Owlet (OWLT) Risk Analysis

Regulatory agencies in many countries require us to report potential safety issues with our products and services under a variety of circumstances. For example, the FDA's Medical Device Reporting regulations require that for any medical device we market, we report when we become aware of information that reasonably suggests that the product may have caused or contributed to a death or serious injury, or has malfunctioned in a way that, if the malfunction were to recur, would likely cause or contribute to a death or serious injury. We may fail to report adverse events of which we become aware within the prescribed timeframe. We may also fail to recognize that we have become aware of a reportable adverse event, especially if it is not reported to us as an adverse event or if it is an adverse event that is unexpected or removed in time from the use of the implant system. If we fail to comply with our reporting obligations, the FDA could take action, including warning letters, untitled letters, administrative actions, criminal prosecution, imposition of civil monetary penalties, revocation of our device clearance, seizure of our products or delay in clearance of future products. Similarly, under the Consumer Product Safety Commission ("CPSC") reporting requirements, we are required to report to the CPSC any incident in which a CPSC-regulated product of ours creates an unreasonable risk of serious injury or death, contains a defect which could create a substantial product hazard, fails to comply with an applicable consumer product safety rule, or fails to comply with any other rule, regulation, standard or ban enforced by the CPSC. In addition, all manufacturers placing medical devices on the market in the EU are legally required to immediately report any serious incidents and field safety corrective actions involving products produced or sold by the manufacturer to the relevant authority in those jurisdictions where any such incident occurred. As to general consumer products, where manufacturers and distributors know or ought to know that a product that they have placed on the market poses risks to the consumer that are incompatible with the general safety requirements, they shall immediately inform the relevant authority in the relevant jurisdictions. The FDA, CPSC and similar foreign regulatory authorities have the authority to require the recall of our commercialized products under certain circumstances and depending on the type of product. For example, the FDA must find that there is a reasonable probability that a medical device would cause serious adverse health consequences or death in order to require a recall. The standard for ordering a mandatory recall may be different for each regulatory agency and in foreign jurisdictions. In addition, manufacturers may, under their own initiative, correct or remove a marketed product for any reason and under any circumstance, which may constitute a recall if the product violates applicable laws. A government-mandated or voluntary recall by us or by one of our distributors could occur as a result of component failures, manufacturing errors, design or labeling defects or other deficiencies and issues. We may initiate certain field actions, such as a correction or removal of our products in the future. Any correction or removal initiated by us to reduce a health risk posed by a medical device, or to remedy a regulatory violation caused by the device that may present a risk to health, must be reported to the FDA. Other regulatory authorities may have similar reporting requirements. If the regulatory agency subsequently determines that a report was required for a correction or removal of our products that we did not believe required a report, we could be subject to enforcement actions. Any recalls of our products or enforcement actions would divert managerial and financial resources and could have an adverse effect on our financial condition and results of operations. In addition, given our dependence upon consumer perceptions, any negative publicity associated with any recalls could materially and adversely affect our business, financial condition, results of operations and growth prospects.

We are, and may in the future become, party to litigation, regulatory proceedings or other disputes. In general, claims made by or against us in disputes and other legal or regulatory proceedings can be expensive and time-consuming to bring or defend against, requiring us to expend significant resources and divert the efforts and attention of our management and other personnel from our business operations. These potential claims may include but are not limited to personal injury and class action lawsuits, intellectual property claims and regulatory investigations relating to the advertising and promotional claims about our products and services and employee claims against us based on, among other things, discrimination, harassment or wrongful termination. Any one of these claims, even those without merit, may divert our financial and management resources that would otherwise be used to benefit the future performance of our operations. Any adverse determination against us in these proceedings, or even the allegations contained in the claims, regardless of whether they are ultimately found to be without merit, may also result in settlements, injunctions or damages that could have a material adverse effect on our business, financial condition and results of operations. Additionally, in the past, securities class action and derivative litigation has often been brought against a company following a decline in the market price of its securities. For example, in November 2021, two putative class action complaints were filed against us in the U.S. District Court for the Central District of California, the first captioned Butala v. Owlet, Inc., Case No. 2:21-cv-09016, and the second captioned Cherian v. Owlet, Inc., Case No. 2:21-cv-09293. For additional information regarding these matters, and other legal proceedings involving the Company, see, Part II. Item 8. "Financial Statements and Supplementary Data" - Note 7. These lawsuits and any future lawsuits to which we may become a party are subject to inherent uncertainties and will likely be expensive and time-consuming to investigate, defend and resolve. Any litigation to which we are a party may result in an onerous or unfavorable judgment that may not be reversed upon appeal, or in payments of substantial monetary damages or fines, or we may decide to settle this or other lawsuits on similarly unfavorable terms, which could have a material adverse effect on our business, financial condition, results of operations or stock price.

