The global data protection landscape is rapidly evolving, and we are or may become subject to numerous state, federal and foreign laws, requirements and regulations governing the collection, use, disclosure, retention, and security of health-related and other personal information, including information we collect about children and infants, their parents and other consumers who purchase our products and services, as well as information that we may now or in the future collect in connection with clinical trials in the U.S. and abroad. Implementation standards and enforcement practices are likely to remain uncertain for the foreseeable future, and we cannot yet determine the impact future laws, regulations, standards, or perception of their requirements may have on our business. This evolution may create uncertainty in our business, affect our ability to operate in certain jurisdictions or to collect, store, transfer, use and share personal information, necessitate the acceptance of more onerous obligations in our contracts, result in liability or impose additional costs on us. The cost of compliance with these laws, regulations and standards is high and is likely to increase in the future. Any failure or perceived failure by us to comply with federal, state or foreign laws or regulations, our internal policies and procedures, or our contracts governing our processing of personal information could result in negative publicity, government investigations and enforcement actions, claims by third parties and damage to our reputation, any of which could have a material adverse effect on our operations, financial performance and business.
As our operations and business grow, we may become subject to or affected by new or additional data protection laws and regulations and face increased scrutiny or attention from regulatory authorities. In the U.S., the Health Insurance Portability and Accountability Act, as amended by the Health Information Technology for Economic and Clinical Health Act of 2009, and regulations promulgated thereunder (collectively, "HIPAA") imposes, among other things, certain standards relating to the privacy, security, transmission and breach reporting of individually identifiable health information. Certain states have also adopted comparable privacy and security laws and regulations, which govern the privacy, processing and protection of health-related and other personal information and some of which may be more stringent than HIPAA. Such laws and regulations will be subject to interpretation by various courts and other governmental authorities, thus creating potentially complex compliance issues for us and our future customers and strategic partners.
For example, the California Consumer Privacy Act ("CCPA"), as amended by the California Privacy Rights Act (collectively, the "CCPA") requires covered businesses that process the personal information of California residents to, among other things: (i) provide certain disclosures to California residents regarding the business's collection, use, and disclosure of their personal information; (ii) receive and respond to requests from California residents to access, delete, and correct their personal information, or to opt out of certain disclosures of their personal information; and (iii) enter into specific contractual provisions with service providers that process California resident personal information on the business's behalf. Similar laws have been passed in other states and are continuing to be proposed at the state and the federal level, reflecting a trend toward more stringent privacy legislation in the U.S. For example, Washington State enacted a broadly applicable law to protect the privacy of health information known as the "My Health My Data Act," which generally requires affirmative consent for the collection, use, or sharing of any "consumer health data." Consumer health data is defined to include personal information that is linked or reasonably linkable to a consumer and that identifies a consumer's past, present, or future physical or mental health status; consumer health data also includes information that is derived or extrapolated from non-health information through algorithms or machine learning. Other states, including Connecticut and Nevada, have also passed consumer health data laws, and given the increased focus on the use of health data by entities that are not subject to HIPAA, additional states are expected to pass consumer health privacy laws. The enactment of such laws could result in potentially conflicting requirements that would make compliance challenging.
In the event that we are subject to or affected by these or other domestic privacy and data protection laws, any liability from failure to comply with the requirements of these laws could adversely affect our financial condition.
Furthermore, the FTC also has authority to initiate enforcement actions against entities that make deceptive statements about privacy and data sharing in privacy policies, fail to limit third-party use of personal health information, fail to implement policies to protect personal health information or engage in other unfair practices that harm customers or that may violate Section 5(a) of the FTC Act. According to the FTC, failing to take appropriate steps to keep consumers' personal information secure can constitute unfair acts or practices in or affecting commerce in violation of Section 5(a) of the Federal Trade Commission Act. The FTC expects a company's data security measures to be reasonable and appropriate in light of the sensitivity and volume of consumer information it holds, the size and complexity of its business, and the cost of available tools to improve security and reduce vulnerabilities. The FTC and many state Attorneys General also continue to enforce federal and state consumer protection laws against companies for online collection, use, dissemination and security practices that appear to be unfair or deceptive. These consumer protection laws are increasingly being applied by FTC and state Attorneys General to regulate the collection, use, storage, and disclosure of personal or personally identifiable information, through websites or otherwise, and to regulate the presentation of website content.
