Cricut Inc (CRCT) Risk Analysis

The markets in which we participate, including the traditional craft market and the other creative or DIY markets we touch, are highly competitive with limited barriers to entry. We operate and manage our business in three reportable segments: Connected Machines, Subscription and Accessories and Materials. We face competition in every aspect of our business, but particularly in Accessories and Materials. Many accessories and materials produced by our competitors, including the private label products of some of our retail partners, are compatible with our connected machines and are often available for purchase through our retail partners. Our competitors may offer competing accessories and materials at lower price points or with different features than our products. We are currently seeing intensifying competition in Accessories and Materials, and we expect the competition in the accessories and materials DIY market to continue to intensify in the future as new and existing competitors introduce new or enhanced products that may compete with our product lines. Our efforts to increase our sales of accessories and materials may not have the desired effect. Because we derive a significant portion of our revenue from the sales of accessories and materials, the material decline in such sales is having and could continue to have a pronounced impact on our future revenue and results of operations. We also experience competition in connected machines from sellers of both connected and manual cutting and other machines. For example, Brother, Graphtec, Loklik, Silhouette America, and Siser sell cutting machines, and a number of companies sell heat press machines. Our Subscriptions business, which provides users with fonts and images for making designs, competes with well-established content providers, from free resources that enable users to access content that is compatible with our platform, to more specific content marketplaces, like Creative Fabrica and Etsy, where customers can purchase digital files to upload to our platform. With respect to all of our segments, introduction by competitors of comparable products at lower price points, a maturing product lifecycle, a decline in consumer spending or other factors could result in a decline in our revenue derived from our products, which may adversely affect our business, financial condition and results of operations. Additionally, if in the future, due to competitor discounting or other marketing strategies, we significantly reduce our prices on our products without a corresponding increase in sales volume, it would negatively impact our revenue and would adversely affect our gross margins and overall profitability. As our product categories mature, new competitive forces and competitors may emerge. As we expand our product offerings, we may begin to compete in new product offerings with new competitors. Our competitors may develop, or have already developed, products, features, content, services or technologies that are similar to ours or that achieve greater market acceptance, undertake more successful product development efforts, create more compelling employment opportunities or marketing campaigns or may adopt more aggressive pricing policies. Our competitors may develop or acquire, or have already developed or acquired, intellectual property rights that significantly limit or prevent our ability to compete effectively in the public marketplace. In addition, our competitors may have significantly greater resources than we do or may introduce product features, including artificial intelligence and machine learning capabilities, sooner than we do, allowing them to identify and capitalize more efficiently upon opportunities in new markets and consumer preferences and trends, quickly transition and adapt their products, devote greater resources to marketing and advertising or better position themselves to withstand substantial price competition. If we are not able to compete effectively against our competitors, they may acquire and engage our users or generate revenue at the expense of our efforts, which could adversely affect our business, financial condition and results of operations.

Our ability to accurately forecast demand could be affected by many factors, including changes in consumer demand for our products, changes in demand for the products of our competitors, unanticipated changes in general market or economic conditions or changes in consumer confidence in future economic conditions. This risk may be exacerbated by the fact that we do not have the manufacturing capacity or supply-chain flexibility to satisfy short-term demand increases. For example, during the COVID-19 pandemic and stay-at-home orders, we saw significant growth in sales in 2020, which strained our inventory levels and caused shortages that likely resulted in lost sales. Although our in-channel and on-hand inventory as of December 31, 2023 were generally sufficient, if we fail to accurately forecast consumer demand, we may experience insufficient or excess inventory levels or a shortage or surplus of products available for sale. If we underestimate demand or are otherwise unable to meet consumer demand, we could experience loss of revenue, reputational harm and damaged relationships, including through social media or other communications from our community, and adversely affect our business, financial condition and results of operations. If we forecast inventory levels in excess of consumer demand, this may result in inventory write-downs or write-offs and the sale of excess inventory at discounted prices, which would cause our gross margins to suffer and could impair the strength and premium nature of our brand image. While supply chain conditions have improved during 2023, if our supply chain faces challenges again, it could continue to put pressure on margins.

