Ziff Davis, Inc. (ZD) Risk Factors

The EU has traditionally imposed strict obligations under data privacy laws and regulations. Individual EU member countries have had discretion with respect to their interpretation and implementation of EU data privacy laws, resulting in a variation of privacy standards from country to country. The GDPR harmonizes EU data privacy laws and contains significant obligations and requirements that have resulted in a greater compliance burden with respect to our operations and data use in Europe, which will continue to increase our costs. The CCPA, in its original form and as amended under the CPRA, similarly contains significant obligations and requirements that have resulted in a greater compliance burden with respect to our operations and data usage of California residents, which will continue to increase our costs. Additionally, government authorities will have more power to enforce compliance and impose substantial penalties for any failure to comply. In addition, individuals have the right to compensation under the GDPR, and individuals may have the right to file a class action under the CCPA in certain circumstances. In the event we fail to maintain compliance, we could be exposed to material damages, costs and/or fines if an EU government authority, an EU resident, the California Attorney General or a California resident commenced an action. Failure to comply or maintain compliance could cause considerable harm to us and our reputation (including requiring notification to customers, regulators, and/or the media), cause a loss of confidence in our products and services, and deter current and potential customers from using our services. Any of these events could have a material adverse effect on our business, prospects, financial condition, operating results, and cash flows.

We are subject to laws and regulations affecting its domestic and international operations in a number of areas. These U.S. and foreign laws and regulations affect our activities in areas including, but not limited to, labor, advertising, digital content, consumer protection, real estate, billing, e-commerce, promotions, quality of services, telecommunications, mobile communications and media, television, intellectual property ownership and infringement, tax, import/export and sanctions requirements, anti-corruption, foreign exchange controls and cash repatriation restrictions, data privacy and data localization requirements, anti-competition, climate, environmental, health, and safety. Compliance with these laws, regulations and similar requirements may be onerous and expensive, and they may be inconsistent from jurisdiction to jurisdiction, further increasing the cost of compliance and doing business. Any such costs, which may rise in the future as a result of changes in these laws and regulations or in their interpretation, could individually or in the aggregate make our products and services less attractive to our customers, delay the introduction of new products in one or more regions, or cause us to change or limit our business practices. We have implemented policies and procedures designed to ensure compliance with applicable laws and regulations, but there can be no assurance that our employees, contractors, or agents will not violate such laws and regulations or our policies and procedures.