We are also or may become subject to rapidly evolving data protection laws, rules and regulations in foreign jurisdictions. For example, the General Data Protection Regulation ("GDPR") went into effect in May 2018 and imposes strict requirements for processing the personal data of individuals within the EEA, including in relation to the use, collection, analysis, and transfer (including cross-border transfer) of such personal data. Companies that must comply with the GDPR face increased compliance obligations and risk, including more robust regulatory enforcement of data protection requirements and potential fines for noncompliance of up to €20 million or 4% of the annual global revenues of the noncompliant company, whichever is greater. In addition to fines, a breach of the GDPR may result in regulatory investigations, reputational damage, orders to cease or change our data processing activities, enforcement notices, assessment notices (for a compulsory audit) and/or civil claims (including class actions). Among other requirements, the GDPR regulates transfers of personal data subject to the GDPR to third countries that have not been found to provide adequate protection to such personal data, including the United States, and the efficacy and longevity of current transfer mechanisms between the EEA and the United States remain uncertain. Case law from the Court of Justice of the European Union ("CJEU") states that reliance on the standard contractual clauses – a standard form of contract approved by the European Commission as an adequate personal data transfer mechanism – alone may not necessarily be sufficient in all circumstances and that transfers must be assessed on a case-by-case basis. On July 10, 2023, the European Commission adopted its Adequacy Decision in relation to the new EU-US Data Privacy Framework ("DPF"), rendering the DPF effective as a GDPR transfer mechanism to U.S. entities self-certified under the DPF.
We currently rely on the EU standard contractual clauses and the UK Addendum to the EU standard contractual clauses and the UK International Data Transfer Agreement and the DPF as relevant to transfer personal data outside the EEA and the UK, including to the United States, with respect to both intragroup and third party transfers. We expect the existing legal complexity and uncertainty regarding international personal data transfers to continue. In particular, we expect the DPF Adequacy Decision to be challenged and international transfers to the United States and to other jurisdictions more generally to continue to be subject to enhanced scrutiny by regulators. As a result, we may have to make certain operational changes and we will have to implement revised standard contractual clauses and other relevant documentation for existing data transfers within required time frames.
Since the beginning of 2021, after the end of the transition period following the UK's departure from the European Union, we are also subject to the United Kingdom General Data Protection Regulation and Data Protection Act 2018 (collectively, the "UK GDPR"), which imposes separate but similar obligations to those under the GDPR and comparable penalties, including fines of up to £17.5 million or 4% of a noncompliant company's global annual revenue for the preceding financial year, whichever is greater. On October 12, 2023, the UK Extension to the DPF came into effect (as approved by the UK Government), as a UK GDPR data transfer mechanism to U.S. entities self-certified under the UK Extension to the DPF. As we continue to expand into other foreign countries and jurisdictions, we may be subject to additional laws and regulations that may affect how we conduct business.
Although we work to comply with applicable laws, regulations and standards, our contractual obligations and other legal obligations, these requirements are evolving and may be modified, interpreted and applied in an inconsistent manner from one jurisdiction to another, and may conflict with one another or with other legal obligations with which we must comply. Any failure or perceived failure by us or our employees, representatives, contractors, consultants, collaborators, or other third parties to comply with such requirements or to adequately address privacy and security concerns, even if unfounded, could result in additional cost and liability to us, regulatory investigations or enforcement actions, litigation (including class actions) and damage to our reputation, and could adversely affect our business and results of operations.