fuboTV (FUBO) Risk Factors

Various international, federal, and state laws and regulations govern the processing of personal information, including the collection, use, retention, transfer, sharing and security of the data we receive from and about our subscribers and other individuals. The regulatory environment for the collection and processing of data relating to individuals, including subscriber and other consumer data, by online service providers, content distributors, advertisers and publishers is unsettled in the United States and internationally. Privacy groups and government bodies, including the Federal Trade Commission ("FTC"), increasingly have scrutinized issues relating to the use, collection, storage, disclosure, and other processing of data, including data that is associated with personal identities or devices, and we expect such scrutiny to continue to increase. Various federal, state and foreign government bodies and agencies have adopted or are considering adopting laws and regulations limiting, or laws and regulations covering the processing, collection, distribution, use, disclosure, storage, transfer and security of certain types of information. In addition to government regulation, self-regulatory standards and other industry standards may legally or contractually apply to us, be argued to apply to us, or we may elect to comply with such standards or facilitate compliance by content publishers, advertisers, or others with such standards. For example, in the United States, the CCPA became operative on January 1, 2020. The CCPA requires covered businesses to provide new disclosures to California consumers, and to afford such consumers the ability to access and delete their personal information, opt out of certain personal information activities, and receive details about how their personal information is used. The CCPA provides for civil penalties for violations, as well as a private right of action for certain data breaches that has increased the likelihood of, and risks associated with, data breach litigation. California voters also approved a modification of the CCPA, the CPRA, which went into effect on January 1, 2023. The CPRA significantly expands the rights granted to consumers under the CCPA. The CCPA and CPRA and other similar state laws may increase our compliance costs and exposure to liability. For example, Virginia, Colorado, Connecticut and Utah adopted information privacy laws that went into effect in 2023. These laws grant consumers certain rights with respect to their personal information, have notice obligations, and require consent in some circumstances, among other things. While there is no private right of action under these laws, they empower the attorneys general in the various states to enforce the laws. As with the CCPA and the CPRA, these laws may increase our compliance costs and exposure to liability. Other U.S. states have passed or are considering adopting and/or enforcing similar laws and regulations and there remains increased interest at the federal level as well. Additionally, our use of subscriber data to deliver relevant advertising on our platform places us and our content publishers at risk for claims under a number of other laws, including but not limited to the Video Privacy Protection Act ("VPPA"), and we have been subject to such claims to date related to our practices with subscriber data. In a recent trend, some content publishers have been engaged in litigation over alleged violations of the VPPA relating to activities on online platforms in connection with advertising provided by unrelated third parties, the results of which may impact our business. Further, as an operator of an online service that is used in part by children, we are subject to the Children's Online Privacy Protection Act ("COPPA"). The FTC rule implementing COPPA (the "COPPA Rule") broadly defines the types of information that are subject to these regulations. The COPPA Rules limit the information that we and, our content publishers and advertisers can collect and use, the content of advertisements and certain channel partner content. We and our content publishers and advertisers could be at risk for violation or alleged violation of these and other laws, regulations, and other standards and contractual obligations relating to privacy, data protection, and information security. More generally, the FTC and various state regulatory agencies are aggressively investigating and bringing enforcement actions that are focused on companies' collection, use, processing and sharing of consumer data, such as browsing information, for various uses, including but not limited to advertising. In the EU and its member states, the GDPR imposes stringent obligations relating to data protection and security for processing the personal data of individuals within the European Economic Area ("EEA") or in the context of our activities within the EEA. Further, the departure of the United Kingdom ("UK") from the EU has created a separate regime with similarly onerous obligations under the United Kingdom General Data Protection Regulation and Data Protection Act 2018 (collectively, the "UK GDPR"). The GDPR and UK GDPR each authorize regulators to impose sanctions, including changes to data processing, and each allow for fines of up to 4% of the global annual revenue or €20 million (£17.5 million) of a noncompliant undertaking, whichever is greater, for certain violations. In addition to fines, a breach of the GDPR or UK GDPR may result in regulatory investigations, reputational