Vivid Seats (SEAT) Risk Factors

We receive, transmit and store a large volume of personal data and other user data. Numerous federal, state and international laws address privacy, data protection and the collection, storage, sharing, usage, disclosure and protection of personal data and other user data. Many U.S. states have, and a number of additional states are looking to adopt or expand, data protection legislation requiring companies like ours to consider solutions to meet differing rights, needs and expectations of consumers. For example, the California Consumer Privacy Act (the "CCPA"), which took effect in January 2020, established a new privacy framework for covered businesses such as ours and may require us to further modify our data processing practices and policies and incur additional compliance-related costs and expenses. The CCPA requires companies that process information on California residents to disclose to consumers their data collection, use and sharing practices and grants consumers certain rights, including to opt out of certain data sharing with third parties. The CCPA provides for statutory penalties and a private right of action for data breaches resulting from a failure to implement reasonable security procedures and practices. In addition, the California Privacy Rights Act (the "CPRA"), which went into effect in January 2023, introduced significant amendments to the CCPA and established and funded a dedicated California privacy regulator, the California Privacy Protection Agency, who issued new implementing regulations in March 2023 and proposed additional revisions to the CCPA in December 2023. These revisions, as well as any other future changes, may require us to further modify our data processing practices and policies and to incur additional compliance-related costs and expenses. Further, Virginia enacted the Virginia Consumer Data Protection Act in March 2021, Colorado enacted the Colorado Privacy Act in July 2021, Connecticut enacted the Personal Data Privacy and Online Monitoring Act in July 2023 and Utah has enacted the Utah Consumer Privacy Act in December 2023. These are all comprehensive privacy statutes that share similarities with the CCPA and the CPRA. Similar laws have been proposed in other states and at the federal level, reflecting a trend toward more stringent privacy legislation in the United States, which could increase our potential liability. The enactment of such laws could have potentially conflicting requirements that would make compliance more complex, costly and challenging and may require us to further modify our data processing practices and policies and to incur additional compliance-related costs and expenses. In addition to new regulations, courts around the country continue to evolve their interpretation of applicable data privacy and protection laws, including the CCPA. There has also been a noticeable uptick in class action litigation in the United States in which plaintiffs have utilized a variety of laws, including the Video Privacy Protection Act of 1988 and state wiretapping laws, in relation to the use of tracking technologies, such as cookies and pixels. Such litigation may lead legislatures to consider responsive regulation. Outside the United States, personal and other user data is increasingly subject to legislation and regulations in numerous jurisdictions in which we operate, the intent of which is to protect the privacy of information that is collected, processed and transmitted in or from the governing jurisdiction. Foreign data protection, privacy, information security, user protection and other laws and regulations are often more restrictive and complex than those in the United States. For example, the Canadian Personal Information Protection and Electronic Documents Act ("PIPEDA") is a comprehensive privacy and security law for organizations collecting, using or disclosing information about identified individuals for commercial purposes, and may impose obligations upon covered organizations that are greater than what is common in the United States. Certain Canadian provinces have their own data protection regulations as well. Similarly, the United Kingdom, the European Union and countries in the European Economic Area (the "EEA") traditionally have taken broader views on, and have imposed different legal obligations on companies as to, the types of data that are subject to privacy and data protection laws and regulations. For example, the E.U. General Data Protection Regulation (the "GDPR"), which took effect in May 2018, applies to any company established in the EEA and to companies outside the EEA if they collect and use personal data in connection with the offering of goods or services to individuals in the EEA or the monitoring of their