We receive, transmit and store a large volume of personal information and other data relating to users on our platform, as well as personal information and other data relating to individuals such as our employees. Numerous local, municipal, state, federal and international laws and regulations address privacy and the collection, storing, sharing, use, disclosure and protection of certain types of data, including the California Online Privacy Protection Act, Canada's Personal Information Protection and Electronic Documents Act, the Controlling the Assault of Non-Solicited Pornography and Marketing Act, Canada's Anti-Spam Legislation, the EU ePrivacy Directive, the EU General Data Protection Regulation, or GDPR, the Telephone Consumer Protection Act (restricting telemarketing and the use of automated SMS text messaging), Section 5 of the Federal Trade Commission Act and the California Consumer Privacy Act, or the CCPA, and the California Privacy Rights and Enforcement Act of 2020, or the CPRA. These laws, rules and regulations evolve frequently and their scope may continually change, through new legislation, amendments to existing legislation and changes in enforcement and may be inconsistent from one jurisdiction to another.
For example, the GDPR, which became effective on May 25, 2018, has resulted and will continue to result in significant compliance burdens and costs for companies like ours. The GDPR regulates our collection, use, and other processing of personal data of European Union residents, referred to as personal data, and imposes stringent data protection requirements with significant penalties and the risk of civil litigation, for noncompliance. Failure to comply with the GDPR may result in fines of up to 20 million Euros or up to 4% of annual global revenue, whichever is greater. It may also lead to civil litigation, with the risks of damages or injunctive relief, or regulatory orders adversely impacting the ways in which our business can use personal data.
In addition, the United Kingdom has implemented legislation similar to the GDPR, referred to as the UK GDPR, which provides for fines of up to the greater of 17.5 million British Pounds and 4% of global turnover. The relationship between the United Kingdom and the EU in relation to certain aspects of data protection law remains unclear, and these changes will lead to additional costs and increase our risk exposure. On June 28, 2021, the European Commission announced a decision of "adequacy" concluding that the United Kingdom ensures an equivalent level of data protection to the GDPR, providing some relief regarding the legality of continued personal data flows from the European Economic Area, or EEA, to the United Kingdom. This adequacy determination must be renewed after four years and may be modified or revoked in the interim.
Additionally, we are or may become subject to laws, rules and regulations regarding cross-border transfers of personal data, including those relating to transfer of personal data outside the EEA, Switzerland, and the United Kingdom. Recent legal developments have created complexity and uncertainty regarding transfers of personal data from these regions to the United States and other jurisdictions; for example, on July 16, 2020, the Court of Justice of the European Union, or CJEU, invalidated the EU-U.S. Privacy Shield Framework, or the Privacy Shield, under which personal data could be transferred from the EEA to U.S. entities that had self-certified under the Privacy Shield scheme. While the CJEU upheld the adequacy of the standard contractual clauses (a standard form of contract approved by the European Commission as an adequate personal data transfer mechanism), it noted that reliance on them may not necessarily be sufficient in all circumstances. In addition to other mechanisms (particularly standard contractual clauses), in limited circumstances we may rely on Privacy Shield certifications of third parties (for example, vendors and partners). On June 4, 2021, the European Commission issued new SCCs that are required to be implemented, and on February 2, 2022, the United Kingdom's Information Commissioner's Office issued new standard contractual clauses to support personal data transfers from the United Kingdom. Continually evolving requirements have created uncertainty and increased the risk around our international operations. We may, in addition to other impacts, be required to review and amend the legal mechanisms by which we make or receive personal data transfers to the United States and other jurisdictions, to engage in new contract negotiations with third parties that aid in processing personal data on our behalf or localize certain personal data, to localize certain personal data, and to incur additional costs associated with increased compliance burdens.