damage, orders to cease/ change our data processing activities, enforcement notices, assessment notices (for a compulsory audit) and/ or civil claims (including class actions). Additionally, we may incur expenses, costs, and other operational losses under the GDPR, UK GDPR and the privacy laws of applicable EU Member States in connection with any measures we take to comply with such laws. Although certain legal mechanisms have been designed to allow for the transfer of personal data from the UK, EEA and Switzerland to the United States, uncertainty about compliance with such data protection laws remains and such mechanisms may not be available or applicable with respect to the personal data processing activities necessary to research, develop and market our products. We expect the existing legal complexity and uncertainty regarding international personal data transfers to continue. As a result, we may have to make certain operational changes and we may have to implement revised standard contractual clauses and other relevant documentation for existing data transfers within required time frames. We are also subject to evolving EU and UK privacy laws on cookies, tracking technologies and e-marketing In the EEA and the UK, under national laws derived from the ePrivacy Directive, informed consent is required for the placement of a cookie or similar technologies on a user's device and for direct electronic marketing. The GDPR also imposes conditions on obtaining valid consent for cookies, such as a prohibition on pre-checked consents and a requirement to ensure separate consents are sought for each type of cookie or similar technology. In addition, European court decisions and regulatory guidance are driving increased attention to cookies and tracking technologies. If the trend of increasing enforcement by regulators of the strict approach to opt-in consent for all but essential use cases, as seen in recent guidance and decisions continues, this could lead to substantial costs, require significant systems changes, limit the effectiveness of our marketing activities, divert the attention of our technology personnel, adversely affect our margins, and subject us to additional liabilities. Complying with the GDPR / UK GDPR, CCPA/CPRA, VCDPA, VPPA and other laws, regulations, and other obligations relating to privacy, consumer protection, data protection, data localization or security may cause us to incur substantial operational costs or require us to modify our data handling practices. We also expect that there will continue to be new proposed laws and regulations concerning privacy, data protection and information security, and we cannot yet determine the impact such future laws, regulations and standards, or amendments to, expansions of or re-interpretations of, existing laws and regulations, industry standards, or other obligations may have on our business. New laws and regulations, amendments to, expansions of or re-interpretations of existing laws and regulations, industry standards, and contractual and other obligations may require us to incur additional costs and restrict our business operations. Additionally, the costs of compliance with, and other burdens imposed by, the laws, regulations, and policies that are applicable to the businesses of content publishers and advertisers may limit their use and adoption of, and reduce the overall demand for, our platform and advertising on our platform, and content publishers and advertisers may be at risk for violation or alleged violation of laws, regulations, and other standards relating to privacy, data protection, and information security relating to their activities on our platform. More generally, privacy, data protection, and information security concerns, whether or not valid, may inhibit market adoption of our platform, particularly in certain countries. Furthermore, the interpretation and application of laws, regulations, standards, contractual obligations and other obligations relating to privacy, data processing and protection, and information security are uncertain, and these laws, standards, and contractual and other obligations may be interpreted and applied in a manner that is, or is alleged to be, inconsistent with our data management and processing practices, our policies or procedures, or the features of our platform. We may face regulatory investigations, litigation, claims or allegations that we are in violation of these laws, regulations, standards, or contractual or other obligations. We could be required to fundamentally change our business activities and practices or modify our platform or practices to address laws, regulations, or other obligations relating to privacy, data protection, or information security, or claims or allegations that we have failed to comply with any of the foregoing, which could have an adverse effect on our business. We may be unable to make such changes and modifications in a commercially reasonable manner or at all, and our ability to develop new features could be limited. Any actual or perceived inability to adequately address privacy, consumer protection, data protection or security-related concerns, even if unfounded, or to successfully negotiate privacy, consumer protection, data protection or security-related contractual terms with content publishers, card associations, advertisers, or others, or to comply with applicable laws, regulations and other obligations relating to privacy, data protection, and security, could result in additional cost and liability to us.

