Cardlytics (CDLX) Risk Factors

We leverage our FI partners' purchase data and infrastructures to deliver our Cardlytics platform. We do not currently receive or have access to any PII from our FI partners, although we may obtain or have access to PII from our FI partners in the future as our business evolves. Additionally, we receive, collect, store, process, generate, use, transfer, disclose, make accessible, protect, secure, dispose of, transmit, share and have access to personal data as a result of other aspects of our business. As such, we may be a more visible target for cyberattacks or physical breaches of our systems, databases or data centers, and we may in the future suffer from such attacks or breaches. There is a risk that actors may attempt to gain access to our systems, for the purpose of stealing personal data, sensitive or proprietary data, accessing sensitive information on our network, or disrupting our or their respective operations. Cyberattacks, malicious internet-based activity and online and offline fraud, and other similar activities threaten the confidentiality, integrity, and availability of our sensitive information and information systems, and those of the third parties upon which we rely. Such threats are prevalent and continue to rise, are increasingly difficult to detect, and come from a variety of sources, including traditional computer "hackers," threat actors, "hacktivists," organized criminal threat actors, personnel (such as through theft or misuse), sophisticated nation states, and nation-state-supported actors. Some actors now engage and are expected to continue to engage in cyberattacks, including without limitation nation-state actors for geopolitical reasons and in conjunction with military conflicts and defense activities. During times of war and other major conflicts, we, the third parties upon which we rely, and our customers may be vulnerable to a heightened risk of these attacks, including retaliatory cyberattacks, that could materially disrupt our systems and operations, and ability to provide our service. In addition to traditional computer "hackers," we and the third parties upon which we rely are subject to a variety of evolving threats, including but not limited to social-engineering attacks (including deep fakes, which may be increasingly more difficult to identify as fake, and phishing attacks), threat actors, software bugs, malicious code (such as viruses and worms), employee theft or misuse, denial-of-service attacks, credential attacks, credential harvesting, and ransomware attacks, sophisticated nation-state and nation-state supported actors now engage in attacks (including advanced persistent threat intrusions). We also may be the subject of viruses, malware installation, server malfunction, software or hardware failures, loss of data or other computer assets, adware, malicious or unintentional actions or in actions by employees or others with authorized access to our network that create or expose vulnerabilities, attacks enhanced or facilitated by artificial intelligence ("AI"), and other similar threats or other similar issues. In particular, severe ransomware attacks are becoming increasingly prevalent and can lead to significant interruptions in our operations, ability to provide our products or services, loss of sensitive data and income, reputational harm, and diversion of funds. Extortion payments may alleviate the negative impact of a ransomware attack, but we may be unwilling or unable to make such payments due to, for example, applicable laws or regulations prohibiting such payments. Current or future criminal capabilities, discovery of existing or new vulnerabilities in our systems and attempts to exploit those vulnerabilities or other developments may compromise the technology protecting our systems. Due to a variety of both internal and external factors, including defects or misconfigurations of our technology, our services could become vulnerable to security incidents (both from intentional attacks and accidental causes) that cause them to fail to secure networks and detect and block attacks. In the event that our protection efforts are unsuccessful, and our systems are compromised such that a third-party gains entry to our or any of our FI partners' systems, we could suffer substantial harm. In addition, many of our employees work remotely, which may make us more vulnerable to cyberattacks and has increased risks to our systems and data, as more of our employees utilize network connections, computers and devices outside our premises or network, including working at home, while in transit and in public locations. A security breach could result in operational or administrative disruptions, or impair our ability to meet our marketers' requirements, which could result in decreased revenue. Also, our reputation could suffer irreparable harm, causing our current and prospective marketers and FI partners to decline to use our solutions in the future. We rely on third-party service providers and technologies to operate critical business systems to process sensitive information in a variety of contexts, including, without limitation, cloud-based infrastructure, data center facilities, encryption and authentication technology, employee email, and other functions. Our ability to monitor these third parties' information security practices is limited, and these third parties may not have adequate information security measures in place. If our third-party service providers experience a security incident or other interruption, we could experience adverse consequences. While we may be entitled to damages if our third-party service providers fail to satisfy their data privacy or security-related obligations to us, any award may be insufficient to cover our damages, or we may be unable to recover such award. In addition, supply-chain attacks have increased in frequency and severity, and we cannot guarantee that third parties' infrastructure in our supply chain or our third-party partners' supply chains have not been compromised. While we have implemented security measures designed to protect against security incidents, there can be no assurance that these measures will be effective. We take steps designed to detect, mitigate, and remediate vulnerabilities in our systems (such as our hardware and software, including that of third parties