Etsy (ETSY) Risk Analysis

Various laws and regulations govern payments, and these laws are complex, evolving, and subject to change and vary across different jurisdictions in the United States and globally. Moreover, even in regions where such laws have been harmonized, regulatory interpretations of such laws may differ. As a result, we are required to spend significant time and effort determining whether various licensing and registration laws relating to payments apply to us as our business strategy and operations evolve. In addition, our payments activities and/or applicable laws and regulations have evolved and may continue to evolve. For example, to meet emerging regulatory requirements, among other reasons, our subsidiary, Etsy Payments Ireland Limited, received authorization from the Central Bank of Ireland to operate as a regulated payments institution to handle payments for sellers located in the European Economic Area. We also have applied, and may in the future apply, for registration/licensure as a payments service provider in additional jurisdictions. Each authorization as a regulated entity subjects us to additional regulation and oversight. If any of our subsidiaries become licensed as a financial services provider in any additional jurisdictions, we would be subject to additional regulation and oversight of that subsidiary. Any failure or claim of our failure to comply, or any failure by our third-party service providers to comply, could cost us substantial resources, result in liabilities, cause us significant reputational damage, or force us to stop offering our payments services in certain markets. Additionally, changes in payment regulation may occur that could render our payments systems non-compliant and/or less profitable. Further, through our agreements with our third-party payments service providers, we are subject to evolving rules and certification requirements (including, for example, the Payment Card Industry Data Security Standard), and other contractual requirements or expectations that may materially negatively impact our payments business. Failure to comply with these rules or requirements could impact our ability to meet our contractual obligations with our third-party payment processors and could result in potential fines or negatively impact our relationship with our third-party payments processors. We are also subject to rules governing electronic funds transfers. Any change in these rules and requirements, including as a result of a change in our designation by major payment card providers, could make it difficult or impossible for us to comply and could require a change in our business operations. In addition, similar to a potential increase in costs from third-party providers described above, any increased costs associated with compliance with payment card association rules or payment card provider rules could lead to increased fees for us or our sellers, which may negatively impact payments on our platforms, usage of our payments services, and our marketplaces.

We are regularly involved in litigation, arbitration, disputes, and regulatory matters, including those related to intellectual property, consumer protection, product liability, product safety, regulatory compliance, security and privacy, and/or commercial matters, either individually or, where available, on a class-action basis. We have been, are, and may in the future be subject to heightened regulatory scrutiny, inquiries, or investigations, including with respect to our sellers, vendors or third parties, relating to both specific inquiries as well as broad, industry-wide concerns, such as antitrust, product liability, and privacy, that could lead to legal liability, increased expenses, injunctive relief, or reputational damage. Under certain circumstances, we have contractual and other legal obligations to indemnify and to incur legal expenses on behalf of current and former directors, officers, employees, underwriters and other third parties. Any lawsuit or legal action to which we are a party, with or without merit, may result in an unfavorable judgment or settlement, substantial monetary payments or fines, adverse changes to our offerings or business practices, reputational harm, and other consequences. We have in the past settled lawsuits, regulatory actions, and other disputes and may decide in the future to settle such actions, even if non-meritorious. In addition, defending claims is costly and can impose a significant burden on our management. We manage and mitigate certain legal risks through our House Rules, policies, and other terms of use, including through the use of informal dispute resolution, individual arbitration, mass arbitration procedures, limitations of liability, venue selection, choice-of-law, and indemnification requirements. These requirements may be subject to differing interpretations, risks, and legal frameworks in different U.S. federal, state, and foreign courts, and may not be enforceable in some jurisdictions. If certain of our House Rules, policies, and other terms are not enforceable in particular jurisdictions or disputes, we could experience increased costs and expenses, litigation in multiple jurisdictions, inconsistent decisions, and/or forum shopping by third parties seeking jurisdictions amenable to their claims. Lawsuits, enforcement actions, and other legal proceedings brought against us have resulted in judgments and settlements, and may result in injunctions, damages, fines, or penalties, which could have a material adverse effect on our financial condition or results of operations or require changes to our business. Although we establish accruals for our litigation and regulatory matters in accordance with applicable accounting guidance when they present loss contingencies that are both probable and reasonably estimable, there may be a material exposure to loss in excess of any amounts accrued, or in excess of any loss contingencies disclosed as reasonably possible, particularly in more uncertain legal or regulatory environments. Such loss contingencies may not be probable and reasonably estimable until the proceedings have progressed significantly, which could take several years and occur close to resolution of the matter.