We participate in promotional and rebate programs with our key brick-and-mortar and online retail partners to enhance the sale of our products. These promotional programs consist of incentives or entitlements to our customers, such as advertising allowances, volume and growth incentives, business development, product damage allowances and point-of-sale support. Customer rebates are considered to be variable consideration, which we estimate each quarter using the expected value method or most likely amount, based upon the nature of the incentive. Sales are reduced by the cost of these promotional and rebate programs and we record a related sales incentive liability in our consolidated balance sheets at the date of the transaction. To the extent that our estimates of variable consideration from customer rebates each quarter are not accurate, it could affect our revenue in future periods.

We use a variety of shipping services for delivery of our products to users and brick-and-mortar and online retail partners, including air carriers and ocean shipping services. All of our contract manufacturers are based in Asia, so our products are shipped to our third-party logistics partner facilities primarily via ocean shipping services. We have experienced and could continue to experience increased congestion and new import and export restrictions implemented at ports on which we rely for our business. In many cases, we have had to secure alternative transportation, such as air freight, or use alternative routes, at increased costs, to run our supply chain. In the event of any significant interruption in service by shipping providers or at airports or shipping ports, we may be unable to engage alternative suppliers or to receive or ship goods through alternate sites in order to deliver our products in a timely and cost-efficient manner. As a result, we could experience delays, increased shipping costs and lost sales as a result of missed delivery deadlines and product demand cycles. For example, at times during the COVID-19 pandemic, shipping of our products has been delayed, which has inconvenienced our users and brick-and-mortar and online retail partners. We could experience shipping delays in the future as a result of shortages of containers and ships, local port challenges or for other reasons. Furthermore, if the cost of delivery or shipping services were to increase significantly and the additional costs could not be covered by product pricing, our results of operations could be adversely affected. In particular, we are dependent upon major shipping companies, including FedEx and UPS, for the shipment of our products to and from our third-party logistics partner facilities. Changes in shipping terms, or the inability of these third-party shippers to perform effectively, could affect our responsiveness to our users and brick-and-mortar and online retail partners. Increases in our shipping costs may adversely affect our financial results if we are unable to pass on these higher costs to our users or brick-and-mortar and online retail partners.

We rely on a limited number of distributors for certain domestic sales, including to help establish relationships with certain retailers, and primarily sell through distributors internationally. If we lose any of our key distributors, particularly in our international target markets, if we are unable to meet our key distributors' demand requirements or if our key distributors sell competing products, our business and results of operations could be adversely affected. Moreover, because certain of our key distributors may have dominant positions in their markets, such key distributors may not be easy to replace and the loss of a key distributor could also impact our relationships with certain retailers. Any loss of market share or financial difficulties faced by our key distributors, including bankruptcy and financial restructuring, could adversely affect our financial performance. We also continue to pursue direct to retailer sales, which may impact our relationships with existing distributors. In the future, we may choose to temporarily or permanently stop shipping product to distributors who do not follow the policies and guidelines in our sales agreements, which could adversely affect our revenue and results of operations. Additionally, many of our international distributors buy from us in U.S. dollars and sell to retailers in local currency, so significant currency fluctuations could affect their profitability, and in turn, affect their ability to buy products from us in the future. For example, in recent years, there has been significant short-term volatility in global stock markets and currency exchange rate fluctuations that make it more expensive for international distributors to purchase our products. Any reduction in sales by our international retailers could harm our international expansion and adversely affect our future growth.

To ensure adequate inventory supply, we must forecast inventory needs and expenses and place orders with our contract manufacturers and component suppliers sufficiently in advance, based on our estimates of future demand for particular products. Failure to accurately forecast our needs may result in manufacturing delays, increased costs or excess inventory. Because we bear supply risk under our contract manufacturing arrangements, any such delays, increased costs or excess inventory could negatively impact our business. Failure to forecast appropriate demand, lead times, significant price fluctuations or shortages in materials or components, including the costs to transport such materials or components, the uncertainty of currency fluctuations against the U.S. dollar, increases in labor rates, trade duties or tariffs and/or the introduction of new and expensive raw materials could adversely affect our contract manufacturers' ability to manufacture our products in sufficient quantity and within sufficient time to meet our consumer demand, which would adversely affect our business, financial condition and operational results. If we overestimate our production requirements, we or our contract manufacturers may purchase excess components and build excess inventory. If we, or our contract manufacturers at our request, purchase excess components that are unique to our products or build excess products, we could be required to pay for these excess components or products. In limited circumstances, we have agreed to reimburse our manufacturers for purchased components that were not used as a result of our decision to discontinue products or the use of particular components. If we incur costs to cover excess supply commitments, this would harm our business. If we underestimate our product requirements, our contract manufacturers may have inadequate component inventory, which could interrupt the manufacturing of our products and result in delays or cancellation of orders from brick-and-mortar and online retail partners, distributors and online sales channels. We may be required to incur higher costs to secure the necessary production capacity and components to meet unanticipated demand, which could result in lower margins. While supply chain conditions have improved during 2023, if our supply chain faces challenges again, it could continue to put pressure on margins.

