We receive, store, process, use, and share data, some of which contains personal information and other data relating to our players, employees and business contacts, and we enable our players to share their personal information with each other and with third parties, including on the Internet and mobile platforms. There are numerous federal, state, and local laws around the world regarding privacy and the storing, sharing, use, processing, disclosure, and protection of personal information, the scopes of which are changing, subject to differing interpretations, and may be inconsistent between jurisdictions or conflict with other rules.
We are subject to European Union rules with respect to cross-border transfers of personal data out of the EEA and the UK. Recent legal developments in Europe have created complexity and uncertainty regarding transfers of personal data from the EEA and the UK to the U.S. On July 16, 2020, the Court of Justice of the European Union ("CJEU") invalidated the EU-US Privacy Shield Framework, or Privacy Shield, under which personal data could be transferred from the EEA to U.S. entities, such as ourselves, who had self-certified under the Privacy Shield scheme. While the CJEU upheld the adequacy of the standard contractual clauses (a standard form of contract approved by the European Commission as an adequate personal data transfer mechanism, and potential alternative to the Privacy Shield), it made clear that reliance on them alone may not necessarily be sufficient in all circumstances.
These recent and ongoing developments will require us to continually review and amend the legal mechanisms by which we make and/or receive personal data transfers to the U.S. As supervisory authorities issue further guidance on personal data export mechanisms, including circumstances where the standard contractual clauses and other mechanisms cannot be used, and/or start taking enforcement action, we could suffer additional costs, complaints, and regulatory investigations or fines, or if we are otherwise unable to transfer personal data between and among countries and regions in which we operate, it could affect the manner in which we provide our services, the geographical location or segregation of our relevant systems and operations, and could adversely affect our financial results.
In addition, various government and consumer agencies have called for new regulation and changes in industry practices and are continuing to review the need for greater regulation for the collection of information concerning consumer behavior on the Internet, including regulation aimed at restricting certain targeted advertising practices.
In the U.S., there are numerous federal and state privacy and data protection laws and regulations governing the collection, use, disclosure, protection, and other processing of personal information, including federal and state data privacy laws, data breach notification laws, and consumer protection laws. For example, the California Consumer Privacy Act of 2018, or CCPA, became effective on January 1, 2020 and created new privacy rights for consumers residing in the state of California. The CCPA gives California residents expanded rights to access and delete their personal information, opt out of certain personal information sharing, and receive detailed information about how their personal information is used. The CCPA allows for the California Attorney General to impose civil penalties for violations and also provides a private right of action for certain data breaches. In November 2020, California voters passed the California Privacy Rights Act, or CPRA, which became effective on January 1, 2023. The CPRA significantly expands the CCPA, including by introducing additional obligations such as data minimization and storage limitations, granting additional rights to consumers, such as correction of personal information and additional opt-out rights, and creates a new entity, the California Privacy Protection Agency, to implement and enforce the law. The CCPA and CPRA could subject us to additional compliance costs as well as potential fines, individual claims and commercial liabilities.
There are currently a number of additional proposals related to data privacy or security pending before federal, state, and foreign legislative and regulatory bodies, and a number of U.S. states have adopted consumer protection laws similar to the CCPA. This legislation may add additional complexity, variation in requirements, restrictions and potential legal risk, require additional investment of resources in compliance programs, and could impact strategies and availability of previously useful data and could result in increased compliance costs and/or changes in business practices and policies.
In the European Economic Area, or EEA, we are subject to the European Union's General Data Protection Regulation, or GDPR, which became effective in May 2018, and from January 1, 2021, we are also subject to the UK GDPR and UK Data Protection Act 2018, which retains the GDPR in UK national law. The GDPR and national implementing legislation in EEA member states and the UK impose a strict data protection compliance regime in relation to our collection, control, processing, sharing, disclosure, and other use of personal data, including providing detailed disclosures about how personal data is collected and processed, granting new rights for data subjects to access, delete, or object to the processing of their data, mandatory breach notification to supervisory authorities (and in certain cases, affected individuals) of certain data breaches, and significant documentary requirements to demonstrate compliance through policies, procedures, training, and audit. In particular, European Union privacy supervisory authorities have focused on compliance with requirements relating to the processing of children's personal data and ensuring that services offered to children are age appropriate, and we may be subject to regulatory scrutiny and subsequent enforcement actions if we are found to be processing children's data given the nature of our services.
