Roblox (RBLX) Risk Factors

We are and/or may in the future become subject to legal proceedings and claims that arise in the ordinary course of business, including intellectual property, privacy, biometrics, cybersecurity, data protection, product liability, consumer protection, false and misleading advertising, employment, class action, whistleblower, contract, securities, tort, civil Racketeer Influenced and Corrupt Organizations Act, unfair competition, and other litigation claims, including claims related to our advertising practices and use of generative AI, and governmental and other regulatory investigations and proceedings. As a result of disclosure of information in filings required of a public company, our business and financial condition will become more visible, which may result in threatened or actual litigation, including by competitors. We are and may continue to be subject to legal proceedings asserting claims arising from allegations that we have facilitated gambling by users of our Platform including by minors, that we have misrepresented the safety of our Platform, that our Platform is addictive or otherwise unsafe, that we unlawfully or unfairly benefit from child labor, and that we have misrepresented information about our user base, that we have engaged in copyright infringement, that we have engaged in unlawful employment practices, and suits related to our refund policies. In lawsuits brought on behalf of child users, the court may allow minors to disaffirm or avoid enforcement of our Terms of Use, depending on the circumstances. We have and may continue to be subject to legal proceedings asserting claims on behalf of shareholders related to allegations that discussions of our growth prospects have been misleading and unsustainable due to concerns related to safety and our implementation of parental controls on the Platform and claims that our leadership has engaged in insider trading. In particular, on August 1, 2023, a putative class action was filed against us in the United States District Court for the Northern District of California captioned Colvin v. Roblox asserting various claims arising from allegations that minors used third-party virtual casinos to gamble Robux and on March 14, 2024, Gentry v. Roblox was filed in the United States District Court for the Northern District of California premised on substantially identical allegations as Colvin v. Roblox. The two cases were consolidated on April 18, 2024. Such matters can be time-consuming, divert management's attention and resources, cause us to incur significant expenses or liability, or require us to change our business practices. The expense of litigation and the timing of this expense from period to period are difficult to estimate, subject to change, and could adversely affect our financial condition and results of operations. Because of the potential risks, expenses, and uncertainties of litigation, we may, from time to time, settle disputes, even where we have meritorious claims or defenses, by agreeing to settlement agreements. Any of the foregoing could adversely affect our business, financial condition, and results of operations.

We are subject to a variety of laws and regulations in the U.S. and other countries that involve matters central to our business, including privacy, cybersecurity, and data protection. The regulatory frameworks for these matters worldwide are rapidly evolving and are likely to remain uncertain for the foreseeable future. Certain privacy, biometrics, cybersecurity, and data protection laws and regulations have placed and will continue to place significant privacy, data protection, and cybersecurity obligations on organizations such as ours and may require us to continue to change our policies and procedures. For example, the European Union's ("EU") General Data Protection Regulation ("GDPR") imposes stringent data protection requirements regarding EU personal data, and its provisions include increasing the maximum level of fines that EU regulators may impose for the most serious breaches of noncompliance of €20 million or 4% of annual global revenues of the previous year, whichever is greater. Such fines would be in addition to (i) the rights of individuals to sue for damages in respect of any data privacy breach which causes them to suffer harm, (ii) the right of individual member states to impose additional sanctions over and above the administrative fines specified in the GDPR, and (iii) the ability of supervisory authorities to impose orders requiring companies to modify their practices. If we are found not to be compliant with GDPR or similar requirements, including obligations to comply with data protection requirements when transferring personal data from the European Economic Area ("EEA"), Switzerland, and the United Kingdom ("U.K.") to the U.S., we may be subject to significant fines and the risk of civil litigation. The United Kingdom maintains the Data Protection Act of 2018 and the UK GDPR, which collectively implement and complement the GDPR and provide for penalties for noncompliance of up to the greater of £17.5 million or 4% of annual global revenues of the previous year. On June 28, 2021, the European Commission announced a decision of "adequacy" concluding that the United Kingdom ensures an equivalent level of data protection to the GDPR, which provides some relief regarding the legality of continued personal data flows from the EEA to the U.K. Such adequacy decision must, however, be renewed after four years and may be modified or revoked in the interim. We cannot fully predict how the Data Protection Act, the UK GDPR and other United Kingdom data protection laws or regulations may develop in the medium to longer term, nor the effects of divergent laws and guidance regarding how data transfers to and from the United Kingdom will be regulated. In addition, various local, national, and foreign laws and regulations apply to our operations, including the Children's Online Privacy Protection Act ("COPPA"), in the U.S., Article 8 of the GDPR and similar regulations in other jurisdictions. COPPA imposes strict requirements on operators of websites or online services directed to children under 13 years of age (or 16 years of age under other regulatory regimes). 