upon which we rely). We may not, however, detect and remediate all such vulnerabilities, at all or on a timely basis. Further, we may experience delays in developing and deploying remedial measures and patches designed to address identified vulnerabilities. Even if we have issued or otherwise made patches for vulnerabilities in our software applications, products or services, our customers may be unwilling or unable to deploy such patches and use such information effectively and in a timely manner. Vulnerabilities could be exploited and result in a security incident. Any of the previously identified or similar threats could cause a security incident or other interruption that could result in unauthorized, unlawful, or accidental acquisition, modification, destruction, loss, alteration, encryption, disclosure of, or access to our sensitive information or our information technology systems, or those of the third parties upon whom we rely. A security incident or other interruption could disrupt our ability (and that of third parties upon whom we rely) to provide our platform. Further, we could expend significant financial and operational resources to protect against or in response to a security incident, including repairing system damage, increasing cybersecurity protection costs by deploying additional personnel and protection technologies, dealing with regulatory scrutiny, and litigating and resolving legal claims, all of which could divert resources and the attention of our management and key personnel away from our business operations. Applicable data privacy and security obligations may require us to notify relevant stakeholders, including affected individuals, customers, regulators, and investors, of security incidents. Such disclosures are costly, and the disclosure or the failure to comply with such requirements could lead to adverse consequences. In any event, an actual or perceived breach of the security of our, or the third parties on which we rely, systems or data could materially harm our business, financial condition and operating results. Security incidents and associated consequences may prevent or cause customers to stop using our platform, deter new customers from using our platform, and negatively impact our ability to grow and operate our business. We cannot assure you that any limitations of liability provisions in our contracts would be enforceable or adequate or would otherwise protect us from any liabilities or damages with respect to any particular claim relating to a security lapse or breach. While we maintain cybersecurity insurance, our insurance may be insufficient or may not cover all liabilities incurred by such attacks. We also cannot be certain that our insurance coverage will be adequate for data handling or data security liabilities actually incurred, that insurance will continue to be available to us on economically reasonable terms, or at all, or that any insurer will not deny coverage as to any future claim. The successful assertion of one or more large claims against us that exceeds available insurance coverage, or the occurrence of changes in our insurance policies, including premium increases or the imposition of large deductible or co-insurance requirements, could have a material adverse effect on our business, including our financial condition, operating results and reputation. In addition to experiencing a security incident, third parties may gather, collect, or infer sensitive information about us from public sources, data brokers, or other means that reveals competitively sensitive details about our organization and could be used to undermine our competitive advantage or market position.

The market for purchase intelligence is nascent and we believe that there is no one company with which we compete directly across our range of solutions. With respect to the Cardlytics platform, we believe that we are the only company that enables marketing through FI channels at scale, although we believe we currently have competition from other companies that deliver similar solutions on a smaller scale. In the future, we may face competition from online retailers, credit card companies, established enterprise software companies, advertising and marketing companies and agencies, digital publishers and mobile pay providers with access to a substantial amount of consumer purchase data. While we may successfully partner with a wide range of companies that are only moderately competitive to us, these companies may become more competitive to us in the future. As we introduce new solutions, as our existing solutions evolve and as other companies introduce new products and solutions, we are likely to face additional competition. Some of our actual and potential competitors may have advantages over us, such as longer operating histories, significantly greater financial, technical, marketing or other resources, stronger brand and recognition, larger intellectual property portfolios and broader global distribution and presence. In addition, our industry is evolving rapidly and is becoming increasingly competitive. Larger and more established companies may focus on purchase intelligence marketing and could directly compete with us. Smaller companies could also launch new products and services that we do not offer and that could gain market acceptance quickly. Our competitors may be able to respond more quickly and effectively than we can to new or changing opportunities, technologies, standards or customer requirements. Larger competitors are also often in a better position to withstand any significant reduction in capital spending and will therefore not be as susceptible to economic downturns and inflationary pressure. In addition, current or potential competitors may be acquired by third parties with greater available resources. As a result of such relationships and acquisitions, our current or potential competitors might be able to adapt more quickly to new technologies and customer needs, devote greater resources to the promotion or sale of their products and services, initiate or withstand substantial price competition, take advantage of other opportunities more readily or develop and expand their product and service offerings more quickly than we can. For all of these reasons, we may not be able to compete successfully against our current or future competitors.