The U.S. Children's Online Privacy Protection Act ("COPPA") regulates the collection, use and disclosure of personal information from children under 13 years of age. While our social casino games do not target children under 18 years of age as their primary audience, the Federal Trade Commission (the "FTC"), as well as consumer organizations, may consider whether the characteristics of our games attract children under 13 years of age. The FTC has taken action against other gaming companies relating to children's privacy, including against Epic Games, the maker of the popular game Fortnite, pursuant to which Epic Games agreed to pay a $275 million fine for alleged violations of COPPA as well as take other corrective actions. While none of our games are directed at children under 13 years of age, if COPPA were to apply to us, failure to comply with COPPA may increase our costs, subject us to expensive and distracting government investigations and could result in substantial fines. Although we have taken measures to identify which of our games are subject to COPPA due to their child-appealing nature and to comply with COPPA with respect to those games, if COPPA were to apply to us in a manner other than we have assessed or prepared for, our actual or alleged failure to comply with COPPA may increase our costs, subject us to expensive and distracting lawsuits or government investigations, could result in substantial fines or civil damages and could cause us to temporarily or permanently discontinue certain games or certain features and functions in games.
While our social casino games do not target children under 18 years of age as their primary audience, the United Kingdom in 2020 enacted the "Age Appropriate Design Code" (commonly referred to as the "Children's Code"), a statutory code of practice pursuant to the United Kingdom Data Protection Act 2018, which became enforceable on September 2, 2021. The code requires online services, including our games that are likely to be accessed by children under 18, to put the best interests of the child's privacy first in the design, development and data-related behavior of the game. The UK government is also separately consulting on legislation in relation to user safety online. The Data Protection Commission in Ireland published its Fundamentals for a Child-Oriented Approach to Data Processing, introducing certain child-specific data protection measures. It is possible that other countries within and outside the European Union will follow with their own codes or guidance documents relating to processing personal information from children or in relation to online harms; currently, other countries are considering or have issued drafts of similar codes, including France, Denmark, and Switzerland. These may result in substantial additional costs and may necessitate changes to our business practices which may compromise our growth strategy, adversely affect our ability to attract, monetize or retain players, and otherwise adversely affect our business, reputation, legal exposures, financial condition and results of operations.
In addition, in some cases, we are dependent upon our platform providers to solicit, collect and provide us with information regarding our players that is necessary for compliance with these various types of regulations. Our business, including our ability to operate and expand internationally, could be adversely affected if laws or regulations are adopted, interpreted or implemented in a manner that is inconsistent with our current business practices and that require changes to these practices, the design of our games, game features, or our privacy policy. These platform providers may dictate rules, conduct or technical features that do not properly comply with federal, state, local and foreign laws, regulations and regulatory codes and guidelines governing data privacy, data protection and security, including with respect to the collection, storage, use, processing, transmission, sharing and protection of personal information and other consumer data. In addition, these platforms may dictate rules, conduct or technical features relating to the collection, storage, use, transmission, sharing and protection of personal information and other consumer data, which may result in substantial costs and may necessitate changes to our business practices, which in turn may compromise our growth strategy, adversely affect our ability to attract, monetize or retain players, and otherwise adversely affect our business, reputation, legal exposures, financial condition and results of operations.
Any failure or perceived failure to comply with these platform-dictated rules, conduct or technical features may result in platform-led investigations or enforcement actions, litigation, or public statements against us, which in turn could result in significant liability or temporary or permanent suspension of our business activities with these platforms, cause our players to lose trust in us, and otherwise compromise our growth strategy, adversely affect our ability to attract, monetize or retain players, and otherwise adversely affect our business, reputation, legal exposures, financial condition and results of operations.
