PLAYSTUDIOS (MYPS) Risk Analysis

We receive, store, process, use, and share data, some of which contains personal information and other data relating to our players, employees and business contacts, and we enable our players to share their personal information with each other and with third parties, including on the Internet and mobile platforms. There are numerous federal, state, and local laws around the world regarding privacy and the storing, sharing, use, processing, disclosure, and protection of personal information, the scopes of which are changing, subject to differing interpretations, and may be inconsistent between jurisdictions or conflict with other rules. In addition, heightened regulatory scrutiny of digital business models that rely on in-game purchases, targeted advertising, and virtual currency mechanics has increased the likelihood of investigations, enforcement actions, and civil claims in this area. In the European Economic Area, or EEA, we are subject to the European Union's General Data Protection Regulation, or GDPR, which became effective in May 2018, and from January 1, 2021, we are also subject to the UK GDPR and UK Data Protection Act 2018, which retains the GDPR in UK national law. The GDPR and national implementing legislation in EEA member states and the UK impose a strict data protection compliance regime in relation to our collection, control, processing, sharing, disclosure, and other use of personal data, including providing detailed disclosures about how personal data is collected and processed, granting new rights for data subjects to access, delete, or object to the processing of their data, mandatory breach notification to supervisory authorities (and in certain cases, affected individuals) of certain data breaches, and significant documentary requirements to demonstrate compliance through policies, procedures, training, and audit. In particular, European Union privacy supervisory authorities have focused on compliance with requirements relating to the processing of children's personal data and ensuring that services offered to children are age appropriate, and we may be subject to regulatory scrutiny and subsequent enforcement actions if we are found to be processing children's data given the nature of our services. The GDPR and similar laws require that we establish a valid legal basis for processing personal data, including for targeted advertising, profiling, and analytics activities. Regulatory authorities may disagree with our assessment of the appropriate legal basis for certain processing activities, which could require us to modify our practices or limit certain data uses. We are subject to European Union rules with respect to cross-border transfers of personal data out of the EEA and the UK. Recent legal developments in Europe have created complexity and uncertainty regarding transfers of personal data from the EEA and the UK to the U.S. We rely on approved transfer mechanisms, including the EU-U.S. Data Privacy Framework and standard contractual clauses, for certain cross-border data transfers. Regulatory guidance and enforcement relating to international data transfers continue to evolve, and supervisory authorities may determine that additional safeguards are required. If we are unable to lawfully transfer personal data across jurisdictions in which we operate, we may be required to implement costly localization measures, modify our service offerings, or suspend certain data flows. These recent and ongoing developments will require us to continually review and amend the legal mechanisms by which we make and/or receive personal data transfers from the EEA and UK to the U.S. As supervisory authorities issue further guidance on personal data export mechanisms, including circumstances where the standard contractual clauses and other mechanisms cannot be used, and/or start taking enforcement action, we could suffer additional costs, complaints, and regulatory investigations or fines, or if we are otherwise unable to transfer personal data between and among countries and regions in which we operate, it could affect the manner in which we provide our services, the geographical location or segregation of our relevant systems and operations, and could adversely affect our financial results. In addition, various government and consumer agencies have called for new regulation and changes in industry practices and are continuing to review the need for greater regulation for the collection of information concerning consumer behavior on the Internet, including regulation aimed at restricting certain targeted advertising practices. Regulators in the United States, European Union, and other jurisdictions have increased scrutiny of so-called "dark patterns," addictive design features, manipulative user interface practices, and the marketing of in-game purchases. Enforcement in this area may require modifications to user flows, monetization mechanics, disclosures, or consent processes, which could impact player engagement or revenue. In addition, certain jurisdictions regulate automated decision-making and profiling activities, which may impact our ability to personalize content, promotions, or pricing. In the U.S., there are numerous federal and state privacy and data protection laws and regulations governing the collection, use, disclosure, protection, and other processing of personal information, including federal and state data privacy laws, data breach notification laws, and consumer protection laws. For example, the California Consumer Privacy Act of 2018, or CCPA, became effective on January 1, 2020 and created new privacy rights for consumers residing in the state of California. The CCPA gives California residents expanded rights to access and delete their personal information, opt out of certain personal information sharing, and receive detailed information about how their personal information is used. The CCPA allows for the California Attorney General to impose civil penalties for violations and also provides a private right of action for certain data breaches. In November 2020, California voters passed the California Privacy Rights Act, or CPRA, which became effective on January 1, 2023. The CPRA significantly expands the CCPA, including by introducing additional obligations such as data minimization and storage limitations, granting additional rights to