Snap (SNAP) Risk Factors

In the ordinary course of business, we collect, store, use, and share personal data and other sensitive information, including proprietary and confidential business data, trade secrets, third-party sensitive information, and intellectual property. Accordingly, we are subject to a variety of laws, regulations, industry standards, policies, contractual requirements, executive actions, and other obligations relating to privacy, security, and data protection. We also are or may in the future be subject to many federal, state, local, and foreign laws and regulations, including those related to privacy, rights of publicity, content, data protection, AI, intellectual property, health and safety, competition, protection of minors, consumer protection, employment, money transmission, import and export restrictions, gift cards, electronic funds transfers, anti-money laundering, advertising, algorithms, encryption, and taxation. Under certain of these laws, we could face temporary or definitive bans on data processing and other corrective actions, substantial monetary fines, or private litigation related to processing of personal data brought by classes of data subjects or consumer protection organizations authorized to represent their interests. The transfer of personal data continues to be under increased regulatory attention and scrutiny, and certain jurisdictions in which we operate have significantly limited the lawful basis on which personal data can be transferred to other jurisdictions and increased the assessments required to do so. We have attempted to structure our operations in a manner designed to help us partially avoid some of these concerns; however, we still transfer some data using mechanisms that comply with applicable law. Some of these mechanisms are subject to legal challenges, and there is no assurance that we can satisfy or rely on these mechanisms to lawfully transfer personal data in the future. If there is no lawful manner for us to transfer personal data, or if the requirements for a legally compliant transfer are too onerous, we could face significant adverse consequences, including the interruption or degradation of our operations, the need to relocate part of or all of our business or data processing activities to other jurisdictions at significant expense, increased exposure to regulatory actions, substantial fines and penalties, the inability to transfer data and work with partners, vendors, and other third parties, and injunctions against our processing or transferring of personal data necessary to operate our business. Regulators may seek to restrict our data processing activities if they believe we have violated cross-border data transfer limitations, which would seriously harm our business. Additionally, companies like us that transfer personal data between jurisdictions, particularly to the United States, are subject to increased scrutiny from regulators, individual litigants, and activist groups. Legislation in certain of the countries in which we operate has imposed extensive obligations, and potential monetary fines, on entities like us that are categorized in various contexts as online service providers (including, as the case may be, social media platforms, electronic communications providers, or other similar categorizations) who enable the sharing of user-generated content, to identify, mitigate, and manage the risks of harm to users from illegal and harmful content, such as terrorism, child sexual exploitation and abuse, and harassment or stalking. In addition, the privacy of teens' personal data collected online, and use of commercial websites, applications, online services, or other interactive platforms, generally, are also becoming increasingly scrutinized. Regulations focused on online safety and protection of teens' privacy online have and may in the future require us to change our services and incur costs to do so. Moreover, various laws to restrict or govern the use of commercial websites, applications, online services, or other interactive platforms by teens have passed or have been proposed, including laws prohibiting showing teens advertising, requiring age verification, limiting the use of minors' personal data, and requiring parental consent or providing for other parental rights. These laws may be, or in some cases already have been, subject to legal challenges and changing interpretations, which may further complicate our efforts to comply with laws applicable to us. These new laws may result in restrictions on the use of certain of our products or services by minors, decrease DAUs or user engagement in those jurisdictions, require changes to our products and services to achieve compliance, and increase legal risk and compliance costs for us and our third-party partners, any of which could seriously harm our business. Laws and regulations focused on privacy, security, and data protection, including data breach notification laws, personal data privacy laws, consumer protection laws, wiretapping laws, invasion of privacy laws, and other similar laws have imposed obligations on companies that collect personal data from users, including providing specific disclosures in privacy notices, expanding the requirements for handling personal data, requiring consents to process personal data in certain circumstances, and affording residents with certain rights concerning their personal data. Such rights may include the right to access, correct, or delete certain personal data, and to opt-out of certain data processing activities, such as targeted advertising, profiling, and automated decision-making. The exercise of these rights may impact our business and ability to provide our products and services, and our inability or failure to obtain consent or otherwise identify a lawful basis for data processing that is acceptable to a regulator, where required, could result in adverse consequences, including class-action litigation, regulatory enforcement, and mass arbitration demands. Certain of these laws also impose stricter requirements for processing certain personal data, including sensitive information, such as conducting data privacy impact assessments. These laws also allow for statutory fines for noncompliance and, in some instances, provide for civil penalties for violations and a private right of action for data breaches, which may increase the likelihood and cost of data breach litigation, and could seriously harm our business. Additionally, several jurisdictions in which we operate have enacted statutes banning or restricting the collection of biometric information. Certain of these laws provide for substantial penalties and statutory damages and have generated