in our end products have been optimized to extend battery life. Our third-party manufacturers generally purchase these components on our behalf, and we do not have any contractual commitments or guaranteed supply arrangements with our suppliers. If demand for a specific component increases, we may not be able to obtain an adequate number of that component in a timely manner or at all. In addition, if worldwide demand for the components increases significantly, the availability of these components could be limited. Further, our suppliers may experience financial or other difficulties as a result of uncertain and weak worldwide economic conditions. Other factors that may affect our suppliers' ability or willingness to supply components to us include internal management or reorganizational issues, such as roll-out of new equipment which may delay or disrupt supply of previously forecasted components, or industry consolidation and divestitures, which may result in changed business and product priorities among certain suppliers. It could be difficult, costly, and time consuming to obtain alternative sources for these components, or to change product designs to make use of alternative components. In addition, difficulties in transitioning from an existing supplier to a new supplier could create delays in component availability that would have a significant impact on our ability to fulfill orders for our products. We generally provide our third-party manufacturers with a rolling forecast of demand, which they use to determine our material and component requirements. Lead times for ordering materials and components vary significantly and depend on various factors, such as the specific supplier, contract terms, and demand and supply for a component at a given time. Some of our components have long lead times, such as wireless local area network chipsets, physical layer transceivers, connector jacks, and metal and plastic enclosures. If our forecasts are not timely provided or are lower than our actual requirements, our third-party manufacturers may be unable to manufacture products in a timely manner or at all. If our forecasts are too high, our third-party manufacturers will be unable to use the components they have purchased on our behalf. The cost of the components used in our products tends to drop rapidly as volumes increase and the technologies mature. Therefore, if our third-party manufacturers are unable to promptly use components purchased on our behalf, our cost of producing products may be higher than our competitors due to an oversupply of higher-priced components. Moreover, if they are unable to use components ordered at our direction, we will need to reimburse them for any losses they incur. If we are unable to obtain a sufficient supply of components, or if we experience any interruption in the supply of components, our product shipments could be reduced or delayed or our cost of obtaining these components may increase. In addition, sole suppliers of highly specialized components may provide, or have provided components that were either defective or did not meet the criteria required by us or our manufacturers, retailers, distributors, or other channel partners, resulting in delays, lost revenue opportunities, and potentially substantial write-offs.

If we are unable to properly monitor, control, and manage our sales channel inventory and maintain an appropriate level and mix of products with our distributors and within our sales channels, we may incur increased and unexpected costs associated with this inventory. We generally allow distributors and traditional retailers to return a limited amount of our products in exchange for other products. Under our price protection policy, if we reduce the list price of a product, we are often required to issue a credit in an amount equal to the reduction for each of the products held in inventory by our wholesale distributors and retailers. If our wholesale distributors and retailers are unable to sell their inventory in a timely manner, we might lower the price of the products, or these parties may exchange the products for newer products. Also, during the transition from an existing product to a new replacement product, we must accurately predict the demand for the existing and the new product. We determine production levels based on our forecasts of demand for our products. Actual demand for our products depends on many factors, which makes it difficult to forecast. We have experienced differences between our actual and our forecasted demand in the past and expect differences to arise in the future. If we improperly forecast demand for our products, we could end up with too many products and be unable to sell the excess inventory in a timely manner, if at all, or, alternatively, we could end up with too few products and not be able to satisfy demand. This problem is exacerbated because we attempt to closely match inventory levels with product demand, leaving limited margin for error. If these events occur, we could incur increased expenses associated with writing off excessive or obsolete inventory, lose sales, incur penalties for late delivery, or have to ship products by air freight to meet immediate demand, thereby incurring incremental freight costs above the sea freight costs, a preferred method, and suffering a corresponding decline in gross margin.