We are subject to a variety of tax and tax collection obligations in the United States and in numerous other foreign jurisdictions. We record tax expense, including indirect taxes, based on current tax payments and our estimates of future tax payments, which may include reserves for estimates of probable or likely settlements of tax audits. We may recognize additional tax expense and be subject to additional tax liabilities, including tax collection obligations, due to changes in tax law, regulations, administrative practices, principles, and interpretations related to tax, including changes to the global tax framework, competition, and other laws and accounting rules in various jurisdictions. An increasing number of jurisdictions are considering or have adopted laws or administrative practices that impose new tax measures, including revenue-based taxes, such as digital services taxes or online sales taxes, targeting online commerce and the remote selling of goods and services. These include new obligations to withhold or collect sales, consumption, value added, or other taxes on online marketplaces and remote sellers, or other requirements that may result in liability for third-party obligations. For example, several jurisdictions have proposed or enacted taxes on online advertising and marketplace service revenues. Proliferation of these or similar unilateral tax measures may continue unless broader international tax reform is implemented. Our effective tax rate, results of operations and cash flows have at times been,and could in the future be, materially and adversely affected by additional taxes imposed on us prospectively or retroactively. We may also be subject to increased requirements for marketplaces to report, collect, remit, and hold liability for their customers' direct and indirect tax obligations, as a result of changes to regulations, administrative practices, outcomes of court cases, and changes to the global tax framework. Our effective tax rate and cash taxes paid in a given financial statement period may be adversely impacted by results of our business operations including changes in the mix of revenue among different jurisdictions, acquisitions, investments, entry into new geographies, the relative amount of foreign earnings, changes in foreign currency exchanges rates, changes in our stock price, intercompany transactions, changes to accounting rules, expectation of future profits, changes in our deferred tax assets and liabilities and our assessment of their realizability, and changes to our ownership or capital structure. Fluctuations in our tax obligations and effective tax rate could adversely affect our business. In the ordinary course of our business, there are numerous transactions and calculations for which the ultimate tax determination is uncertain. Although we believe that our tax positions and related provisions reflected in the financial statements are fully supportable, we recognize that these tax positions and related provisions may be challenged by various tax authorities. These tax positions and related provisions are reviewed on an ongoing basis and are adjusted as additional facts and information become available, including progress on tax audits, changes in interpretation of tax laws, developments in case law, and closing of statute of limitations. To the extent that the ultimate results differ from our original or adjusted estimates, our effective tax rate can be adversely affected. The (provision) benefit for income taxes involves a significant amount of management judgment regarding interpretation of relevant facts and laws in the jurisdictions in which we operate. Future changes in applicable laws, including any implementation of the Organization for Economic Cooperation and Development ("OECD") "two pillar" project, projected levels of taxable income, and tax planning could change the effective tax rate and tax balances recorded by us. In addition, tax authorities periodically review income tax returns filed by us and raise issues regarding filing positions, timing and amount of income and deductions, and the allocation of income among the jurisdictions in which we operate. A significant period of time may elapse between the filing of an income tax return and the ultimate resolution of an issue raised by a revenue authority with respect to that return. Any adjustments as a result of any examination may result in additional taxes or penalties against us. If the ultimate result of these audits differs from original or adjusted estimates, they could have a material impact on our effective tax rate and tax liabilities. At any one time, we typically have multiple tax years subject to audit by various taxing jurisdictions. As a result, we could be subject to higher than anticipated tax liabilities as well as ongoing variability in our quarterly tax rates as audits close and exposures are re-evaluated.