We believe that developing and maintaining awareness of the Cardlytics brand in a cost-effective manner is critical to achieving widespread acceptance of our existing solutions and future solutions and is an important element in attracting new marketers and partners. Furthermore, we believe that the importance of brand recognition will increase as competition in our market increases. Successful promotion of our brand will depend largely on the effectiveness of our marketing efforts and on our ability to deliver valuable solutions for our marketers, their agencies and our partners. In the past, our efforts to build our brand have involved significant expense. Brand promotion activities may not yield increased revenue and billings, and even if they do, any increased revenue and billings may not offset the expenses that we incurred in building our brand. If we fail to successfully promote and maintain our brand or incur substantial expenses in an unsuccessful attempt to promote and maintain our brand, we may fail to attract enough new marketers or partners or retain our existing marketers or partners and our business could suffer.

In the ordinary course of business, we collect, receive, store, process, use, generate, transfer, disclose, make accessible, protect, secure, dispose of, transmit, and share personal data and other sensitive information including proprietary and confidential business data, trade secrets, and intellectual property ("process" or "processing") necessary to operate our business, for legal and marketing purposes, and for other business-related purposes. We, our FI partners, our marketers and other third parties whom we rely upon are subject to a number of data privacy and security obligations, such as various laws, regulations, guidance, industry standards, external and internal privacy policies, contractual requirements, and other obligations relating to data privacy and security as well as laws and regulations regarding online services and the Internet generally. In the U.S., the rules and regulations to which we, directly or contractually through our partners, or our marketers may be subject, include but are not limited to those promulgated under the authority of the Federal Trade Commission, the Electronic Communications Privacy Act, the Computer Fraud and Abuse Act, the Health Insurance Portability and Accountability Act, the Gramm-Leach-Bliley Act and state cybersecurity, privacy and breach notification laws, as well as regulator enforcement positions and expectations reflected in federal and state regulatory actions, settlements, consent decrees and guidance documents. The regulatory framework for online services and data privacy and security issues worldwide can vary substantially from jurisdiction to jurisdiction, is rapidly evolving and is likely to remain uncertain for the foreseeable future. Many of these obligations conflict with each other, and interpretation of these laws, rules and regulations and their application to our solutions in the U.S. and foreign jurisdictions is ongoing and cannot be fully determined at this time. A number of existing bills are pending in the U.S. Congress that contain provisions that would regulate how companies can use various tracking technologies to collect and utilize user information. Additionally, new legislation proposed or enacted in various states will continue to shape the data privacy environment nationally. The California Consumer Privacy Act ("CCPA"), which took effect on January 1, 2020, is an example of the trend towards increasingly comprehensive privacy legislation being introduced in the United States. The CCPA gives California residents expanded rights to request access to and deletion of their personal data, opt out of certain personal data sharing, and receive detailed information about how their personal data is used. The CCPA also increases the data privacy and security obligations on entities handling personal data, which is broadly defined under the law. The CCPA provides for civil penalties for violations, as well as a private right of action for data breaches, and includes statutorily defined damages of up to $7,500 per intentional violation and allows private litigants affected by certain data breaches to recover significant statutory damages, which is expected to increase data breach litigation. The CCPA also imposes requirements on businesses that "sell" information (which is defined broadly under the CCPA); there is significant ambiguity regarding what constitutes a sale and many of our or our partner's business practices may qualify. Further the California Privacy Rights Act ("CPRA"), which took effect on January 1, 2023, significantly modifies the CCPA, including by expanding consumers' rights with respect to certain sensitive personal data. The CPRA also created a new state agency that is vested with authority to implement and enforce the CCPA and the CPRA. In the past few years, other states, including Virginia, Colorado, Utah, Iowa, Montana, Indiana, Tennessee, Oregon, Texas, Delaware, New Jersey, New Hampshire and Connecticut, have also passed comprehensive privacy laws that impose certain obligations on covered businesses, including requiring covered businesses to provide specific disclosures in privacy notices and to afford residents with certain rights concerning their personal data. Similar laws are being considered in several other states, as well as at the federal and local levels. These developments may further complicate compliance efforts, and