LiveRamp Holdings (RAMP) Risk Factors

We operate in a highly competitive and rapidly changing industry. With the introduction of new technologies and the influx of new entrants to the market, we expect competition to persist and intensify in the future, which could harm our ability to increase revenue and operating results. In addition to existing competitors and intermediaries, we may also face competition from new companies entering the market, which may include large established companies, all of which currently offer, or may in the future offer, products and services that result in additional competition. These competitors may be in a better position to develop new products and pricing strategies that more quickly and effectively respond to changes in customer requirements in these markets. These competitors and new products and technologies may be disruptive to our existing platform offerings, resulting in operating inefficiencies and increased competitive pressure. Some of our competitors may choose to sell products or services competitive to ours at lower prices by accepting lower margins and profitability, or may be able to sell products or services competitive to ours at lower prices given proprietary ownership of data, technical superiority or economies of scale. Such introduction of competent, competitive products, pricing strategies or other technologies by our competitors that are superior to or that achieve greater market acceptance than our products and services could adversely affect our business. In such event, we could experience a decline in market share and revenues and be forced to reduce our prices, resulting in lower profit margins for the Company.

With the growth of online advertising and e-commerce, there is increasing awareness and concern among the general public, privacy advocates, mainstream media, governmental bodies and others regarding marketing, advertising, and data privacy matters, particularly as they relate to individual privacy interests and the global reach of the online marketplace. Any unfavorable publicity or negative public perception about us, our industry, including our competitors, or even other data-focused industries can affect our business and results of operations, and may lead to digital publishers changing their business practices or additional regulatory scrutiny or lawmaking that affects us or our industry. For example, in recent years, consumer advocates, mainstream media, elected officials and government officials have increasingly and publicly criticized the data and marketing industry for its collection, storage and use of personal data. Additional public scrutiny may lead to general distrust of our industry, consumer reluctance to share and permit use of personal data and increased consumer opt-out rates, any of which could negatively influence, change or reduce our current and prospective customers' demand for our products and services and adversely affect our business and operating results.

The risk factors in the 2024 Annual Report, as updated above, do not identify all risks that we face.  Our operations could also be affected by factors that are not presently known to us or that we currently consider to be immaterial to our operations.  If any of the identified risks or others not specified in our SEC filings materialize, our business, financial condition, or results of operations could be materially adversely affected. In these circumstances, the market price of our common stock could decline.

Our growth strategy and future success depends in large part on our ability to attract, recruit, onboard, motivate and retain technical, customer services, sales, consulting, research and development, marketing, administrative and management personnel. The complexity of our products, processing functionality, software systems and services requires highly trained professionals. While we presently have a sophisticated, dedicated and experienced team of executives and employees who have a deep understanding of our business, the labor market for these individuals has historically been very competitive due to the limited number of people available with the necessary technical skills and understanding. As our industry continues to become more technologically advanced, we anticipate increased competition for qualified personnel. In addition, many of the companies with which we compete for experienced personnel may be able to offer greater compensation and benefits packages and/or more flexible work alternatives. We may incur significant costs to attract and retain highly trained personnel and we may lose new employees to our competitors or other technology companies before we realize the benefit of our investment in recruiting and training them, and our succession plans may be insufficient to ensure business continuity if we are unable to retain key personnel. Further, volatility or lack of appreciation in our stock price may also affect our ability to attract and retain our key employees. The loss or prolonged absence of the services of highly trained personnel like our current team of executives and employees, or the inability to recruit, attract, onboard and retain additional, qualified employees, could have a material adverse effect on our business, financial position or operating results. In addition, effective succession planning is important to our long-term success. If we do not develop effective succession planning, the loss of one or more of our key executive or employees or groups of executives or employees could seriously harm our business.