39% of our DAUs were under the age of 13 during the three months ended September 30, 2024. COPPA requires companies to obtain verifiable parental consent before collecting personal information from children under the age of 13. Both the U.S. federal government and the states can enforce COPPA and violations of COPPA can lead to significant fines. The FTC has proposed substantial changes to its rules implementing COPPA that, if finalized, would place significant new requirements on covered companies. No assurances can be given that our compliance efforts will be sufficient to avoid allegations of COPPA violations, and any non-compliance or allegations of non-compliance could expose us to significant liability, penalties and loss of revenue, significantly harm our reputation, and could be costly and time consuming to address or defend. To the extent we rely on consent for processing personal data under the GDPR, consent or authorization from the holder of parental responsibility is required in certain cases for the processing of personal data of children under the age of 16, and member states may enact laws that lower that age to 13. Additionally, in certain jurisdictions the law may allow minors to disaffirm their contracts, including our Terms of Use. If minors on our Platform are able to avoid enforcement of our Terms of Use under applicable law, it could have a material adverse impact on our business, financial condition, results of operations, and cash flow. We continue to monitor updated guidance from the United Kingdom's Information Commissioner Office ("ICO") on the Age Appropriate Design Code ("AADC"), which focuses on online safety and protection of children's privacy online. The AADC became effective September 2, 2021, and noncompliance with the AADC may result in audits or other proceedings by the ICO, the regulatory body set up to uphold information rights in the United Kingdom, and other regulators in the EEA or Switzerland, as noncompliance with the AADC may indicate noncompliance with applicable data protection law. Further, the United Kingdom Online Safety Act ("OSA") was enacted in October 2023 and will gradually be implemented as Ofcom publishes its guidance and codes of practice. The OSA introduces, among other things, duties to protect children online, complete risk assessments, and remove illegal content. Noncompliance with the OSA could lead to fines of up to £18 million or 10% of global revenues of the previous year and possible criminal liability on senior managers and company officers, particularly if they fail to safeguard children online. We are also monitoring developments with the EU's Digital Services Act ("DSA"), which became fully applicable on February 17, 2024. The DSA imposes new content moderation obligations, notice and transparency obligations, advertising restrictions and other requirements on digital platforms to protect consumers and their rights online. Noncompliance with the DSA could result in fines of up to 6% of annual global revenues, which are in addition to the ability of civil society organizations and non-governmental organizations to lodge class action lawsuits. We may incur liabilities, expenses, costs, and other operational losses under the GDPR and laws and regulations of applicable EU Member States and the United Kingdom relating to privacy, cybersecurity, and data protection in connection with any measures we take to comply with them. Other jurisdictions have adopted laws and regulations addressing privacy, data protection, and cybersecurity, many of which share similarities with the GDPR. For example, Law no. 13.709/2018 of Brazil, the Lei Geral de Proteção de Dados Pessoais or LGPD, entered into effect on September 18, 2020, authorizing a private right of action for violations. Penalties may include fines of up to 2% of the organization's revenue in Brazil in the previous year or 50M reais (approximately $9.5 million U.S. dollars). The LGPD applies to businesses (both inside and outside Brazil) that process the personal data of users who are located in Brazil. The LGPD provides users with the similar rights as the GDPR regarding their data. A Brazilian Data Protection Authority, Brazilian National Data Protection Authority (Autoridade Nacional de Proteção de Dados) has been established to provide rules and guidance on how to interpret and implement the LGPD's requirements, including regarding notice of processing, data transfer requirements, and other compliance obligations, such as security measures, recordkeeping, training, and governance. Additionally, the Personal Information Protection Law, ("PIPL") of the People's Republic of China ("PRC"), was adopted on August 20, 2021, and went into effect on November 1, 2021. The PIPL shares similarities with the GDPR, including extraterritorial application, data minimization, data localization, and purpose limitation requirements, and obligations to provide certain notices and rights to citizens of the PRC. The PIPL allows for fines of up to 50 million renminbi or 5% of a covered company's revenue in the prior year. Our approach with respect to regimes such as the LGPD, PIPL, and other foreign legislation may be subject to further evaluation and change, our compliance measures may not be fully adequate and may require modification, we may expend significant time and cost in developing and maintaining a privacy governance program, data transfer or localization mechanisms, or