Zoom Video Communications (ZM) Risk Factors

We use generative AI processes and algorithms, including by deploying generative AI features in our products and services, which may result in adverse effects to our operations, legal liability, reputation and competitive risks. The use of generative AI at scale is relatively new, and may lead to challenges, concerns and risks that are significant or that we may not be able to predict. For example, AI algorithms use machine learning ("ML") and predictive analytics which may be insufficient, biased, inaccurate or of poor quality, which could result in customer rejection or skepticism of our products, adversely impact the rights of individuals, affect our reputation or brand, and negatively affect our financial results. Additionally, we rely on third parties for certain AI features of our products and if such third parties do not provide us those features (or do not do so on acceptable terms), experience interruptions, or cease operating, we may need to work with another provider, which may take time or may not be possible, and could result in the disruption of certain of our products or services, affect our reputation or brand, and negatively affect our financial results. We could also face claims from third parties claiming infringement of their intellectual property or other proprietary rights with respect to materials used or created by generative AI tools or features that we believed to be available for use and not subject to such rights. The investment required to bring AI features to market and the costs associated with providing these features to our customers may be significant, and we may be unable to recover these costs if customers and users do not widely adopt these features. We currently offer our AI features at no additional cost, as we believe they will ultimately enhance user satisfaction, improve customer retention, and drive revenue. If such benefits are not realized, the associated investment costs could further negatively impact our margins. Further, use of generative AI tools by our employees or others could result in disclosure of confidential or sensitive company and customer data, reputational harm, and legal liability.

One of the most important features of our platform is its broad interoperability with a range of diverse devices, operating systems, and third-party applications. Our platform is accessible from the web and from devices running Windows, Mac OS, iOS, Android, and Linux. We also have integrations with Atlassian, Dropbox, Google, Microsoft, Salesforce, Slack, and a variety of other productivity, collaboration, data management, and security vendors. We are dependent on the accessibility of our platform across these and other third-party operating systems and applications that we do not control, and some of these third parties can make it more difficult for our platform to interoperate with their systems in favor of competitive platforms. For example, given the broad adoption of Microsoft Office and other productivity software, it is important that we are able to integrate with this software. Several of our competitors own, develop, operate, or distribute operating systems, app stores, co-located data center services, and other software, and also have material business relationships with companies that own, develop, operate, or distribute operating systems, applications markets, co-located data center services, and other software that our platform requires in order to operate. Moreover, some of these competitors have inherent advantages developing products and services that more tightly integrate with their software and hardware platforms or those of their business partners. Third-party services and products are constantly evolving, and we may not be able to modify our platform to assure its compatibility with that of other third parties following development changes. In addition, some of our competitors may be able to disrupt the operations or compatibility of our platform with their products or services, or exert strong business influence on our ability to, and terms on which we, operate and distribute our platform. For example, we currently offer products that directly compete with several large technology companies that we rely on to ensure the interoperability of our platform with their products or services. As our respective products evolve, we expect this level of competition to increase. Should any of our competitors modify their products or standards in a manner that degrades the functionality of our platform or gives preferential treatment to competitive products or services, whether to enhance their competitive position or for any other reason, the interoperability of our platform with these products could decrease and our business could be harmed. In addition, we provide, develop, and create applications for our platform partners that integrate our platform with our partners' various offerings. For example, our Zoom Workplace product integrates with tools offered by companies, such as Atlassian and Dropbox, to help teams get more done together. If we are not able to continue and expand on existing and new relationships to integrate our platform with our partners' solutions, or there are quality issues with our products or service interruptions of our products that integrate with our partners' solutions, our business will be harmed. We are subject to requirements imposed by app stores such as those operated by Apple and Google, who may change their technical requirements or policies in a manner that adversely impacts the way in which we or our partners collect, use and share data from users. For example, Apple recently began requiring mobile applications using its iOS mobile operating system to obtain a user's permission to track them or access their device's advertising identifier for certain purposes. The long-term impact of these and any other privacy and regulatory changes remains uncertain. If we do not comply with applicable requirements imposed by app stores, we could lose access to the app store and users, and our business would be harmed.

The software technology underlying our platform is inherently complex and may contain material defects or errors, particularly when new products are first introduced or when new features or capabilities are released. We have from time to time found defects or errors in our platform, and new defects or errors in our existing platform or new products may be detected in the future by us or our users. There can be no assurance that our existing platform and new products will not contain defects. Any real or perceived errors, failures, vulnerabilities, or bugs in our platform have in the past resulted and could in the future result in negative publicity or lead to data security, access, retention, or other performance issues, all of which could harm our business. The costs incurred in correcting such defects or errors may be substantial and could harm our business. Moreover, the harm to our reputation and legal liability related to such defects or errors may be substantial and would harm our business. We also utilize hardware purchased or leased and software and services licensed from third parties to offer our platform. Any defects in, or unavailability of, our or third-party hardware, software, or services that cause interruptions to the availability of our services, loss of data, or performance issues could, among other things: - cause a reduction in revenue or delay in market acceptance of our platform;- require us to issue refunds to our customers or expose us to claims for damages;- cause us to lose existing customers and make it more difficult to attract new customers;- divert our development resources or require us to make extensive changes to our platform, which would increase our expenses;- increase our technical support costs; and - harm our reputation and brand.