significant class-action activity. Although we maintain the position that our technologies do not collect any biometric information, we have in the past, and may in the future, settle these disputes to avoid potentially costly litigation and have in certain instances made changes to our products in an abundance of caution. We use AI, including generative AI, in consumer-facing features of our products and services, such My AI, and in the operation of our business. The development and use of AI presents various privacy and security risks that may impact our business. AI is subject to privacy and data security laws, as well as increasing regulation and scrutiny. Several countries in which we operate or have users have proposed or enacted, or are considering, laws governing AI, which we are or may be subject to. The legal landscape around intellectual property rights in AI, and the use, training, implementation, privacy, and safety of AI, is evolving, including ongoing litigation against our peers relating to the use of data protected by global intellectual property and privacy laws. These obligations may make it harder for us to use AI in our products or services, lead to regulatory fines or penalties, or require us to change our business practices, retrain our AI, or prevent or limit our use of AI. We are subject to ongoing investigations by the UK Information Commissioner's Office, or ICO, and other regulatory agencies regarding the use and operation of My AI, and in October 2023 the ICO issued a preliminary enforcement notice regarding our data impact assessment of My AI. Given the current unsettled nature of the legal and regulatory environment surrounding AI, our or our partners' AI features and use, training, and implementation of AI could subject us to regulatory action, product restrictions, fines, litigation, and reputational harm, and require us to expend significant resources, all of which may seriously harm our business. Additionally, if our AI products fail to perform as intended, or produce outputs that are harmful, misleading, inaccurate, or biased, in addition to the risks above, our reputation and user engagement may be harmed, and we may be required to change our business practices, retrain our AI, or limit our use of AI. Furthermore, certain proposed regulations related to AI could, if adopted, impose onerous obligations related to the use of AI-related systems and may require us to change our products or business practices to comply with such obligations. Privacy advocates and industry groups have proposed, and may propose in the future, standards with which we are legally or contractually obligated to comply. Moreover, we are also bound by contractual obligations related to data privacy and security, and our efforts to comply with such obligations may not be successful. We also publish privacy policies, marketing materials, and other statements regarding data privacy and security, including statements relied on by our users, advertisers, and business partners. If these policies, materials, or statements are found to be deficient, lacking in transparency, deceptive, unfair, or misrepresentative of our practices, we may be subject to investigation, enforcement actions by regulators, or other adverse consequences, including class-action litigation or mass arbitration demands. The implementation and enforcement, including through private rights of action, of these increasingly complex, onerous, or divergent laws and regulations, and the introduction, interpretation, or revision of any new such laws or regulations, with respect to privacy, security, data protection, and our industry are uncertain and may further complicate compliance efforts, lead to fragmentation of the service, and may increase legal risk and compliance costs for us and our third-party partners. Many of these obligations are becoming increasingly stringent and subject to rapid change and uncertain interpretation. Preparing for and complying with these obligations requires us to devote significant resources, and there is no guarantee that our compliance efforts to date, or in the future, will be deemed compliant or sufficient. These obligations may necessitate changes to our products and services, information technologies, systems, and practices and to those of any third parties that process personal data on our behalf. In addition, these obligations may require us to change our business model. Our business model materially depends on our ability to process personal data in connection with our advertising offerings, so we are particularly exposed to the risks associated with the rapidly changing legal landscape regarding privacy, security, and data protection. For example, privacy regulators have targeted us and some of our competitors, including by investigating data processing activities and in the past have issued large fines to our competitors. Such enforcement actions may cause us to revise our business plans and operations. Moreover, we believe a number of investigations into other technology companies are currently being conducted by federal, state, and foreign legislative and regulatory bodies. We therefore may be at heightened risk of regulatory scrutiny, as regulators focus their attention on data processing activities of companies like us, and any changes in the regulatory framework or enforcement actions, whether against us or our competitors, could require us to fundamentally change our business model, and seriously harm our business. We may at times fail, or be perceived to have failed, in our efforts to comply with our privacy, security, and data protection obligations. Moreover, despite our efforts, our personnel or third parties on whom we rely may fail to comply with such obligations, which could negatively impact our business operations. If we or the third parties on which we rely fail, or are perceived to have failed, to address or comply with applicable privacy, security, or data protection obligations, we could face significant consequences, including government enforcement actions (such as investigations, claims, audits, and penalties), litigation (including class-action litigation) and mass arbitration demands, additional reporting requirements or oversight, bans on processing personal data, negative publicity, and orders to destroy or not use or transfer personal data. Certain regulators may prohibit our use of certain personal data as a result of enforcement actions or similar proceedings. Plaintiffs have become increasingly more active in bringing privacy-related claims against companies, including class claims and mass arbitration demands. Some of these claims allow for the recovery of statutory damages on a per violation