Our success in maintaining and increasing our user community depends on our ability to identify trends, as well as to anticipate and react to changing preferences, which cannot be predicted with certainty. If we are unable to introduce new or enhanced products, or additional designs and projects, in a timely manner, if such new offerings are not accepted by our user community or if our competitors introduce similar offerings faster than we do, our business may be adversely affected. We also need to successfully educate our users on new offerings or improvements to current offerings. Moreover, our new offerings may not receive market acceptance if preferences change rapidly to different types of personal DIY offerings or away from these types of offerings altogether. Our future success depends in part on our ability to anticipate and respond to these changes as well as to improve the user experience in each aspect of our business. For example, some users find our connected machines to be challenging to use or may require user education in order to operate them efficiently or have the best user experience. If we are not able to make our connected machines easier to use or improve user education and experience, it may have an adverse effect on our business. In addition, failure to anticipate and respond in a timely manner to changing user preferences could lead to, among other things, reduced word-of-mouth referrals, lower sales, lower subscription rates, pricing pressure, lower gross margins, discounting of our existing products and excess inventory levels. Even if we are successful in anticipating user preferences, our ability to adequately react to and address them will partially depend upon our continued ability to develop and introduce innovative, high-quality products. Development and launch of new or enhanced products is time-consuming and requires significant financial investment, which could result in increased costs and a reduction in our profit margins. We have experienced, and may in the future experience, delays in the planned release dates of new products. Delays could result in adverse publicity (if potential new product announcements are leaked and then delayed), loss of sales and delay in market acceptance, any of which could cause us to lose or fail to engage with existing users or impair our ability to attract new users. In addition, the introduction of new products by competitors could adversely affect our ability to compete. Any delay or failure in the introduction of new products could harm our business, results of operations and financial condition. Moreover, we must successfully manage the introduction of new or enhanced products and product offerings, which could adversely affect the sales of our existing products. For instance, users may choose to forgo purchasing existing connected machines in advance of new product launches, and we may experience higher returns from users of existing products after a new product launch occurs. As we introduce new or enhanced products, we may face additional challenges related to managing a more complex supply chain and manufacturing process, including the time and cost associated with onboarding and overseeing additional suppliers, contract manufacturers and third-party logistics partners. As we develop, acquire, and introduce new technologies, including those that may incorporate artificial intelligence and machine learning, we may be subject to new or heightened legal, ethical, and other challenges, including the ability to innovate as quickly as our competitors as well as increased research and development expenses. We may also face challenges managing the inventory of new or existing products, which could lead to excess inventory and discounting of such products. Users may negatively react to changes we introduce to products and product offerings. In addition, new or enhanced products may have varying selling prices and costs compared to legacy products, which could negatively impact our gross margins and results of operations.

Although our agreements with users submitting designs or other content to our websites and mobile apps specifically require users to represent that they have the right and authority to provide and license the designs and other content they submit for the purposes used by us, that the content does not and will not violate any law, statute, ordinance or regulation, and that the content (and our use of it) does not and will not infringe on any rights of any third party, we do not currently have the ability to determine the accuracy of these representations on a case-by-case basis. There is a risk that a user may supply an image or other content that is the property of another party used without permission, that infringes the copyright or trademark of another party or another party's right of privacy or right of publicity or that would be considered to be defamatory, pornographic, hateful, racist, scandalous, obscene or otherwise offensive, objectionable or illegal under the laws or court decisions of the jurisdiction where that user lives. There is, therefore, a risk that users may intentionally or inadvertently order and receive products from us that are in violation of the rights of another party or a law or regulation of a particular jurisdiction. The EU has also enacted a new law that will require us to use best efforts in accordance with the high industry standards of professional diligence to exclude infringing content from our platform that may be uploaded by our users. To comply with this new law, we will likely have to devote significant time and resources to develop technologies to prevent infringing content from being uploaded to our platform and, to the extent infringing content makes it onto our platform, to expeditiously remove such content and implement measures to prevent re-uploads of such content. Although the new law does not mandate monitoring, there may be no practical way for us to comply with the law's stringent new requirements without adopting some form of robust content identification systems. We may also be required to enter into license agreements with various rights holders to obtain licenses that authorize the storage and use of content uploaded by our users. We may not be able to develop technological solutions to comply with applicable law on economically reasonable terms and there is no guarantee that we will be able to enter into agreements with all relevant rights holders on terms that we deem reasonable. Compliance may therefore cause us to encounter increased costs which could substantially harm our business and results of operations.