State, local and foreign tax jurisdictions have differing rules and regulations governing sales, use, value-added and other taxes, and these rules and regulations can be complex and are subject to varying interpretations that may change over time. Existing tax laws, statutes, rules, regulations, or ordinances could be interpreted, changed, modified, or applied adversely to us (possibly with retroactive effect). One or more states, countries or other jurisdictions may seek to impose sales, use, value added or other tax collection obligations on us, including for past sales. A successful assertion by a state, country or other jurisdiction that we should have been or should be collecting additional sales, use, value added or other taxes on our products could, among other things, result in substantial tax liabilities for past sales, create significant administrative burdens for us, or otherwise harm our business, results of operations, and financial condition.

The global data protection landscape is rapidly evolving, and we are or may become subject to numerous state, federal and foreign laws, requirements and regulations governing the collection, use, disclosure, retention, and security of health-related and other personal information, including information we collect about children and infants, their parents and other consumers who purchase our products and services, as well as information that we may now or in the future collect in connection with clinical trials in the U.S. and abroad. Implementation standards and enforcement practices are likely to remain uncertain for the foreseeable future, and we cannot yet determine the impact future laws, regulations, standards, or perception of their requirements may have on our business. This evolution may create uncertainty in our business, affect our ability to operate in certain jurisdictions or to collect, store, transfer, use and share personal information, necessitate the acceptance of more onerous obligations in our contracts, result in liability or impose additional costs on us. The cost of compliance with these laws, regulations and standards is high and is likely to increase in the future. Any failure or perceived failure by us to comply with federal, state or foreign laws or regulations, our internal policies and procedures, or our contracts governing our processing of personal information could result in negative publicity, government investigations and enforcement actions, claims by third parties and damage to our reputation, any of which could have a material adverse effect on our operations, financial performance and business. As our operations and business grow, we may become subject to or affected by new or additional data protection laws and regulations and face increased scrutiny or attention from regulatory authorities. In the U.S., the Health Insurance Portability and Accountability Act, as amended by the Health Information Technology for Economic and Clinical Health Act of 2009, and regulations promulgated thereunder (collectively, "HIPAA") imposes, among other things, certain standards relating to the privacy, security, transmission and breach reporting of individually identifiable health information. Certain states have also adopted comparable privacy and security laws and regulations, which govern the privacy, processing and protection of health-related and other personal information and some of which may be more stringent than HIPAA. Such laws and regulations will be subject to interpretation by various courts and other governmental authorities, thus creating potentially complex compliance issues for us and our future customers and strategic partners. For example, the California Consumer Privacy Act ("CCPA"), as amended by the California Privacy Rights Act (collectively, the "CCPA") requires covered businesses that process the personal information of California residents to, among other things: (i) provide certain disclosures to California residents regarding the business's collection, use, and disclosure of their personal information; (ii) receive and respond to requests from California residents to access, delete, and correct their personal information, or to opt out of certain disclosures of their personal information; and (iii) enter into specific contractual provisions with service providers that process California resident personal information on the business's behalf. Similar laws have been passed in other states and are continuing to be proposed at the state and the federal level, reflecting a trend toward more stringent privacy legislation in the U.S. For example, Washington State enacted a broadly applicable law to protect the privacy of health information known as the "My Health My Data Act," which generally requires affirmative consent for the collection, use, or sharing of any "consumer health data." Consumer health data is defined to include personal information that is linked or reasonably linkable to a consumer and that identifies a consumer's past, present, or future physical or mental health status; consumer health data also includes information that is derived or extrapolated from non-health information, such as algorithms and machine learning. Other states, including Connecticut and Nevada, have also passed consumer health data laws, and given the increased focus on the use of health data by entities that are not subject to HIPAA, additional states are expected to pass consumer health privacy laws. The enactment of such laws could have potentially conflicting requirements that would make compliance challenging. In the event that we are subject to or affected by or other domestic privacy and data protection laws, any liability from failure to comply with the requirements of these laws could adversely affect our financial condition. Furthermore, the FTC also has authority to initiate enforcement actions against