consumers, such as correction of personal information and additional opt-out rights, and creates a new entity, the California Privacy Protection Agency, to implement and enforce the law. The CCPA and CPRA could subject us to additional compliance costs as well as potential fines, individual claims and commercial liabilities. In addition, numerous other U.S. states have enacted comprehensive consumer privacy statutes that create additional compliance obligations, including opt-out rights for targeted advertising and profiling, data minimization requirements, and enhanced disclosure obligations. The patchwork of state-level requirements increases compliance complexity and risk of inconsistent interpretations. Certain of these laws also provide for private rights of action, statutory damages, or class action remedies, which may increase litigation risk. Furthermore, certain privacy laws impose data minimization and storage limitation requirements that may restrict the duration or scope of our data retention practices, potentially affecting analytics, personalization, and marketing effectiveness. There currently are a number of additional proposals related to data privacy or security pending before federal, state, and foreign legislative and regulatory bodies, and a number of U.S. states have adopted consumer protection laws similar to the CCPA. This legislation may add additional complexity, variation in requirements, restrictions and potential legal risk, require additional investment in resources to compliance programs, and could impact strategies and availability of previously useful data and could result in increased compliance costs and/or changes in business practices and policies. The U.S. Children's Online Privacy Protection Act ("COPPA"), regulates the collection, use and disclosure of personal information from children under 13 years of age. While our social casino games do not target children under 18 years of age as their primary audience, the Federal Trade Commission (the "FTC"), as well as consumer organizations, may consider whether the characteristics of our games attract children under 13 years of age. The FTC has taken action against other gaming companies relating to children's' privacy, including against Epic Games, the maker of the popular game Fortnite, pursuant to which Epic Games agreed to pay a $275 million fine for alleged violations of COPPA as well as take other corrective actions. Although our social casino games are not directed at children under 13 years of age, regulators may evaluate whether certain game features, themes, or marketing practices could appeal to minors. If COPPA were to apply to us, failure to comply with COPPA may increase our costs, subject us to expensive and distracting government investigations and could result in substantial fines. Although we have taken measures to identify which of our games are subject to COPPA due to their child-appealing nature and to comply with COPPA with respect to those games, if COPPA were to apply to us in a manner other than we have assessed or prepared for, our actual or alleged failure to comply with COPPA may increase our costs, subject us to expensive and distracting lawsuits or government investigations, could result in substantial fines or civil damages and could cause us to temporarily or permanently discontinue certain games or certain features and functions in games. While our social casino games do not target children under 18 years of age as their primary audience, the United Kingdom in 2020 enacted the "Age Appropriate Design Code" (commonly referred to as the "Children's Code"), a statutory code of practice pursuant to the United Kingdom Data Protection Act 2018, which became enforceable on September 2, 2021. The code requires online services, including our games that are likely to be accessed by children under 18, to put the best interests of the child's privacy first in the design, development and data-related behavior of the game. The UK government is also separately consulting on legislation in relation to user safety online. The Data Protection Commission in Ireland published its Fundamentals for a Child-Oriented Approach to Data Processing, introducing certain child-specific data protection measures. It is possible that other countries within and outside the European Union will follow with their own codes or guidance documents relating to processing personal information from children or in relation to online harms; currently, other countries are considering or have issued drafts of similar codes, including France, Denmark, and Switzerland. These may result in substantial additional costs and may necessitate changes to our business practices which may compromise our growth strategy, adversely affect our ability to attract, monetize or retain players, and otherwise adversely affect our business, reputation, legal exposures, financial condition and results of operations. Failure to comply with child-specific data protection or online safety requirements could result in regulatory investigations, significant fines, mandated product changes, or restrictions on our ability to offer certain features in affected jurisdictions. In addition, in some cases, we are dependent upon our platform providers to solicit, collect and provide us with information regarding our players that is necessary for compliance with these various types of regulations. Our business, including our ability to operate and expand internationally, could be adversely affected if laws or regulations are adopted, interpreted or implemented in a manner that is inconsistent with our current business practices and that require changes to these practices, the design of our games, game features, or our privacy policy. These platform providers may dictate rules, conduct or technical features that do not properly comply with federal, state, local and foreign laws, regulations and regulatory codes and guidelines governing data privacy, data protection and security, including with respect to the collection, storage, use, processing, transmission, sharing and protection of personal information and other consumer data. We remain responsible for our compliance obligations even where platform providers control certain data flows or user interface elements. If platform practices are inconsistent with applicable laws, or if we are unable to obtain necessary information