Further, in the EEA, the Austrian and the French data protection authorities recently indicated that use of Google Analytics by European website operators involves the unlawful transfer of personal data to the United States. As the enforcement landscape further develops, and depending on the impacts of these rulings, we could suffer additional costs, complaints and/or regulatory investigations or fines, have to stop using certain tools and vendors and make other operational changes and/or if we are otherwise unable to transfer personal information between and among countries and regions in which we operate, it could affect the manner in which we provide our services, the geographical location or segregation of our relevant systems and operations, and could materially adversely affect our business, results of operations and financial condition.
The CCPA, which went into effect on January 1, 2020, among other things, requires covered companies to provide disclosures to California consumers and affords such consumers abilities to opt out of certain sharing and sales of personal information. The law also prohibits covered businesses from discriminating against consumers for exercising their CCPA rights. The CCPA imposes severe statutory damages as well as a private right of action for certain data breaches. This private right of action is expected to increase the likelihood of, and risks associated with, data breach litigation. In November 2020, California voters passed the California Privacy Rights and Enforcement Act of 2020, or the CPRA. The CPRA further expands the CCPA with additional data privacy compliance requirements that may impact our business and establishes a regulatory agency dedicated to enforcing those requirements. In addition, on March 2, 2021, Virginia enacted the Virginia Consumer Data Protection Act, or VCDPA, which will take effect on January 1, 2023, and the Colorado Privacy Act, passed on June 8, 2021, will take effect July 1, 2023. Both laws emulate the CCPA and the CPRA in many respects but include their own compliance requirements.
Aspects of the interpretation and enforcement of these laws remain uncertain. Comprehensive privacy laws have also been proposed in other states and at the federal level, reflecting a trend toward more stringent privacy legislation in the United States, with potentially greater penalties and more rigorous compliance requirements relevant to our business. The effects of such laws are significant and may require us to modify our data processing practices and policies and incur substantial compliance-related costs and expenses. Additionally, many laws and regulations relating to privacy and the collection, storing, sharing, use, disclosure, protection, and other processing of certain types of data are subject to varying degrees of enforcement and new and changing interpretations by courts. Current or new laws or regulations, or evolving interpretations of their requirements, may require significant changes to our operations and our platform, or prevent us from providing our platform in jurisdictions in which we currently operate and in which we may operate in the future.
Additionally, we have incurred and may continue to incur significant expenses in an effort to comply with privacy, data protection and information security standards and protocols imposed by law, regulation, industry standards, or contractual obligations. For example, increased regulation and regulatory scrutiny could force us to change how we use cookies and other tracking technologies, limit the effectiveness of our marketing activities, divert technology personnel resources, increase costs, and subject us to additional liabilities. Furthermore, publication of our privacy statement and other policies regarding privacy, data protection and data security may subject us to investigation or enforcement actions by regulators if those statements or policies are found to be deficient, lacking transparency, deceptive, unfair, or misrepresentative of our practices. We are also bound by contractual obligations related to privacy, data protection and data security and our efforts to comply with such obligations may not be successful or may have other negative consequences. Such efforts may not be successful or may have other negative consequences. In particular, with such laws and regulations imposing new and relatively burdensome obligations and with substantial uncertainty over the interpretation and application of these and other laws and regulations, we may face challenges in addressing their requirements and making necessary changes to our policies and practices and may incur significant costs and expenses in an effort to do so.
Despite our efforts to comply, it is possible that our interpretations of the law, practices, or platform could be inconsistent with, or fail or be alleged to fail to meet all requirements of, applicable laws, regulations, or obligations. Our failure, or the failure by our third-party providers, pet parents, or pet care providers on our platform, or consequences associated with our efforts to comply with applicable laws or regulations or any other obligations relating to privacy, data protection, or information security, or any compromise of security that results in unauthorized access to, or use or release of data relating to service providers, pet parents. or other individuals, or the perception that any of the foregoing types of failure or compromise has occurred, could damage our reputation, discourage new and existing service providers and pet parents from using our platform, or result in fines, investigations, or proceedings by governmental agencies and private claims and litigation, any of which could adversely affect our business, financial condition and operating results. Even if not subject to legal challenge, the perception of privacy concerns, whether or not valid, may harm our reputation and brand and adversely affect our business, financial condition and operating results.