The application of existing domestic and international laws and regulations to us relating to issues such as defamation, pricing, advertising, taxation, promotions, billing, consumer protection, accessibility, content regulation, data privacy, export restrictions and sanctions, intellectual property ownership and infringement, and accreditation, in many instances, is unclear or unsettled. In addition, we will also be subject to any new laws and regulations directly applicable to our domestic and international activities. Further, the application of existing laws to us or our subsidiaries regulating or requiring licenses for certain businesses of our advertisers including, for example, distribution of pharmaceuticals, alcohol, or other regulated substances, adult content, tobacco, or firearms, as well as insurance and securities brokerage, and legal services, can be unclear. Internationally, we may also be subject to laws regulating our activities in foreign countries and to foreign laws and regulations that are inconsistent from country to country. Our Digital Media and Cybersecurity and Martech businesses utilize contractors, freelancers and/or staff from third-party outsourcers to provide content and other services. However, in the future, arrangements with such individuals may not be deemed appropriate by a relevant government authority, which could result in additional costs and expenses. We may incur substantial liabilities for expenses necessary to defend such litigation or to comply with these laws and regulations, as well as potential substantial penalties for any failure to comply. Compliance with these laws and regulations may also cause us to change or limit our business practices in a manner adverse to our business. The use of consumer data by online service providers and advertising networks is a topic of active interest among federal, state, and international regulatory bodies, and the regulatory environment is unsettled and evolving. Federal, state, and international laws and regulations govern the collection, use, retention, disclosure, sharing, and security of data that we receive from and about our users. Our privacy and cookie policies and practices concerning the collection, use, and disclosure of user data are posted on our websites. A number of U.S. federal laws, including those referenced below, impact our business. The Digital Millennium Copyright Act ("DMCA") is intended, in part, to limit the liability of eligible online service providers for listing or linking to third-party websites that include materials that infringe copyrights or other rights of others. Portions of the Communications Decency Act ("CDA") are intended to provide statutory protections to online service providers who distribute third-party content. We rely on the protections provided by both the DMCA and the CDA in conducting our business. If these or other laws or judicial interpretations are changed to narrow their protections, or if international jurisdictions refuse to apply similar provisions in international lawsuits, we will be subject to a greater risk of liability, our costs of compliance with these regulations or to defend litigation may increase, or our ability to operate certain lines of business may be limited. The Children's Online Privacy Protection Act ("COPPA") is intended to impose restrictions on the ability of online services to collect some types of information from children under the age of 13. In addition, the Providing Resources, Officers, and Technology to Eradicate Cyber Threats to Our Children Act of 2008 ("PROTECT Act") requires online service providers to report evidence of violations of federal child pornography laws under certain circumstances, as well as other federal, state or international laws and legislative efforts designed to protect children on the internet may impose additional requirements on us. U.S. export control laws and regulations impose requirements and restrictions on exports to certain nations and persons and on our business. In certain instances, we may be subject to enhanced privacy obligations based on the type of information we store and process. While we believe we are in compliance with the relevant laws and regulations, we could be subject to enforcement actions, fines, forfeitures, and other adverse actions. The Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 (the "CAN-SPAM Act"), which allows for penalties that run into the millions of dollars, requires commercial emails to include identifying information from the sender and a mechanism for the receiver to opt out of receiving future emails. Several states have enacted additional, more restrictive and punitive laws regulating commercial email. Foreign legislation exists as well, including Canada's Anti-Spam Legislation and the European laws that have been enacted pursuant to the GDPR and European Union Directive 2002/58/EC and its amendments. We use email as a significant means of communicating with our existing and potential users. We believe that our email practices comply with the requirements of the CAN-SPAM Act, state laws, and applicable foreign legislation. If we were ever found to be in violation of these laws and regulations, or any other laws or regulations, our business, financial condition, operating results, and cash flows could be materially adversely affected. Many third parties are examining whether the Americans with Disabilities Act ("ADA") concept of public accommodation also extends to websites and to mobile applications. Generally, some plaintiffs have argued that websites and mobile applications are places of public accommodation under Title III of the ADA and, as such, must be equipped so that individuals with disabilities can navigate and make use of subject websites and mobile applications. The issue is currently under litigation and there is a split in the federal court of appeals circuits as to what the ADA requires. Certain appellate circuits have found that websites standing alone are subject to the ADA and therefore must be accessible to people with disabilities. Other circuits have found that in order for websites to be places of public accommodation, and therefore subject to the ADA, there must be both a nexus between the website and the goods and services the website provides as well as a physical brick and mortar location for consumers. We cannot predict how the ADA will ultimately be interpreted as applied to websites and mobile applications. We believe we are in compliance with relevant law. If the law changes or if certain courts find that our website and mobile applications must comply with the ADA, then any adjustments or requirements to implement any changes prescribed by the ADA could result in increased costs to our business, we may become subject to injunctive relief, plaintiffs may be able to recover attorneys' fees, and it is possible that, while the ADA does not provide for monetary damages, we become subject to such damages through state consumer protection or other laws. It is possible that these potential liabilities could cause a material adverse effect on our operations and harm our business reputation. Native advertising is an increasing part of our Digital Media business's online advertising revenue. On December 22, 2015, the FTC issued Guidelines and an Enforcement Policy Statement on native advertising, described by the FTC as, in part, ads which often "resemble the design, style, and functionality of the media in which they are disseminated". We believe we are compliant with the requirements of these guidelines on our current practices and offerings. However, we will continue to monitor what effect this guideline and other related government regulations, and how the FTC enforces it, could have on our native advertising and branded content business. In addition, the timing and extent of any enforcement by the FTC with regard to our native