other processes or measures to comply with such regimes, and any implementing regulations or guidance under these regimes, and we may potentially face claims, litigation, investigations, or other proceedings or liability regarding such regimes and may incur liabilities, expenses, costs, and other operational losses under such regimes and any measures we take to comply with them. In addition, the CCPA, which established a new privacy framework for covered businesses such as ours, went into effect in January 2020, requiring us to modify our data processing practices and policies and incur compliance related costs and expenses. The CCPA provides for civil penalties for violations, as well as a private right of action for data breaches, which may increase the likelihood and cost of data breach litigation. The CCPA was significantly modified and supplemented by the California Privacy Rights Act ("CPRA"), which was approved in November 2020. The CPRA went into effect on January 1, 2023 and, among other things, gives California residents the ability to limit the use of their sensitive information, provides for penalties for CPRA violations concerning California residents under the age of 16, and establishes a new agency to implement and enforce the law. Further, the CCPA has prompted similar legislative developments in other states in the U.S., including laws enacted in Virginia, Colorado, Utah, Connecticut, Florida, Iowa, Indiana, Montana, Tennessee, Oregon, Delaware, Texas, New Hampshire, New Jersey, Kentucky, Maryland, Nebraska, Rhode Island and Minnesota. These developments create the potential for a patchwork of overlapping but different state laws. Other states, including California, Utah and Arkansas, have passed legislation imposing substantial new obligations upon companies that offer online services, products, or features "likely to be accessed" by children 17 years of age or under, or certain types of social media and digital services, respectively. The California legislation includes certain requirements and principles from the AADC including, among other things, data protection impact assessments and the implementation of privacy by design. The laws in Utah, Florida, and Arkansas impose new restrictions and obligations in connection with users who are, or are deemed to be, under 18, including access restrictions and restrictions on abilities for minors to create accounts. Many states have also passed their own laws that require verifiable parental consent before allowing children to create an account or impact companies that process children's personal data. In June 2024, the New York governor signed a bill into law that prohibits covered social media companies from providing individuals under 18 with "addictive feeds," as a significant part of their services and imposes obligations on such companies that prohibits the collection, use, sharing, and sale personal data of individuals under 18 unless it is strictly necessary, or where informed consent is obtained. Some countries also are considering or have passed legislation requiring local storage and processing of data, or similar requirements, which could increase the cost and complexity of operating our products and services and other aspects of our business. The impact of these recent regulations and potential future regulations related to privacy, cybersecurity, data protection, and related matters, such as age verification, are far-reaching, create a patchwork of overlapping but different laws, and have required and may continue to require us to, modify practices, policies, features and Platform defaults, incur substantial costs and expenses, and at times restrict our operations. Additionally, requirements for verified parental consent before allowing children to create an account may limit the use of our Platform or reduce our overall demand for our Platform, which could harm our business, financial condition, and results of operations. We believe we take reasonable efforts to comply with all applicable laws, regulations, and other legal obligations and certain industry codes of conduct relating to privacy, cybersecurity, and data protection. However, it is possible that the obligations imposed on us by applicable laws and regulations, industry codes of conduct or other actual or asserted obligations relating to privacy, cybersecurity, data protection, or related matters, may be interpreted and applied in inconsistent manners and may conflict with other rules or our practices in certain jurisdictions. Additionally, due to the nature of our service, we are unable to maintain complete control over cybersecurity or the implementation of measures that reduce the risk of a security breach or incident. For example, our customers may accidentally disclose their passwords or store them on a mobile device that is "SIM swapped," lost, or stolen, creating the perception that our systems are not secure against third-party access. Any failure or perceived failure by us to comply with our privacy policies, our obligations to users or other third parties relating to privacy, cybersecurity, data protection, or related matters, or our other policies or actual or asserted obligations relating to privacy, cybersecurity, data protection, or related matters, or any actual or perceived compromise of security, including any such compromise that results in the unauthorized loss, unavailability, modification, release, transfer, or other processing of personal information or other user, developer or creator data, may result in governmental investigations and enforcement actions, litigation, claims or public statements against us by consumer advocacy groups or others and could cause our developers, creators, and users to lose trust in us, any or all of which could have an adverse effect on our business, financial condition, or results of operations.