basis, and, if viable, carry the potential for monumental statutory damages, depending on the volume of data and the number of violations. Any of these events could have a material adverse effect on our business, including loss of users and advertisers, inability to process personal data or operate in certain jurisdictions, changes to our business practices, increased cost of operations, and declines in user growth, retention, or engagement, any of which could seriously harm our business. We have in the past been subject to enforcement actions, investigations, proceedings, orders, or various government inquiries regarding our data privacy and security practices and processing. For example, in December 2014, the Federal Trade Commission, or FTC, resolved an investigation into some of our early practices by issuing a final order. That order requires, among other things, that we establish a robust privacy program to govern how we treat user data. During the 20-year term of the order, we must complete biennial independent privacy audits. In addition, in June 2014, we entered into a 10-year assurance of discontinuance with the Attorney General of Maryland implementing similar practices, including measures to prevent minors under the age of 13 from creating accounts and providing annual compliance reports. Violating existing or future regulatory orders or consent decrees could subject us to substantial monetary fines and other penalties that could seriously harm our business.

Our ability to engage, retain, and increase our user base and to increase our revenue will depend heavily on our ability to successfully create new products, both independently and together with third parties. We may introduce significant changes to, or discontinue, our existing products or develop and introduce new and unproven products and services, including technologies with which we have little or no prior development or operating experience. These new products and updates may fail to increase the engagement of our users, advertisers, or partners, may subject us to increased regulatory requirements or scrutiny, and may even result in short-term or long-term decreases in such engagement by disrupting existing user, advertiser, or partner behavior or by introducing performance and quality issues. For example, in January 2023, we made changes to our advertising platform, which we believe will lay the foundation for future growth, but which have been disruptive to our customers and how some of them utilized our platform. The short- and long-term impact of any major change, or even a less significant change such as a refresh of the application or a feature change, is difficult to predict. Although we believe that these decisions will benefit the aggregate user experience and improve our financial performance over the long term, we may experience disruptions or declines in our DAUs or user activity broadly or concentrated on certain portions of our application. Product innovation is inherently volatile, and if new or enhanced products fail to engage our users, advertisers, or partners, or if we fail to give our users meaningful reasons to return to our application, we may fail to attract or retain users or to generate sufficient revenue, operating margin, or other value to justify our investments, any of which may seriously harm our business in the short term, long term, or both. Because our products created new ways of communicating, they have often required users to learn new behaviors to use our products, or to use our products repeatedly to receive the most benefit. These new behaviors, such as swiping and tapping in the Snapchat application, are not always intuitive to users. This can create a lag in adoption of new products and new user additions related to new products. We believe this has not hindered our user growth or engagement, but that may be the result of a large portion of our user base being in a younger demographic and more willing to invest the time to learn to use our products most effectively. To the extent that future users, including those in older demographics, are less willing to invest the time to learn to use our products, and if we are unable to make our products easier to learn to use, our user growth or engagement could be affected, and our business could be harmed. We may also develop new products or initiatives that increase user engagement and costs without increasing revenue in the short or long term. In addition, we have invested, and expect to continue to invest, in new lines of business, new products, and other initiatives to increase our user base and user activity, and attempt to monetize the platform. For example, in 2020, we launched Spotlight, a new entertainment platform for user-generated content within Snapchat, in 2022, we launched Snapchat+, a subscription product that gives subscribers access to exclusive, experimental, and pre-release features, and Snapchat for Web, a browser-based product that brings Snapchat's signature capabilities to the web, and in 2023, we launched My AI, an artificial intelligence powered chatbot. Such new lines of business, new products, and other initiatives may be costly, difficult to operate and monetize, increase regulatory scrutiny and product liability and litigation risk, and divert management's attention, and there is no guarantee that they will be positively received by our community or provide positive returns on our investment. We frequently launch new products and the products that we launch may have technical issues that diminish the performance of our application, experience product failures, or become subject to product recalls. These performance issues or issues that we encounter in the future could impact our user engagement. In addition, new products or features that we launch may ultimately prove unsuccessful or no longer fit with our priorities, and may be eliminated in the future. Such eliminations may require us to reduce our workforce and incur significant expenses. In certain cases, new products that we develop may require regulatory approval prior to launch or may require us to comply with additional regulations or legislation, including laws that are rapidly changing. There is no guarantee that we will be able to obtain such regulatory approval, and our efforts to comply with these laws and regulations could be costly and divert management's time and effort and may still not guarantee compliance. If we do not successfully develop new approaches to monetization or meet the expectations of our users or partners, we may not be able to maintain or grow our revenue as anticipated or recover any associated development costs, and our business could be seriously harmed.