may increase legal risk and compliance costs for us and the third parties upon whom we rely. Outside of the United States, an increasing number of laws, regulations, and industry standards may govern data privacy and security. For example, the European Union's General Data Protection Regulation ("EU GDPR") and the United Kingdom's GDPR ("U.K. GDPR") impose strict requirements for processing personal data. For example, under the EU GDPR, companies may face temporary or definitive bans on data processing and other corrective actions, fines of up to 20 million euros or 4% of annual global revenue (whichever is greater), or private litigation related to processing of personal data brought by classes of data subjects or consumer protection organizations authorized at law to represent their interests. An example of the type of international regulation to which we may be subject is the U.K.'s Privacy and Electronic Communications Regulations 2011 ("PECR"), which implements the requirements of Directive 2009/136/EC (which amended Directive 2002/58/EC), which is known as the ePrivacy Directive. The PECR regulates various types of electronic direct marketing that use cookies and similar technologies. The PECR also imposes sector-specific breach reporting requirements, but these requirements only apply to providers of certain public electronic communications services. Additional European Union member state laws of this type may follow. In the ordinary course of business, we may transfer personal data from Europe and other jurisdictions to the United States or other countries. Europe and other jurisdictions have enacted laws requiring data to be localized or limiting the transfer of personal data to other countries. In particular, the European Economic Area ("EEA") and the U.K. have significantly restricted the transfer of personal data to the U.S. and other countries whose privacy laws it believes are inadequate. Other jurisdictions may adopt similarly stringent interpretations of their data localization and cross-border data transfer laws. Although there are currently various mechanisms that may be used to transfer personal data from the EEA and U.K. to the U.S. in compliance with law, such as the EEA standard contractual clauses and U.K.'s International Data Transfer Agreement, and the EU-U.S. Data Privacy Framework and the UK extension thereto (which allows for transfers to relevant U.S.-based organizations who self-certify compliance and participate in the framework), these mechanisms are subject to legal challenges, and there is no assurance that we can satisfy or rely on these measures to lawfully transfer personal data to the U.S. If there is no lawful manner for us to transfer personal data from the EEA, the U.K., or other jurisdictions to the U.S., or if the requirements for a legally compliant transfer are too onerous, we could face significant adverse consequences, including the interruption or degradation of our operations, the need to relocate part of or all of our business or data processing activities to other jurisdictions at significant expense, increased exposure to regulatory actions, substantial fines and penalties, the inability to transfer data and work with partners, vendors and other third parties, and injunctions against our processing or transferring of personal data necessary to operate our business. Additionally, companies that transfer personal data out of the EEA and U.K. to other jurisdictions, particularly to the U.S., are subject to increased scrutiny from regulators, individual litigants, and activist groups. Some European regulators have ordered certain companies to suspend or permanently cease certain transfers out of the EEA for allegedly violating GDPR's cross-border data transfer limitations. Our employees and personnel may use generative AI technologies to perform their work, and the disclosure and use of personal data in generative AI technologies is subject to various privacy laws and other privacy obligations. Governments have passed and are likely to pass additional laws regulating generative AI. Our use of this technology could result in additional compliance costs, regulatory investigations and actions, and lawsuits. If we are unable to use generative AI, it could make our business less efficient and result in competitive disadvantages. In addition to data privacy and security laws, we are also bound by contractual obligations related to data privacy and security, and our efforts to comply with such obligations may not be successful. We publish privacy policies, marketing materials and other statements regarding data privacy and security. If these policies, materials or statements are found to be deficient, lacking in transparency, deceptive, unfair, or misrepresent our practices, we may be subject to investigation, enforcement actions by regulators or other adverse consequences. Obligations related to data privacy and security are quickly changing, becoming increasingly stringent, and creating regulatory uncertainty. Additionally, these obligations may be subject to differing applications and interpretations, which may be inconsistent or conflict among jurisdictions. Preparing for and complying with these obligations requires us to devote significant resources, which may necessitate changes to our services, information technologies, systems, and practices and to the services, information, technologies, systems and practices of any third parties that process personal data on our behalf. In addition, these obligations