from such platforms to meet regulatory requirements, we may be exposed to enforcement risk. Any failure or perceived failure to comply with these platform-dictated rules, conduct or technical features may result in platform-led investigations or enforcement actions, litigation, or public statements against us, which in turn could result in significant liability, suspension of our business activities on such platforms, reputational harm, and adverse effects on our business, financial condition, and results of operations. Player interaction with our games is subject to our privacy policy and terms of service. If we fail to comply with our posted privacy policy or terms of service or if we fail to comply with existing privacy-related or data protection laws and regulations, it could result in proceedings or litigation against us by governmental authorities or others, which could result in fines or judgments against us, damage our reputation, impact our financial condition and harm our business. If regulators, the media or consumers raise any concerns about our privacy and data protection or consumer protection practices, even if unfounded, this could also result in fines or judgments against us, damage our reputation, and negatively impact our financial condition and damage our business. In the area of information security and data protection, many jurisdictions have passed laws requiring notification when there is a security breach involving personal data or requiring the adoption of minimum information security standards that are often vaguely defined and difficult to implement. Our security measures and standards may not be sufficient to protect personal information and we cannot guarantee that our security measures will prevent security breaches. Sophisticated threat actors, ransomware groups, and nation-state affiliated actors continue to target digital entertainment and consumer technology companies. A significant cybersecurity incident could result in regulatory reporting obligations, contractual liabilities, and litigation in multiple jurisdictions. A security breach that compromises personal information could harm our reputation and result in a loss of player and/or employee confidence in our games and ultimately in a loss of players, which could adversely affect our business and impact our financial condition. A security breach could also involve loss or unavailability of business-critical data and could require us to spend significant resources to mitigate and repair the breach, which in turn could compromise our growth and adversely affect our ability to attract, monetize or retain players. These risks could also subject us to liability under applicable security breach-related laws and regulations and could result in additional compliance costs, costs related to regulatory inquiries and investigations, and an inability to conduct our business. Other jurisdictions, including Brazil (LGPD), Canada, India, and certain Asia-Pacific countries, have adopted or proposed comprehensive data protection laws, further increasing global compliance complexity. Compliance with the GDPR, LGPD, CCPA, CPRA, and similar legal requirements has required us to devote significant operational resources and incur significant expenses. We expect the number of jurisdictions adopting their own data privacy laws to increase, which will require us to devote additional significant operational resources and incur additional significant expenses and will also increase our exposure to risks of claims by our players that we have not complied with all applicable data privacy laws. All of our games are subject to our online privacy policy and our terms of service accessible through our platform providers' storefronts, from our games, and on our corporate website. While we strive to comply with such policies and all applicable laws, regulations, other legal and contractual obligations, and certain industry standards and codes of conduct relating to data privacy and data protection, these obligations may be interpreted and applied in a manner that is inconsistent from one jurisdiction to another and may conflict with other rules or our practices. It is also possible that new laws, regulations, other legal obligations or industry codes of conduct may be adopted, or existing laws, regulations, other legal obligations or industry codes of conduct may be interpreted in such a way that results in us having to take further compliance steps and/or could prevent us from being able to offer services to citizens of a certain jurisdiction or makes it costlier or more difficult for us to do so. Any failure or perceived failure by us to comply with our privacy policy and terms of service, or our data privacy-related legal obligations including those to our players or other third parties, or any compromise of security that results in the unauthorized release or transfer of personal information, including personal information about our players, may result in regulatory investigations, governmental enforcement actions, and significant fines, which, as an example, can be up to 20 million euros or up to 4% of the annual global revenue of the noncompliant undertaking, whichever is greater, for violations of certain requirements of the GDPR. The UK GDPR mirrors the fines under the GDPR. In addition to the foregoing, we may suffer reputational damage, orders to cease or change our processing of our data, civil claims including representative actions and other class action type litigation (where individuals have suffered harm), potentially amounting to significant compensation or damages liabilities, or public statements against us by consumer advocacy groups or others which could cause our players to lose trust in us, any of which could have an adverse effect on our business, financial condition, or results of operations. Additionally, if third parties we work with such as our players or vendors violate applicable laws or our policies, such violations may also put personal information at risk and expose us to potential liability and reputational harm. Regulatory investigations or enforcement actions may also result in mandated audits, monitoring obligations, or restrictions on future data processing activities. Any of the foregoing could materially and adversely affect our business, financial condition, results of operations, cash flows, or reputation.