In the ordinary course of business, we collect, store, use, and share personal data and other sensitive information, including proprietary and confidential business data, trade secrets, third-party sensitive information, and intellectual property (collectively, sensitive information). Our efforts to protect our sensitive information, including information that our users, advertisers, and partners have shared with us, may be unsuccessful due to the actions of third parties, including traditional "black hat" hackers, nation states, nation-state supported groups, organized criminal enterprises, hacktivists, and our personnel and contractors (through theft, misuse, or other risk). We and the third parties on which we rely are subject to a variety of evolving threats, including social-engineering attacks (for example by fraudulently inducing employees, users, or advertisers to disclose information to gain access to our sensitive information, including data or our users' or advertisers' data, such as through the use of deep fakes, which may be increasingly more difficult to identify as fake), malware, malicious code, hacking, credential stuffing, denial of service, and other threats, including attacks enhanced or facilitated by artificial intelligence. While certain of these threats have occurred in the past, they have become more prevalent and sophisticated in our industry, and may occur in the future. Because of our prominence and value of our sensitive information, we believe that we are an attractive target for these sorts of attacks. In particular, severe cyber extortion incidents, including ransomware attacks, are becoming increasingly prevalent. To alleviate the financial, operational, and reputational impact of these incidents, it may be preferable to make extortion payments, but we may be unwilling or unable to do so, including, for example, if applicable laws or regulations prohibit such payments. And, even if we make such payments, cyber threat actors may still disclose data, engage in further extortion, or otherwise harm our systems or data. Moreover, for certain employees we permit a hybrid work environment, which has increased risks to our information technology systems and data, as our employees utilize network connections, computers, and devices outside our premises or network, including working at home, while in transit and in public locations. In addition, cyber threat actors have also increased the complexity of their attempts to compromise user and advertiser accounts, despite our defenses and detection mechanisms to prevent these account takeovers. User credentials may be obtained on- or off-platform, including through breaches of third-party platforms and services, password stealing malware, social engineering, or other tactics and techniques like credential harvesting, and used to launch individual, group, or coordinated enterprise-wide attacks. Some of these attacks may be hard to detect, including if they are at scale, and may result in cyber threat actors using our service to spam or abuse other users, access user personal data, further compromise additional user accounts, or engage in fraudulent advertising. Some of these attacks could also compromise employee credentials or involve socially engineering employees into granting access to systems or otherwise enabling or assisting in the cyber threat actors' goals. We rely on third parties and technologies to operate critical business systems to process sensitive information in a variety of contexts, including cloud-based infrastructure, data center facilities, AI, encryption and authentication technology, employee email, content delivery, and other functions. We may also rely on third parties to provide other products or services to operate our business or enable features in our platform. Additionally, some advertisers and partners store sensitive information that we share with them. Our ability to monitor these third parties' information security practices is limited, and these third parties may not have adequate information security measures in place despite their contractual representations to implement such measures and our third-party service provider vetting process. If these third parties fail to implement adequate data security practices or fail to comply with our terms, policies, or contractual obligations, our sensitive information may be improperly accessed or disclosed, and we may experience adverse consequences. And even if these third parties take all of these steps, their networks may still suffer a breach, which could compromise our sensitive information. We or our third-party providers may also experience failures or malfunctions of hardware or software, the loss of technology assets, or the loss of data that, while not caused by threat actors, may have a similar impact and risk to our business. While we may be entitled to damages if the third parties on whom we rely fail to satisfy their privacy or security-related obligations to us, or cause the loss of our data or prolonged downtime, any award may be insufficient to cover our damages, or we may be unable to recover such award. Moreover, supply chain attacks have increased in frequency and severity, and we cannot guarantee that third parties in