Player interaction with our games is subject to our privacy policy and terms of service. If we fail to comply with our posted privacy policy or terms of service or if we fail to comply with existing privacy-related or data protection laws and regulations, it could result in proceedings or litigation against us by governmental authorities or others, which could result in fines or judgments against us, damage our reputation, impact our financial condition and harm our business. If regulators, the media or consumers raise any concerns about our privacy and data protection or consumer protection practices, even if unfounded, this could also result in fines or judgments against us, damage our reputation, and negatively impact our financial condition and damage our business.
In the area of information security and data protection, many jurisdictions have passed laws requiring notification when there is a security breach involving personal data or requiring the adoption of minimum information security standards that are often vaguely defined and difficult to implement. Our security measures and standards may not be sufficient to protect personal information and we cannot guarantee that our security measures will prevent security breaches. A security breach that compromises personal information could harm our reputation and result in a loss of player and/or employee confidence in our games and ultimately in a loss of players, which could adversely affect our business and impact our financial condition. A security breach could also involve loss or unavailability of business-critical data and could require us to spend significant resources to mitigate and repair the breach, which in turn could compromise our growth and adversely affect our ability to attract, monetize or retain players. These risks could also subject us to liability under applicable security breach-related laws and regulations and could result in additional compliance costs, costs related to regulatory inquiries and investigations, and an inability to conduct our business.
In addition, Brazil's Lei Geral de Proteção de Dados Pessoais, or LGPD, became effective in September 2020 and created new privacy rights for consumers residing in Brazil.
Compliance with the GDPR, LGPD, CCPA, CPRA, and similar legal requirements has required us to devote significant operational resources and incur significant expenses. We expect the number of jurisdictions adopting their own data privacy laws to increase, which will require us to devote additional significant operational resources and incur additional significant expenses and will also increase our exposure to risks of claims by our players that we have not complied with all applicable data privacy laws.
All of our games are subject to our online privacy policy and our terms of service accessible through our platform providers' storefronts, from our games, and on our corporate website. While we strive to comply with such policies and all applicable laws, regulations, other legal and contractual obligations, and certain industry standards and codes of conduct relating to data privacy and data protection, these obligations may be interpreted and applied in a manner that is inconsistent from one jurisdiction to another and may conflict with other rules or our practices. It is also possible that new laws, regulations, other legal obligations or industry codes of conduct may be adopted, or existing laws, regulations, other legal obligations or industry codes of conduct may be interpreted in such a way that results in us having to take further compliance steps and/or could prevent us from being able to offer services to citizens of a certain jurisdiction or makes it costlier or more difficult for us to do so.
Any failure or perceived failure by us to comply with our privacy policy and terms of service, or our data privacy-related legal obligations including those to our players or other third parties, or any compromise of security that results in the unauthorized release or transfer of personal information, including personal information about our players, may result in regulatory investigations, governmental enforcement actions, and significant fines, which, as an example, can be up to 20 million euros or up to 4% of the annual global revenue of the noncompliant undertaking, whichever is greater, for violations of certain requirements of the GDPR. The UK GDPR mirrors the fines under the GDPR. In addition to the foregoing, we may suffer reputational damage, orders to cease or change our processing of our data, civil claims including representative actions and other class action type litigation (where individuals have suffered harm), potentially amounting to significant compensation or damages liabilities, or public statements against us by consumer advocacy groups or others which could cause our players to lose trust in us, any of which could have an adverse effect on our business, financial condition, or results of operations. Additionally, if third parties we work with such as our players or vendors violate applicable laws or our policies, such violations may also put personal information at risk and expose us to potential liability and reputational harm. Further, public scrutiny of, or complaints about, technology companies or their data handling or data protection practices, even if unrelated to our business, industry, or operations, may lead to increased scrutiny of technology companies, including us, and may cause government agencies to enact additional regulatory requirements, or to modify their enforcement or investigation activities. Any of the foregoing could have an adverse effect on our business, financial condition, or results of operations.