Compared to all players who play our games in any period, only a small portion are paying players. As a result, a meaningful portion of our revenue is derived from a relatively small number of highly engaged players. In order to sustain and grow our revenue levels, we must attract, retain, and increase the number of paying players or more effectively monetize our players through advertising and other strategies. Spending patterns of paying players, particularly our most highly engaged players, can fluctuate significantly from period to period and are difficult to predict, To retain players, we must devote significant resources so that the games they play retain their interest and attract them to our other games. Players can easily reduce their spending or cease playing our games altogether in favor of competing entertainment options, including other social games, mobile games, or alternative forms of digital entertainment. We also organize periodic in-person events for our players and provide personal hosting services to our most engaged players. However, these initiatives involve significant costs, and there can be no assurance that they will result in increased engagement or monetization, particularly if we are unable to retain our paying players. If we fail to grow or sustain the number of our paying players, if player engagement levels decline, if the rates at which we attract and retain paying players declines, if the average amount our players pay declines, including due to changes in game mechanics, competitive dynamics, or regulatory or platform constraints, or if we fail to retain and effectively monetize the relatively small number of players that comprise our most highly engaged player tiers, our business may be negatively impacted and our financial results may suffer. Because a substantial portion of our revenue is derived from a relatively small number of highly engaged players, the loss or reduced spending of any of these players could have a disproportionate adverse effect on our business and results of operations.

We believe that establishing and maintaining our brands is critical to maintaining and creating favorable relationships with players, rewards partners, content licensors, and advertisers, as well as competing for key talent. Maintaining awareness of our brands and recognition of our games is particularly important to supporting engagement across our portfolio and enabling effective cross-promotion among our games. In addition, maintaining and, where appropriate, extending recognition of our brands and games across markets requires significant investment and extensive management time to execute successfully. Although we make significant sales and marketing expenditures, the effectiveness of such expenditures may diminish over time, including due to increased competition for player attention, changes in advertising platforms or algorithms, privacy restrictions, or rising player acquisition costs. Sales and marketing expenditures in connection with the launch of our games may not succeed in increasing awareness of our brands or the new games.In addition, negative publicity, player dissatisfaction, platform actions, or regulatory scrutiny could harm our brands or reputation, even if unrelated to the quality of our games.If we fail to increase and maintain brand awareness and consumer recognition of our games, our potential revenue could be limited, our costs could increase, and our business, financial condition, results of operations, or reputation could suffer. We strive to establish and maintain our brands by obtaining trademark rights, including for our games. Protecting and enforcing our intellectual property rights can be costly and time-consuming, and we may be unable to prevent third parties from using similar marks or engaging in conduct that dilutes or harms our brands. However, if our trademarks and trade names are not adequately protected, enforced or recognized in relevant jurisdictions, we may not be able to build name recognition in our markets of interest and our competitive position, business, financial condition, or results of operations may be harmed.