We compete for users, developers, and creators. We compete to attract and retain our users' attention and their engagement hours with other global technology leaders such as Amazon, Apple, Meta Platforms, Google, Microsoft, and Tencent, global entertainment companies such as Comcast, Disney, ViacomCBS, and Warner Bros Discovery, global gaming companies such as Activision Blizzard (now owned by Microsoft), Electronic Arts, Take-Two, Epic Games, Krafton, NetEase, and Valve, online content platforms including Netflix, Spotify, and YouTube, as well as social platforms such as Facebook, TikTok, Instagram, WhatsApp, Pinterest, X (Twitter), Reddit, Discord and Snap. We also rely on developers and creators to create the content that leads to and maintains user engagement (including maintaining the quality of experiences). We compete to attract and retain developers and engineering talent with gaming and metaverse platforms such as Epic Games, Unity, Meta Platforms, and Valve Corporation, which also give developers the ability to create or distribute interactive content. We do not have any agreements with our developers that require them to continue to use our Platform for any time period. Some of our developers have developed attractive businesses in developing content, including games, on our Platform. In the future, if we are unable to continue to provide value to these developers and they have alternative methods to publish and commercialize their offerings, they may not continue to provide content to our Platform. Should we fail to provide compelling advantages to continued use of our ecosystem to developers, they may elect to develop content on competing interactive entertainment platforms. If a significant number of our developers no longer provide content, or we fail to increase the number of developers using our Platform, we may experience an overall reduction in the quality of our experiences, which could adversely affect users' interest in our Platform and lead to a loss of revenue opportunities and harm our results of operations. We expect competition to continue to increase in the future. Many of our existing competitors have, and some of our potential competitors could have, substantial competitive advantages, such as larger sales and marketing budgets and resources; broader and more established relationships with users, developers, and creators; greater resources to make acquisitions and enter into strategic partnerships; lower labor and research and development costs; larger and more mature intellectual property portfolios; and substantially greater financial, technical, and other resources. Additionally, we depend on the continued services and performance of our Founder, President, CEO and Chair of our Board of Directors, David Baszucki, members of our senior management team, and other key personnel. David Baszucki has been responsible for our strategic vision, and should he stop working for us for any reason, it is unlikely that we would be able to immediately find a suitable replacement. We do not maintain key man life insurance for David Baszucki, and do not believe any amount of key man insurance would allow us to recover from the harm to our business if David Baszucki were to leave the Company for any reason. Similarly, members of our senior management team and other key personnel are highly sought after and others may attempt to encourage these individuals to leave the Company. The loss of one or more of the members of the senior management team or other key personnel for any reason, or the inability to attract new or replacement members of our senior management team, other key personnel, or highly qualified employees could disrupt our operations, create uncertainty among investors, adversely impact employee retention and morale, and significantly harm our business.

