Bath & Body Works (BBWI) Risk Factors

The retail industry is highly competitive. We compete for sales with a broad range of other retailers, including individual and chain specialty stores, department stores and discount retailers. In addition to the traditional store-based retailers, we also compete with direct marketers or retailers that sell similar lines of merchandise and who target customers through online channels. Brand image, marketing, design, price, service, assortment, quality, image presentation and fulfillment are all competitive factors in both the store-based and online channels. Some of our competitors may have greater financial, marketing and other resources available and trends across our product categories may favor our competitors. We rely to a greater degree than some of our competitors on physical locations in retail centers. Therefore, declines in traffic to such locations may affect us more significantly than our competitors. Some of our competitors sell their products in stores that are located in the same retail centers as our stores. In addition to competing for sales, we compete for favorable site locations and lease terms in retail centers. Increased competition, combined with declines in store and/or online website traffic, could result in price reductions, increased marketing expenditures and loss of pricing power and market share, any of which could have a material adverse effect on our results of operations, financial condition and cash flows.

We are, and may increasingly become, subject to various laws, directives, industry standards and regulations, as well as contractual obligations, relating to data privacy and security in the jurisdictions in which we operate. The legal and regulatory environment related to data privacy and security is increasingly rigorous, with new and constantly changing requirements applicable to our business, and enforcement practices are likely to remain uncertain for the foreseeable future. These laws and regulations may be interpreted and applied differently over time and from jurisdiction to jurisdiction, and it is possible that they will be interpreted and applied in ways that may have a material adverse effect on our results of operations, financial condition and cash flows. In the U.S., privacy and data protection are regulated at federal, state, and local levels. Various federal and state regulators, including governmental agencies like the Consumer Financial Protection Bureau and the Federal Trade Commission, have adopted, or are considering adopting, laws and regulations concerning personal information and data security and have prioritized privacy and information security violations for enforcement actions. Certain state laws may be more stringent or broader in scope, or offer greater individual rights, with respect to personal information than federal, international or other state laws, and such laws may differ from each other, all of which may complicate compliance efforts. Laws range from the “sectoral” variety (i.e. laws that govern specific practices, services, or technologies) to omnibus laws (i.e. laws that comprehensively seek to govern all aspects of data processing practices). As an online and brick-and-mortar retailer, we are subject to both. In North America, we are subject to sectoral laws that impose different enforcement regimes, whether via government agencies or class-action litigants, with fines and statutory damages that can result in significant exposure when applied to large customer segments. Illustrative of the sectoral variety are laws that govern telephonic communications (e.g., the Federal Telephone Consumer Protection Act), email communications (e.g., the Federal Controlling the Assault of Non-Solicited Pornography and Marketing Act, and Canada’s Anti-Spam Legislation), the use of biometric technology (e.g., the Illinois Biometric Information Privacy Act), the printing of payment card digits on a store receipt (e.g., the Federal Fair and Accurate Credit Transactions Act), the use of call recordings (e.g., Federal and state laws governing consent for recordings), the collection of consumer information at retail point of sale (e.g., the California Song-Beverly Act), and the collection of driver’s license information (e.g., state laws governing the scanning of government ID’s). We are further subject to omnibus privacy and data protection laws. For example, the California Consumer Privacy Act (“CCPA”), which broadly governs data privacy practices, increases privacy rights for California residents and imposes obligations on companies that process their personal information, went into effect on January 1, 2020. Among other things, the CCPA requires covered companies to provide new disclosures to California consumers and provide such consumers new data protection and privacy rights, including the ability to opt-out of certain data sharing arrangements of personal information, and the ability to access and delete personal information. The CCPA provides for civil penalties for violations, as well as a private right of action for certain data breaches that result in the loss of certain classifications of personal information. This private right of action may increase the likelihood of, and risks associated with, data breach litigation. Furthermore, in November 2020, California voters passed the California Privacy Rights Act of 2020 (“CPRA”). Effective beginning January 1, 2023, the CPRA imposes additional obligations on companies covered by the legislation and will significantly modify the CCPA, including by expanding California residents’ rights with respect to certain sensitive personal information. The CPRA also creates a new state agency that will be vested with authority to implement and enforce the CCPA and CPRA. Other states and countries have passed comprehensive data privacy laws that are similar to the CCPA and CPRA, further complicating the legal landscape, and similar legislation is pending in more states. In addition, laws in all 50 U.S. states require businesses to provide notice to consumers (and, in some cases, to regulators) when certain classifications of personal information have been accessed or acquired as a result of a data breach. State laws are changing rapidly and there is discussion in Congress of a new comprehensive federal data privacy law to which we would become subject if it is enacted, which may