entities that make deceptive statements about privacy and data sharing in privacy policies, fail to limit third-party use of personal health information, fail to implement policies to protect personal health information or engage in other unfair practices that harm customers or that may violate Section 5(a) of the FTC Act. According to the FTC, failing to take appropriate steps to keep consumers' personal information secure can constitute unfair acts or practices in or affecting commerce in violation of Section 5(a) of the Federal Trade Commission Act. The FTC expects a company's data security measures to be reasonable and appropriate in light of the sensitivity and volume of consumer information it holds, the size and complexity of its business, and the cost of available tools to improve security and reduce vulnerabilities. The FTC and many state Attorneys General also continue to enforce federal and state consumer protection laws against companies for online collection, use, dissemination and security practices that appear to be unfair or deceptive. These consumer protection laws are increasingly being applied by FTC and state Attorneys General to regulate the collection, use, storage, and disclosure of personal or personally identifiable information, through websites or otherwise, and to regulate the presentation of website content. We are also or may become subject to rapidly evolving data protection laws, rules and regulations in foreign jurisdictions. For example, the General Data Protection Regulation ("GDPR") went into effect in May 2018 and imposes strict requirements for processing the personal data of individuals within the EEA, including in relation to use, collection, analysis, and transfer (including cross-border transfer) of such personal data. Companies that must comply with the GDPR face increased compliance obligations and risk, including more robust regulatory enforcement of data protection requirements and potential fines for noncompliance of up to €20 million or 4% of the annual global revenues of the noncompliant company, whichever is greater. In addition to fines, a breach of the GDPR may result in regulatory investigations, reputational damage, orders to cease or change our data processing activities, enforcement notices, assessment notices (for a compulsory audit) and/ or civil claims (including class actions). Among other requirements, the GDPR regulates transfers of personal data subject to the GDPR to third countries that have not been found to provide adequate protection to such personal data, including the United States, and the efficacy and longevity of current transfer mechanisms between the EEA and the United States remains uncertain. Case law from the Court of Justice of the European Union ("CJEU") states that reliance on the standard contractual clauses – a standard form of contract approved by the European Commission as an adequate personal data transfer mechanism – alone may not necessarily be sufficient in all circumstances and that transfers must be assessed on a case-by-case basis. On July 10, 2023, the European Commission adopted its Adequacy Decision in relation to the new EU-US Data Privacy Framework ("DPF"), rendering the DPF effective as a GDPR transfer mechanism to U.S. entities self-certified under the DPF. We currently rely on the EU standard contractual clauses and the UK Addendum to the EU standard contractual clauses and the UK International Data Transfer Agreement and the DPF as relevant to transfer personal data outside the EEA and the UK, including to the United States, with respect to both intragroup and third party transfers. We expect the existing legal complexity and uncertainty regarding international personal data transfers to continue. In particular, we expect the DPF Adequacy Decision to be challenged and international transfers to the United States and to other jurisdictions more generally to continue to be subject to enhanced scrutiny by regulators. As a result, we may have to make certain operational changes and we will have to implement revised standard contractual clauses and other relevant documentation for existing data transfers within required time frames. Since the beginning of 2021, after the end of the transition period following the UK's departure from the European Union, we are also subject to the United Kingdom General Data Protection Regulation and Data Protection Act 2018 (collectively, the "UK GDPR"), which imposes separate but similar obligations to those under the GDPR and comparable penalties, including fines of up to £17.5 million or 4% of a noncompliant company's global annual revenue for the preceding financial year, whichever is greater. On October 12, 2023, the UK Extension to the DPF came into effect (as approved by the UK Government), as a UK GDPR data transfer mechanism to U.S. entities self-certified under the UK Extension to the DPF. As we continue to expand into other foreign countries and jurisdictions, we may be subject to additional laws and regulations that may affect how we conduct business. Although we work to comply with applicable laws, regulations and standards, our contractual obligations and other legal obligations, these requirements are evolving and may be modified, interpreted and applied in an inconsistent manner from one jurisdiction to another, and may conflict with one another or other legal obligations with which we must comply. Any failure or perceived failure by us or our employees, representatives, contractors, consultants, collaborators, or other third parties to comply with such requirements or adequately address privacy and security concerns, even if unfounded, could result in additional cost and liability to us, regulatory investigations or enforcement actions, litigation (including class actions), damage our reputation, and adversely affect our business and results of operations.