Cookies are small data files sent by websites and stored locally on an Internet user's computer or mobile device. We, and third parties who work on our behalf, collect data via cookies to track the behavior of visitors to our sites, provide a more personalized and interactive experience and analyze and increase the effectiveness of our marketing. However, Internet users can easily disable, delete and block cookies directly through browser settings or through other software, browser extensions or hardware. Privacy laws and regulations restrict how we deploy our cookies, and this could potentially increase the number of Internet users that choose to proactively disable cookies on their systems. Federal, state and foreign governmental authorities continue to evaluate the privacy implications inherent in the practice of online tracking for behavioral advertising and other purposes. Governments in the United States and internationally have enacted, have considered or are considering legislation or regulations that could significantly restrict the ability of companies and individuals to engage in these activities, such as by regulating the level of consumer notice and consent required before a company can employ electronic tracking tools or the use of data gathered with such tools. For example, the European Commission has proposed a draft regulation, known as the Regulation of Privacy and Electronic Communications, or the ePrivacy Regulation, which would replace the current ePrivacy Directive. If adopted, the ePrivacy Regulation could have broad potential impacts on the use of internet-based services and tracking technologies, such as cookies. We expect to incur additional costs to comply with the requirements of the ePrivacy Regulation and national implementation laws once they are enacted. In addition to the EU and United Kingdom, other regulators are increasingly focusing on compliance with requirements related to the online behavioral advertising ecosystem. For example, on January 13, 2022, the Austrian data protection authority published a decision ruling that the collection of personal data and transfer to the U.S. through Google Analytics and other analytics and tracking tools used by website operators violates the GDPR. In 2022, the Danish, French and Italian data protection authorities adopted similar decisions. On June 23, 2022, the Italian data protection authority adopted a similar decision. Other data protection authorities in the European Union increasingly are focused on the use of online tracking tools and have indicated that they plan to issue similar rulings. In addition, the CCPA grants California residents the right to opt-out of a company's sharing of personal information for advertising purposes in exchange for money or other valuable consideration. Additionally, some providers of consumer devices and web browsers have implemented means to make it easier for Internet users to block tracking technologies or to require new permissions from users for certain activities, which could, if widely adopted, significantly reduce the effectiveness of such practices and technologies. For example, Apple introduced an iOS update in April 2021 that allowed users to more easily opt-out of tracking activity across devices, and subsequently incorporated new SDK privacy controls into iOS 17, which was released in September 2023. These developments have impacted and may continue to impact business. In February 2022, Google announced it planned to adopt similar restrictions to restrict tracking activity across Android devices. In addition, the most commonly used Internet browsers-Chrome, Firefox, Internet Explorer and Safari-allow Internet users to modify their browser settings to prevent cookies from being accepted by their browsers, and a number of other software tools allow users to block or otherwise limit the functionality of cookies. Users can decide to opt out of nearly all cookie data creation, which could negatively impact operations. We may have to develop alternative systems to determine our users' behavior, customize their online experience or efficiently market to them if users block cookies or regulations introduce additional barriers to collecting cookie data.