advertising practices, or others', could reduce the revenue we generate from this line of business. The United Kingdom similarly has issued guidelines on native advertising in the United Kingdom Code of Non-broadcast Advertising and Direct & Promotional Marketing ("CAP Code") and is regulated, in part, by the Advertising Standards Authority. We believe we are compliant with the requirements of the CAP Code on our current practices and offerings and will continue to monitor the effect of these and other related governmental regulations. As of May 25, 2018, certain data transfers from and between the European Union ("EU") are subject to the GDPR. As discussed in more detail below, the GDPR prohibits data transfers from the EU to other countries outside of the EU, including the United States, without appropriate security safeguards and practices in place. Previously, for certain data transfers from and between the EU and the United States, we, like many other companies, had relied on what is referred to as the "EU-U.S. Safe Harbor", in order to comply with privacy obligations imposed by EU countries. The European Court of Justice invalidated the EU-U.S. Safe Harbor. Additionally, other countries that relied on the EU-U.S. Safe Harbor that were not part of the EU have also found that data transfers to the United States are no longer valid based on the European Court of Justice ruling. Although United States and EU policymakers approved a new framework known as "Privacy Shield" that would allow companies like us to continue to rely on some form of a safe harbor for the transfer of certain data from the EU to the United States, on July 16, 2020, the Court of Justice of the European Union issued a judgment declaring as "invalid" the European Commission's Decision (EU) 2016/1250 on the adequacy of the protection provided by the EU-U.S. Privacy Shield, rendering it invalid. We cannot predict how or if these issues will be resolved nor can we evaluate any potential liability at this time. Additionally, on March 25, 2022, the U.S. and European Commission announced that they had agreed in principle to a new Trans-Atlantic Data Privacy Framework (the "TDPF") to enable trans-Atlantic data flows and address the concerns raised in the Schrems II decision. To implement the commitments of the U.S. under the TDPF, in October 2022, President Biden signed an Executive Order on Enhancing Safeguards for the United States Signals Intelligence Activities (the Executive Order). This subsequently prompted the European Commission to formally launch the process to adopt an adequacy decision based on the Executive Order in December 2022, and the adequacy decision was adopted on July 10, 2023. However, the TDPF is likely to be subject to legal challenges and may be struck down by the EU courts. We have put into place various alternative frameworks and grounds on which to rely in order to be in compliance with relevant law for the transfer of data from overseas locations to the United States, including reviewing our data collection process and procedures and putting into place Data Processing Agreements that incorporate Standard Contractual Clauses as well as supplementary measures with vendors, partners and other third parties. Some independent data regulators have adopted the position that other forms of compliance are also invalid, though the legal grounds for these findings remain unclear at this time. We cannot predict at this time whether the alternative grounds that we continue to implement will be found to be consistent with relevant laws nor can we evaluate what, if any, potential liability may be at this time. On June 28, 2018, the California legislature enacted the CCPA, which took effect on January 1, 2020 and became enforceable starting July 1, 2020. The CCPA, which covers businesses that obtain or access personal information of California resident consumers, grants consumers enhanced privacy rights and control over their personal information and imposes significant requirements on covered companies with respect to consumer data privacy rights. The CCPA provides consumers with the right to opt out of the sale of their personal information including the requirement to include a "Do Not Sell" link on our websites and applications that sell personal data of California resident consumers. Based on the final implementation regulations released by the California Attorney General in August 2020, we believe we have implemented such links where necessary, we action consumer opt outs and other subject rights when requested, and our privacy policies have been updated and posted on our websites. In addition, in November 2020 California voters adopted the California Privacy Rights Act ("CPRA") that amends the CCPA, including creating a new agency to implement and enforce the law. The CPRA took effect on January 1, 2023 and is subject to a number of required rule-makings. We believe we comply with the CPRA and are continuing to evaluate the impact to our business, if any. Other states have enacted or are considering enacting similar privacy laws, which may subject us to additional requirements and restrictions that could have an impact on our business. Comprehensive privacy laws in Colorado, Connecticut, and Virginia also came into effect in 2023. Indiana, Iowa, Montana, Tennessee, Texas, and Utah have similarly enacted broad laws relating to privacy, data protection, and information security that will come into effect, and Delaware and Oregon have passed comprehensive privacy laws that are awaiting enactment, further complicating our privacy compliance obligations through the introduction of increasingly disparate requirements across the various U.S. jurisdictions in which we operate. Additionally, Washington state has enacted a health and location data privacy law, and other states are considering similar legislation. Congress is considering legislation that may preempt some or all of such U.S. state privacy laws, providing a more robust private right of action. The evolving complexity of privacy and data security legislation in the United States may complicate our compliance efforts and further increase our risk of regulatory enforcement, penalties, and litigation. Further, failure or perceived failure by us to comply with our policies, applicable requirements, or industry self-regulatory principles related to the collection, use, sharing, or security of personal information, or other privacy, data-retention or data protection matters could result in a loss of user confidence in us, damage to our brands, and ultimately in a loss of users and advertising partners, which could adversely affect our business. Changes in these or any other laws and regulations or the interpretation of them could increase our future compliance costs, limit the amount and type of data we can collect, transfer, share, or sell, make our products and services less attractive to our users, or cause us to change or limit our business practices. Further, any failure on our part to comply with any relevant laws or regulations may subject us to significant civil or criminal liabilities. Moreover, our Everyday Health Group business may be subject to additional government oversight or regulation by Congress, the FTC, the United States Food and Drug Administration ("FDA"), the U.S. Department of Health and Human Services and state legislatures and regulatory agencies. In addition, certain services provided by Everyday Health Group constituent businesses are also subject to private regulation both directly by accrediting bodies and indirectly by industry codes followed by commercial supporters and providers of continuing education programs for healthcare professionals. If we are subject to burdensome laws or regulations or if we fail to adhere to the requirements of public or private regulations, our business, financial condition, and results of operations could suffer.