We must successfully manage introductions of new or advanced products, such as BabySat and Dream Sock, and services, such as the development of our software platform and our subscription offering, Owlet360. Development of new products and services requires the expenditure of considerable time and resources, but we may not be able to successfully develop and introduce such products on a timely basis, or at all. Products and services that are not well-received by the market may lead to excess inventory and discounting of our existing products and services. Inventory levels in excess of consumer demand may result in inventory write-downs or write-offs and the sale of inventory at discounted prices, may affect our gross margin and could impair the strength of our brand. Reserves and write-downs for rebates, promotions and excess inventory are recorded based on our forecast of future demand. Actual future demand could be less than our forecast, which may result in additional reserves and write-downs in the future, or actual demand could be stronger than our forecast, which may result in increased shipping costs and a reduction to previously recorded reserves and write-downs in the future and increase the volatility of our operating results. Introductions of new or advanced products and services could also adversely impact the sales of our existing products and services to consumers. For instance, the introduction or announcement of new or advanced products and services may shorten the life cycle of our existing products or reduce demand, thereby reducing any benefits of successful product or service introductions and potentially leading to challenges in managing write-downs or write-offs of inventory of existing products and services. In addition, some of our products are regulated by the FDA and foreign regulatory agencies as medical devices and require marketing authorization from the FDA and similar marketing authorization or certification from other applicable regulatory authorities or notified bodies prior to commercialization. New products, particularly those products needing to meet FDA or other regulatory requirements, may have higher manufacturing costs than legacy products, which could negatively impact our gross margins and operating results. Accordingly, if we fail to effectively manage introductions of new or advanced products and services, our business may be adversely affected. We have in the past experienced challenges managing the inventory of our products, which has led and may in the future lead to increased shipping costs for air freight in order to fulfill customer orders in a timely manner, which has affected our gross margin and could impair the strength of our brand.

