We collect, receive, store, process, generate, use, transfer, disclose, make accessible, protect, secure, dispose of, transmit, and share (collectively, processing), a large volume of personal data and other sensitive information, including proprietary and confidential business data, trade secrets, intellectual property, sensitive third-party data, business plans, transactions, and financial information (collectively, sensitive data). Our data processing activities subject us to numerous data privacy and security obligations, such as various laws, regulations, guidance, industry standards, external and internal privacy and security policies, contractual requirements, and other obligations relating to data privacy and security.
Outside the United States, an increasing number of laws, regulations, and industry standards govern data privacy and security. For example, the EU GDPR and the UK GDPR impose strict requirements for processing personal data. In Canada, the PIPEDA and various related provincial laws, as well as Canada's Anti-Spam Legislation, may apply to our operations. Violation of PIPEDA can lead to a court action brought by individuals or by the Office of the Privacy Commissioner of Canada. In addition, under the EU GDPR, companies may face temporary or definitive bans on data processing and other corrective actions; fines of up to 20 million Euros or 4% of annual global revenue, whichever is greater; or private litigation related to processing of personal data brought by classes of data subjects or consumer protection organizations authorized at law to represent their interests. Other jurisdictions may adopt similar data protection regulations.
In the United States, federal, state, and local governments have enacted numerous data privacy and security laws, including data breach notification laws, personal data privacy laws, consumer protection laws (e.g., Section 5 of the Federal Trade Commission Act), and other similar laws (e.g., wiretapping laws). For example, the CCPA applies to personal information of consumers, business representatives, and employees, and requires businesses to provide specific disclosures in privacy notices and honor requests of California residents to exercise certain privacy rights. The CCPA provides for civil penalties of up to $7,500 per violation and allows private litigants affected by certain data breaches to recover significant statutory damages. Moreover, California voters approved the CPRA, which significantly modifies the CCPA, creating additional obligations relating to consumer data effective as of January 1, 2023. Other states, such as Virginia, Connecticut, Utah, and Colorado, have also passed comprehensive privacy laws, and similar laws are being considered in several other states, as well as at the federal and local levels. These developments may further complicate compliance efforts and increase legal risk and compliance costs for us and the third parties upon whom we rely.
In the ordinary course of business, we may transfer personal data from Europe and other jurisdictions to the United States or other countries. Europe and other jurisdictions have enacted laws requiring data to be localized or limiting the transfer of personal data to other countries. In particular, the European Economic Area ("EEA") and the UK have significantly restricted the transfer of personal data to the United States and other countries whose privacy laws it believes are inadequate. Other jurisdictions may adopt similarly stringent interpretations of their data localization and cross-border data transfer laws. Although there are currently various mechanisms that may be used to transfer personal data from the EEA and UK to the United States in compliance with law, such as the EEA and UK's standard contractual clauses, these mechanisms are subject to legal challenges, and there is no assurance that we can satisfy or rely on these measures to lawfully transfer personal data to the United States. If there is no lawful manner for us to transfer personal data from the EEA, the UK or other jurisdictions to the United States, or if the requirements for a legally-compliant transfer are too onerous, we could face significant adverse consequences, including the interruption or degradation of our operations, the need to relocate part of or all of our business or data processing activities to other jurisdictions at significant expense, increased exposure to regulatory actions, substantial fines and penalties, the inability to transfer data and work with partners, vendors and other third parties, and injunctions against our processing or transferring of personal data necessary to operate our business. Additionally, companies that transfer personal data out of the EEA and UK to other jurisdictions, particularly to the United States, are subject to increased scrutiny from regulators, individual litigants, and activist groups. Some European regulators have ordered certain companies to suspend or permanently cease certain transfers out of Europe for allegedly violating the GDPR's cross-border data transfer limitations.
In addition to data privacy and security laws, we are also bound by contractual obligations related to data privacy and security, and our efforts to comply with such obligations may not be successful. We also publish privacy policies, marketing materials and other statements regarding data privacy and security. If these policies, materials, or statements are found to be deficient, lacking in transparency, deceptive, unfair, or not representative of our practices, we may be subject to investigation, enforcement actions by regulators or other adverse consequences.