We are subject to a variety of laws and regulations in the United States and around the world, including those relating to traditional businesses, such as employment laws and taxation, as well as laws and regulations focused on e-commerce and online marketplaces, such as online payments, privacy, anti-spam, data security and protection, online platform liability, intellectual property and consumer protection, the ability to collect and/or share necessary information that allows us to conduct business on the Internet, marketing communications and advertising, content protection, electronic contracts or gift cards. In addition, emerging technologies we utilize, including artificial intelligence and machine learning, may also become subject to regulation under new laws or new applications of existing laws. In some cases, non-U.S. privacy, data protection, information security, consumer protection, e-commerce and other laws and regulations are more detailed than those in the United States and, in some countries, are actively enforced. These laws and regulations are continuously evolving, and compliance is costly and could require changes to our business practices and significant management time and effort, or may result in enforcement actions or litigation. For example, California's Automatic Renewal Law requires companies to adhere to enhanced disclosure requirements when entering into automatically renewing contracts with consumers. As a result, a wave of consumer class action lawsuits was brought against companies that offer online products and services on a subscription or recurring basis. Other laws, like the CCPA and the EU's GDPR, require us to implement reasonable privacy and security measures, including applying security requirements by contract to certain service providers and processors acting on our behalf, as well as requiring certain privacy and security disclosures to consumers and employees. In some jurisdictions, these laws and regulations may be subject to attempts to apply such domestic rules world-wide against us or our subsidiaries. Additionally, it is not always clear how existing laws apply to online marketplaces as many of these laws do not address the unique issues raised by online marketplaces or e-commerce. For example, as described elsewhere in this Risk Factors section, laws relating to privacy, data protection and information security are evolving differently in different jurisdictions. Federal, state and non-U.S. governmental authorities, as well as courts interpreting relevant laws, continue to evaluate and assess applicable privacy, data protection and information security requirements. Existing and future laws and regulations enacted by federal, state or non-U.S. governments or the inconsistent enforcement of such laws and regulations could impede the growth of e-commerce or online marketplaces, which could have a negative impact on our business and operations. Examples include data localization requirements, limitations on marketplace scope or ownership, intellectual property intermediary liability rules, regulation of online speech, limits on network neutrality and rules related to security, privacy, data protection or national security, which may impede us or our users. We could also face regulatory challenges or be subject to discriminatory or anti-competitive practices that could impede both our growth prospects, increase our costs and harm our business. We strive to comply with all applicable laws, but they may conflict with each other, and by complying with the laws or regulations of one jurisdiction, we may find that we are in conflict with the laws or regulations of another jurisdiction. Despite our best efforts, we may not have fully complied with all applicable laws and may not in the future. Any failure, or perceived failure, by us to comply with any of these laws or regulations could result in damage to our reputation, lost business and proceedings or actions against us by governmental entities or others, which could result in significant expenses, fines or penalties. Laws or regulations, or enforcement thereof, could also force us to change the way we operate, which could require us to incur significant expenses or to discontinue certain services, which could negatively affect our business. Additionally, if third parties with whom we work violate applicable laws or our policies, those violations could result in other liabilities for us and could harm our business. Furthermore, the circumstances in which we may be held liable for the acts, omissions or responsibilities of these parties is uncertain, complex and evolving. If an increasing number of such laws are passed, the resulting compliance costs and potential liability risk could negatively impact our business.

A predominant portion of the products we sell is originally manufactured in countries other than the United States. International trade disputes that result in tariffs and other protectionist measures could adversely affect our business, including disruption in and cost increases for sourcing our merchandise and increased uncertainties in planning our sourcing strategies and forecasting our margins. Importing and exporting has involved more risk since the beginning of 2018, as there has been increasing rhetoric, in some cases coupled with legislative or executive action, from several United States and foreign leaders regarding tariffs against foreign imports of certain materials. For example, the U.S. government imposed significant new tariffs on China related to the importation of certain product categories following the U.S. Trade Representative's Section 301 investigation. It is possible that the U.S. government may take further measures in the future to impose stricter export controls on items destined for China or additional duties on shipments made from China. During fiscal 2019, the Bureau of Industry and Security, or BIS, of the U.S. Department of Commerce placed certain Chinese entities on the Entity List, limiting the ability of U.S. companies to do business with those entities. The U.S. government may add additional parties to the Entity List, which could harm our business, increase the cost of conducting our operations in China or result in retaliatory actions against U.S. interests. In addition, the U.S. government has exercised additional trade-related powers in a manner that could have a material adverse impact on our business, financial condition or results of operations. For example, on May 15, 2019, then-President Trump issued an executive order that invoked national emergency economic powers to implement a framework to regulate the acquisition or transfer of information communications technology in transactions that imposed undue national security risks. The executive order was subject to implementation by the Secretary of Commerce and purports to apply to contracts entered into prior to the effective date of the order. On January 19, 2021, the U.S. Department of Commerce published interim final rules in the Federal Register, subject to public notice and comment, which purport to permit the Department of Commerce to investigate transactions involving the use of information communications technology products or services provided by persons owned or controlled by certain nations, including China, and potentially to modify or prohibit those transactions. In addition, the White House, the Department of Commerce and other executive branch agencies have implemented additional restrictions and may implement still further restrictions that would affect conducting business with certain Chinese companies. We cannot predict whether these recent rules and restrictions will be implemented and acted upon by the Biden administration, modified, overturned or vacated by legal action. A substantial portion of our products are manufactured in China. As a result of tariffs, our cost of goods imported from China increased substantially, and could increase further depending on the outcome of the current trade negotiations, which have been protracted and resulted in increases in U.S. tariff rates on specified products from China. Although we continue to work with our vendors to mitigate our exposure to current or potential tariffs, there can be no assurance that we will be able to offset any increased costs. Other changes in U.S. tariffs, quotas, trade relationships or tax provisions could also reduce the supply of goods available to us or increase our cost of goods. We may fail to effectively adapt to and manage the adjustments in strategy that would be necessary in response to those changes. In addition to the general uncertainty and overall risk from potential changes in U.S. laws and policies, as we make business decisions in the face of such uncertainty, we may incorrectly anticipate the outcomes, miss out on business opportunities or fail to effectively adapt our business strategies and manage the adjustments that are necessary in response to those changes. These risks could adversely affect our revenue, reduce our profitability and negatively impact our business.

