We collect, process, store, use and share data, some of which contains personal information, including the personal information of our players. Our business is therefore subject to a number of federal, state, local and foreign laws, regulations, regulatory codes and guidelines governing data privacy, data protection and security, including with respect to the collection, storage, use, processing, transmission, sharing and protection of personal information. Such laws, regulations, regulatory codes and guidelines may be inconsistent across jurisdictions or conflict with other rules.
The scope of data privacy and security regulations worldwide continues to evolve, and we believe that the adoption of increasingly restrictive regulations in this area is likely within the United States and other jurisdictions. For example, in 2018, California enacted the California Consumer Privacy Act ("CCPA"), which became effective on January 1, 2020. The CCPA gives California residents new rights to access and require deletion of their personal information, opt out of certain personal information sharing, and receive detailed information about how their personal information is collected, used, and shared. The CCPA provides for civil penalties for violations, as well as a private right of action for security breaches that may increase security breach litigation. The effects of the CCPA are significant and have required, and could continue to require, us to modify our data collection or processing practices and policies and to incur substantial costs and expenses in an effort to comply. Some observers have noted that the CCPA could mark the beginning of a trend toward more stringent state privacy legislation in the U.S., which could increase our potential liability and adversely affect our business. Further, in November 2020, California voters passed the California Privacy Rights Act, or CPRA. The CPRA significantly expands the CCPA, including by introducing additional obligations such as data minimization and storage limitations, granting additional rights to consumers, such as correction of personal information and additional opt-out rights, and creates a new entity, the California Privacy Protection Agency, to implement and enforce the law. Further, there currently are a number of additional proposals related to data privacy or security pending before federal, state, and foreign legislative and regulatory bodies and a number of U.S. states have adopted consumer protection laws similar to the CCPA. 
This legislation may add additional complexity, variation in requirements, restrictions and potential legal risk, require additional investment in resources to compliance programs, and could impact strategies and availability of previously useful data and could result in increased compliance costs and/or changes in business practices and policies.
Further, the European Union has adopted comprehensive data privacy and security regulations. The European Union's Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), or the GDPR, which became effective in May 2018, imposes strict requirements on controllers and processors of personal data in the European Economic Area, or EEA, including, for example, higher standards for obtaining consent from individuals to process their personal data, more robust disclosures to individuals and a strengthened individual data rights regime, and shortened timelines for data breach notifications. The GDPR created compliance obligations applicable to our business and some of our players, which could require us to self-determine how to interpret and implement these obligations, change our business practices and expose us to lawsuits (including class action or similar representative lawsuits) by consumers or consumer organizations for alleged breach of data protection laws. The GDPR increases financial penalties for noncompliance (including possible fines of up to 4% of global annual revenues for the preceding financial year or €20 million (whichever is higher) for the most serious violations). The United Kingdom operates a separate but similar regime to the European Union that allows for fines of up to the greater of £17.5 million or 4% of the total worldwide annual turnover of the preceding financial year. Further, beginning January 1, 2021, we were required to comply with the GDPR and also the United Kingdom GDPR (UK GDPR), which, together with the amended United Kingdom Data Protection Act 2018, retains the GDPR in United Kingdom national law. These laws and regulations lead to additional costs and increase our overall risk exposure.
In recent years, the United States and European lawmakers and regulators have expressed concern over electronic marketing and the use of third-party cookies, web beacons and similar technology for online behavioral advertising. In the European Union, marketing is defined broadly to include any promotional material and the rules specifically on e-marketing are currently set out in the ePrivacy Directive which will be replaced by a new ePrivacy Regulation. While the ePrivacy Regulation was originally intended to be adopted in May 2018 (alongside the GDPR), it is still going through the European legislative process. The current draft of the ePrivacy Regulation imposes strict opt-in e-marketing rules with limited exceptions for business-to-business communications and significantly increases fining powers to the same levels as the GDPR. Regulation of cookies and web beacons may lead to broader restrictions on our online activities, including efforts to understand followers' internet usage and promote ourselves to them.
Israel has also implemented data protection laws and regulations, including the Israeli Protection of Privacy Law, 5741-1981, or the PPL. The PPL imposes certain obligations on the owners of databases containing personal data, including, e.g., a requirement to register databases with certain characteristics, an obligation to notify data subjects of the purposes for which their personal data is collected and processed and of the disclosure of such data to third parties, a requirement to respond to certain requests from data subjects to access, rectify, and/or delete personal data relating to them and an obligation to maintain the security of personal data. In addition, the Protection of Privacy Regulations (Data Security), 5777-2017, that entered into force in May 2018, impose comprehensive data security requirements on the processing of personal data. The Protection of Privacy Regulations (Transfer of Data to Overseas Databases), 5761-2001, further impose certain conditions on cross-border transfers of personal data from databases in Israel.