behavior. Although we do not currently trigger the application of the GDPR, if we materially alter our operations such that we become established in the European Union and/or the United Kingdom (e.g., by employing individuals in those locations), begin monitoring individuals in the European Union and/or the United Kingdom or demonstrate an intention to offer goods and services to individuals in the European Union and/or the United Kingdom, we may be required to comply with EEA and/or U.K. data protection laws, such as the GDPR and the U.K. General Data Protection Regulation, which took effect in January 2021. If we are required to comply with PIPEDA or EEA or U.K. data privacy laws, it may significantly increase our operational costs and our overall risk exposure. In addition, the Canadian Parliament has debated a new privacy and security law, proposed to replace PIPEDA, which may impose new or additional obligations upon covered companies. The proposed new privacy and security bill was introduced in June 2022 and is subject to further debate and amendment. If PIPEDA is replaced with a new privacy and security law in the future, it may require us to further modify our data processing practices and policies and incur additional compliance-related costs and expenses. The Japanese Act on the Protection of Personal Information No. 57 of 2003, which also governs the handling of personal information, may impose obligations on covered entities that are in addition to, or differ from, those in other jurisdictions (for example, it differs from the GDPR with respect to its approach to notifications and the cross-border transfer of personal data). The interpretation and application of many privacy and data protection laws are, and will likely remain, uncertain, and it is possible that these laws may be interpreted and applied in a manner that is inconsistent with our existing data management practices, policies or product features. If so, in addition to the possibility of fines, lawsuits and other claims and penalties, we could be required to fundamentally change our business activities and practices or modify our practices, policies or products, which could adversely affect our business. In addition to government regulation, privacy advocacy and industry groups may propose new and different self-regulatory standards that legally or contractually apply to us. Any inability to adequately address privacy, data protection and data security concerns or comply with applicable privacy, data protection or data security laws, regulations, policies and other obligations could result in additional cost and liability to us and adversely affect our reputation, sales and business. Our failure, and/or the failure by our various service providers and partners, to comply with applicable privacy policies, laws, regulations or other obligations relating to privacy, data protection or information security, or any compromise of security that results in the unauthorized access, acquisition or release of personal or other user data, or the perception that any such failure or compromise has occurred, could harm our brand and reputation, result in a loss of ticket sellers, buyers or partners, discourage potential ticket sellers, buyers or partners from using our platform and result in fines and proceedings by governmental agencies and users, any of which could adversely affect our business, financial condition and results of operations. In addition, U.S., Canadian and Japanese laws require, and laws in other jurisdictions in which we may operate in the future may in certain circumstances require, businesses to notify affected individuals, governmental entities and/or credit reporting agencies of certain cybersecurity incidents affecting personal information. Certain of our contractual obligations contain similar requirements. Such requirements are inconsistent, and compliance in the event of a widespread cybersecurity incident may be complex, costly and difficult to implement. These risks may increase not only as we expand our operations in new jurisdictions, but also as our business continues to involve greater numbers of ticket buyers, sellers and partners. Our existing general liability and cyber liability insurance policies may not cover, or may cover only a portion of, any response and remediation costs and potential claims related to cybersecurity incidents to which we are exposed or may be inadequate to indemnify us for all or any portion of liabilities that may be imposed. There can be no assurance that our existing insurance coverage will continue to be available on acceptable terms or in amounts sufficient to cover the potentially significant losses that may result from a cybersecurity incident or that the insurer will not deny coverage of any future claim.