Users access health-related content through our Everyday Health Group properties, including information regarding particular medical conditions, diagnosis and treatment, and possible adverse reactions or side effects from medications. If our content, or content we obtain from third parties, contains inaccuracies, it is possible that consumers or professionals who rely on that content or others may make claims against us with various causes of action. Although our properties contain terms and conditions, including disclaimers of liability, that are intended to reduce or eliminate our liability, third parties may claim that these online agreements are unenforceable. Our editorial and other quality control procedures may not be sufficient to ensure that there are no errors or omissions in our content offerings or to prevent such errors and omissions in content that is controlled by our partners. Even if potential claims do not result in liability to us, investigating and defending against these claims could be expensive and time consuming and could divert management's attention away from our operations.

We are subject to income taxes in the United States (both federal and state) and in certain foreign jurisdictions. Due to economic and political conditions, tax rates in various jurisdictions may be subject to significant change, with or without notice. New tax laws, regulations and administrative practices could be enacted or adopted at any time, and existing tax laws, regulations and administrative practices could be interpreted, modified, or applied adversely to us, possibly with retroactive effect. These changes may adversely impact our effective tax rate and harm our financial position and results of operations. We are currently under or subject to examination by the U.S. Internal Revenue Service ("IRS") and other domestic and foreign tax authorities and government bodies for both direct and indirect taxes. We regularly assess the likelihood of adverse outcomes resulting from these examinations to determine the adequacy of our income tax and other tax reserves. If our reserves are not sufficient to cover these contingencies, such inadequacy could materially adversely affect our business, prospects, financial condition, operating results, and cash flows. In addition, due to the global nature of the internet, it is possible that various states or foreign countries might attempt to impose additional or new taxes or regulations on our business. Tax authorities at the international, federal, state, and local levels are currently reviewing the appropriate treatment of companies engaged in e-commerce and online advertising. The application of existing, new, or revised taxes on our business would likely increase the cost of doing business online and decrease the attractiveness of selling products and advertising over the internet. The application of these taxes on our business could also create significant increases in internal costs necessary to capture data and collect and remit taxes. Any of these events could have a material adverse effect on our business, financial condition, and operating results. Furthermore, much of our Digital Media e-commerce revenue comes from arrangements in which we are paid by retailers to promote their digital product and service offers on our sites. Certain states have implemented regulations that require retailers to collect and remit sales taxes on sales made to residents of such states if a publisher, such as us, that facilitated that sale is a resident of such state. Paid retailers in our marketplace that do not currently have a sales tax nexus in any state that subsequently passes similar regulations and in which we have operations, employees, or contractors now or in the future, may significantly alter the manner in which they pay us, cease paying us for sales we facilitate for that retailer in such state, or cease using our marketplace, each of which could adversely impact our business, financial condition, and operating results.