our supply chain have not been compromised or that their systems, networks, or code are free from exploitable defects or bugs that could result in a breach of or disruption to our platform, systems, and networks or the systems and networks of third parties that support us and our services. We are also reliant on third-party and open source software to operate our platform and to assist in the operation of our business, which software may contain, now or in the future, bugs, vulnerabilities, or errors that could be discovered or disclosed publicly before a patch or fix is available and exploited by internal or external cyber threat actors. While we have implemented security measures designed to protect against security incidents, there can be no assurance that these measures will be effective. We take steps designed to detect and remediate vulnerabilities in our information systems (such as our hardware and software, including that of third parties upon which we rely), and we work with security researchers through our bug bounty program to help us identify vulnerabilities. We may not, however, detect, become aware of, and remediate all such vulnerabilities including on a timely basis, and there is no guarantee security researchers will disclose all vulnerabilities they become aware of or do so responsibly. Further, we may experience delays in developing or deploying remedial measures and patches designed to address identified vulnerabilities. Vulnerabilities could be exploited and result in a security or privacy incident. If any of these or similar events occur, our or our third-party partners' sensitive information and information technology systems could be accessed, acquired, modified, destroyed, lost, altered, encrypted, or disclosed in an unauthorized, unlawful, accidental, or other improper manner, resulting in a security incident or other interruption. We may expend significant resources or modify our business activities to adopt additional measures designed to protect against security incidents. Certain data privacy and security obligations may require us to implement and maintain specific security measures or industry-standard or reasonable security measures to protect our systems and sensitive information. While we have implemented security measures designed to protect against security incidents, there can be no assurance that these measures will be effective. We have previously suffered the loss of sensitive information related to employee error, insider threats, and vendor breaches. Any security incident experienced by us or our third-party partners could damage our reputation and our brand, and diminish our competitive position. Applicable privacy and security obligations may require us to notify relevant stakeholders, including affected individuals, customers, regulators, and investors, of security incidents. Such disclosures are costly and the failure to comply with these legal requirements could lead to adverse consequences. Governments and regulatory agencies (including the Securities and Exchange Commission, or the SEC) have and may continue to enact new disclosure requirements for cybersecurity events. In addition, affected users or government authorities could initiate legal or regulatory action against us, including class-action claims, mass arbitration demands, investigations, penalties, and audits, which could be time-consuming and cause us to incur significant expense and liability or result in orders or consent decrees forcing us to modify our business practices. We could also experience loss of user or advertiser confidence in the security of our platform, additional reporting requirements or oversight, restrictions on processing sensitive information, claims by our partners or other relevant parties that we have failed to comply with contractual obligations or our policies, and indemnification obligations. We could also spend material resources to investigate or correct the incident and to prevent future incidents. Maintaining the trust of our users is important to sustain our growth, retention, and user engagement. Concerns over our privacy and security practices, whether actual or unfounded, could damage our reputation and brand and deter users, advertisers, and partners from using our products and services. Any of these occurrences could seriously harm our business. Our contracts may not contain limitations of liability, and even where they do, there can be no assurance that limitations of liability in our contracts are sufficient to protect us from liabilities, damages, or claims related to our data privacy and security obligations. We cannot be sure that our insurance coverage will be adequate or sufficient to protect us from or to mitigate liabilities arising out of our privacy and security practices, that such coverage will continue to be available on commercially reasonable terms or at all, or that such coverage will pay future claims. In addition to experiencing a security incident, third parties may gather, collect, or infer sensitive information about us from public sources, data brokers, or other means that reveals competitively sensitive details about our organization and could be used to undermine our competitive advantage or market position.