Our Impact strategy focuses on Etsy's mission to "Keep Commerce Human" and the positive impact we want our business to have. We have announced a number of goals and initiatives and elected to publicly report on a significant number of environmental and social metrics that we monitor (our "ESG metrics") and include them in our Annual Report. As a result, our business may face heightened scrutiny for these activities. For more information see Part I, Item I, "Business-ESG Reporting: Our Impact Goals, Strategy, & Progress" (our "Impact Goals"). While selected metrics receive limited assurance from an independent third party, this is inherently a less rigorous process than the reasonable assurance sought in connection with a financial statement audit and such review process may not identify errors and may not protect us from potential liability under the securities laws or other applicable laws. In addition, for some of the metrics we report, the methodology of computation and/or the scope of our value chain assessed continues to evolve from year to year. As a result, period over period comparisons may not be meaningful. The implementation of our Impact strategy, including our Impact investing strategy and other initiatives intended to help us meet our Impact Goals, requires considerable investments, and our goals, with all of their contingencies, dependencies, and in certain cases, reliance on third-party verification and/or performance, are complex and ambitious, and we are not always able to achieve them. If we do not demonstrate progress against our Impact strategy or if our Impact strategy is not perceived to be adequate or appropriate, our reputation could be harmed. We could also damage our reputation and the value of our brands if we or our vendors fail to act responsibly in the areas in which we report, or we fail to demonstrate that our commitment to our Impact strategy enhances our overall financial performance. There can be no assurance that our current programs, reporting frameworks, and principles will be in compliance with any new environmental and social laws and regulations that may be promulgated in the United States and elsewhere. Additionally, the costs and business impact of changing our current practices to comply with current and future regulatory requirements, including those from the SEC, European Union, and California, including those relating to carbon offset disclosure requirements, may be substantial. Furthermore, industry and market practices may further develop to become even more robust than what is required under any new laws and regulations, and we may have to expend significant efforts and resources to keep up with market trends and stay competitive among our peers. While many of the recently introduced environmental and social laws are designed to promote more robust transparency and enhance resiliency, laws, regulations, and administrative actions have also been proposed and implemented in the United States to limit, restrict, or prohibit company activities on environmental and social issues. As a result, our Impact strategy and ESG metrics may subject us to heightened scrutiny, litigation or regulatory proceedings, or reputational damage. Any harm to our reputation resulting from setting public goals or our failure or perceived failure to meet such goals could impact employee engagement and retention, the willingness of our buyers and sellers and our partners and vendors to do business with us, or investors' willingness to purchase or hold shares of our common stock, any of which could adversely affect our business and financial performance.

We regularly receive claims, notices, and other allegations that items listed on our marketplaces, or other user-generated content posted on our platforms, infringe upon third-party copyrights, trademarks, patents, or other intellectual property or personal rights, or that such items are otherwise harmful, dangerous, or unlawful. We have procedures in place for third parties to report these claims, including our notice-and-takedown process for intellectual property. We also have tools and procedures in place to take action against potentially violative content, which may include the removal of listings, content, sellers, or shops that violate our policies. At the same time, our tools and procedures are subject to gaps, limitations, resourcing constraints, human and machine error, and other shortcomings, and may not effectively mitigate the risks we face in hosting user-generated content as part of our business. While we benefit from certain protections and safe-harbors from liability, such as the Digital Millennium Copyright Act § 512 et seq., those protections are limited, vary across jurisdictions, and may diminish as lawmakers, courts, and regulators across the globe continue to reexamine the legal liability of platforms for the content and actions of their third-party users. We have been and may continue to be subject to allegations, litigation and/or regulatory claims seeking to hold us liable for the content and actions of our third-party sellers, including in the areas of intellectual property, consumer protection, product liability, privacy and data protection, content compliance, and criminal laws. If we are alleged or found to be liable for our sellers' content or actions, or if new laws or court decisions expand the obligations or liability of marketplace platforms, we could be forced to pay monetary damages, civil or criminal penalties and attorneys' fees, change or restrict our business practices or services, restrict certain types of content from our marketplaces, and/or suffer reputational or other harm. Any of these, or similar, consequences could have a material adverse impact on our business, including by making our platform less attractive to buyers or sellers, reducing our revenue, or increasing our costs. Regardless of the validity of any claims made against us, we may incur significant costs and efforts to defend against or settle them. Moreover, any public perception that unlicensed, counterfeit, harmful, or unlawful items are commonly offered by sellers in our marketplaces, even if factually incorrect, could result in negative publicity and damage to our reputation.