Our ability to attract and retain ticket buyers, sellers and partners depends in large part on our ability to provide a user-friendly and effective platform, develop and improve our platform and introduce compelling new solutions and enhancements. Our industry is characterized by rapidly changing technology, service and product introductions and changing demands of ticket buyers, sellers and partners. We spend substantial time and resources understanding and responding to such parties' needs. Building new solutions is costly and complex, and the timetable for commercial release is difficult to predict and may vary from our historical experience. In addition, after development, ticket buyers, sellers and partners may not be satisfied with our enhancements or perceive that our enhancements do not adequately meet their needs. The success of a new solution or enhancement to our platform can depend on several factors, including timely completion and delivery, competitive pricing, adequate quality testing, integration with our platform, user awareness and overall market acceptance and adoption. If we do not continue to maintain and improve our platform or develop successful new solutions and enhancements or improve existing ones, our business, financial condition and results of operations could be adversely affected.

Due to the nature of our business, we process, store, use, transfer and disclose certain personal or sensitive information about our customers and employees. Penetration of our network or information systems or other misappropriation or misuse of personal or sensitive information and data, including credit card information and other personally identifiable information, could cause interruptions in our operations and subject us to increased costs, litigation, investigations and enforcement actions from governmental authorities, as well as financial or other liabilities. In addition, cybersecurity incidents or the inability to protect information could lead to increased incidents of ticketing fraud and counterfeit tickets. Cybersecurity incidents could also significantly damage our reputation with sellers, buyers, partners and other third parties, and could result in significant costs related to remediation efforts, including incident response and restoration and credit or identity theft monitoring. Such incidents may occur in the future, resulting in unauthorized, unlawful or inappropriate access to, inability to access, or disclosure or loss of, the sensitive, proprietary and confidential information that we handle. Although we have developed systems, practices and policies that are designed to protect customer and employee information and to prevent cybersecurity incidents (which could result in data loss or other harm or loss), such measures cannot provide absolute security or certainty. It is possible that advances in computer and threat actor capabilities, new variants of malware, the development of new penetration methods and tools, inadvertent violations of our practices or policies or other developments could result in a compromise of, or a breach of the technology and cybersecurity processes that are used to protect, customer and employee information. The techniques used to obtain unauthorized access, disable or degrade service or sabotage systems may change frequently and, as a result, may be difficult for our business to detect for extended periods of time. We have expended and will continue to expend significant capital and other resources to protect against and remedy such potential cybersecurity incidents and their consequences. However, despite our efforts, we may be unaware of or unable to anticipate these techniques or implement adequate preventative measures. We also face risks associated with cybersecurity incidents affecting third parties with which we are affiliated, partnered or otherwise conduct business. In particular, hardware, software or applications we develop or procure from third parties may contain design or manufacturing defects and/or pose cybersecurity risks that could unexpectedly compromise information security. Ticket sellers, buyers and partners are generally concerned with the security and privacy of the internet, and any publicized cybersecurity incidents affecting our business or third parties may discourage such sellers, buyers or partners from doing business with us and harm our reputation, which could adversely affect our business, financial condition and results of operations. For more information on cybersecurity-related legal and regulatory risks, see "Risks Related to Government Regulation and Litigation - The processing, storage, use and disclosure of personal or sensitive information could give rise to liabilities and additional costs as a result of governmental regulation, litigation and conflicting legal requirements, including those relating to personal privacy rights" above.

Our business faces significant competition from other national, regional and local primary and secondary ticketing service providers to secure new and retain existing ticket buyers, sellers and partners on a continuous basis. We also face competition in the resale of tickets from other professional ticket resellers. The intense competition that we face in the ticketing industry could cause the volume of our ticketing business to decline, which could adversely affect our business, financial condition and results of operations. Other competitive variables that could lead to a decrease in ticket orders, ticket prices, fees and/or profit margins that could adversely affect our financial performance include: competitors' offerings that may include more favorable terms or pricing; competitors' increase in marketing spending; technological changes and innovations that we are unable to adopt or are late in adopting; other entertainment options or ticket inventory selection and variety that we do not offer; increased pricing in the primary ticket marketplace, which could result in reduced profits for secondary ticket sellers; primary ticket marketplaces trying to restrict ticket sales by secondary marketplaces; and increased search engine marketing costs as competitors increase bid prices. In addition, competition within the fantasy sports and gaming industry is significant, and our existing and potential Vivid Picks users may elect to use competing daily fantasy sports products.

