We are, and may increasingly become, subject to various laws and regulations, as well as contractual obligations and mandatory industry standards, relating to data privacy and security in the jurisdictions in which we operate and/or offer our goods and/or services. The regulatory environment related to data privacy and security is increasingly rigorous, with new and constantly changing requirements potentially applicable to our business, and some enforcement practices are likely to remain uncertain for the foreseeable future. These laws and regulations may be interpreted and applied differently over time and from jurisdiction to jurisdiction, and it is possible that they will be interpreted and applied in ways that may have a material adverse effect on our business, financial condition, results of operations and prospects. As an example, the HIPAA privacy regulations govern the use and disclosure of protected health information by covered healthcare providers, as well as health insurance plans. They also set forth certain rights that an individual has with respect to his or her protected health information maintained by a covered plan, including the right to access or amend certain records containing protected health information or to request restrictions on the use or disclosure of protected health information. The HIPAA security regulations establish requirements for safeguarding the confidentiality, integrity and availability of protected health information that is electronically transmitted or electronically stored. HIPAA violations are subject to civil and criminal penalties. In the United States, various federal and state regulators, including governmental agencies like the FTC, have adopted, or are considering adopting, laws and regulations regarding the processing of personal information, privacy and/or data security. 
According to the FTC, failing to take appropriate steps to keep consumers' personal information secure or using or disclosing personal information in violation of a company's privacy notice may constitute unfair or deceptive acts or practices in or affecting commerce, in violation of the FTC Act. The FTC generally expects a company's data security measures to be reasonable and appropriate in light of the sensitivity and volume of consumer information it holds, the size and complexity of its business and the cost of available tools to improve security and reduce vulnerabilities. On the state-specific level, several state laws generally require data owners to implement reasonable security measures to protect the personal information collected from residents. These laws generally require a data owner to implement reasonable security procedures and practices appropriate to the nature of the information, and to protect the personal information from unauthorized access, destruction, use, modification, or disclosure. As state laws are changing rapidly, we may also become subject to additional data privacy and security laws and regulations in the future, and we anticipate that states, and potentially the federal government, could enact new or amended legislation to strengthen data privacy and security standards, which may cause us to incur additional costs and expenses to maintain compliance and could subject us to fines, penalties and negative publicity in the event of a breach or violation under any such law or regulation. Certain state laws may be more stringent or broader in scope, or offer greater individual rights, with respect to personal information than federal, international or other state laws, and such laws may differ from each other, all of which may complicate compliance efforts.
For example, the California Consumer Privacy Act of 2018, which provides comprehensive consumer privacy rights for California residents and imposes obligations on companies that process their personal information and meet certain revenue or volume processing thresholds, came into effect on January 1, 2020, and was further amended by the CPRA, effective January 1, 2023. The CCPA is also subject to extensive regulations, which are still being finalized. Among other things, the CCPA requires covered companies to provide certain disclosures to California residents and provide such residents consumer privacy rights, including the ability to opt out of certain sales of their personal information, as well as to be able to delete or access personal information. The CCPA provides for civil penalties for violations, as well as a private right of action for certain data breaches. This limited private right of action may increase the likelihood of, and risks associated with, data breach litigation, including class action litigation. In addition, laws in all 50 U.S. states require businesses to provide notice to individuals, and in some states, to regulators and consumer reporting agencies, in the event of a data breach. Notification triggers and exceptions vary by state. Generally, all states with breach notification laws require notice if the information breached includes a state resident's name in combination with: a Social Security number, state ID or driver's license number, or financial account information. Some states include other types of personal information as a trigger, such as health information, biometrics, login credentials, tax ID or date of birth. The majority of state data security breach notification laws also provide a safe harbor from the laws' notification requirements if the personal information affected by the security breach was encrypted and the encryption key was not affected by the security breach.
International laws, regulations and standards in many jurisdictions apply to certain collection, use, retention, security, disclosure, transfer, marketing and other processing of personal information. For example, the GDPR, which became effective in May 2018, increased the jurisdictional reach of data protection laws of the European Economic Area and introduced new requirements for handling personal data. EU member states are tasked under the GDPR to enact, and have enacted, certain implementing legislation that adds to and/or further interprets the GDPR requirements and potentially extends our obligations and potential liability for failing to meet such obligations. The GDPR, together with national legislation, regulations and guidelines of the EU member states governing the processing of personal data, impose strict obligations and restrictions on the ability to collect, use, retain, protect, disclose, transfer and otherwise process personal data. In particular, the GDPR includes requirements to establish a legal basis for processing, higher standards for obtaining consent from individuals to process certain types of personal data, more robust disclosures to individuals, a strengthened individual data rights regime, requirements to implement safeguards to protect the security and confidentiality of personal data, data breach notification obligations to appropriate data protection authorities or individuals, limitations on retention and secondary uses of personal information, increased requirements pertaining to health data and other sensitive types of personal data, and additional obligations when entities contract with third-party processors to process personal data, including personal data transfer restrictions. The GDPR allows for fines for certain serious violations of up to 4% of global annual revenue or €20 million, whichever is greater, and other administrative penalties. 
Following the withdrawal of the United Kingdom from the European Union, data privacy and security laws that are substantially similar to the GDPR are in effect in the United Kingdom, which carry similar risks and authorize similar fines for certain violations. Certain legal regimes outside of the United States, including in the United Kingdom and under the GDPR in the European Economic Area, restrict the transfer of personal data to the United States unless certain measures are in place, including, for example, executing Standard Contractual Clauses through certification to the Data Privacy Framework. Due to evolving regulatory guidance, we are continuing to evaluate the validity of the data transfer mechanisms and we may need to invest in additional technical, legal and organizational safeguards in the future to avoid disruptions to data flows within our business and to and from our customers and service providers. We use third-party credit card processors to process payments from our customers. Through our agreements with our third-party credit card processors, we are subject to payment card association operating rules, including the PCI-DSS, which governs a variety of areas, including how consumers and customers may use their cards, the security features of cards, security standards for processing, data security and allocation of liability for certain acts or omissions, including liability in the event of a data breach. Any change in these rules or standards and related requirements could make it difficult or impossible for us to comply. Additionally, any data breach or failure to hold certain information in accordance with PCI-DSS may have an adverse effect on our business and its operations. 
All of these evolving compliance and operational requirements impose significant costs, such as costs related to organizational changes, implementing additional protection technologies, training employees and engaging consultants and legal advisors, which are likely to increase over time. In addition, such requirements may require us to modify our data processing practices and policies, utilize management's time or divert resources from other initiatives and projects, all of which could have a material adverse effect on our business, financial condition, results of operations and prospects. Any failure or perceived failure by us to comply with any applicable federal, state or similar non-U.S. laws and regulations relating to data privacy and security could result in damage to our reputation, as well as proceedings or litigation by governmental agencies or other third parties, including class action privacy litigation in certain jurisdictions, which could subject us to significant fines, sanctions, awards, injunctions, penalties or judgments. Any of the foregoing could have a material adverse effect on our business, financial condition, results of operations and prospects.