add additional complexity, variation in requirements, restrictions and potential legal risk, require additional investment of resources in compliance programs, impact strategies and the availability of previously useful data and could result in increased compliance costs or changes in business practices and policies. While most of our international operations are conducted through franchise, license and wholesale arrangements, we are also subject to certain international laws, regulations and standards in certain international jurisdictions and may be subject to additional international laws, regulations and standards, whether existing or enacted in the future, that apply broadly to the collection, use, retention, security, disclosure, transfer and other processing of personal information. One set of laws applicable to us is Canada’s Personal Information Protection and Electronic Documents Act (“PIPEDA”), which became effective on January 1, 2001, as well as substantially similar provincial privacy laws. These privacy statutes broadly govern the entire lifecycle of personal information, enumerating principles that govern accountability; purpose; consent; limitations on collection, use, disclosure, and retention; accuracy; safeguards, transparency; right to access; and complaint-handling. Certain of the statutes also contain a mandatory breach notification regime. Federal and provincial authorities enforce these laws. Privacy regulators have an express obligation to investigate complaints, and have the authority to initiate investigations. Under PIPEDA, the Office of the Privacy Commissioner of Canada has the power to require an organization to enter into a compliance agreement and failure to comply may result in a court order or court proceedings. A complainant may also appeal to Federal Court and the court has broad authority including awarding damages. Similarly, the E.U. General Data Protection Regulation (“GDPR”), which became effective in May 2018, greatly increased the European Commission’s jurisdictional reach of its laws and adds a broad array of requirements for handling personal data, and the GDPR serves and has served as a model for other jurisdictions’ data protection laws. EU member states are tasked under the GDPR to enact, and have enacted, certain implementing legislation that adds to and/or further interprets the GDPR requirements and, depending on the extent and degree to which we conduct business in the European Economic Area (“EEA”) and United Kingdom, potentially extends our obligations and potential liability for failing to meet such obligations. The GDPR, together with national legislation, regulations and guidelines of the EU member states and the United Kingdom governing the processing of personal data, impose strict obligations and restrictions on the ability to collect, use, retain, protect, disclose, transfer and otherwise process personal data, and other international jurisdictions are expected to pass similar laws that may include even more stringent requirements. Changes in such international laws, or changes in our business strategy such as direct expansions into additional jurisdictions may cause us to incur additional compliance costs, increase our risks of being subject to lawsuits, complaints and/or regulatory investigations or fines, or restrict our ability to transfer personal data between and among countries and regions in which we operate or may in the future operate. Such international laws, and our compliance with such laws, could impact the manner in which we do business and the geographical location or segregation of our relevant operations, and could adversely affect our results of operations, financial condition and cash flows. All of these evolving compliance and operational requirements impose significant costs, such as costs related to organizational changes, implementing additional protection technologies, and training associates and engaging consultants, which are likely to increase over time. In addition, such requirements may require us to modify our data processing practices and policies, distract management or divert resources from other initiatives and projects, all of which could have a material adverse effect on our results of operations, financial condition and cash flows. Any failure or perceived failure by us to comply with any applicable federal, state or similar foreign laws and regulations relating to data privacy and security could result in damage to our reputation and our relationship with our customers, as well as proceedings or litigation by governmental agencies or customers, including class-action privacy and data-protection litigation in certain jurisdictions, which could subject us to significant fines, sanctions, awards, penalties or judgments, any of which could have a material adverse effect on our results of operations, financial condition and cash flows.

We believe that our trade names, trademarks and patents are important assets and an essential element of our strategy. We have obtained or applied for federal registration of these trade names, trademarks and patents and have applied for or obtained registrations in many foreign countries. There can be no assurance that we will obtain such applied for registrations or that the registrations we obtain will prevent the imitation of our products or infringement or other violation of our intellectual property rights by others. In particular, the laws of certain foreign countries may not protect proprietary rights to the same extent as the laws of the U.S. If any third-party copies our products or our stores in a manner that projects lesser quality or carries a negative connotation, it could have a material adverse effect on our brand image and reputation as well as our results of operations, financial condition and cash flows. Third parties may assert rights in or ownership of our trademarks and other intellectual property rights, or trademarks that are similar to our trademarks, or claim that we are infringing, misappropriating or otherwise violating their intellectual property rights. We may be unable to successfully resolve these types of conflicts to our satisfaction and may be required to enter into costly license agreements, be required to pay significant royalties, settlements costs or damages, be required to rebrand our products and/or be prevented from selling some of our products.

