The regulatory framework for privacy and data security matters around the world is rapidly evolving and is likely to remain volatile for the foreseeable future. We are subject to privacy and data security obligations in the United States, United Kingdom, European Union and other foreign jurisdictions relating to the collection, use, sharing, retention, security, transfer and other handling of personal data about individuals, including our users and employees around the world. Data protection, consumer protection and privacy laws may differ, conflict and be interpreted and applied inconsistently, from country to country. In many cases, these laws apply not only to user data, employee data and third-party transactions, but also to transfers of personal data between or among ourselves, our subsidiaries, and other parties with which we have commercial relations, in addition to methods of communication and consent for such communication. These laws continue to develop in the U.S. and around the globe, including through regulatory and legislative action and judicial decisions, in ways we cannot predict and that may harm our business. For example, a new Quebec data protection law took effect in September 2023, and updates to Canadian federal privacy legislation are pending. India passed the Digital Personal Data Protection Act in 2023. In addition, the United States, through the Federal Communications Commission, recently implemented new lead generation "robot-text" and "robo-calls" regulations under the Telephone Consumer Protection Act (TCPA). As the particulars of these regulations are unknown at this time, these new consumer protection regulations could impact our organization's corporate go-to-market sales initiatives, as well as certain feature sets in our current product stack.
Any failure to comply with applicable laws, regulations or contractual obligations may harm our business, results of operations and financial condition. If we are subject to an investigation or litigation or suffer a breach of security of personal data, we may incur costs or be subject to forfeitures and penalties that could reduce our profitability. In addition, compliance with these laws may restrict our ability to provide services to our customers that they may find to be valuable. For example, the General Data Protection Regulation ("GDPR") became effective in May 2018. The GDPR, which applies to personal data collected in the context of all of our activities conducted from an establishment in the European Union, related to products and services offered to individuals in the European Union or related to the monitoring of individuals' behavior in Europe, imposes a range of significant compliance obligations regarding the handling of personal data. Actions required to comply with these obligations depend in part on how particular and strict regulators interpret and apply them. If we fail to comply with the GDPR, or if regulators assert we have failed to comply with the GDPR, we may be subject to, for example, regulatory enforcement actions that can result in monetary penalties of up to 4% of our annual worldwide revenue or EUR 20 million (whichever is higher), private lawsuits, class actions, regulatory orders to stop processing and delete data, and reputational damage. In June 2021, the European Commission published new versions of the Standard Contractual Clauses, which are used as a legal cross-border mechanism allowing companies to transfer/allow access to personal data outside the European Economic Area. Use of the previous versions of the Standard Contractual Clauses is no longer allowed and all contracts that include the earlier versions should have been amended to replace them with the new versions by December 27, 2022.
Also in June 2021, the European Data Protection Board finalized its recommendations regarding supplemental transfer measures to protect personal data during cross-border transfers. We must incur costs and expenses to comply with the new requirements, which may impact the cross-border transfer of personal data throughout our organization and to/from third parties.
Further, states continue to adopt new laws or amend existing laws related to data privacy, requiring attention to frequently changing regulatory requirements. For example, the California Consumer Privacy Act of 2018 ("CCPA") requires businesses to provide specific disclosures in their privacy notices and honor residents' privacy rights. The CCPA provides for civil penalties of up to $7,500 per violation and allows private litigants affected by certain data breaches to recover significant statutory damages. Although the CCPA does not apply to certain data that we process in the context of clinical trials, efforts to comply with the CCPA may increase our annual compliance costs and subject us to potential liability with respect to other personal information we may maintain about California residents. In addition, the California Privacy Rights Act of 2020 ("CPRA"), which came into effect on January 1, 2023, expanded the CCPA's requirements, extending it to cover personal information of business representatives and employees, and the CPRA established a new regulatory agency to implement and enforce the law. Other states, such as Virginia, Nevada, Connecticut, Utah, Texas and Colorado, have also passed comprehensive privacy laws, and similar laws are being considered in several other states, as well as at the federal and local levels, which impose similar obligations to those in the CCPA. These laws may increase our potential liability related to our data processing activities, complicate our compliance efforts, and increase both legal risk and compliance costs for us and the third parties upon whom we rely.
Compliance with the GDPR, the new state laws, and other current and future applicable U.S. and international privacy, data protection, cybersecurity, artificial intelligence and other data-related laws can be costly and time-consuming. Complying with these varying requirements could cause us to incur substantial costs and/or require us to change our business practices in a manner adverse to our business. Violations of applicable data and privacy-related laws can result in significant penalties that could adversely affect our business, financial condition, reputation, and results of our operations. Furthermore, conflicting requirements across applicable privacy and data security laws would complicate our compliance efforts and increase both legal risk and compliance costs for us and the third parties upon whom we rely.
Australia recently amended its Privacy Act, increasing the maximum penalties available for serious or repeated data breaches from AUS 2.2 million to the greater of: (i) AUS 50 million; (ii) three times the value of any benefit obtained through misuse of the information; or (iii) 30% of a company's adjusted turnover in the relevant period.
In addition to the influx of privacy and data protection law, AI has become a topic of discussion across the United States and the globe. In the United States, states have either passed laws or have utilized existing laws to implement policies and rules governing the use of AI as it relates to the personal data of individuals and decision making. For example, the California Privacy Protection Agency has proposed regulations governing automated decision-making technologies pursuant to the authority granted under the CCPA. At the federal level, the United States government has affirmed its ability to regulate AI through, but not limited to, existing laws such as the Federal Trade Commission Act, the federal rule making process through various federal agencies, and Presidential Executive Orders. In addition, the United States Congress is actively and continuously introducing laws governing AI and data protection with the expectation that such laws will be passed in 2025 to regulate AI systems while providing protection for individuals within the United States. Globally, countries have been proactive in implementing laws and regulations concerning AI. For example, the EU AI Act, which was passed by the European Union, entered into force on August 1, 2024 and provides for compliance centered around a risk-based approach taking into account the implementation and use of the AI system. Other countries, such as Canada, Australia and the United Kingdom, have either proposed laws or provided guidance under existing law governing the use of AI. Compliance with the ever-changing AI landscape could result in substantial costs or require changes in business practices, with violations resulting in significant penalties.
We also may be bound by additional, more stringent contractual obligations relating to our collection, use and disclosure of personal data or may find it necessary or desirable to join industry or other self-regulatory bodies or other privacy or security related organizations that require compliance with their rules pertaining to privacy and data protection.
We post on our websites our privacy notices and practices concerning the collection, use, sharing, disclosure, deletion and retention of our user data. Any failure, or perceived failure, by us to comply with our posted privacy notices or with any regulatory requirements or orders or other federal, state or international privacy-related laws and regulations, including the GDPR, CCPA and CPRA, could result in proceedings or actions against us by governmental entities or others (e.g., class action plaintiffs), subject us to significant penalties and negative publicity, require us to change our business practices, increase our costs and adversely affect our business. We may also experience security breaches and likely will in the future, which themselves may result in a violation of these laws and give rise to regulatory enforcement and/or private litigation.