Maintaining and enhancing our reputation and brand as a differentiated ticketing marketplace serving ticket buyers, sellers and partners is critical in our ability to retain existing, and attract new, relationships with ticket buyers, sellers and partners. The successful promotion of our brand attributes depends on a number of factors, including many that are outside of our control. The promotion of our brand requires us to make substantial expenditures and management investment, which may increase as our marketplace continues to expand and become more competitive. To the extent these activities yield increased revenue, it may not offset the increased expenses we incur. If we do not successfully maintain and enhance our brand and differentiate our marketplace from competitive products and services, our business may not grow, we may be unable to compete effectively and we could lose existing, or fail to attract new, ticket buyers, sellers or partners, all of which would adversely affect our business, financial condition and results of operations. There are also factors outside of our control that could undermine and/or harm our reputation and brand. A negative perception of our marketplace may adversely affect our business, including as a result of complaints or negative publicity, our inability to timely comply with applicable laws, regulations and/or consumer protection-related guidance, the use of our platform to sell fraudulent or counterfeit tickets, our responsiveness to issues or complaints,the timing of refunds and/or reversal of payments through our platform, actual or perceived disruptions or defects in our platform, cybersecurity incidents, a lack of awareness of our policies or changes to our policies that third parties perceive as overly restrictive, unclear or inconsistent with our values. If we are unable to maintain a reputable platform that provides valuable solutions and desirable events, our ability to attract and retain ticket buyers, sellers and partners could be impaired and our reputation, brand and business could be adversely affected.

Inflation has the potential to adversely affect our business, financial condition, including liquidity, and results of operations by increasing our overall cost structure, particularly if we are unable to achieve commensurate increases in our revenues. The existence of inflation in the economy has resulted in, and may continue to result in, high interest rates and capital costs, increased costs of labor, weakening exchange rates and other similar effects. As a result of inflation, we have experienced and may continue to experience cost increases. Although we may take measures to mitigate the impacts of inflation, these measures may not be effective and our business, financial condition, including liquidity, and results of operations could be adversely affected. Even if such measures are effective, there could be a difference in timing between the impacts of inflation and the effects of the mitigating actions we take.

We have operations in Canada and Japan, and we may continue to expand our international operations. Accordingly, our business is subject to risks associated with doing business internationally, including, but not limited to: complying with multiple, conflicting and changing laws and regulations, including those relating to privacy, data protection, anti-bribery, anti-corruption and anti-money laundering, in the jurisdictions in which we now or may in the future operate; obtaining governmental approvals, permits and licenses; obtaining and enforcing intellectual property rights; staffing and managing foreign operations; financial risks such as longer payment cycles, difficulty collecting accounts receivable, the impact of local and regional financial crises and exposure to foreign currency exchange rate fluctuations; preferences by local consumers for local competitors; and political and economic instability. We may also have difficulty expanding our international operations because of limited brand recognition, leading to delayed or limited acceptance of our services by ticket buyers, sellers and partners in new markets and increased marketing and other costs associated with establishing our brand. If we are unable to successfully expand internationally or manage the risks associated therewith, our business, financial condition and results of operations could be adversely affected.

Our success depends upon the continued service of our senior management team and key technical employees, as well as our ability to continue to identify, attract, hire, integrate, develop, motivate and retain highly skilled personnel for all areas of our organization. Each of our executive officers, key technical personnel and other employees could terminate his or her relationship with us at any time. The loss of any member of our senior management team or key personnel could significantly delay or prevent the achievement of our business objectives and/or harm our business and relationships. As such, effective succession planning and the execution of smooth personnel transitions is important to our long-term success. Competition in our industry for qualified employees is intense. In addition, our compensation arrangements, such as our equity award programs, may not always be successful in attracting, hiring, motivating and retaining employees. We face significant competition for personnel. To attract top talent, we have needed, and will continue to need, to offer competitive compensation and benefits packages. We may also need to increase our employee compensation levels in response to competition and inflation. If we fail to effectively manage our hiring needs or successfully integrate new hires, our efficiency and ability to meet forecasts, as well as employee morale, productivity and retention, could suffer, which may adversely affect our business.