We maintain insurance coverage that we believe is customary for businesses of our size and industry. However, certain types of losses, including losses arising from cybersecurity incidents, intellectual property disputes, employment-related claims, regulatory investigations, business interruption, or geopolitical events, may be uninsured, uninsurable, or not economically reasonable to insure. In addition, any loss we incur could exceed applicable policy limits, may be subject to significant deductibles or exclusions, or may not be covered due to disputes over policy interpretation, and insurance proceeds may not be recovered in a timely manner, if at all. Any underinsured losses could adversely affect our business, financial condition, results of operations, cash flows, or reputation.

Our international operations subject us to a variety of risks and challenges that could adversely affect our business, financial condition, and results of operations. We currently operate game studios and conduct business activities across multiple countries outside the United States, which requires us to manage operations in diverse regulatory, legal, cultural, economic, and labor environments. Operating internationally increases the complexity of our business and exposes us to risks associated with differing local laws and regulations, employment practices, tax regimes, currencies, political and economic conditions, and business customs, as well as challenges related to managing a geographically dispersed workforce. These factors can require significant management attention and resources and may increase our operating costs or limit our ability to operate efficiently and effectively across our international footprint. Operating and managing our business across multiple foreign jurisdictions subjects us to a variety of risks, including risks associated with: - recruiting, retaining, and managing skilled management and employees in foreign jurisdictions, including compliance with local employment laws and practices;- challenges arising from geographic distance, time zone differences, language barriers, and cultural differences;- localizing game content, live operations, and player engagement strategies to reflect differing player preferences and market dynamics;- competition from local and regional game developers that may have stronger brand recognition, established intellectual property rights, or a greater understanding of local player behavior;- obtaining, protecting, defending, and enforcing our intellectual property rights in foreign jurisdictions;- negotiating and maintaining agreements with local distribution platforms and service providers on terms that are economically favorable to us and adequately protect our rights;- limitations on our ability to obtain or enforce proprietary rights in our brands, content, or technology in certain jurisdictions;- implementing and supporting payment methods that comply with local laws and commercial practices while managing fraud risk and credit exposure;- compliance with foreign laws and regulations, including those relating to data privacy and protection, cybersecurity, content standards, consumer protection, and advertising;- compliance with anti-bribery and anti-corruption laws, including the U.S. Foreign Corrupt Practices Act ("FCPA") and similar laws in other jurisdictions;- higher levels of payment fraud, chargebacks, or credit risk in certain markets;- fluctuations in foreign currency exchange rates, which may adversely affect our reported results of operations and cash flows;- protectionist laws, regulations, or business practices that favor local competitors;- potential double taxation of international earnings and adverse tax consequences resulting from changes in U.S. or foreign tax laws;- political, economic, or social instability in countries where we operate;- public health crises, such as the COVID-19 pandemic or other future epidemics or contagious disease outbreaks, which may adversely affect our employees, players, vendors, rewards partners, and other commercial partners;- higher costs associated with operating internationally, including audit, legal, compliance, labor, and infrastructure costs;- restrictions on, or increased costs associated with, the repatriation of funds;- compliance with applicable sanctions regimes, export and import controls, and trade or tariff restrictions; and - limitations on our ability to offer certain games or features in particular countries due to local laws, regulations, or platform requirements;. Certain of these laws and regulations require accurate recordkeeping and the maintenance of adequate internal accounting controls. While we have implemented policies, procedures, and controls designed to promote compliance with applicable laws and regulations, including the FCPA, these controls may not be effective in all circumstances. If an employee, contractor, intermediary, or business partner fails to comply with applicable laws or our internal policies, or if our controls are inadequate or improperly designed, we could be subject to civil or criminal penalties, fines, sanctions, or reputational harm, any of which could adversely affect our business, results of operations, cash flows, and financial condition. In addition, managing international operations involves operational and organizational complexity, including coordinating activities across multiple jurisdictions and regulatory regimes and overseeing a geographically dispersed workforce. We may not achieve the efficiencies, cost savings, or operating performance improvements we expect from our international operations. Our international business could also be disrupted by political unrest, terrorism, economic instability, or other geopolitical events, as well as by the imposition of tariffs, quotas, trade barriers, or similar restrictions by foreign governments. If we are unable to manage the complexity, cost structure, and compliance requirements of our international operations effectively, our business, financial condition, and results of operations could be adversely affected.