We face significant competition in almost every aspect of our business both domestically and internationally, especially because our products and services operate across a broad list of categories, including camera, visual messaging, content, and augmented reality. Our competitors range from smaller or newer companies to larger, more established companies such as Alphabet (including Google and YouTube), Apple, ByteDance (including TikTok), Kakao, LINE, Meta (including Facebook, Instagram, Threads, and WhatsApp), Naver (including Snow), Pinterest, Tencent, and X (formerly Twitter). Our competitors also include platforms that offer, or will offer, a variety of products, services, content, and online advertising offerings that compete or may compete with Snapchat features or offerings. For example, Instagram, a competing application owned by Meta, has incorporated many of our features, including a "stories" feature that largely mimics our Stories feature and may be directly competitive. Meta has introduced, and likely will continue to introduce, more private ephemeral products into its various platforms which mimic other aspects of Snapchat's core use case. We also compete for users and their time, so we may lose users or their attention not only to companies that offer products and services that specifically compete with Snapchat features or offerings, but to companies with products or services that target or otherwise appeal to certain demographics, such as Discord or Roblox. Moreover, in emerging international markets, where mobile devices often lack large storage capabilities, we may compete with other applications for the limited space available on a user's mobile device. We also face competition from traditional and online media businesses for advertising budgets. We compete broadly with the products and services of Alphabet, Apple, ByteDance, Meta, Pinterest, and X (formerly Twitter), and with other, largely regional, social media platforms that have strong positions in particular countries. As we introduce new products, as our existing products evolve, or as other companies introduce new products and services, we may become subject to additional competition. Many of our current and potential competitors have significantly greater resources and broader global recognition, and occupy stronger competitive positions in certain market segments, than we do. These factors may allow our competitors to respond to new or emerging technologies and changes in market requirements better than we can, undertake more far-reaching and successful product development efforts or marketing campaigns, or adopt more aggressive pricing policies. In addition, ongoing changes to privacy and data protection laws and mobile operating systems have made it more difficult for us to target and measure advertisements effectively, and advertisers may prioritize the solutions of larger, more established companies. As a result, our competitors may, and in some cases will, acquire and engage users or generate advertising or other revenue at the expense of our own efforts, which would negatively affect our business. Advertisers may use information that our users share through Snapchat to develop or work with competitors to develop products or features that compete with us. Certain competitors, including Alphabet, Apple, and Meta, could use strong or dominant positions in one or more market segments to gain competitive advantages against us in areas where we operate, including by: - integrating competing social media platforms or features into products they control such as search engines, web browsers, artificial intelligence services, advertising networks, or mobile operating systems;- making acquisitions for similar or complementary products or services; or - impeding Snapchat's accessibility and usability by modifying existing hardware and software on which the Snapchat application operates. Certain acquisitions by our competitors may result in reduced functionality of our products and services, provide our competitors with valuable insight into the performance of our and our partners' businesses, and provide our competitors with a pipeline of future acquisitions to maintain a dominant position. As a result, our competitors may acquire and engage users at the expense of our user base, growth, or engagement, which may seriously harm our business. We believe that our ability to compete effectively depends on many factors, many of which are beyond our control, including: - the usefulness, novelty, performance, and reliability of our products compared to our competitors' products;- the number and demographics of our DAUs;- the timing and market acceptance of our products, including developments and enhancements of our competitors' products;- our ability to monetize our products and services, including new products and services;- the availability of our products to users;- the effectiveness of our advertising and sales teams;- the effectiveness of our advertising products;- our ability to establish and maintain advertisers' and partners' interest in using Snapchat;- the frequency, relative prominence, and type of advertisements displayed on our application or by our competitors;- the effectiveness of our customer service and support efforts;- the effectiveness of our marketing activities;- actual or proposed legislation, regulation, executive actions, or litigation, including settlements and consent decrees, some of which may have a disproportionate effect on us;- acquisitions or consolidation within our industry segment;- our ability to attract, retain, and motivate talented team members, particularly engineers, designers, and sales personnel;- our ability to successfully acquire and integrate companies and assets;- the security, or perceived security, of our products and data protection measures compared to our competitors' products;- our ability to cost-effectively manage and scale our operations; and - our reputation and brand strength relative to our competitors. If we cannot effectively compete, our user engagement may decrease, which could make us less attractive to users, advertisers, and partners and seriously harm our business.