Building and maintaining a strong brand is important to our ability to attract and retain subscribers, as potential subscribers have a number of TV streaming choices. Successfully building a brand is a time-consuming and comprehensive endeavor and can be positively and negatively impacted by any number of factors. Some of these factors, such as the quality or pricing of our platform or our customer service, are within our control. Other factors, such as the quality of the content that our content publishers provide, may be out of our control, yet subscribers may nonetheless attribute those factors to us. Our competitors may be able to achieve and maintain brand awareness and market share more quickly and effectively than we can. Many of our competitors are larger companies with substantial resources to devote to promoting their brands through traditional forms of advertising, such as print media and TV commercials, and have substantial resources to devote to such efforts. Our competitors may also have greater resources to utilize Internet advertising or website product placement more effectively than we can. In addition, as our current and/or future content partners continue to shift content, including sporting events, that were traditionally only broadcasted on linear Pay TV, to their own platform or our competitors' DTC platforms, whether exclusively or at more attractive prices, it could adversely affect our ability to build and differentiate our brand and value proposition to our subscribers. If we are unable to execute on building a strong brand, differentiating our business and platform from our competitors in the marketplace, our ability to attract and retain subscribers may be adversely affected and our business may be harmed.

We currently have a reputation as primarily a live sports streaming service. We are making efforts to expand our content offerings outside live sports streaming, and currently offer a wide selection of news and entertainment content. However, we may not be successful at expanding our content to areas outside our current content offering, or maintaining content from our current content offering, and even if we are able to expand into other content areas and sustain such expansion, we may not be successful in overcoming our reputation as primarily a live sports streaming service.

Our reputation and ability to attract, retain and serve our subscribers is dependent upon the reliable performance and security of our computer networks and information technology systems and those of third parties that we utilize in our operations. These systems have been in the past, and may in the future be, subject to attack, damage or interruption from, among other things, earthquakes, adverse weather conditions, other natural disasters, terrorist attacks, war, sophisticated nation-state and nation-state supported-actors, employee theft or misuse or employees who are inattentive or careless and cause security vulnerabilities, fraud, power loss, telecommunications failures, or cybersecurity risks (for example, ransomware). Interruptions in these systems, or with the Internet in general, could make our service unavailable or degraded or otherwise hinder our ability to deliver our service. Service interruptions, errors in our software or the unavailability of information technology systems used in our operations could diminish the overall attractiveness of our subscription to existing and potential subscribers. Our information technology systems and those of third parties we use in our operations are subject to cybersecurity threats, including cyber-attacks such as computer viruses, and malware, malicious code, denial or degradation of service attacks, hacking, phishing attacks and other social engineering schemes, physical or electronic break-ins and similar disruptions. These systems periodically experience directed attacks intended to lead to interruptions and delays in our service and operations as well as loss, misuse or theft of personal information and other data, content, confidential information, trade secrets or intellectual property. Additionally, outside parties may attempt to induce employees or subscribers to disclose sensitive or confidential information, or to take advantage of software or hardware bugs and vulnerabilities, in order to gain access to data. Any attempt by hackers to obtain our data (including subscriber and corporate information) or intellectual property (including digital content assets), disrupt our service, or otherwise access our systems, or those of third parties we use could harm our business, be expensive to remedy and damage our reputation. We and certain of our third-party providers regularly experience cyberattacks and other incidents, some of which have led to unauthorized access to subscriber data, and we expect such attacks and incidents to continue. As previously disclosed, we suffered one such incident on December 14, 2022, when we experienced service outage as a result of a criminal cyber-attack. Once we detected the attack, we took steps to contain the incident and worked to restore service to users as quickly as possible. Though service was temporarily disrupted, we were able to restore service on the evening of December 14, 2022. We reported the incident to law enforcement and engaged an industry-leading incident response firm to assist with our