The COVID-19 pandemic disrupted the flow of the economy and put unprecedented strains on governments, health care systems, educational institutions, businesses and individuals around the world, and future public health emergencies could result in the same. Similar to the COVID-19 pandemic, future public health emergencies could result in significant disruptions to the global financial markets and economic uncertainty, as well as regional quarantines, labor shortages or stoppages, changes in consumer purchasing patterns, disruptions to service providers to deliver data on a timely basis, or at all, and overall economic instability. Any future public health emergencies could materially and adversely affect our business, our operating results, financial condition and prospects, and the value of our common stock.

During the last fiscal year, we received approximately 6% of our revenues from business outside the United States. In those non-U.S. locations where legislation restricting the collection and use of personal data currently exists, less data is available and at a much higher cost. In some foreign markets, the types of products and services we offer have not been generally available and thus are not fully understood by prospective customers. Upon entering these markets, we must educate and condition the markets, increasing the cost and difficulty of successfully executing our business plan in these markets. Additionally, each of our foreign locations is generally expected to fund its own operations and cash flows, although periodically funds may be loaned or invested from the United States to the foreign subsidiaries. Because of such loans or investments, exchange rate movements of foreign currencies may have an impact on our future costs of, or future cash flows from, foreign investments. We have not entered into any foreign currency forward exchange contracts or other derivative instruments to hedge the effects of adverse fluctuations in foreign currency exchange rates. Additional risks inherent in our non-U.S. business activities generally include, among others, the costs and difficulties of managing international operations, potentially adverse tax consequences, and greater difficulty enforcing intellectual property rights. The various risks that are inherent in doing business in the United States are also generally applicable to doing business outside of the United States, but such risks may be exaggerated by factors normally associated with international operations, such as differences in culture, laws and regulations, especially restrictions on collection, management, aggregation, localizations, and use of information. Failure to effectively manage the risks facing our non-U.S. business activities could materially adversely affect our operating results. Also, our business is subject to weak international economic conditions, geopolitical developments, such as existing and potential trade wars, and other events outside of our control that could result in a reduced volume of business by our customers and prospective customers, and the demand for, and use of, our products and services may decline. For example, the military conflicts in Europe and the Middle East could result in regional instability and adversely impact financial markets as well as economic conditions. In addition, when operating in foreign jurisdictions, we must comply with complex foreign and U.S. laws and regulations, such as the U.S. Foreign Corrupt Practices Act, the U.K. Bribery Act and other local laws prohibiting corrupt payments to government officials, as well as anti-competition regulations and data protection laws and regulations. Violations of these laws and regulations could result in fines and penalties, criminal sanctions, and restrictions on our business conduct and on our ability to offer our products and services in one or more countries. Such violations could also adversely affect our reputation with existing and prospective customers, which could negatively impact our operating results and growth prospects.

Any of our primary locations may be vulnerable to the adverse effects of climate change. For example, our offices and facilities in California have experienced, and are projected to continue to experience, climate-related events at an increasing frequency, including drought, water scarcity, heat waves, wildfires and resultant air quality impacts and power shutoffs associated with wildfire prevention. Furthermore, it may be more difficult to mitigate the impact of these events on our remote employees working from home. Changing market dynamics, global policy developments and the increasing frequency and impact of extreme weather events on critical infrastructure in the U.S. and elsewhere have the potential to disrupt our business, the business of our third-party suppliers and the business of our customers, and may cause us to experience higher churn, losses and additional costs to maintain or resume operations.