In the operation of our business, we collect, use, transmit and otherwise process a large volume of personal and other confidential, proprietary and sensitive information. Information systems are susceptible to an increasing threat of continually evolving cybersecurity risks. Breaches or failures of security involving our information systems, including those provided, managed and supported by Victoria's Secret & Co., or those of any of our external service providers have occurred, and in the future may occur. Any significant compromise or breach of our data security, media reports about such an incident, whether accurate or not, or our failure to make adequate or timely disclosures to the public or law enforcement agencies following any such event, whether due to delayed discovery or a failure to follow existing protocols, could significantly damage our reputation with our customers, associates, investors and other third parties, cause the disclosure of personal, confidential, proprietary or sensitive customer, associate, third-party or company information, cause interruptions to our operations and distraction to our management, cause our customers to stop shopping with us and result in significant legal, regulatory and financial liabilities and lost revenues. Compounding these risks is the complexity of our information systems, which are a collection of our and our third-party service providers’ systems. While we train our associates and have implemented systems, processes and security measures to protect our physical facilities and information technology systems against unauthorized access and prevent data loss, there is no guarantee that these procedures are adequate to safeguard against all data security threats. Despite these measures, we have been and may in the future be vulnerable to targeted or random attacks on our systems that could lead to security breaches, phishing attacks, denial of service attacks, acts of vandalism, computer viruses, malware, ransomware, misplaced or lost data, programming and/or human errors or similar events. Our systems and facilities are also subject to compromise from internal threats, such as theft, misuse, unauthorized access or other improper actions by associates, third-party service providers and other third parties with otherwise legitimate access to our systems, websites, mobile applications or facilities (which risks may be heightened as a result of work-from-home policies and technologies implemented in the wake of the COVID-19 pandemic). Furthermore, because the methods of cyber-attack and deception change frequently, are increasingly complex and sophisticated, and can originate from a wide variety of sources, including nation-state actors, despite our reasonable efforts to ensure the integrity of our systems, websites and mobile applications, it is possible that we may not be able to anticipate, detect, appropriately react and respond to, or implement effective preventative measures against, all cybersecurity incidents. We have and may in the future be required to expend significant capital and other resources to protect against, respond to, and recover from any potential, attempted, or existing cybersecurity incidents. As cybersecurity incidents continue to evolve, we may be required to expend significant additional resources to continue to modify or enhance our protective measures or to investigate and remediate any information security vulnerabilities. In addition, our remediation efforts may not be successful, or may not be completed in a timely manner. The inability to implement, maintain and upgrade adequate safeguards could have a material adverse effect on our results of operations, financial condition and cash flows. Moreover, there could be public announcements regarding any cybersecurity incidents and any steps we take to respond to or remediate such incidents, and if securities analysts or investors perceive these announcements to be negative, it could, among other things, have a substantial adverse effect on the price of our common stock. While we currently maintain cybersecurity insurance, such insurance may not be sufficient in type or amount to cover us against claims related to breaches, failures or other data security-related incidents, and we cannot be certain that cyber insurance will continue to be available to us on economically reasonable terms, or at all, or that any insurer will not deny coverage as to any future claim. The successful assertion of one or more large claims against us that exceed available insurance coverage, or the occurrence of changes in our insurance policies, including premium increases or the imposition of large deductible or co-insurance requirements, could have a material adverse effect on our results of operations, financial condition and cash flows.

Our ability to effectively manage and operate our business depends significantly on information technology systems. We rely heavily on applications related to point-of-sale, e-commerce, merchandising, planning, sourcing, logistics, inventory management, data security and support systems including human resources and finance currently supplied to us by Victoria’s Secret & Co. pursuant to the TSA that we entered into in connection with the Separation. Victoria’s Secret & Co. is not in the business of providing information technology outsourcing services and does not have experience providing such services for third-parties. Victoria's Secret & Co. may not successfully execute all of these services during the transition period or we may have to expend significant efforts and/or costs materially in excess of those estimated by us to transition such services to our information technology systems and we may experience delays in such transition period. Any interruption in, or deficiency of, these services could have a material adverse effect on our business, results of operations, financial condition and cash flows.