response. Though as of the date of this filing this incident has been resolved, we could be subject to future similar attacks. We use third-party cloud computing services in connection with our business operations. We also use third-party content delivery networks to help us stream content to our subscribers over the Internet. Problems faced by us or our third-party cloud computing or other network providers, including technological or business-related disruptions, as well as cybersecurity threats and regulatory interference, could adversely impact the experience of our users. We have implemented certain systems and processes designed to thwart hackers and protect our data and systems, but the techniques used to gain unauthorized access to data, systems, and software are constantly evolving, and we may be unable to anticipate or prevent unauthorized access, and we may be delayed in detecting unauthorized access or other security breaches and other incidents. There is no assurance that hackers may not have a material impact on our service or systems in the future or that security breaches or other incidents may not occur due to these or other causes. Efforts and technologies to prevent disruptions to our service and unauthorized access to our systems are expensive to develop, implement and maintain. These efforts require ongoing monitoring and updating as technologies change and efforts to overcome security measures by circumventing controls, evading detection and obfuscating forensic evidence become more sophisticated and may limit the functionality of or otherwise negatively impact our service offering and systems. Additionally, disruption to our service and data security breaches and other incidents may occur as a result of employee or contractor error. Any significant disruption to our service or access to our systems or any data that we or those who provide services for us maintain or otherwise process, or the perception that any of these have occurred, could result in a loss of subscriptions, harm to our reputation, and adversely affect our business and results of operations. Further, a penetration of our systems or a third-party's systems on which we depend or any loss of or unauthorized access to, use, alteration, destruction, or disclosure of personal information or other data could subject us to business, regulatory, contractual, litigation and reputation risk, which could have a negative effect on our business, financial condition and results of operations. With the increase in remote work during the COVID-19 pandemic and continued hybrid working environment, we and the third parties we use in our operations face increased risks to the security of infrastructure and data, and we cannot guarantee that our or their security measures will prevent security breaches. We also may face increased costs relating to maintaining and securing our infrastructure and data that we maintain and otherwise process. Additionally, we cannot be certain that our insurance coverage will be adequate for data security liabilities actually incurred, will cover any indemnification claims against us relating to any incident, that insurance will continue to be available to us on economically reasonable terms, or at all, or that any insurer will not deny coverage as to any future claim. The successful assertion of one or more large claims against us that exceed available insurance coverage, or the occurrence of changes in our insurance policies, including premium increases or the imposition of large deductible or co-insurance requirements, could have a material adverse effect on our business, including our financial condition, operating results, and reputation.

We believe that our future success is highly dependent on the talents and contributions of Edgar Bronfman, our Executive Chairman, David Gandler, our Co-Founder and Chief Executive Officer, other members of our executive team, and other key employees, such as engineering, finance, legal, research and development, marketing, and sales personnel. Our future success depends on our continuing ability to attract, develop, motivate, and retain highly qualified and skilled employees. All of our employees, including our senior management, are free to terminate their employment relationship with us at any time, and their knowledge of our business and industry may be difficult to replace. Qualified individuals are in high demand, particularly in the digital media industry, and we may incur significant costs to attract them. We use equity awards to attract talented employees, but if the value of our common stock declines significantly and remains depressed, that may prevent us from recruiting and retaining qualified employees. If we are unable to attract and retain our senior management and key employees, we may not be able to achieve our strategic objectives, and our business could be harmed. In addition, we believe that our key executives have developed highly successful and effective working relationships. We cannot ensure that we will be able to retain the services of any members of our senior management or other key employees. If one or more of these individuals leave, we may not be able to fully integrate new executives or replicate the current dynamic and working relationships that have developed among our senior management and other key personnel, and our operations could suffer.