We have developed a brand that we believe has contributed to our success. We also believe that maintaining and enhancing our brand is critical to expanding our user base, advertisers, and partners. Because many of our users join Snapchat on the invitation or recommendation of a friend or family member, one of our primary focuses is on ensuring that our users continue to view Snapchat and our brand favorably so that these referrals continue. Maintaining and enhancing our brand will depend largely on our ability to continue to provide useful, novel, fun, reliable, trustworthy, and innovative products, which we may not do successfully. We may introduce new products, make changes to existing products and services, or require our users to agree to new terms of service related to new and existing products that users do not like, which may negatively affect our brand in the short term, long term, or both. Additionally, our partners' actions may affect our brand if users do not appreciate what those partners do on Snapchat. We may also fail to adequately support the needs of our users, advertisers, or partners, which could erode confidence in our brand. Maintaining and enhancing our brand may require us to make substantial investments and these investments may not be successful. If we fail to successfully promote and maintain our brand or if we incur excessive expenses in this effort, our business may be seriously harmed. In the past, we have experienced, and we expect that we will continue to experience, media, legislative, and regulatory scrutiny. Negative public perception regarding us (including regarding our privacy or security practices, products, illicit use of our products, litigation, or employee matters, or regarding the actions of our founders, our partners, our users, or other companies in our industry) or unfavorable legislative, litigation, or regulatory actions could seriously harm our reputation and brand, and result in decreased revenue, fewer application installs (or increased application un-installs), or declining engagement or growth rates. For example, new laws may increase the minimum age at which individuals are able to access our products or require parental consent for the use of our products. In addition, parental or general public perception of our industry or Snapchat in particular could adversely affect the size, demographics, engagement, and loyalty of our user base, any of which could seriously harm our business.

Manufacturing processes are highly complex, require advanced and costly equipment, and must be continuously modified to improve yields and performance. We largely rely on third-party suppliers and contract manufacturers in connection with the production of our own physical products and components. We and our contract manufacturers are all vulnerable to capacity constraints and reduced component availability, and have limited control over delivery schedules, manufacturing yields, and costs, particularly when components are in short supply, or if we introduce a new product or feature. In addition, we have limited control over our suppliers' and manufacturers' quality systems and controls, and therefore must rely on them to meet our quality and performance standards and specifications. Delays, component shortages, including custom components that are manufactured for us at our direction, global trade conditions and agreements, and other manufacturing and supply problems could impair the distribution of our products and ultimately our brand. For example, the United States has threatened tougher trade terms with China and other countries, leading to the imposition, or potential future imposition, of substantially higher U.S. Section 301 tariffs on certain imports from China, which may adversely affect our products and seriously harm our business. Furthermore, any adverse change in our suppliers' or contract manufacturers' financial or business condition or our relationship with them could disrupt our ability to supply our products. If we change our suppliers or contract manufacturers, or shift to more internal manufacturing operations, we may lose revenue, incur increased costs, and damage our reputation and brand. Qualifying and commencing operations with a new supplier or contract manufacturer is expensive and time-consuming. In addition, if we experience increased demand for our products, we may need to increase our material or component purchases, internal or contract-manufacturing capacity, and internal test and quality functions. The inability of our suppliers or contract manufacturers to provide us with adequate high-quality materials and products could delay our order fulfillment, and may require us to change the design of our products to meet this increased demand. Any redesign may require us to re-qualify our products with any applicable regulatory bodies or customers, which would be costly and time-consuming. This may lead to unsatisfied customers and users and increase costs to us, which could seriously harm our business. As we increase or acquire additional manufacturing capacity, we are subject to many complex and evolving environmental, health, and safety laws, regulations, and rules in each jurisdiction in which we operate. If we fail to comply with any such laws and regulations, then we could incur regulatory penalties, fines, and legal liabilities, suspension of production, significant compliance requirements, alteration of our manufacturing processes, or restrictions on our ability to modify or expand our facilities, any of which could seriously harm our business. In addition, any errors or defects in any parts or technology incorporated into our products could result in product failures or recalls that could seriously harm our business. Further, any defect in manufacturing, design, or other could cause our products to fail or render them permanently inoperable. As a result of such product failures or recalls, we may have to replace or offer refunds for these products at our sole cost and expense, face litigation, including class-action lawsuits, or be subject to other liabilities. Should we have a widespread problem of this kind, the reputational damage and the cost of replacing these products, or other liabilities, could seriously harm our business.