Our intellectual property is an essential asset of our business. To establish and protect our intellectual property rights, we rely on a combination of copyright, trademark, and patent laws, as well as confidentiality procedures and contractual provisions. We also rely on trade secret protection for parts of our technology and intellectual property. The efforts we have taken to protect our intellectual property may not be sufficient or effective. We generally do not elect to register our copyrights, relying instead on the laws protecting unregistered intellectual property, which may not be sufficient. We rely on both registered and unregistered trademarks, which may not always be comprehensive in scope. In addition, our copyrights, trademarks, and patents may be held invalid or unenforceable if challenged, and may be of limited territorial reach. While we have obtained or applied for patent protection with respect to some of our intellectual property, patent filings may not be adequate alone to protect our intellectual property, and may not be sufficiently broad to protect our proprietary technologies. Additionally, it is expensive to maintain these rights, both in terms of application and maintenance costs, and the time and cost required to defend such rights, if necessary. From time to time, we acquire intellectual property from third parties, but these acquired assets, like our internally developed intellectual property, may lapse, be abandoned, be challenged or circumvented by others, be held invalid, be unenforceable, or may otherwise not be effective in protecting our platforms. In addition, we may not be effective in policing unauthorized use of our intellectual property and authorized uses may not have the intended effect. Even when we do detect violations, enforcing our rights may require us to engage in litigation, use of takedowns and similar procedures, or licensing. Any enforcement efforts we undertake, including litigation, could be time-consuming and expensive and could divert our management's attention. In addition, our efforts may be met with defenses and counterclaims challenging the validity and enforceability of our intellectual property rights or may result in a court determining that our intellectual property rights are unenforceable. If we are unable to adequately prevent unauthorized use or misappropriation of our intellectual property by third parties, the value of our brand and other intangible assets may be diminished and customers may lose trust in Etsy. Any of these events could have an adverse effect on our business. We attempt to protect our intellectual property and confidential information in part through confidentiality, non-disclosure, and invention assignment agreements with employees, advisors, service providers and other third parties who develop intellectual property on our behalf, or with whom we share information. However, we cannot guarantee that we have entered into such agreements with each party that has developed intellectual property on our behalf or that has or may have had access to our confidential information, trade secrets and other intellectual property. These agreements may also be breached, or may not effectively prevent unauthorized use, disclosure, or misappropriation of our confidential information or intellectual property. Moreover, these agreements may not provide an adequate remedy for breaches or in the event of unauthorized use or disclosure of our confidential information or infringement of our intellectual property. The legal framework surrounding protection of intellectual property changes frequently throughout the world, particularly as to technologies used in e-commerce, and these changes may impact our ability to protect our intellectual property and defend against third-party claims. If we are unable to cost-effectively protect our intellectual property rights, our business could be harmed.

Like all online services, we are vulnerable to power outages, telecommunications failures, and catastrophic events, as well as computer viruses, break-ins, intentional or accidental actions or inaction by employees or others with authorized access to our networks, phishing attacks, denial-of-service attacks, malicious or destructive code, malware, ransomware or other extortion attacks, and other cyber attacks, breaches and security incidents. We regularly experience cyber-related events that may result in technology disruptions and/or security breaches, including intentional, inadvertent, or social engineering breaches occurring through Etsy or third-party service provider technical issues, vulnerabilities, or employees. Any of these occurrences could lead to interruptions or shutdowns of one or more of our platforms, loss of data, unauthorized disclosure of personal or financial information of our members or employees, or theft of our intellectual property or user data. Furthermore, if our employees, contractors, or third-party service providers fail to comply with our internal security policies and practices, member or employee data may be improperly accessed, used, or disclosed. Additionally, employees, contractors, or service providers have and may inadvertently misconfigure resources or misdirect certain communications in manners that may lead to security incidents, which could be expensive and time-consuming to correct. As we strive to reignite growth in our business, expand internationally, and gain greater public visibility, we may continue to face a higher risk of being targeted by cyber attacks. Although we have integrated a variety of processes, technologies, and controls to assist in our efforts to assess, identify, and manage material cybersecurity-related risks, these are not exhaustive, and we cannot assure that they will be adequate to prevent or detect service interruption, system failure, data loss or theft, or other material adverse consequences, directly or through our vendors. Additionally, these measures have not always been in the past, and in the future may not be, sufficient to prevent or detect a cyber attack, system failure, or security breach particularly given the increasingly sophisticated tools and methods used by hackers, state actors, organized cyber criminals, and cyber terrorists. The costs and effort to respond to a security breach and/or to mitigate any security vulnerabilities that may be identified could be significant, our efforts to address these problems may not be successful, and these problems could result in unexpected interruptions, delays, cessation of service, negative publicity, negative seller or buyer sentiment, and other harm to our business and our competitive position. We could be required to fundamentally change our business activities and practices in response to a security breach or related regulatory actions or litigation, which would have an adverse effect on our business. Our production systems rely on internal technology, along with cloud services and software provided by our third-party service providers (and other entities in our supply chain). In the event of a cyber-related incident, even partial unavailability of our production systems could impair our ability to serve our customers, manage transactions, or operate our marketplaces. We have implemented disaster recovery mechanisms, including systems to back up key data and production systems, but these systems may be inadequate or incomplete. For example, these disaster recovery systems may be