We could be adversely affected if legislation or regulations are expanded to require changes in our business practices or if governing jurisdictions interpret or implement their legislation or regulations in ways that negatively affect our business, results of operations, or financial condition. For example, federal, state, and international governmental authorities continue to evaluate the privacy implications inherent in the use of third-party "cookies" and other methods of online tracking for behavioral advertising and other purposes. The United States and foreign governments have enacted, have considered, or are considering legislation or regulations that could significantly restrict the ability of companies and individuals to engage in these activities, such as by regulating the level of consumer notice and consent required before a company can employ cookies or other electronic tracking tools or the use of data gathered with such tools. For example, in the EEA and the UK, regulators are increasingly focusing on compliance with requirements related to the targeted advertising ecosystem. European regulators have issued significant fines in certain circumstances where the regulators alleged that appropriate consent was not obtained in connection with targeted advertising activities. It is anticipated that the ePrivacy Regulation and national implementing laws will replace the current national laws implementing the ePrivacy Directive, which may require us to make significant operational changes. In the United States, the CCPA, for example, grants California residents the right to opt-out of a company's sharing of personal data for advertising purposes in exchange for money or other valuable consideration and requires covered businesses to honor user-enabled browser signals from the Global Privacy Control. Additionally, some providers of consumer devices and web browsers have implemented, or announced plans to implement, means to make it easier for Internet users to prevent the placement of cookies or to block other tracking technologies, which could, if widely adopted, result in the use of third-party cookies and other methods of online tracking becoming significantly less effective. Regulation of the use of these cookies and other online tracking and advertising practices, or a loss in our ability to make effective use of services that employ such technologies, could increase our costs of operations, and limit our ability to track trends, optimize our services, or acquire new guests on cost-effective terms and consequently, materially adversely affect our business, financial condition and operating results. As a result, we may be required to change the way we market our accommodations and services.
Regulators and legislatures at the local, state, and national level are also taking an increased interest in regulating the collection and use of biometric data, which plays an important role in our trust and safety processes. Specifically, the third parties that provide the identity verification process for us use facial geometry data to verify that a guest's selfie picture matches the photograph on the government-issued identification provided by the guest, similar to a front desk worker at a traditional hotel visually comparing a guest's government identification to the guest's face. Legislation such as the EU GDPR and the Illinois Biometric Information Privacy Act ("BIPA"), as well as other U.S. and foreign laws and regulations, place tight regulation on the collection, use and sharing of biometric information, as well as requirements for notice and consent from individual data subjects. Violations of these laws may result in significant fines, damages, and other penalties. For example, BIPA provides for substantial penalties and statutory damages and has generated significant class action activity, and the cost of litigating and settling any claims that we have violated BIPA or similar laws could be significant. New laws and regulations regarding the collection, use, and sharing of biometric data have also recently been proposed or enacted in other states, and the eventual impact of those laws and regulations on Sonder's operations remains uncertain. A failure, or alleged or perceived failure, by us to comply with these requirements could adversely affect our reputation, brand and business, and may result in claims, proceedings, or actions against us by governmental entities or private litigants or require us to change our operations and/or our ability to ensure the safety of our guests, which could adversely affect our reputation or require us to make significant investments in new technologies or processes.
While we have invested and continue to invest resources to comply with privacy and data security obligations, including the EU GDPR, the UK GDPR, the CCPA/CPRA, and other privacy regulations and obligations, as applicable, these obligations are quickly changing, becoming increasingly stringent, and creating regulatory uncertainty. Additionally, these obligations may be extremely complex, and subject to different and inconsistent applications and interpretations. Preparing for and complying with these obligations requires us to devote significant resources, which may necessitate changes to our services, information technologies, systems, and practices and to those of any third parties that process personal data on our behalf. We may at times fail (or be perceived to have failed) in our efforts to comply with our data privacy and security obligations. Moreover, despite our efforts, our personnel or third parties on whom we rely may fail to comply with such obligations, which could negatively impact our business operations. Any failure, or perceived or alleged failure, by us or the third parties on which we rely to comply with any federal, state, local or international laws, regulations, industry self-regulatory principles, industry standards or codes of conduct, regulatory guidance, orders to which we may be subject, or other actual or asserted legal or contractual obligations relating to privacy, data protection, information security, or consumer protection could have significant consequences, including (but not limited to) government enforcement actions (e.g., investigations, fines, penalties, audits, inspections, and similar); litigation (including class-action claims); additional reporting requirements and/or oversight; indemnification obligations; bans on processing personal data or credit cards; and orders to destroy or not use personal data. For example, in August 2023, a purported class action lawsuit was filed against the Company asserting claims based on the Company's alleged failure to secure and safeguard the personally identifiable information of the putative class. For a discussion of this lawsuit, see the section entitled "Legal Proceedings" herein. Any of these events could have a material adverse effect on our reputation, business, or financial condition, including but not limited to: loss of guests; inability to process personal data or to operate in certain jurisdictions; limited ability to develop or commercialize new features, amenities, or services; expenditure of time and resources to defend any claim or inquiry; adverse publicity; or substantial changes to our business model or operations.