We depend on the continued services and performance of our key personnel, including Mr. Spiegel and Mr. Murphy. Although we have entered into employment agreements with Mr. Spiegel and Mr. Murphy, the agreements are at-will, which means that they may resign or could be terminated for any reason at any time. Mr. Spiegel and Mr. Murphy are high profile individuals who have received threats in the past and are likely to continue to receive threats in the future. Mr. Spiegel, as Chief Executive Officer, has been responsible for our company's strategic vision and Mr. Murphy, as Chief Technology Officer, developed the Snapchat application's technical foundation. Should either of them stop working for us for any reason, it is unlikely that the other co-founder would be able to fulfill all of the responsibilities of the departing co-founder nor is it likely that we would be able to immediately find a suitable replacement. The loss of key personnel, including members of management and key engineering, product development, marketing, and sales personnel, could disrupt our operations, adversely impact employee retention and morale, and seriously harm our business. We cannot guarantee we will continue to attract and retain the personnel we need to maintain our competitive position. We face significant competition in hiring and attracting qualified engineers, designers, and sales personnel, and the change by companies to offer a remote or hybrid work environment may increase the competition for such employees from employers outside of our traditional office locations. In February 2023, we implemented our return to office plan that requires greater in-office attendance. While we intend to continue offering flexible work arrangements based on the different needs of teams across our company on a case-by-case basis, we may face difficulty in hiring and retaining our workforce as a result of this shift to have greater in-office attendance. Further, labor is subject to external factors that are beyond our control, including our industry's highly competitive market for skilled workers and leaders, inflation, other macroeconomic uncertainties, and workforce participation rates. In addition, if our reputation were to be harmed, whether as a result of our strategic decisions or media, legislative, or regulatory scrutiny or otherwise, it could make it more difficult to attract and retain personnel that are critical to the success of our business. Further, negative perception of our DEI initiatives, whether due to our perceived over- or under-pursuit of such initiatives, may result in issues hiring or retaining employees, as well as potential litigation or other adverse impacts. As we continue to adapt and update our business model and priorities, or if our stock price declines, our equity awards may not be as effective an incentive to attract, retain, and motivate team members. Stock price declines may also cause us to offer additional equity awards to our existing team members to aid in retention. Furthermore, if we issue significant equity to attract and retain team members, we would incur substantial additional stock-based compensation expense and the ownership of our existing stockholders would be further diluted. If we do not succeed in attracting, hiring, and integrating excellent personnel, or retaining and motivating existing personnel, we may be unable to grow or effectively manage our business and our business could be seriously harmed.

Google and Amazon provide distributed computing infrastructure platforms for business operations, commonly referred to as a "cloud" computing service. We currently run the vast majority of our computing on Google Cloud and AWS and have built our software and computer systems to use computing, storage capabilities, bandwidth, and other services provided by Google and AWS. Our systems are not fully redundant on the two platforms. Any transition of the cloud services currently provided by either Google Cloud or AWS to the other platform or to another cloud provider would be difficult to implement and would cause us to incur significant time and expense. Given this, any significant disruption of or interference with Google Cloud or AWS, whether temporary, regular, or prolonged, would negatively impact our operations and our business would be seriously harmed. If our users or partners are not able to access Snapchat or specific Snapchat features, or encounter difficulties in doing so, due to issues or disruptions with Google Cloud or AWS, we may lose users, partners, or advertising revenue. The level of service provided by Google Cloud and AWS or similar providers may also impact our users', advertisers', and partners' usage of and satisfaction with Snapchat and could seriously harm our business and reputation if the level of service decreases. Hosting costs also have and will continue to increase as our user base and user engagement grows and may seriously harm our business if we are unable to grow our revenues faster than the cost of utilizing the services of Google Cloud, AWS, or similar providers. In addition, Google or Amazon may take actions beyond our control that could seriously harm our business, including: - discontinuing or limiting our access to its cloud platform;- increasing pricing terms;- terminating or seeking to terminate our contractual relationship altogether;- establishing more favorable relationships or pricing terms with one or more of our competitors; or - modifying or interpreting its terms of service or other policies in a manner that impacts our ability to run our business and operations.