We rely on third-party providers to support our payment methods, as ticket buyers primarily use credit or debit cards to purchase tickets on our marketplace. Nearly all our revenue is associated with payments processed through a single provider, which relies on banks and payment card networks to process transactions. If this provider or any of its vendors do not operate well with our platform or suffer any failures, our payments systems and business could be adversely affected. If this provider does not perform adequately or determines that certain types of transactions are prohibited, if this provider's technology does not interoperate well with our platform or if our relationships with this provider (or the bank or the payment card networks on which it relies) were to terminate or be suspended unexpectedly, ticket buyers may find our platform more difficult to use and, as a result, use our platform less. Our payment processing partner requires us to comply with payment card network operating rules, which are set and interpreted by the payment card networks. The payment card networks could adopt new operating rules or interpret or re-interpret existing rules in ways that might prohibit us from providing certain services to some ticket buyers or sellers, be costly to implement or difficult to follow. We are required to reimburse our payment processor for fines assessed by payment card networks if we, or ticket buyers or sellers using our platform, violate these rules, such as our processing of various types of transactions that may be interpreted as a violation of certain payment card network operating rules. Changes to these rules and requirements, or any change in our designation by payment card networks, could require a change in our business operations and result in limitations on or loss of our ability to accept payment cards, any of which could negatively impact our business. We are also subject to the Payment Card Industry ("PCI") Data Security Standard, which is designed to protect credit card account data as mandated by payment card industry entities. We rely on vendors to handle PCI matters and to ensure PCI compliance. Despite our compliance efforts, we may become subject to claims that we have violated the PCI Data Security Standard based on past, present and/or future business practices. Our actual or perceived failure to comply with the PCI Data Security Standard could subject us to fines, termination of banking relationships and increased transaction fees. Under current credit, debit and payment card practices and network rules, we are liable for fraudulent activity on the majority of our credit and debit card transactions. We are also exposed to financial crime risk, against which we do not currently carry insurance. Additionally, while we deploy sophisticated technology to detect fraudulent purchase activity, we may incur losses if we fail to prevent the use of fraudulent payment information on transactions. Fraud schemes are becoming increasingly sophisticated and common, and our ability to detect and combat fraudulent schemes may be negatively impacted by the adoption of new payment methods and technology platforms. If we or our payment processing provider fail to identify fraudulent activity or are unable to effectively combat the use of fraudulent payments on our platform, or if we otherwise experience increased levels of disputed credit card payments or transactions, our business, financial condition and results of operations could be adversely affected. In addition, our failure to adequately mitigate this risk could adversely affect our business, financial condition and results of operations, as well as our brand, reputation and ability to accept payments. Payment card networks and our payment processing partner could increase the fees or interchange they charge us for their services or to accept or process transactions, which would increase our operating costs and reduce our margins. Any such increase in fees could adversely affect our business, financial condition and results of operations. Finally, the laws and regulations that govern payment methods and processing are complex and subject to change, and we may be required to expend considerable time and effort to determine the applicability of such laws and regulations. There can be no assurance that we will be able to meet all compliance obligations, including obtaining any required licenses in the jurisdictions we service, and, even if we are able to do so, there could be substantial costs and potential product changes involved in complying with such laws, which could adversely affect our business. Any actual or alleged noncompliance by us in relation to existing or new laws and regulations could result in reputational damage, litigation, increased costs or liabilities, damages or require us to stop offering payment services in certain markets. Failure to predict how a given law or regulation with respect to money transmission, prepaid access or similar requirements will be applied to us could result in licensure or registration requirements, administrative enforcement actions and/or materially interfere with our ability to offer certain payment methods or to conduct our business in particular jurisdictions. We cannot predict what actions the U.S. or other governments may take, or what restrictions they may impose, that will affect our ability to process payments or to conduct our business in particular jurisdictions. Further, we may become subject to changing payment regulations and requirements that could affect the compliance of our current payment processes and increase the operational costs we incur to support payments. The foregoing could impose substantial additional costs, involve considerable delay to the development or provision of our solutions, require significant and costly operational changes or prevent us from providing our solutions in any given market.