Certain violations of the PPL are considered a criminal and/or a civil offense and could expose the violating entity to criminal, administrative, and financial sanctions, as well as to civil actions. Additionally, the Israel Privacy Protection Authority, or the Privacy Protection Authority, may issue a public statement that an entity violated the PPL, and such a determination could potentially be used against such entity in civil litigation. The Israeli Ministry of Justice has introduced amendments to the PPL designed, among other things, to enhance the Privacy Protection Authority's investigative and enforcement powers (including powers to impose fines) and to broaden data subject rights.
Regarding transfers to the United States of personal data (as such term is used in the GDPR and applicable EU member state legislation) about our staff, European users, and other third parties, we utilize certain standard contractual clauses approved by the EU Commission (the SCCs). The SCCs and other cross-border data transfer mechanisms have been the subject of legal challenges and regulatory scrutiny in the past and may face additional legal challenges or be the subject of additional legislative activity and regulatory guidance. We may need to implement different or additional measures to establish or maintain legitimate means for the transfer and receipt of personal data from the European Economic Area, Switzerland and the United Kingdom to the United States (and other countries), and we may, in addition to other impacts, experience additional costs associated with increased compliance burdens, and we face the potential for regulators to apply different standards to the transfer of personal data from the European Economic Area, Switzerland and the United Kingdom to the United States (and other countries), and to block, or require verification of measures taken with respect to, certain data flows from the European Economic Area, Switzerland and the United Kingdom to the United States (and other countries). We also may be required to engage in contract negotiations with third parties that aid in processing data on our behalf, to the extent that any of our service providers or consultants have been relying on invalidated or insufficient transfer mechanisms (including the EU-U.S. Privacy Shield and/or contractual protections) for compliance with evolving interpretations of and guidance for cross-border data transfers pursuant to the GDPR, Swiss privacy laws, and UK privacy laws. 
In such cases, we may not be able to find alternative service providers which could limit our ability to process personal data from the European Economic Area, Switzerland, or the United Kingdom and increase our costs and/or impact our games or other offerings. We may face a risk of enforcement actions by data protection authorities in the European Economic Area, Switzerland and the United Kingdom relating to personal data transfers. Any such enforcement actions could result in substantial costs and diversion of resources, distract management and technical personnel, and adversely affect our business, financial condition, and results of operations.
Efforts to comply with these and other data privacy and security restrictions that may be enacted could require us to modify our data processing practices and policies and increase the cost of our operations. Failure to comply with such restrictions could subject us to criminal and civil sanctions and other penalties. In part due to the uncertainty of the legal climate, complying with regulations, and any applicable rules or guidance from regulatory authorities or self-regulatory organizations relating to privacy, data protection, information security and consumer protection, may result in substantial costs and may necessitate changes to our business practices, which may compromise our growth strategy, adversely affect our ability to attract or retain players, and otherwise adversely affect our business, reputation, legal exposure, financial condition and results of operations.
Any failure or perceived failure by us to comply with our posted privacy policies, our privacy-related obligations to players or other third parties, or any other legal obligations or regulatory requirements relating to privacy, data protection, or information security may result in governmental investigations or enforcement actions, litigation, claims (including class actions), or public statements against us by consumer advocacy groups or others and could result in significant liability, cause our players to lose trust in us, and otherwise materially and adversely affect our reputation and business. Furthermore, the costs of compliance with, and other burdens imposed by, the laws, regulations, and policies that are applicable to us may limit the adoption and use of, and reduce the overall demand for, our games. Additionally, if third parties we work with, such as our service providers or data sharing partners, violate applicable laws, regulations, or agreements, such violations may put our players' and/or employees' data at risk, could result in governmental investigations or enforcement actions, fines, litigation, claims (including class action claims) or public statements against us by consumer advocacy groups or others and could result in significant liability, cause our players to lose trust in us and otherwise materially and adversely affect our reputation and business. Further, public scrutiny of, or complaints about, technology companies or their data handling or data protection practices, even if unrelated to our business, industry or operations, may lead to increased scrutiny of technology companies, including us, and may cause government agencies to enact additional regulatory requirements, or to modify their enforcement or investigation activities, which may increase our costs and risks.