We view DAUs as a critical measure of our user engagement, and adding, maintaining, and engaging users has been and will continue to be necessary to our continued growth. Our DAU growth rate has fluctuated in the past and may slow in the future due to various factors including: the introduction of new or updated experiences or virtual items on our Platform, performance issues with our Platform, the availability of our Platform across markets and user demographics, which may be impacted by regulatory or legal requirements, including the use of verified parental consent, changes to the default settings on our Platform overall or for specific user groups, higher market penetration rates and competition from a variety of entertainment sources for our users and their time. In addition, our strategy seeks to expand the age groups and geographic markets that make up our users. If and when we achieve maximum market penetration rates among any particular user cohort overall and in particular geographic markets, future growth in DAUs will need to come from other age or geographic cohorts, which may be difficult, costly or time consuming for us to achieve. Accessibility to the internet and bandwidth or connectivity limitations as well as regulatory requirements, may also affect our ability to further expand our user base in a variety of geographies. If our DAU growth rate slows or becomes stagnant, or we have a decline in DAUs, or we fail to effectively monetize new or existing users, our financial performance could be significantly harmed. Our business plan assumes that the demand for interactive entertainment offerings will increase for the foreseeable future. However, if this market shrinks or grows more slowly than anticipated or if demand for our Platform does not grow as quickly as we anticipate, whether as a result of competition, product obsolescence, budgetary constraints of our developers, creators, and users, technological changes, unfavorable economic conditions, uncertain geopolitical or regulatory environments or other factors, we may not be able to increase our revenue and bookings sufficiently to ever achieve profitability and our stock price would decline. Moreover, a large number of our users are under the age of 13. This demographic may be less brand loyal and more likely to follow trends, including viral trends, than other demographics. These and other factors may lead users to switch to another entertainment option rapidly, which can interfere with our ability to forecast usage or DAUs and would negatively affect our user retention, growth, and engagement. We also may not be able to penetrate other demographics in a meaningful manner to compensate for the loss of DAUs in this age group. Falling user retention, growth, or engagement rates could seriously harm our business.

Our Platform hosts a number of experiences intended for audiences of varying ages, a significant percentage of which are designed to be experienced by children. As a user-generated content platform, it is relatively easy for developers, creators, and users to upload content that can be viewed broadly. Although illicit activities are in violation of our terms and policies, and we attempt to block objectionable material, we are unable to prevent all such violations from occurring. We continue to make significant efforts to provide a safe, civil and enjoyable experience for users of all ages. We invest significant technical and human resources to prevent inappropriate content on our Platform by using a range of tools and policies, including several aimed at reviewing all images, audio, video, and 3D models at the time of upload in order to block inappropriate content before users have a chance to encounter it on our Platform. Notwithstanding our efforts, from time to time, inappropriate content is successfully uploaded onto our Platform and can be viewed by others prior to being identified and removed by us. Moreover, measures intended to make our Platform more attractive to an older, age verified audience, such as less highly moderated or unmoderated chat and the introduction of experiences with mature content, and new methods of communication could fail to gain sufficient market acceptance by its intended audience and may create the perception that our Platform is not safe for younger users. In addition, the introduction of experiences for users who are 17 years of age and older may create the perception that our Platform is not safe for younger users and may cause some operating system providers, application stores, or regulatory agencies to require a higher age rating for our Platform, which could cause us to become less available to younger users and harm our business, financial condition, and results of operations. Further, children may attempt to evade our age verification system, which could lead them to be exposed to inappropriate content or behavior by participating in experiences that are not age-appropriate or that feature spatial voice chat. While we have introduced experience guidelines that allow developers to label more mature content in their experiences, and are updating our parental controls, users have been from time to time, notwithstanding our efforts, and may continue to be exposed to content that may not be age-appropriate. In addition, as more of our brand partners, developers, and creators offer physical products for sale through our Platform, younger users may be able to purchase products that may not be age-appropriate. Unintentional access to content or physical products could cause harm to our audience and to our reputation of providing a safe environment for younger users. If we are unable to limit, or are perceived as not being able to sufficiently limit, all or substantially all age-inappropriate content and physical products to only users who have been verified as being the appropriate age for such content or goods, then parents and children could lose their trust in the safety of our Platform, which would harm our overall acceptance by these audiences and would likely result in significantly reduced revenue, bookings, profitability, and ultimately, our