We are subject to numerous federal, state, local and international laws and regulations regarding privacy, data protection, information security and the storing, sharing, use, processing, transfer, disclosure and protection of personal information and other content and data, which we refer to collectively as privacy laws, the scope of which is changing, subject to differing interpretations and may be inconsistent among countries, or conflict with other laws, regulations or other obligations. We are also subject to the terms of our privacy policies and obligations to our users and other third parties related to privacy, data protection and information security. We strive to comply with applicable privacy laws; however, the regulatory framework for privacy, data protection and information security worldwide is, and is likely to remain for the foreseeable future, varied, and it is possible that these or other obligations may be interpreted and applied in a manner that is inconsistent from one jurisdiction to another. We also expect that there will continue to be new privacy laws proposed and enacted in various jurisdictions. For example, in May 2018, the GDPR went into effect in the EU. The GDPR imposed stringent data protection requirements and provides greater penalties for noncompliance than previous data protection laws, including potential penalties of up to €20 million or 4% of annual global revenue, whichever is greater. Among other requirements, the GDPR regulates transfers of personal data subject to the GDPR to the United States as well as other countries that have not been found to provide adequate protection to such personal data. The GDPR also imposed numerous requirements on companies operating in the EU, including enhanced disclosures to data subjects about how personal data is processed (including information about the profiling of individuals and automated individual decision-making), limited retention periods of personal data, mandatory data breach notification obligations and additional policies and procedures required to comply with the accountability principle under the GDPR. In addition, data subjects have more robust rights with regard to their personal data. Although legal mechanisms have been designed to allow for the transfer of personal data from the United Kingdom, the EEA, and Switzerland to the United States, uncertainty about compliance with such data protection laws remains and such mechanisms may not be available or applicable with respect to the personal data processing activities necessary to research, develop and market our products and services. For example, legal challenges in Europe to the mechanisms allowing companies to transfer personal data from the EEA and Switzerland to the United States could result in further limitations on the ability to transfer personal data across borders, particularly if governments are unable or unwilling to reach agreement on or maintain existing mechanisms designed to support cross-border data transfers. Specifically, on July 16, 2020, the Court of Justice of the EU, or CJEU, invalidated the EU-U.S. Privacy Shield Framework. The same decision also imposed additional conditions with respect to use of the Standard Contractual Clauses, or the SCCs, to lawfully transfer personal data from Europe to the United States and most other countries. The Swiss Federal Data Protection and Information Commissioner also has stated that it no longer considers the Swiss-U.S. Privacy Shield adequate for the purposes of personal data transfers from Switzerland to the United States. On October 7, 2022, President Biden signed an Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities, directing the United States to take certain steps to implement the EU-U.S. Data Privacy Framework, and on December 13, 2022, the European Commission announced a draft decision on U.S. adequacy, which has allowed the EU-U.S. Data Privacy Framework to become available for use by companies seeking to legitimize personal data transfers from the EU to the U.S. There have, however, been reports that the EU-U.S. Data Privacy Framework may be subject to challenge. These and other developments may result in European data protection regulators applying differing standards for, and requiring ad hoc verification of, transfers of personal data from Europe to the United States. We may be required to take additional steps to legitimize any impacted personal data transfers and may be subject to increased costs of compliance and limitations on our vendors, contractors, consultants and us. On June 4, 2021, the European Commission published new SCCs. The CJEU's decision, the revised SCCs, regulatory guidance and opinions and other developments relating to cross-border data transfer may require us to implement additional contractual and technical safeguards for any personal data transferred out of the EEA and Switzerland. More generally, we may find it necessary or desirable to modify our data handling practices, and our practices relating to cross-border transfers of data or other data handling practices, or those of our vendors, contractors and consultants, may be challenged and our business, financial condition and operating results may be adversely impacted. We continue to monitor and review the impact of any developments relating to cross-border data transfers from the EEA and Switzerland that could affect our operations. Further, the United Kingdom's exit from the EU, and ongoing developments in the United Kingdom, have