Our ability to grow revenue from our Digital Media business is dependent on our ability to demonstrate to marketers that their marketing campaigns with us provide a meaningful return on investment ("ROI") relative to offline and other online opportunities. Certain of the marketing campaigns with respect to our Digital Media business are designed such that the revenues received are based entirely upon the ROI delivered for customers. Our Digital Media business has invested significant resources in developing its research, analytics, and campaign effectiveness capabilities and expects to continue to do so in the future. Our ability, however, to demonstrate the value of advertising and sponsorship on Digital Media business properties depends, in part, on the sophistication of the analytics and measurement capabilities, the actions taken by our competitors to enhance their offerings, whether we meet the ROI expectations of our customers, and a number of other factors. If we are unable to maintain sophisticated marketing and communications solutions that provide value to our customers or demonstrate our ability to provide value to our customers, our financial results will be harmed.

In most cases, our agreements with advertisers have a term of one year or less and may be terminated at any time by the advertiser or by us without penalty. We believe that advertising on the internet, as in traditional media, fluctuates significantly as a result of a variety of factors, many of which are outside of our control. Some of these factors include (a) budget constraints of our advertisers, (b) cancellations or delays of projects by our advertisers due to numerous factors, including but not limited to, supply chain issues, (c) the cyclical and discretionary nature of advertising spending, (d) general economic, internet-related, and media industry conditions, (e) tax and other legislation and regulation, as well as (f) extraordinary events, such as war, acts of terrorism or aggression, extreme weather events including as exacerbated by climate change, and pandemics or other public health crises. The state of the global economy and availability of capital has impacted and could further impact the advertising spending patterns of existing and potential advertisers. Continued reduction in spending by, or loss of, existing or potential advertisers would negatively impact our revenue and operating results. Further, we may be unable to adjust our expenses and capital expenditures quickly enough to compensate for any unexpected revenue shortfall.

A significant part of our revenues depends on prompt and accurate billing processes. Customer billing is a highly complex process, and our billing systems must efficiently interface with third-party systems, such as those of credit card processing companies. Our ability to accurately and efficiently bill our customers is dependent on the successful operation of our billing systems and the third-party systems upon which we rely, such as our credit card processor, and our ability to provide these third parties the information required to process transactions. In addition, our ability to offer new services or alternative-billing plans is dependent on our ability to customize our billing systems. Any failures or errors in our billing systems or procedures could impair our ability to properly bill our current customers or attract and service new customers, and thereby could materially and adversely affect our business and financial results.

A significant number of our paid Cybersecurity and Martech subscribers and certain Digital Media subscribers pay for our services through credit and debit cards. Weakness in certain segments of the credit markets and in the U.S. and global economies could result in increased numbers of rejected credit and debit card payments. We believe this could result in increased customer cancellations and decreased customer signups. Rejected credit or debit card payments, customer cancellations and decreased customer sign up may adversely impact our revenues and profitability.