susceptible to cyber-related events if insufficiently distributed across locations, not sufficiently separated from primary systems, not comprehensive, or not at a scale sufficient to replace our primary systems. Insufficient production and disaster recovery systems could, in the event of a cyber-related incident, harm our growth prospects, our business, and our reputation for maintaining trusted marketplaces. Cyber attacks aimed at disrupting our and our third-party service providers' services regularly occur, and we expect they will continue to occur in the future. If we or our third-party service providers (and other entities in our supply chain) experience any cyber attacks or other security breaches or incidents that result in marketplace performance or availability problems or loss, compromise or unauthorized disclosure or use of personal data or other sensitive information, or if we fail to respond appropriately to any security breaches or incidents that we may experience, people may become unwilling to provide us the information necessary to set up an account with us. We also rely on the security practices of our third-party service providers, which may be outside of our direct control. Additionally, some of our third-party service providers, such as identity verification and payment processing providers, regularly have access to payment card information and other confidential and sensitive member data. We may have contractual and regulatory obligations to supervise the security and privacy practices of our third-party service providers. Despite our best efforts, if these third parties fail to adhere to adequate security practices, or, as has occurred from time to time in the past, experience a cyber-related event or attack such as a breach of their networks, our members' data may be rendered unavailable, improperly accessed, used, or disclosed. More generally, our third-party service providers may not have adequate security and privacy controls, may not properly exercise their compliance, regulatory or notification requirements, including as to personal data, or may not have the resources to properly respond to an incident. Many of our service providers continue to operate in a partial or fully remote work environment and may, as a result, be more vulnerable to cyber attacks. Consequently, a security incident at any of such service providers or others in our supply chain could result in the loss, compromise, or unauthorized access to or disclosure of sensitive or personal data of our buyers or sellers. In addition, the industry has generally moved to online remote infrastructure for core work and, as a result, we and our partners may be more vulnerable to cyber attacks. If a natural disaster, power outage, connectivity issue, or other event that impacted our employees' ability to work remotely were to occur, it may be difficult or, in certain cases, impossible, for us to operate our business for a substantial period of time. The prevalence of remote working for employees, vendors, or contractors may also result in increased consumer privacy, IT security, and fraud concerns or increased administrative costs. A successful cyber attack could occur and persist for an extended period of time before being detected. Because the techniques used by hackers change frequently, we may be unable to anticipate these techniques or implement adequate preventive measures. In addition, because any investigation of a cybersecurity incident would be inherently unpredictable, the extent of a particular cybersecurity incident and the path of investigating the incident may not be immediately clear. It may take a significant amount of time before an investigation can be completed and full and reliable information about the incident is known. While an investigation is ongoing, we may not necessarily know the extent of the harm or how best to remediate it, certain errors or actions could be repeated or compounded before they are discovered and remediated, and communication to the public, regulators, members of our communities, and other stakeholders may be inaccurate or incomplete, any or all of which could further increase the costs and consequences of a cybersecurity incident. Applicable rules regarding how to respond, required notices to users, and reporting to regulators and investors vary by jurisdiction, and may subject us to additional liability and reputational harm. If we experience, or are perceived to experience, security breaches that result in marketplace performance or availability problems or the loss, compromise or unauthorized disclosure of personal data or other sensitive information, or if we fail to respond appropriately to any security breaches that we may experience, or are perceived to do so, people may become unwilling to provide us the information necessary to set up an account with us to become a new seller or buyer. Existing sellers and buyers may also stop listing new items for sale, decrease their purchases, or close their accounts altogether. We could also face damage to our reputation, potential liability, regulatory investigations in multiple jurisdictions, and costly remediation efforts and litigation, which may not be adequately covered by, and which may impact our future access to, insurance. Any of these results could harm our growth prospects, our business, and our reputation for maintaining trusted marketplaces.

Our business operations depend upon a number of third-party service providers, such as cloud service providers, marketing platforms and providers, payments and shipping providers, contingent labor teams, and network and mobile infrastructure providers. Any disruption in the services provided by third parties, any failure on their part to deliver their services in accordance with our scale and expectations, or any failure on our part to maintain appropriate oversight on these third-party providers during the course of our engagement with them, or appropriate redundancies, could significantly harm our business. We are unable to exercise significant oversight over some of these providers, which increases our vulnerability to their financial conditions and to problems with the services they provide, such as technical failures, deprecation of key services, privacy and/or security concerns, and we have from time to time experienced such problems with the services provided by one or more third parties. Our efforts to update our infrastructure or supply chain may not be successful as we may not sufficiently distribute our risk across providers or geographies or our efforts to do so may take longer than anticipated. If we experience failures in our technology infrastructure or supply chain or do not expand our technology infrastructure or supply chain successfully, then our ability to run our marketplaces could be significantly impacted, which could harm our business. In addition, our sellers rely on continued and unimpeded access to postal services and shipping carriers to deliver their goods reliably and timely to buyers. Our sellers have at times experienced transportation service disruptions and delays in the delivery of their goods. If these shipping delays continue or worsen, or if shipping rates increase significantly, our sellers may have increased costs, and/or our buyers may have a poor purchasing experience and may lose trust in our marketplaces, which could negatively impact our business, financial performance, and growth prospects.