ability to continue to successfully operate our Platform. In addition to limiting content to age-appropriate audiences and blocking other inappropriate content, we have statutory obligations under U.S. federal law to block or remove child pornography and report offenses to the National Center for Missing and Exploited Children. While we have dedicated technology and trained human moderator staff that can detect and remove sexual content involving children, there have been instances where such content has been uploaded, and any unforeseen future non-compliance by us or allegations of non-compliance by us with respect to U.S. federal laws on child pornography or the sexual exploitation of children could significantly harm our reputation, create criminal liability, and could be costly and time consuming to address or defend. We may also be subject to additional criminal liability related to child pornography or child sexual exploitation under other domestic and international laws and regulations. We believe that maintaining, protecting, and enhancing our reputation and brand is critical to grow the number of developers, creators, and users on our Platform, especially given the safe and civil atmosphere that we strive to achieve for our users, many of whom are children. Maintaining, protecting, and enhancing our brand will depend largely on our ability to continue to provide reliable high-quality, engaging, and shared experiences on our Platform. If users, developers, or creators do not perceive our Platform to be reliable or of high quality, the value of our brand could diminish, thereby decreasing the attractiveness of our Platform. Further, we have faced and are currently defending allegations that our Platform has been used by criminal offenders to identify and communicate with children and to possibly entice them to interact off-Platform, outside of the restrictions of our moderated chat, content blockers, and other on-Platform safety measures. While we devote considerable resources to prevent this from occurring, we are unable to prevent all such interactions from taking place. We have also received and expect to continue to receive a high degree of media coverage, alleging the use of our Platform for illicit or objectionable ends. For example, we have experienced negative media publicity from traditional media sources and self-described short seller investors, related to the age of some of our developers, the content that developers produce, our operating metrics and disclosures, the strength of our moderation practices, and the conduct of users on our Platform that may be deemed illicit, explicit, profane, or otherwise objectionable. Additional unfavorable publicity has covered our privacy, cybersecurity or data protection practices, terms of service, product changes, product quality, litigation or regulatory activity, our use of generative AI, the actions of our users, and the actions of our developers or creators whose products are integrated with our Platform. Our reputation and brand could also be negatively affected by the actions of developers, contractors and users that are hostile, inappropriate, or illegal, whether on or off our Platform. Actual or perceived incidents or misuses of user data or other privacy or security incidents, the substance or enforcement of our community standards, the quality, integrity, characterization and age-appropriateness of content shared on our Platform, or the actions of other companies that provide similar services to ours, have and could adversely affect our reputation and lead to scrutiny and inquiries from governments and regulators. Any criminal incidents or allegations involving Roblox, whether or not we are directly responsible, could adversely affect our reputation as a safe place for children and hurt our business. Any negative publicity could create the perception that we do not provide a safe online environment and may have an adverse effect on the size, engagement, and loyalty of our developer, creator, and user community, which would adversely affect our business and financial results. Maintaining, protecting, and enhancing our reputation and brand may require us to make substantial investments, and these investments may not be successful.

The United States, Europe, and other key global markets have recently experienced historically high levels of inflation. If the inflation rate continues to increase, it will likely affect all of our expenses, including, but not limited to, employee compensation expenses and energy expenses and it may reduce consumer discretionary spending, which could affect the buying power of our users, developers, and creators and lead to a reduced demand for our Platform. Geopolitical developments, such as the war in Ukraine, the conflict in the Middle East stemming from the Hamas attack against Israel, and tensions with China, and the responses by central banking authorities to control inflation, can increase levels of political and economic unpredictability globally and increase the volatility of global financial markets. Adverse macroeconomic conditions, including lower consumer confidence, persistent unemployment, wage and income stagnation, slower growth or recession, changes to fiscal and monetary policy, inflation, changes in interest rates, currency fluctuations, economic and trade sanctions, the availability and cost of credit, and the strength of the economies in which we and our users are located, have adversely affected and may continue to adversely affect our condensed consolidated financial condition and results of operations. Additionally, we maintain cash balances at third-party financial institutions in excess of the Federal Deposit Insurance Corporation (the "FDIC") insurance limit. If the financial conditions affecting the banking industry and financial markets cause additional banks and financial institutions to enter receivership or become insolvent, our ability to access our existing cash, cash equivalents and investments, or to draw on our existing lines of credit, may be threatened and could have a material adverse effect on our business and financial condition.