In addition to patent protection, we also rely on protection of copyrights, trade secrets, know-how and confidential and proprietary information. We generally enter into confidentiality and invention assignment agreements with our employees, consultants and third parties upon their commencement of a relationship with us. However, we may not enter into such agreements with all employees, consultants and third parties who have been involved in the development of our intellectual property and such agreements may not be enforceable in accordance with the terms in every jurisdiction where such employees, consultants or third parties reside or are employed. In addition, these agreements may not provide meaningful protection against the unauthorized use or disclosure of our trade secrets or other confidential information, and adequate remedies may not exist if unauthorized use or disclosure were to occur. The exposure of our trade secrets and other proprietary information would impair our competitive advantages and could have a material adverse effect on our business, financial condition and results of operations. In particular, a failure to protect our proprietary rights may allow competitors to copy our technology, which could adversely affect our pricing and market share. Further, other parties may independently develop substantially equivalent know-how and technology. In addition to contractual measures, we try to protect the confidential nature of our proprietary information using commonly accepted physical and technological security measures. Such measures may not, for example, in the case of misappropriation of a trade secret by an employee or third party with authorized access, provide adequate protection for our proprietary information. Our security measures may not prevent an employee or consultant from misappropriating our trade secrets and providing them to a competitor, and recourse we take against such misconduct may not provide an adequate remedy to protect our interests fully. Unauthorized parties may also attempt to copy or reverse engineer certain aspects of our products and services that we consider proprietary and a trade secret. Enforcing a claim that a party illegally disclosed or misappropriated a trade secret can be difficult, expensive and time-consuming, and the outcome is unpredictable. Even though we use commonly accepted security measures, trade secret violations are often a matter of state law, and the criteria for protection of trade secrets can vary among different jurisdictions. In addition, trade secrets may be independently developed by others in a manner that could prevent legal recourse by us. We also have agreements with our employees, consultants and third parties that obligate them to assign their inventions to us, however these agreements may not be self-executing, not all employees or consultants may enter into such agreements, or employees or consultants may breach or violate the terms of these agreements, and we may not have adequate remedies for any such breach or violation. If any of our intellectual property or confidential or proprietary information, such as our trade secrets, were to be disclosed or misappropriated, or if any such information was independently developed by a competitor, it could have a material adverse effect on our competitive position, business, financial condition, results of operations, and prospects.

Because our products and services are used by caregivers to monitor infants, it is critical that our products and services be accessible without interruption or degradation of performance. Customers may become dissatisfied by any system failure that interrupts our ability to provide our services to them. Sustained or repeated system failures would reduce the attractiveness of our products or services to customers. Moreover, negative publicity arising from these types of disruptions could damage our reputation and may adversely impact use of our products and services. We currently host our products and services, serve our customers and support our operations primarily from third-party data and call centers and other cloud-based services. For example, we rely on cloud services and bespoke software services provided by Ayla Networks for our Dream Sock and Smart Sock products to support the transfer of data to the cloud and back to us and the user. Additionally, we rely on the data transfer services of ThroughTek to enable video viewing access for the Owlet Cam. We do not have control over the operations of the services or the facilities of any of those providers. These facilities are vulnerable to damage or interruption from earthquakes, hurricanes, floods, fires, cyber security attacks, terrorist attacks, power losses, telecommunications failures and similar events. Certain of these events may be exacerbated by climate change; for more information, see our risk factor titled "We are subject to a series of risks regarding climate change." The occurrence of a natural disaster or an act of terrorism, a decision to close the facilities without adequate notice, or other unanticipated problems could result in lengthy interruptions in our services. The facilities also could be subject to break-ins, computer viruses, sabotage, intentional acts of vandalism and other misconduct. We may not be able to easily switch our cloud operations to another cloud provider if there are disruptions or interference with such providers. None of our third-party cloud-based providers has an obligation to renew their agreements with us on commercially reasonable terms, or at all. If we are unable to renew our agreements with these providers on commercially reasonable terms, if our agreements with our providers are prematurely terminated, or if in the future we add additional cloud-based providers, we may experience costs or downtime in connection with the transfer to, or the addition of, new providers. If these providers were to increase the cost of their services, we may have to increase the price of our products and services, and our operating results may be materially adversely affected. Furthermore, we are subject to the risk that one or more of our critical third-party providers, such as Ayla Networks or ThroughTek, may experience financial instability, file for bankruptcy, or otherwise cease operations. The loss of a key provider could result in significant disruptions to our services, delays in product functionality, and increased costs associated with transitioning to alternative providers. Because our products are essential for infant monitoring, any such disruption could severely damage our reputation and adversely affect our business, financial condition, and results of operations.