New income, sales, use or other tax laws, statutes, rules, regulations or ordinances could be enacted at any time, which could affect the tax treatment of our domestic and foreign earnings and materially affect our financial position and results of operations. For example, in 2022 the United States passed the Inflation Reduction Act, which provides for a minimum tax equal to 15% of the adjusted financial statement income of certain large corporations, as well as a 1% excise tax on share repurchases, and the Organization for Economic Co-operation and Development issued proposals including the implementation of the global minimum tax under the Pillar Two model rule. Our existing corporate structure and intercompany arrangements have been implemented in a manner we believe is in compliance with current prevailing tax laws. However, due to economic and political conditions, tax rates and tax regimes in various jurisdictions may be subject to significant changes, and the tax benefits that we intend to eventually derive could be impacted by changing tax laws. Any new taxes could adversely affect our domestic and international business operations, and our business and financial performance. Further, existing tax laws, statutes, rules, regulations or ordinances could be interpreted, changed, modified or applied adversely to us, which could have a material adverse effect on our business, cash flow, financial condition or results of operations. Governments are increasingly focused on ways to increase tax revenue, which has contributed to an increase in audit activity, more aggressive positions taken by tax authorities and an increase in tax legislation. Any such additional taxes or other assessments may be in excess of our current tax provisions or may require us to modify our business practices in order to reduce our exposure to additional taxes going forward, any of which could have a material adverse effect on the Company's business, results of operations and financial condition.