A significant number of our paid Cybersecurity and Martech subscribers and certain Digital Media subscribers authorize us to bill their credit card accounts directly for all service fees charged by us. If people pay for these services with stolen credit cards, we could incur substantial unreimbursed third-party vendor costs. We also incur losses from claims that customers did not authorize credit card transactions to purchase our services. If the numbers of unauthorized credit card transactions become excessive, we could be assessed substantial fines for excess chargebacks and could lose the right to accept credit cards for payment. In addition, we are subject to Payment Card Industry ("PCI") data security standards, which require periodic audits by independent third parties to assess our compliance. PCI standards are a comprehensive set of requirements for enhancing payment account data security. Failure to comply with the security requirements or rectify a security issue may result in fines or a restriction on accepting payment cards. Credit card companies may change the standards required to utilize their services from time to time. If we are unable to meet these new standards, we could be unable to accept credit cards. Further, the law relating to the liability of providers of online payment services is currently unsettled and states may enact their own rules with which we may not comply. Substantial losses due to fraud or our inability to accept credit card payments, which could cause our paid subscriber base to significantly decrease, could have a material adverse effect on our business, prospects, financial condition, operating results and cash flows.

Our brand recognition has significantly contributed to the success of our business. Strengthening our current brands and launching competitive new brands will be critical to achieving widespread commercial acceptance of our products and services. This will require our continued focus on active marketing, the costs of which have been increasing and may continue to increase. In addition, substantial initial investments may be required to launch new brands and expand existing brands to cover new geographic territories and technology fields. Accordingly, we may need to spend increasing amounts of money on, and devote greater resources to, advertising, marketing, and other efforts to cultivate brand recognition and customer loyalty. In addition, we are supporting an increasing number of brands, each of which requires its own investment of resources. Brand promotion activities may not yield increased revenues and, even if they do, increased revenues may not offset the expenses incurred. A failure to launch, promote, and maintain our brands, or the incurrence of substantial expenses in doing so, could have a material adverse effect on our business. Our brand recognition depends, in part, on our ability to protect our trademark portfolio and establish trademark rights covering new brands and territories. Some regulators and competitors have taken the view that certain of our brands are descriptive or generic when applied to the products and services offered by our Cybersecurity and Martech business. Nevertheless, we have obtained U.S. and foreign trademark registrations for our brand names, logos, and other brand identifiers. If we are unable to obtain, maintain or protect trademark rights covering our brands across the territories in which they are or may be offered, the value of these brands may be diminished, competitors may be able to dilute, harm, or take advantage of our brand recognition and reputation, and our ability to attract subscribers may be adversely affected. We hold domain names relating to our brands, in the U.S. and internationally. The acquisition and maintenance of domain names are generally regulated by governmental agencies and their designees. The regulation of domain names may change. Governing bodies may establish additional top-level domains, appoint additional domain name registrars, or modify the requirements for holding domain names. As a result, we may be unable to acquire or maintain all relevant domain names that relate to our brands. Furthermore, international rules governing the acquisition and maintenance of domain names in foreign jurisdictions are sometimes different from U.S. rules, and we may not be able to obtain all of our domains internationally. As a result of these factors, we may be unable to prevent third parties from acquiring domain names that are similar to, infringe upon or otherwise decrease the value of our brands, trademarks or other proprietary rights. In addition, failure to secure or maintain domain names relevant to our brands could adversely affect our reputation and make it more difficult for users to find our websites and services.

Technologies have been developed and are likely to continue to be developed that can block internet or mobile display advertising. Most of our Digital Media business revenues are derived from fees paid by advertisers in connection with the display of advertisements or clicks on advertisements on web pages or mobile devices. As a result, such technologies and tools are reducing the number of display advertisements that we are able to deliver or our ability to serve our interest-based advertising and this, in turn, could reduce our advertising revenue and operating results. Adoption of these types of technologies by more of our users could have a material impact on our revenues. We have implemented third-party products to combat these ad-blocking technologies and are developing other strategies to address advertisement blocking. However, our efforts may not be successful to offset the potential increasing impact of these advertising blocking products.