We intend to continue to operate internationally and further expand into international markets through partner arrangements. The risks associated with international markets include difficulties in attracting customers due to a lack of customer familiarity with our brand, our lack of familiarity with local customer preferences and seasonal differences in the market. Any of these difficulties may lead to disruption in the overall timing of our international expansion efforts or increased costs. Further, entry into other markets may bring us into competition with new competitors or with existing competitors with an established market presence. Other risks include general economic conditions in specific countries or markets, volatility in the geopolitical landscape, restrictions on the repatriation of funds held internationally, disruptions or delays in shipments, occurrence of significant health hazards or pandemics, changes in diplomatic and trade relationships, political instability and foreign governmental regulation. Such expansions will also have upfront investment costs that may not be accompanied by sufficient revenues to achieve typical or expected operational and financial performance. Further, our results of operations and financial condition may be adversely affected by fluctuations in currency exchange rates. See “Fluctuations in foreign currency exchange rates could impact our financial condition and results of operations” below. These risks could have a material adverse effect on our results of operations, financial condition and cash flows.

The COVID-19 pandemic continued to impact our business and results of operations in fiscal year 2021. While many of our stores were open for most of the year, reduced consumer confidence and changes in shopping patterns adversely impacted store traffic during certain portions of the year, as more consumers were either not shopping or choosing to shop online as a result of the COVID-19 pandemic. Additionally, resurgences of COVID-19 cases led to temporary store closures for portions of the year in certain markets and have impacted, and continue to impact, our supply chain partners, including third-party manufacturers, logistics providers and other vendors. Current vessel, container and other transportation shortages, labor shortages and port congestion globally have delayed and may continue to delay inventory orders and, in turn, deliveries to our customers and availability in our stores and e-commerce sites. Conversely, in the first quarter of 2021, our operating results benefited from customers receiving government stimulus payments related to the COVID-19 pandemic. These stimulus payments are not expected to be reinstated in the near term and, therefore, the benefit to operating results we realized in the first quarter of 2021 due to the stimulus payments is not expected to reoccur. During this period, we are focused on protecting the health and safety of our customers, associates, contractors, suppliers and other business partners. We are also working with our suppliers to minimize potential disruptions, while managing our business in response to a changing dynamic. Due to the uncertainty of COVID-19 and the speed at which the pandemic continues to impact our markets, we are continuing to assess the situation, including government-imposed restrictions, market by market. We are unable to accurately predict the full impact that COVID-19, including the potential of new variants (which may be more contagious or severe, and may be less responsive to vaccines or treatments), will have on our operations going forward due to uncertainties which will be dictated by the length of time that such disruptions continue, which will, in turn, depend on the currently unknowable duration and spread of the COVID-19 pandemic, actions taken to limit the spread, and the public’s willingness to comply with such actions, the availability and efficacy of a vaccine and positive treatments for COVID-19, and the impact of governmental regulations that might be imposed in response to the pandemic. Numerous state, local and foreign jurisdictions have imposed, and others in the future may impose, shelter-in-place orders, quarantines, executive orders and similar government orders and restrictions for their residents to control the spread of COVID-19. Such orders, restrictions and changes in consumer behavior have negatively impacted our operations, especially in our stores and supply chain. In addition to these more near-term impacts, we are unable to accurately predict the full impact COVID-19 will have on our longer-term operations as well, particularly with respect to our current mix of merchandise offerings, event-based categories and store traffic trends. To the extent COVID-19 adversely affects our business, operations, financial condition and operating results, it may also have the effect of heightening many of the other risks described in this “Risk Factors” section, such as those relating to our level of indebtedness, our need to generate sufficient cash flows to service our indebtedness and our ability to comply with the covenants contained in the agreements that govern our indebtedness.

We are exposed to foreign currency exchange rate risk with respect to our sales, profits, assets and liabilities denominated in currencies other than the U.S. dollar. In addition, our royalty arrangements are calculated based on sales in local currency and, as such, we are exposed to foreign currency exchange rate fluctuations. Although we may use foreign currency forward contracts to hedge certain foreign currency risks, these measures may not succeed in offsetting all of the short-term negative impacts of foreign currency rate movements on our business and results of operations, financial condition and cash flows. Hedging would generally not be effective in offsetting the long-term impact of sustained shifts in foreign exchange rates on our business results. As a result, the fluctuation in the value of the U.S. dollar against other currencies could have a material adverse effect on our results of operations, financial condition and cash flows.