Unlike traditional communications and collaborations technologies, our services depend on our users' high-speed broadband access to the internet, usually provided through a cable or digital subscriber line connection. Increasing numbers of users and increasing bandwidth requirements may degrade the performance of our platform due to capacity constraints and other internet infrastructure limitations. As our number of users has grown and their usage of communications capacity has increased, we have been required to make additional investments in network capacity to maintain adequate data transmission speeds, the availability of which may be limited, or the cost of which may be on terms unacceptable to us. If adequate capacity does not continue to be available to us to support our user base in the future, our network may be unable to achieve or maintain sufficiently high data transmission capacity, reliability, or performance. In addition, if internet service providers and other third parties providing internet services have outages or deteriorations in their quality of service, our users will not have access to our platform or may experience a decrease in the quality of our platform. Furthermore, as the rate of adoption of new technologies increases, the networks our platform relies on may not be able to sufficiently adapt to the increased demand for these services, including ours. Frequent or persistent interruptions could cause current or potential users to believe that our systems or platform are unreliable, leading them to switch to our competitors or to avoid our platform, which could permanently harm our business. In addition, users who access our platform through mobile devices, such as smartphones and tablets, must have a high-speed connection, such as 3G, 4G, 5G, LTE, satellite, or Wi-Fi, to use our services and applications. Currently, this access is provided by companies that have significant and increasing market power in the broadband and internet access marketplace,including incumbent phone companies, cable companies, satellite companies, and wireless companies. Some of these providers offer products and subscriptions that directly compete with our own offerings, which can potentially give them a competitive advantage. Also, these providers could take measures that degrade, disrupt, or increase the cost of user access to third-party services, including our platform, by restricting or prohibiting the use of their infrastructure to support or facilitate third-party services or by charging increased fees to third parties or the users of third-party services, any of which would make our platform less attractive to users and reduce our revenue. On January 4, 2018, the Federal Communications Commission ("FCC") released an order reclassifying broadband internet access as an information service, a regulatory regime generally referred to as network neutrality, subject to certain provisions of Title I of the Communications Act. The order requires broadband providers to publicly disclose accurate information regarding network management practices, performance characteristics, and commercial terms of their broadband internet access services sufficient to enable consumers to make informed choices regarding the purchase and use of such services, and entrepreneurs and other small businesses to develop, market, and maintain internet offerings. The new rules went into effect on June 11, 2018. Numerous parties filed judicial challenges to the order, and on October 1, 2019, the United States Court of Appeals for the District of Columbia Circuit released a decision that rejected nearly all of the challenges to the new rules, but reversed the FCC's decision to prohibit all state and local regulation targeted at broadband internet service, requiring case-by-case determinations as to whether state and local regulation conflicts with the FCC's rules. The court also required the FCC to reexamine three issues from the order but allowed the order to remain in effect, while the FCC conducts that review. On October 27, 2020, the FCC adopted an order concluding that the three issues remanded by the court did not provide a basis to alter its conclusions in the 2018 order. On October 19, 2023, the FCC adopted a notice of proposed rulemaking proposing to reinstate the 2015 rules, and on April 24, 2024, adopted an order that substantially reinstated those rules. The rules were stayed pending completion of an appeal by an order of the U.S. Court of Appeals for the Sixth Circuit on August 1, 2024. We cannot predict the impact of the new rules on our operations or business. In addition, a number of states have adopted or are adopting or considering legislation or executive actions that would regulate the conduct of broadband providers. After a federal court judge denied a request for a preliminary injunction against California's state-specific network neutrality law, California began enforcing that law on March 25, 2021. A number of other states have adopted or are adopting or considering legislation or executive actions that would regulate the conduct of broadband providers. A similar law in Vermont is subject to a pending challenge, but went into effect on April 20, 2022 and the challenge has been suspended until an appeal in another case addressing state powers to adopt internet regulation is resolved. The FCC's April 24 order permits it to preempt any state-level network neutrality requirements that go beyond the requirements adopted in that order, but specifically held that the California law would not be preempted. We cannot predict whether the FCC order or other state initiatives will be enforced, modified, overturned, or vacated by legal action of the court, federal legislation, or the FCC. Under the FCC's current rules, broadband internet access providers may be able to charge web-based services such as ours for priority access or favor services offered by our competitors or by the internet access providers themselves, which could result in increased costs and a loss of existing customers, impair our ability to attract new customers, and harm our business but the new rules, if they go into effect, are intended to limit the ability of broadband internet access providers to engage in such behavior. If there are changes to the regulatory structures in the United States or elsewhere that reduce investment in infrastructure by internet service providers, including a return of the network neutrality regulations that were repealed, any impacts of reduced investment that reduce network capacity or speed could have a negative effect on our business, operating results, and financial condition.