We operate our Platform throughout the world and are subject to risks and challenges associated with international business. For the three months ended September 30, 2024, approximately 78% of our DAUs and 36% of our revenue was derived from outside the U.S. and Canada region. We intend to continue to expand internationally, and this expansion is a critical element of our future business strategy. However, as we continue to expand internationally, including into developing countries where consumer discretionary spending is relatively weak, while our DAUs increase, the growth rate of our bookings could decelerate due to weaker spending by users from those regions, and our ABPDAU has been and may continue to be negatively impacted. While we have a number of developers, creators, and users outside of the U.S., we have limited offices located outside of the U.S. and Canada, and there is no guarantee that our international expansion efforts will be successful. The risks and challenges associated with expanding our international presence and operations include: - greater difficulty in enforcing contracts and accounts receivable collection, and longer collection periods;- higher costs of doing business internationally, including increased accounting, travel, infrastructure, legal and compliance costs;- double taxation of our international earnings and potentially adverse tax consequences due to changes in the tax laws of the U.S. or the foreign jurisdictions in which we operate;- compliance with multiple, ambiguous, or evolving laws and regulations, including those relating to employment, tax, content regulation, privacy, data protection, anti-corruption, import/export, customs, anti-boycott, sanctions and embargoes, antitrust, data transfer, storage and security, content monitoring, preclusion, and removal, online entertainment offerings, advertising and consumer protection in general, and industry-specific laws and regulations, particularly as these rules apply to interactions with users under the age of 18;- expenses related to monitoring and complying with differing labor and employment regulations, especially in jurisdictions where labor and employment laws may be more favorable to employees than in the U.S.;- increased exposure to fluctuations in exchange rates between the U.S. dollar and foreign currencies in markets where we do business;- challenges inherent to efficiently recruiting and retaining qualified employees in foreign countries and maintaining our company culture and employee programs across all of our offices;- management communication and integration problems resulting from language or cultural differences and geographic dispersion;- the uncertainty of protection for intellectual property in some countries;- the uncertainty of our exposure to third-party claims of intellectual property infringement and the availability of statutory safe harbors in some countries;- foreign exchange controls that might prevent us from repatriating cash earned outside the U.S.;- risks associated with trade restrictions and foreign legal requirements, and greater risk of unexpected changes in regulatory requirements, tariffs and tax laws, trade laws, and export and other trade restrictions;- risks relating to the implementation of exchange controls, including restrictions promulgated by the Office of Foreign Asset Control ("OFAC"), and other similar trade protection regulations and measures;- exposure to regional or global public health issues, and to travel restrictions and other measures undertaken by governments in response to such issues;- general economic and political conditions in these foreign markets, including political and economic instability in some countries and regions;- localization of our services, including translation into foreign languages and associated expenses and the ability to monitor our Platform in new and evolving markets and in different languages to confirm that we maintain standards, including trust and safety standards, consistent with our brand and reputation;- regulatory frameworks or business practices favoring local competitors;- changes in the perception of our Platform by governments in the regions where we operate or plan to operate;- uncertainty regarding the imposition of and changes in the U.S.' and other governments' trade regulations, trade wars, tariffs, other restrictions or other geopolitical events, including, without limitation, the evolving relations between the U.S. and China, evolving relations with Russia due to Russia's invasion of Ukraine, and the conflict in the Middle East stemming from Hamas' attack against Israel; and - natural disasters, acts of war, and terrorism, and resulting changes to laws and regulations, including changes oriented to protecting local businesses. These and other factors could harm our ability to generate revenue and bookings outside of the U.S. and, consequently, adversely affect our business, financial condition and results of operations. We may not be able to expand our business and attract users in international markets and doing so will require considerable management attention and resources. International expansion is subject to the particular challenges of supporting a business in an environment of multiple languages, cultures, customs, legal systems, alternative dispute systems, regulatory systems and commercial infrastructures. We may not be able to offer our Platform in certain countries, and expanding our international focus may subject us to risks that we have not faced before or increase risks that we currently face. For example, in August 2024 we learned that our platform was blocked in Turkey and we are working with the local authorities with the goal of resolving it.