While most of our games do not primarily target children under 18 years of age as their primary audience, the FTC, as well as consumer organizations, may consider that the characteristics of several of our games attract children under 13 years of age. The U.S. Children's Online Privacy Protection Act, or COPPA, regulates the collection, use and disclosure of personal information from children under 13 years of age. The FTC has taken action against another gaming company relating to children's privacy, and in December 2022, Epic Games, the maker of the popular game Fortnite, agreed to pay a $275 million fine for alleged violations of COPPA as well as take other corrective actions. While none of our games are directed at children under 13 years of age, if COPPA were to apply to us, failure to comply with COPPA may increase our costs, subject us to expensive and distracting government investigations and could result in substantial fines. Although we have taken measures to identify which of our games are subject to COPPA due to their child-appealing nature and to comply with COPPA with respect to those games, if COPPA were to apply to us in a manner other than we have assessed or prepared for, our actual or alleged failure to comply with COPPA may increase our costs, subject us to expensive and distracting lawsuits or government investigations, could result in substantial fines or civil damages and could cause us to temporarily or permanently discontinue certain games or certain features and functions in games.
While most of our games do not primarily target children under 18 years of age as their primary audience, the United Kingdom enacted the "Age Appropriate Design Code" (commonly referred to as the "Children's Code"), a statutory code of practice pursuant to the United Kingdom Data Protection Act 2018. This code came into force on September 2, 2020, and became enforceable on September 2, 2021. The code requires online services, including our games that are likely to be accessed by children under 18, to put the best interests of the child's privacy first in the design, development and data-related behavior of the game. The UK government is also separately consulting on legislation in relation to user safety online. The Data Protection Commission in Ireland published its Fundamentals for a Child-Oriented Approach to Data Processing, introducing certain child-specific data protection measures. It is possible that other countries within and outside the European Union will follow with their own codes or guidance documents relating to processing personal information from children or in relation to online harms; currently, other countries are considering or have issued drafts of similar codes, including France, Denmark and Switzerland. These may result in substantial costs and may necessitate changes to our business practices which may compromise our growth strategy, adversely affect our ability to attract, monetize or retain players, and otherwise adversely affect our business, reputation, legal exposures, financial condition and results of operations.
In addition, in some cases, we are dependent upon our platform providers to solicit, collect and provide us with information regarding our players that is necessary for compliance with these various types of regulations. Our business, including our ability to operate and expand internationally, could be adversely affected if laws or regulations are adopted, interpreted or implemented in a manner that is inconsistent with our current business practices and that require changes to these practices, the design of our games, features or our privacy policy. These platform providers may dictate rules, conduct or technical features that do not properly comply with federal, state, local and foreign laws, regulations and regulatory codes and guidelines governing data privacy, data protection and security, including with respect to the collection, storage, use, processing, transmission, sharing and protection of personal information and other consumer data. In addition, these platforms may dictate rules, conduct or technical features relating to the collection, storage, use, transmission, sharing and protection of personal information and other consumer data, which may result in substantial costs and may necessitate changes to our business practices, which in turn may compromise our growth strategy, adversely affect our ability to attract, monetize or retain players, and otherwise adversely affect our business, reputation, legal exposures, financial condition and results of operations. 
Any failure or perceived failure by us to comply with these platform-dictated rules, conduct or technical features may result in platform-led investigations or enforcement actions, litigation, or public statements against us, which in turn could result in significant liability or temporary or permanent suspension of our business activities with these platforms, cause our players to lose trust in us, and otherwise compromise our growth strategy, adversely affect our ability to attract, monetize or retain players, and otherwise adversely affect our business, reputation, legal exposures, financial condition and results of operations.
Player interaction with our games is subject to our privacy policy and terms of service. If we fail to comply with our posted privacy policy or terms of service or if we fail to comply with existing privacy-related or data protection laws and regulations, it could result in proceedings or litigation against us by governmental authorities or others, which could result in fines or judgments against us, damage our reputation, impact our financial condition and harm our business. If regulators, the media or consumers raise any concerns about our privacy and data protection or consumer protection practices, even if unfounded, this could also result in fines or judgments against us, damage our reputation, and negatively impact our financial condition and damage our business.
In the area of information security and data protection, many jurisdictions have passed laws requiring notification when there is a security breach involving personal data or requiring the adoption of minimum information security standards that are often vaguely defined and difficult to implement. Our security measures and standards may not be sufficient to protect personal information and we cannot guarantee that our security measures will prevent security breaches. A security breach that compromises personal information could harm our reputation and result in a loss of player and/or employee confidence in our games and ultimately in a loss of players, which could adversely affect our business and impact our financial condition. A security breach could also involve loss or unavailability of business-critical data and could require us to spend significant resources to mitigate and repair the breach, which in turn could compromise our growth and adversely affect our ability to attract, monetize or retain players. These risks could also subject us to liability under applicable security breach-related laws and regulations and could result in additional compliance costs, costs related to regulatory inquiries and investigations, and an inability to conduct our business.