With respect to Dream Sock and Owlet Cam, we utilize a direct-to-consumer model where consumers purchase our products directly from us or one of our retailers. Currently, these products are not covered or reimbursed by any third-party payor. In the U.S., healthcare providers who may purchase these products generally rely on third-party payors, including Medicare, Medicaid and private health insurance plans, to pay for all or a portion of the cost of our products. To contain costs of new technologies, governmental healthcare programs and third-party payors are increasingly scrutinizing new and existing medical devices by requiring extensive evidence of favorable clinical outcomes. To the extent we market any medical devices, are successful in obtaining FDA marketing authorization to the extent applicable, and third-party payors determine that our products are medically necessary and clinically effective, the resulting reimbursement payment rates might not be adequate or may require co-payments that patients find unacceptably high. Third-party payors regularly update reimbursement amounts and may also revise the methodologies from time to time used to determine reimbursement amounts. This includes routine updates to payments to physicians for services provided. These updates could directly impact the demand for our products in the event our products or services using our products are covered and/or reimbursed by third-party payors. Although we believe that healthcare providers may be able to bill third-party payors using existing Current Procedural Terminology ("CPT") codes for the remote monitoring of patients using products for which we obtain FDA authorization, including the initial set-up and patient education on the use of such products, their inability to obtain adequate reimbursement from third-party payors may adversely affect our business. In addition, foreign jurisdictions have their own unique healthcare systems and regulation regimes that differ substantially from the U.S. and other international markets. Successfully navigating those regimes will require significant resources and may ultimately be unsuccessful. As a result, our financial performance could be harmed, our costs could increase, and our ability to generate revenue could be delayed. Given the evolving nature of the healthcare industry and on-going healthcare cost reforms, the likelihood of success of our new commercial strategy is, and will continue to be, subject to changes in the level of third-party payor coverage and reimbursement for these products and services.

As part of our marketing efforts, we rely on search engine marketing and social media platforms to attract and retain customers. These efforts may not be successful, and pose a variety of other risks, including the improper disclosure of proprietary information, the posting of negative comments about our brand, the exposure of personally identifiable information, fraud, use of out-of-date information or failure to comply with regulations regarding such practices. Negative or false commentary about us or our products or services may be posted on social media platforms and may harm our reputation or business and social media has also given users the ability to more effectively organize collective actions, such as boycotts, which could be taken against us or our products or services. Customers value readily available information and often act on such information without affording us an opportunity for redress or correction. The inappropriate use of social media vehicles, including a failure to abide by applicable laws and regulations, in the use of social media by us or our influencers, employees, contractors, suppliers, customers or other third parties associated or perceived to be associated with us could increase our costs, lead to litigation, fines or regulatory action or result in negative publicity that could damage our reputation. The occurrence of any such developments could have an adverse effect on our business results. In addition, events such as the Warning Letter reported in the media, including social media, whether or not accurate or involving us or our products or services, could create or amplify negative publicity for us or for the industry or market segments in which we operate. These and other types of social media risks could reduce demand for products and services offered by us and/or shift consumer preferences to competitors and could result in a decrease in customer demand for our products and services.

We market our products directly to consumers in the U.S. and a select number of international countries. If demand increases, we will be required to increase production proportionally. Adapting to changes in demand inherently lags behind the actual changes because it takes time to identify the change the market is undergoing and to implement any measures taken as a result. Further, increases in production requires significant capital expenditure. Finally, capacity adjustments are inherently risky because there is imperfect information, and market trends may rapidly intensify, ebb or even reverse. We have in the past not always been, and may in the future not be, able to accurately or timely predict trends in demand and consumer behavior or to take appropriate measures to mitigate risks and exploit opportunities resulting from such trends. Any inability in the future to identify or to adequately and effectively react to changes in demand could have a material adverse effect on our business, financial condition and results of operations.

Both our IT infrastructure and our products and services leverage third-party technology solutions, software and software services. While much of this third-party technology is commercially available, off-the-shelf technology procured on standard terms and conditions, we cannot be assured that the applicable vendors will continue to make this third-party technology available on the same terms and conditions. Because this technology has been integrated into our operations and may have been configured for our specific needs, replacement of such technology could result in substantial delay, additional costs, and possible business interruptions. In addition, if third-party vendors, including any cloud service providers, were to experience unplanned downtime, delays or other similar issues, our products, services and internal operations could be significantly and adversely impacted.