may require us to change or business model. We may, for example, be required to, or otherwise may determine that it is advisable to, develop or obtain additional tools and technologies for validation of certain of our limited sales related to online purchases to compensate for a potential lack of cookie data. Even if we are able to do so, such additional tools may be subject to further regulation, time consuming to develop or costly to obtain, and less effective than our current use of cookies. We may at times fail (or be perceived to have failed) in our efforts to comply with our data privacy and security obligations. Moreover, despite our efforts, our personnel or third parties on whom we rely may fail to comply with such obligations, which could negatively impact our business operations. If we or the third parties which we rely upon fail, or are perceived to have failed, to address or comply with applicable data privacy and security obligations, we could face significant consequences, including, but not limited to: government enforcement actions (which could result in investigations, fines, penalties, audits and inspections), litigation (including class-action claims), additional reporting requirements and/or oversight, bans on processing personal data and orders to destroy or not use personal data. In particular, plaintiffs have become increasingly more active in bringing privacy-related claims against companies, including class action litigation and mass arbitration demands. Some of these claims allow for the recovery of statutory damages on a per violation basis, and, if viable, carry the potential for monumental statutory damages, depending on the volume of data and the number of violations. Any of these events could have a material adverse effect on our reputation, business or financial condition, potentially resulting in negative consequences including, but not limited to loss of customers, interruptions or stoppages in our business operations, inability to process personal data or to operate in certain jurisdictions, limited ability to develop or commercialize our products, expenditure of time and resources to defend any claim or inquiry, adverse publicity or substantial changes to our business model or operations.

General worldwide economic conditions have created significant instability in recent years. For example, inflation rates have fluctuated significantly in recent periods, and increased inflation may result in decreased demand for our products and solutions, increases in our operating costs (including our labor costs), reduced liquidity and limitations on our ability to access credit or otherwise raise capital. In addition, the Federal Reserve has raised, and may again raise, interest rates in response to concerns about inflation, which coupled with reduced government spending and volatility in financial markets may have the effect of further increasing economic uncertainty and heightening these risks. Additionally, financial markets around the world experienced volatility following the invasion of Ukraine by Russia in February 2022 and escalating conflicts in the Middle East in late 2023. Further, concerns have recently arisen with respect to the financial condition of a number of banking organizations in the United States, in particular those with exposure to certain types of depositors and large portfolios of investment securities. While we do not have any exposure to banking organizations that have entered receivership or become insolvent, we do maintain our cash at financial institutions, at times in balances that exceed the current insurance limits set forth by the Federal Deposit Insurance Corporation (the "FDIC"). If other banks and financial institutions enter receivership or become insolvent in the future due to financial conditions affecting the banking system and financial markets, our ability to access our cash, cash equivalents and investments, including our ability to transfer funds, make payments or receive funds, may be threatened and could have a material adverse effect on our business and financial condition. These conditions make it extremely difficult for marketers and us to accurately forecast and plan future business activities and could cause marketers to begin or continue to reduce or delay their marketing spending. Historically, economic downturns have resulted in overall reductions in marketing spending. If macroeconomic conditions deteriorate or are characterized by uncertainty or volatility, marketers may curtail or freeze spending on marketing in general and for services such as ours specifically, which could have a material and adverse impact on our business, financial condition and operating results. In addition, our business may be materially and adversely affected by weak economic conditions in the industries that we serve. We have historically generated a substantial majority of our revenue from marketers in the restaurant, brick and mortar retail, telecommunications and cable industries, and have expanded into new industries such as travel and entertainment, direct-to-consumer, grocery and gas. All of these industries have been negatively impacted by inflationary pressure and certain precautions taken to control inflationary pressure. We cannot predict the timing, strength or duration of any economic slowdown or recovery. In addition, even if the overall economy is robust, we cannot assure you that the market for services such as ours will experience growth or that we will experience growth.