We track our key business metrics with tools that are not independently verified by any third party. Our tools have limitations, and our methodologies for tracking these metrics may change over time, which could result in unexpected changes to our performance metrics, including the key metrics we report. If the tools we use to track these metrics over- or undercount performance or contain errors, the data we report may not be accurate and our understanding of certain details of our business may be distorted, which could affect our longer-term strategies. We are continually seeking to improve our ability to measure our key business metrics, and regularly review our processes to assess potential improvements.

Our ability to engage, retain, and increase our base of customers and users and to increase our revenue will depend on our ability to successfully create new products, features, and functionality, both independently and together with third parties. We may introduce significant changes to our existing platform or develop and introduce new and unproven products, including technologies with which we have little or no prior development or operating experience. These new products and updates may not perform as expected, have attracted and may in the future attract negative attention if they involve technologies with heightened public interest, may fail to engage, retain, and increase our base of customers and users or may create lag in adoption of such new products. New products may initially suffer from performance and quality issues that may negatively impact our ability to market and sell such products to new and existing customers. The short- and long-term impact of any major change to our products, or the introduction of new products, is particularly difficult to predict. If new or enhanced products, including those incorporating AI features, fail to engage, retain, and increase our base of customers, or do not perform as expected, we may fail to generate sufficient revenue, operating margin, or other value to justify our investments in such products, any of which may harm our business in the short term, long term, or both. In addition, our current platform, as well as products, features, and functionality that we may introduce in the future, may require us to compensate or reimburse third parties. For example, our cloud phone system, Zoom Phone, is a PBX phone solution that requires us to compensate carriers that operate the PSTN. As a result, a portion of the payments that we will receive from customers that will use our Zoom Phone product will be allocated towards compensating these telephone carriers, which lowers our margins for Zoom Phone as compared to our other products. In addition, new products that we introduce in the future may similarly require us to compensate or reimburse third parties, all of which would lower our profit margins for any such new products. If this trend continues with our new and existing products, including Zoom Phone, it could harm our business.

We may be subject to, or respond to requests from law enforcement that are legally valid, appropriately scoped, and sufficiently detailed in connection with enforcement of, various civil and criminal laws, including those covering copyright, indecent content, child protection, consumer protection, telecommunications services, taxation, and similar matters. It may be difficult, expensive, and disruptive for us to address law enforcement requests, subpoenas and other legal process, and laws in various jurisdictions may conflict and hamper our ability to satisfy or comply with such requests, subpoenas and other legal process. There have been instances where improper or illegal content has been shared on our platform without our knowledge. As a service provider and as a matter of policy, we do not monitor user meetings. However, to protect user safety and prevent conduct that is illegal, violent, or harmful to others, we enforce our terms of service through use of a mix of tools that suggest when such activity may be occurring on our platform. Our trust and safety team may take further action as appropriate, including suspension or termination of the participant's account or referral to law enforcement. The laws in this area are currently in a state of flux and vary widely between jurisdictions. Accordingly, it may be possible that in the future we and our competitors may be subject to legal actions along with the users who shared such content. In addition, regardless of any legal liability we may face, our reputation could be harmed should there be an incident generating extensive negative publicity about the content shared on our platform. Such publicity would harm our business.