We receive, store and process personal information and other data from and about consumers in addition to our customers, employees, and services providers. Our handling of this data is subject to a variety of federal, state, and foreign laws and regulations and is subject to regulation by various government authorities. Our data handling also is subject to contractual obligations and may be deemed to be subject to industry standards. The U.S. federal and various state and foreign governments have adopted or proposed limitations on the collection, distribution, use and storage of data relating to individuals, including the use of contact information and other data for marketing, advertising and other communications with individuals and businesses. In the U.S., various laws and regulations apply to the collection, processing, disclosure, and security of certain types of data. Additionally, the FTC and many state attorneys general are interpreting federal and state consumer protection laws as imposing standards for the online collection, use, dissemination and security of data. In addition, the European Union has been developing new requirements related to the use of data, including in the Digital Services Act, that may impose additional rules and restrictions on the use of the data. The regulatory framework for data privacy issues worldwide is currently evolving and is likely to remain uncertain for the foreseeable future. For example, in the U.S., in August 2022 the FTC released an advance notice of proposed rulemaking concerning commercial surveillance and data security and sought comment on whether it should implement new trade regulation rules or other regulatory alternatives concerning the ways in which companies (1) collect, aggregate, protect, use, analyze, and retain consumer data, as well as (2) transfer, share, sell, or otherwise monetize that data in ways that are unfair or deceptive. In addition, a potential federal data privacy law remains the subject of active discussion, and, in April 2024, a bipartisan pair of lawmakers unveiled a draft bill that would substantially impact the online advertising ecosystem if passed. The occurrence of unanticipated events often rapidly drives the adoption of legislation or regulation affecting the use, collection or other processing of data and manners in which we conduct our business. Restrictions could be placed upon the collection, management, aggregation and use of information, which could result in a material increase in the cost of collecting or otherwise obtaining certain kinds of data and could limit the ways in which we may use or disclose information. In particular, interest-based advertising, or the use of data to draw inferences about a user's interests and deliver relevant advertising to that user, and similar or related practices, such as cross-device data collection and aggregation, steps taken to de-identify or pseudonymize personal data and to use and distribute the resulting data, including for purposes of personalization and the targeting of advertisements, have come under increasing scrutiny by legislative, regulatory, and self-regulatory bodies in the U.S. and abroad that focus on consumer protection or data privacy. Much of this scrutiny has focused on the use of cookies and other technology to collect information about Internet users' online browsing activity on web browsers, mobile devices, and other devices, to associate such data with user or device identifiers or pseudonymous identifiers across devices and channels. In addition, providers of Internet browsers have engaged in, or announced plans to continue or expand, efforts to provide increased visibility into, and certain controls over, cookies and similar technologies and the data collected using such technologies. For example, in January 2020 Google announced that at some point in the following 24 months the Chrome browser would block third-party cookies. In April 2021, Google began releasing software updates to its Chrome browser with features intended to phase out third-party cookies. In May 2023, Google stated that it would deprecate third-party cookies by mid-2024 and in January 2024 started by deprecating third-party cookies for 1% of users globally. In April 2024, Google announced that the deprecation of third-party cookies will not be completed in 2024. Because we, and our customers, rely upon data, including that collected through cookies and similar technologies, it is possible that Google's efforts may have a substantial impact on the ability to collect and use data from Internet users, and it is essential that we monitor developments in this area domestically and globally, and engage in responsible privacy practices, including providing consumers with notice of the types of data we collect and how we use that data to provide our services. In the U.S., the U.S. Congress and state legislatures, along with federal regulatory authorities have recently increased their attention on matters concerning the collection and use of consumer data. In the U.S., non-sensitive consumer data generally may be used under current rules and regulations, subject to certain restrictions, so long as the person does not affirmatively "opt-out" of the collection or use of such data. If an "opt-in" model were to be adopted in the U.S., less data would be available, and the cost of data would be higher. For example, California enacted legislation, the California Consumer Privacy Act ("CCPA"), that became operative on January 1, 2020 and came under California Attorney General ("AG") enforcement on July 1, 2020. The CCPA requires covered companies to, among other things, provide new disclosures to California consumers and afford such consumers new abilities to opt-out of certain sales of personal information, a concept that is defined broadly. The CCPA is the subject of regulations issued by the California AG. In November 2020 California voters also approved the ballot initiative known as the California Privacy Rights Act of 2020 ("CPRA"). Pursuant to the CPRA, effective January 1, 2023, the CCPA was amended by creating additional privacy rights for California consumers and additional obligations on businesses, which could subject us to additional compliance costs as well as possible fines, individual claims and commercial liabilities for certain compliance failures. Since the CCPA, sixteen other state legislatures so far have passed comprehensive privacy legislation, including Virginia, Colorado, Connecticut, Utah, Indiana, Iowa, Tennessee, Montana, Florida, Oregon, Texas, Delaware, Nebraska, New Hampshire, New Jersey and Kentucky and other states have passed sector or data-specific legislation, such as Illinois, Washington, Nevada and Maryland. Together with the CCPA and CPRA, these are referred to throughout as "State Consumer Privacy Acts." Each of these State Consumer Privacy Acts have gone, or will go, into effect on or before January 1, 2026. Many other states currently have comprehensive and/or sector or data-specific bills winding their way through their legislatures. We cannot yet predict the full impact of the State Consumer Privacy Acts on our business or operations, but they may require us to modify our data processing practices and policies and to incur substantial costs and expenses in an effort to comply. The State Consumer Privacy Acts have prompted a number of proposals for federal and other