created uncertainty with regard to data protection regulation in the United Kingdom. Data processing in the United Kingdom is now governed by the UK General Data Protection Regulation and other domestic data protection laws, such as the UK Data Protection Act of 2018, which provide for penalties for noncompliance of up to the greater of £17.5 million or 4% of worldwide revenues. Although the European Commission adopted an adequacy decision for the United Kingdom in June 2021 that allows for the continued flow of personal data from the EU to the United Kingdom, this decision may be revoked or modified and will need to be renewed after four years from the date of adoption. In February 2022, the United Kingdom's Information Commissioner's Office issued new standard contractual clauses, or the UK SCCs, to support personal data transfers out of the United Kingdom, which went into effect in March 2022. We may, in addition to other impacts, experience additional costs associated with increased compliance burdens and be required to engage in new contract negotiations with third parties that aid in processing personal data on our behalf or localize certain data. We cannot fully predict how United Kingdom data protection laws or regulations may develop in the medium to longer term or how the EU will treat the United Kingdom with respect to data protection issues, including those relating to data transfers to and from the United Kingdom. We continue to monitor and review the impact of any resulting changes to EU or United Kingdom law, or related developments, that could affect our operations. We may incur liabilities, expenses, costs and other operational losses relating to the GDPR and privacy laws of applicable EU Member States and the United Kingdom, including in connection with any measures we take to comply with them. In Brazil, the Lei Geral de Proteção de Dados Pessoais – Law No. 13,709/2018, or LGPD, similar in many respects to the GDPR, was enacted August 14, 2018 and entered into effect September 18, 2020. Penalties for violation of the LGPD, if and when enforced, may be up to 2% of revenue in Brazil, capped at R$50 million per violation. The LGPD applies to businesses that process the personal data of individuals located in Brazil and provides consumer rights similar to the GDPR. A Brazilian Data Protection Authority, Brazilian National Data Protection Authority (Autoridade Nacional de Proteção de Dados, or ANPD), has been established and has begun issuing guidance on how to interpret and implement the LGPD's requirements. The ANPD has issued guidance regarding aspects of compliance with the LGPD, and is anticipated to issue further guidance. Our LGPD approach may be subject to further change, our compliance measures may not be fully adequate, we may expend significant time and cost in developing a privacy governance program and data transfer mechanisms in an effort to comply with the LGPD and any implementing regulations or guidance, and we may potentially face litigation or other proceedings relating to actual or alleged noncompliance with the LGPD. Vietnam's cybersecurity law went into effect on January 1, 2019 and includes stringent requirements regarding data localization and data transfers. On August 15, 2022, the Vietnamese government issued Decree 53, which elaborates on requirements relating to data protection and went into effect on October 1, 2022. To comply with the decree, we may be required to further invest in potentially duplicative infrastructure and personnel in Vietnam, establish and maintain a local data protection program, and incur other costs and expenses related to these new requirements. California also enacted legislation affording consumers expanded privacy protections, the CCPA, that went into effect as of January 1, 2020 and was subject to enforcement starting July 1, 2020. Additionally, the California Attorney General issued regulations that may add additional requirements on businesses. The potential effects of this legislation and the related CCPA regulations are far-reaching and may require us to modify our data processing practices and policies and to incur substantial costs and expenses in an effort to comply. For example, the CCPA gives California residents expanded rights to access personal information, request deletion of personal information, opt out of certain personal information sharing and receive detailed information about how their personal information is collected and used. The CCPA also provides for civil penalties for violations (up to $7,500 per violation), as well as a private right of action for certain data breaches that may increase data breach litigation. Additionally, a new privacy law, the CPRA, was approved by California voters in November 2020, which went into effect January 1, 2023. The CPRA creates obligations relating to consumer personal information collected as of January 1, 2022, with implementing regulations remaining partially in flux, and enforcement having commenced July 1, 2023. The CPRA significantly modifies the CCPA, potentially resulting in further uncertainty and requiring us to incur additional costs and expenses in efforts to comply. Numerous other states have also enacted or proposed similar data privacy laws. For example, Virginia, Colorado, Utah and Connecticut have each passed laws similar to but different from the CCPA and CPRA that have taken effect in 2023; Florida, Montana, Oregon and Texas have enacted similar laws that go into effect in 2024; Tennessee, Delaware