Our financial performance is subject to worldwide economic conditions, including rising levels of inflation, and their impact on levels of advertising spending. Expenditures by advertisers generally tend to reflect overall economic conditions, and to the extent that the economy continues to stagnate, reductions in spending by advertisers could have a material adverse impact on our business. Historically, economic downturns have resulted in overall reductions in advertising spending. Economic conditions may adversely impact levels of consumer spending, which could adversely impact the number of subscribers to our platform. Consumer purchases of discretionary items generally decline during recessionary periods and other periods in which disposable income is adversely affected. To the extent that overall economic conditions continue to reduce spending on discretionary activities, our ability to retain current and obtain new subscribers could be hindered, which could reduce our revenue and negatively impact our business.

We currently generate the vast majority of our revenue in the United States and have limited experience marketing, selling, licensing, running or monetizing our platform outside the United States. In addition, we have limited experience managing the administrative aspects of a global organization. Outside of the United States, we operate in Canada, Spain, and, through our acquisition of Molotov, we also operate in France. We also have offices and employees based in India through our acquisition of Edisn Inc. in December 2021. While we intend to explore additional opportunities to expand our business in international markets in which we see compelling opportunities, we may not be able to create or maintain international market demand for our platform. Operating in international markets requires significant resources and management attention and subjects us to economic, political, regulatory and other risks that may be different from or incremental to those in the United States. In addition to the risks that we face in the United States, our international operations involve risks that could adversely affect our business, including: - differing legal and regulatory requirements, including country-specific data privacy and security laws and regulations, consumer protection laws and regulations, tax laws, trade laws, labor regulations, tariffs, export quotas, custom duties on cross-border movements of goods or data flows, extension of limits on TV advertising minutes to OTT advertising, local content requirements, data or data processing localization requirements, or other trade restrictions;- slower adoption and acceptance of streaming services in other countries;- the need to adapt our content and user interfaces for specific cultural and language differences, including delivering support and training documentation in languages other than English;- our ability to deliver or provide access to popular streaming channels or content to users in certain international markets;- different or unique competitive pressures as a result of, among other things, the presence of local consumer electronics companies and the greater availability of free content on over-the-air channels in certain countries, such as France;- challenges inherent in efficiently staffing and managing an increased number of employees over large geographic distances, including the need to implement appropriate systems, policies, compensation and benefits, and compliance programs;- political or social unrest, including the ongoing war between Russia and Ukraine, conflicts in the Middle East and economic instability;- compliance with laws such as the Foreign Corrupt Practices Act, UK Bribery Act and other anti-corruption laws, export controls and economic sanctions, and local laws prohibiting corrupt payments to government officials;- compliance with various privacy, data transfer, data protection, accessibility, consumer protection and child protection laws in the European Union and other international markets that we operate in;- difficulties in understanding and complying with local laws, regulations and customs in foreign jurisdictions, including local ownership requirements for streaming content providers and laws and regulations relating to privacy, data protection and information security, and the risks and costs of non-compliance with such laws, regulations and customs;- regulatory requirements or government action against our service, whether in response to enforcement of actual or purported legal and regulatory requirements or otherwise, that results in disruption or non-availability of our service or particular content in the applicable jurisdiction;- adverse tax consequences such as those related to changes in tax laws or tax rates or their interpretations, and the related application of judgment in determining our global provision for income taxes, deferred tax assets or liabilities or other tax liabilities given the ultimate tax determination is uncertain;- differing legal and court systems, including limited or unfavorable intellectual property protection;- fluctuations in currency exchange rates could impact our revenue and expenses of our international operations and expose us to foreign currency exchange rate risk;- profit repatriation and other restrictions on the transfer of funds;- differing payment processing systems;- working capital constraints; and - new and different sources of competition. If we invest substantial time and resources to expand our international operations and are unable to do so successfully and in a timely manner, our business and financial condition may be harmed. Our failure to manage any of these risks successfully could harm our international operations and our overall business and results of our operations.