state privacy legislation that, if enacted, could increase our exposure to potential liability, add additional complexity to compliance in the U.S. market and increase our compliance costs. For example, other states have enacted or are considering legislation similar to that of the State Consumer Privacy Act statutory frameworks, including legislation that would require individuals to "opt-in" to the collection of certain consumer data. Decreased availability and increased costs of information could adversely affect our ability to meet our customers' requirements and could result in decreased revenues. In addition, the FTC Chair has called for a new approach to consumer data protection, such as the notice and consent framework in which consumers are asked to agree to privacy policies. The FTC has also articulated and demonstrated its intention to use its authority under Section 5 of the Federal Trade Commission Act to focus on data privacy through investigations and enforcement actions (for unfair and deceptive actions), particularly in the areas of sensitive data, such as health, location, and children's data, and has begun to demonstrate that with significant consent decrees. Further modifications and regulations under the State Consumer Privacy Acts, enforcement actions and guidance, or new rules promulgated by the FTC, could create additional liability and require costly expenditures to ensure continued compliance. The Consumer Financial Protection Bureau (CFPB) has announced that it will issue proposed rules under the Fair Credit Reporting Act to address business practices used by companies that assemble and monetize data. These rule changes may create additional liability, expenses, and risk to revenue. In Europe, the European General Data Protection Regulation ("GDPR") took effect on May 25, 2018 and applies to products and services that we provide in Europe, as well as the processing of personal data of EU citizens, wherever that processing occurs. The GDPR includes operational requirements for companies that receive or process personal data of residents of the European Union. For example, the GDPR requires offering a variety of controls to individuals in Europe before processing data for certain aspects of our service. In addition, the GDPR includes significant penalties for non-compliance of up to the greater of €20 million or 4% of an enterprise's global annual revenue. Further, the European Union is expected to replace the EU Cookie Directive governing the use of technologies to collect consumer information with the ePrivacy Regulation. The replacement ePrivacy Regulation may impose burdensome requirements around obtaining consent and impose fines for violations that are materially higher than those imposed under the European Union's current ePrivacy Directive and related EU member state legislation. In addition, some countries are considering or have passed legislation or interpretations implementing data protection requirements or requiring local storage and processing of data or similar requirements that could increase the cost and complexity of delivering our services. Any failure to achieve required data protection standards may result in lawsuits, regulatory fines, or other actions or liability, all of which may harm our operating results. We are also subject to laws, regulations and other restrictions that dictate whether, how, and under what circumstances we can transfer, process and/or receive certain data that is critical to our operations, including data shared between countries or regions in which we operate, and data shared among our products and services. For example, in 2016, the European Union and the U.S. agreed to an alternative transfer framework for data transferred from the European Union to the U.S., called the Privacy Shield. On July 16, 2020, however, the European Court of Justice invalidated the Privacy Shield and companies may no longer rely on it as a valid mechanism to comply with European Union data protection requirements. In July 2023, the EU adopted an adequacy decision for the EU-U.S. Data Privacy Framework ("DPF"), allowing the DPF to facilitate the transfer of data from Europe to the U.S., and with the U.K. Extension, also from the U.K. to the U.S. In addition, the other bases upon which we rely to legitimize the transfer of such data, such as Standard Contractual Clauses, have been subjected to regulatory and judicial scrutiny. If any of the legal bases upon which we currently rely for transferring data from Europe to the U.S. are invalidated, if we are unable to transfer data between and among countries and regions in which we operate, or if we are prohibited from sharing data among our products and services, it could affect the manner in which we provide our services or adversely affect our financial results. In addition to government regulation, privacy advocacy and industry groups may propose new and different self-regulatory standards that either legally or contractually apply to us or our customers. We are members of self-regulatory bodies that impose additional requirements related to the collection, use, and disclosure of consumer data. Under the requirements of these self-regulatory bodies, in addition to other compliance obligations, we are obligated to provide consumers with notice about our use of cookies and other technologies to collect consumer data and of our collection and use of consumer data for certain purposes, and to provide consumers with certain choices relating to the use of consumer data. Some of these self-regulatory bodies have the ability to discipline members or participants, which could result in fines, penalties, and/or public censure (which could in turn cause reputational harm). Additionally, some of these self-regulatory bodies might refer violations of their requirements to the Federal Trade Commission or other regulatory bodies. Because the interpretation and application of privacy and data protection laws, regulations and standards are uncertain, it is possible that these laws, regulations and standards may be interpreted and applied in manners that are, or are asserted to be, inconsistent with our data management practices or the technological features of our solutions. If so, in addition to the possibility of fines, investigations, lawsuits and other claims and proceedings, it may be necessary or desirable for us to fundamentally change our business activities and practices or modify our products and services, which could have an adverse effect on our business. We may be unable to make such changes or modifications in a commercially reasonable manner or at all. Any inability to adequately address privacy concerns, even if unfounded, or any actual or perceived failure to comply with applicable privacy or data protection laws, regulations, standards or policies, could result in additional cost and liability to us, damage our reputation, decrease the availability of and increase costs for information, inhibit sales and harm our business. Furthermore, the costs of compliance with, and other burdens imposed by, the laws, regulations, standards and policies that are applicable to the businesses of our customers may limit the use and adoption of, and reduce the overall demand for, our platform. Privacy concerns, whether valid or not valid, may inhibit market adoption of our platform particularly in certain industries and foreign countries.