and Iowa have enacted similar laws that go into effect in 2025; and Indiana has enacted a similar law that will go into effect in 2026. This legislation and other proposed laws at the state and federal level in the United States create the potential for a patchwork of overlapping but different laws, result in further uncertainty, require us to incur additional costs and expenses in an effort to comply or require changes in business practices and policies. Further, some countries also are considering or have passed legislation requiring local storage and processing of data, or similar requirements, which could increase the cost and complexity of operating our products and services and other aspects of our business. With laws and regulations such as the GDPR, LGPD, CCPA and CPRA imposing new and relatively burdensome obligations, and with substantial uncertainty over the interpretation and application of these and other laws and regulations, there is a risk that the requirements of these or other laws and regulations, or of contractual or other obligations relating to privacy, data protection or information security, are interpreted or applied in a manner that is, or is alleged to be, inconsistent with our management and processing practices, our policies or procedures, or the features of our products and services. We may face challenges in addressing their requirements and making any necessary changes to our policies and practices, and we may find it necessary or appropriate to assume additional burdens with respect to data handling, to restrict our data processing or otherwise to modify our data handling practices and to incur significant costs and expenses in these efforts. Any failure or perceived failure by us to comply with our privacy policies, our privacy, data protection or information security-related obligations to brick-and-mortar and online retail partners, users or other third parties, or any of our other legal obligations relating to privacy, data protection or information security may result in governmental investigations or enforcement actions, litigation, claims or public statements against us by consumer advocacy groups or others, and could result in significant liability or cause our users to lose trust in us, which could adversely affect our reputation and business. Furthermore, the costs of compliance with, and other burdens imposed by, the laws, regulations and policies that are applicable to the businesses of our brick-and-mortar and online retail partners may limit the adoption and use of, and reduce the overall demand for, our products and services. Additionally, if third parties we work with, such as vendors or developers, violate applicable laws or regulations or our contracts and policies, such violations may also put our users' content and personal information at risk and could in turn adversely affect our business. Any significant change to applicable privacy laws or relevant industry practices could increase our costs and require us to modify our platform, design apps and features, possibly in a material manner, which we may be unable to complete and may limit our ability to store and process user data or develop new design apps and features.

Our products and subscriptions may be considered discretionary items for consumers. Factors affecting the level of consumer spending for such discretionary items include general economic conditions, consumer confidence in future economic conditions, fears of recession, the availability and cost of consumer credit, inflationary pressures, consumers' individual savings-to-spend ratio, levels of unemployment, discretionary time and money available, tax rates and political factors, including war or other armed conflicts, including the current conflicts between Russia and Ukraine and between Israel and Hamas. While we saw an increase in demand for our products and subscriptions during the COVID-19 pandemic in 2020 and 2021, our current revenue growth rates are declining compared to those years. There can be no assurance that sales will return to 2020 and 2021 levels in the future or that we will be able to continue to significantly grow our revenue in a post-COVID-19 environment. To date, our business has operated almost exclusively in a relatively strong economic environment. Current deteriorating general economic conditions, inflationary pressures affecting the pricing of our products, and changes in consumer spending preferences and buying trends are having an adverse effect on demand for our products. Further, a federal government shutdown resulting from failing to pass budget appropriations, adopt continuing funding resolutions, or raise the debt ceiling, and other budgetary decisions limiting or delaying deferral government spending, may negatively impact U.S. or global economic conditions, including corporate and consumer spending, and liquidity of capital markets. Unfavorable economic conditions or other related factors may lead consumers to delay or reduce purchases of our products and subscriptions, and consumer demand for our products and subscriptions may not grow as we expect. As a result of these factors, our rate of adding new users is declining in comparison to recent years and, in the short term, the number of paid subscribers could remain flat or decline. Our sensitivity to economic cycles and any related fluctuation in consumer demand for our products and subscriptions could adversely affect our business, financial condition and results of operations.