Natural disasters or other catastrophic events may cause damage or disruption to our operations, international commerce, and the global economy, and thus could harm our business. We have our headquarters and a large employee presence in San Mateo, California, an area which in recent years has been increasingly susceptible to fires, severe weather events, and power outages, any of which could disrupt our operations, and which contains active earthquake zones. In the event of a major earthquake, hurricane, or catastrophic event such as fire, power loss, rolling blackouts or power loss, telecommunications failure, pandemic, geopolitical conflict such as the Russian invasion of Ukraine and the conflict in the Middle East stemming from Hamas' attack against Israel , cyber-attack, war, other physical security threats or terrorist attack, we may be unable to continue our operations and may endure system interruptions, reputational harm, delays in our Platform development, lengthy interruptions in our Platform, breaches of security, and loss of critical data, all of which would harm our business, results of operations, and financial condition. Acts of terrorism and similar events would also cause disruptions to the internet or the economy as a whole. Global climate change could also result in natural disasters occurring more frequently or with more intense effects, which could cause business interruptions. The long-term effects of the COVID-19 pandemic and recovery from it on society and developer, creator, and user engagement remain uncertain, and a subsequent health crisis or pandemic, as well as the actions taken by various governmental, business and individuals in response, will impact our business, operations and financial results in ways that we may not be able to accurately predict. In addition, the insurance we maintain would likely not be adequate to cover our losses resulting from disasters or other business interruptions. Our disaster recovery plan may not be sufficient to address all aspects of any unanticipated consequence or incident, we may not be able to maintain business continuity at profitable levels or at all, and our insurance may not be sufficient to compensate us for the losses that could occur.

As we continue to expand our international operations, we become more exposed to the effects of fluctuations in currency exchange rates. We generally collect revenue from our international markets in the local currency. For the three months ended September 30, 2024, approximately 78% our DAUs and 36% of our revenue was derived from outside the U.S. and Canada region. While we periodically adjust the price of Robux to account for the relative value of this local currency to the U.S. dollar, these adjustments are not immediate nor do they typically exactly track the underlying currency fluctuations. As a result, rapid appreciation of the U.S. dollar against these foreign currencies has harmed and may in the future harm our reported results and cause the revenue derived from our foreign users and overall revenue to decrease. In addition, even if we do adjust the cost of our Robux in foreign markets to fluctuations in the U.S. dollar, such fluctuations could change the costs of purchasing Robux to our users outside of the U.S., which may adversely affect our business, results of operations and financial condition, or improve our financial performance. We also incur expenses for employee compensation and other operating expenses at our non-U.S. locations in the local currency. Additionally, global events as well as geopolitical developments, including conflict in Europe and inflation have caused, and may in the future cause, global economic uncertainty, and uncertainty about the interest rate environment, which could amplify the volatility of currency fluctuations. Fluctuations in the exchange rates between the U.S. dollar and other currencies could result in the dollar equivalent of our expenses being higher which may not be offset by additional revenue earned in the local currency. This could impact our reported results of operations. To date, we have not engaged in any hedging strategies and any such strategies, such as forward contracts, options, and foreign exchange swaps related to transaction exposures that we may implement in the future to mitigate this risk may not eliminate our exposure to foreign exchange fluctuations. Moreover, the use of hedging instruments may introduce additional risks if we are unable to structure effective hedges with such instruments.