During the nine months ended September 30, 2024 and 2023, we derived 7.9% and 5.2%, respectively, of our revenue from outside the U.S. While substantially all of our operations are located in the U.S., we have an office in the U.K. and may continue to expand our international operations as part of our growth strategy. Our ability to convince marketers to expand their use of our solutions or renew their agreements with us is directly correlated to our direct engagement with such marketers or their agencies. To the extent that we are unable to engage with non-U.S. marketers and agencies effectively with our limited sales force capacity, we may be unable to grow sales to existing marketers to the same degree we have experienced in the U.S. Our international operations subject us to a variety of risks and challenges, including: - localization of our solutions, including adaptation for local practices;- increased management, travel, infrastructure and legal and compliance costs associated with having international operations;- fluctuations in currency exchange rates and related effects on our operating results;- longer payment cycles and difficulties in collecting accounts receivable or satisfying revenue recognition criteria;- increased financial accounting and reporting burdens and complexities;- general economic conditions in each country or region, including inflationary pressure;- the global economic uncertainty and financial market conditions;- reduction in billings associated with the U.K. as well as issues related to foreign currency exchange rates and trade with the U.K.;- contractual and legislative restrictions or changes;- economic uncertainty around the world;- compliance with foreign laws and regulations and the risks and costs of non-compliance with such laws and regulations;- compliance with applicable laws and regulations for foreign operations, including the Foreign Corrupt Practices Act, the U.K. Bribery Act, import and export control laws, tariffs, trade barriers, economic sanctions and other regulatory or contractual limitations on our ability to sell our products in certain foreign markets, and the risks and costs of non-compliance;- potential changes in a specific country's or region's political or economic climate, including the current hostilities between Russia and Ukraine and conflict in the Middle East;- heightened risks of unfair or corrupt business practices in certain geographies and of improper or fraudulent sales arrangements that may impact financial results, which may also result in restatements of financial statements or irregularities in financial statements;- difficulties in repatriating or transferring funds from or converting currencies in certain countries;- cultural differences inhibiting foreign employees from adopting our corporate culture;- reduced protection for intellectual property rights in some countries and practical difficulties of enforcing rights abroad; and - compliance with the laws of foreign taxing jurisdictions and overlap of different tax regimes. Any of these risks could adversely affect our international operations, reduce our international revenues or increase our operating costs, adversely affecting our business, financial condition and operating results.

A significant public health crisis, epidemic or pandemic, or a natural disaster, such as an earthquake, fire or flood, or a significant power outage could have a material adverse impact on our business, operating results and financial condition. A significant portion of our employee base, operating facilities and infrastructure are centralized in Atlanta, GA; Menlo Park, CA and New York, NY. Any of our facilities may be harmed or rendered inoperable by natural or man-made disasters, including earthquakes, tornadoes, hurricanes, wildfires, floods, nuclear disasters, acts of terrorism or other criminal activities, infectious disease outbreaks and power outages, which may render it difficult or impossible for us to operate our business for some period of time. Our facilities would likely be costly to repair or replace, and any such efforts would likely require substantial time. Any disruptions in our operations could negatively impact our business, financial condition and operating results, and harm our reputation. In addition, we may not carry business insurance or may not carry sufficient business insurance to compensate for losses that may occur. Any such losses or damages could have a material adverse effect on our business, financial condition and operating results. In addition, the facilities of significant marketers, partners or third-party data providers may be harmed or rendered inoperable by such natural or man-made disasters, which may cause disruptions, difficulties or material adverse effects on our business.

Due to our international operations, we may be exposed to the effects of fluctuations in currency exchange rates, including inflationary pressure. We generate revenue and incur expenses for employee compensation and other operating expenses at our U.K. office in the local currency. Fluctuations in the exchange rates between the U.S. dollar and British pound could result in the dollar equivalent of such revenue and expenses being lower, which could have a negative net impact on our reported operating results. Although we may in the future decide to undertake foreign exchange hedging transactions to cover a portion of our foreign currency exchange exposure, we currently do not hedge our exposure to foreign currency exchange risks.