There have been various Congressional and executive efforts to eliminate or modify Section 230 of the Communications Act of 1934, enacted as part of the Communications Decency Act of 1996. Section 230 provides protection for providers of online service from liability for content produced by third parties and protects the right to engage in moderation of user content. President Biden and many Members of Congress from both parties support the reform or repeal of Section 230, so the possibility of Congressional action remains. In addition, the FCC is considering a petition, filed by the Trump Administration, to adopt rules interpreting Section 230, which limits the liability of internet platforms for third-party content that is transmitted via those platforms and for good-faith moderation of offensive content. No date has been set for a vote on that proposal, and the FCC has not released any document describing the rules that would be proposed. The Democratic members of the FCC have indicated that they are opposed to the petition and now control the agenda of the FCC. There is no schedule for action by the FCC on the petition. If Congress revises or repeals Section 230 or the FCC adopts rules, we may no longer be afforded the same level of protection offered by Section 230. In addition, there are pending cases before the judiciary that may result in changes to the protections afforded to internet platforms, including a lawsuit by former President Trump that, if successful, would greatly limit the scope of Section 230. The U.S. Supreme Court recently declined to limit the applicability of Section 230 in certain circumstances, but future cases may not yield the same results and a recent decision by the U.S. Court of Appeals for the Third Circuit would limit the applicability of Section 230 to curated content. These various efforts to limit the protections provided by Section 230 would increase the risks faced by internet-based businesses, like Zoom, that rely on third-party content. Even if claims asserted against us do not result in liability, we may incur substantial costs in investigating and defending such claims. If we are found liable for our customers' or other users' activities, we could be required to pay fines or penalties, redesign business methods, or otherwise expend resources to remedy any damages caused by such actions and to avoid future liability. Legislation has been adopted in Florida and Texas that is intended to reduce or eliminate the power of businesses operating on the Internet to moderate user-generated content, implicitly eliminating the federal protections granted under Section 230. Similar legislation has been introduced in other states. Implementation of the Florida and Texas statutes has been stayed by various federal courts, including the U.S. Supreme Court. On August 18, 2022, the parties in the Florida case requested, and were granted, a stay of the appeals court mandate pending Supreme Court review. On September 16, 2022, the U.S. Court of Appeals for the Fifth Circuit issued a decision upholding the Texas law. On September 30, the parties in that case filed an unopposed motion to stay the Fifth Circuit decision pending Supreme Court review, and the Fifth Circuit granted that request on October 13, 2022. On September 29, 2023, the Supreme Court announced that would review both the Florida and Texas decisions, and on July 1, 2024, the Court issued a decision returning both cases to the trial courts for additional analysis. The district court in Texas, on August 29, 2024, issued a decision staying some portions of the Texas law and allowing others to go into effect, relying on analysis under both Section 230 and the First Amendment. The district court in Florida set a trial date in its case for June 2025. Florida amended its statute in an effort to address issues that led the court to issue the stay. It is likely that any other such state legislation also would be challenged under the First Amendment to the U.S. Constitution and on the ground that it is preempted by Section 230. In addition, on August 27, 2024, the U.S. Court of Appeals for the Third Circuit issued a decision limiting the protections afforded by Section 230 in cases where a social media company curates user feeds to the extent that the feed becomes the speech of the company, reversing a trial court decision that immunized the company under Section 230. We cannot predict whether any such state legislation will be adopted, enforced, modified, overturned, or vacated. Furthermore, new laws and regulations have been enacted or are being considered that impose extensive obligations regarding online safety and the operation of online services or platforms, such as the OSA and DSA, which may increase our compliance costs, require changes to our processes, operations, and business practices. For example, these new laws and regulations may seek to regulate the sharing of user-generated content and require us to identify, mitigate, and manage the risks of harm to users from illegal or harmful content. Violating these obligations could carry significant consequences. For example, violating the DSA can result in fines of up to 6% of total annual worldwide revenue and violating the OSA can result in audits, inspections, and fines of up to £18 million or 10% of worldwide revenue, whichever is higher.

Federal Regulation Zoom Phone is provided through our wholly owned subsidiary, Zoom Voice Communications, Inc., which is regulated by the FCC as an interconnected voice over internet protocol ("VoIP") service provider. As a result, Zoom Phone is subject to existing or potential FCC regulations, including, but not limited to, regulations relating to privacy, disability access, porting of numbers, federal Universal Service Fund ("USF"), contributions and other regulatory assessments, emergency calling/Enhanced 911 ("E-911"), access charges for long distance services, and law enforcement access. Congress or the FCC may expand the scope of Zoom Phone's regulatory obligations at any time. In addition, FCC classification of Zoom Phone as a common carrier or telecommunications service could result in additional federal and state regulatory obligations. If we do not comply with any current or future state regulations that apply to our business, we could be subject to substantial fines and penalties, we may have to restructure our product offerings, exit certain markets, or raise the price of our products, any of which could ultimately harm our business and results of operations. Any enforcement action by the FCC, which may be a public process, would hurt our reputation in the industry, possibly impair our ability to sell Zoom Phone to our customers and harm our business. As described above, the FCC has reinstated its prior network neutrality regulations. See Part 1A. Failures in internet infrastructure or interference with broadband access could cause current or potential users to believe that our systems are unreliable, possibly leading our customers to switch to our competitors, or to cancel their subscriptions to our platform. Changes in FCC regulation of the internet and internet-based services also could impose new regulatory obligations on our other services. Such action could result in extension of common carrier regulation to internet-based communications services like the ones we offer. The imposition of common carrier regulation would increase our costs, and we could be required to modify our service offerings to comply with regulatory requirements. The failure to comply with such regulation could result in substantial fines and penalties and other sanctions. On December 13, 2023, the FCC adopted revised rules on reporting of breaches of private customer information, known as CPNI. The revised rules could broaden the types of CPNI breaches that must be reported, but also could limit the number of reports that must be filed by adopting a minimum threshold for the number of customers affected and not requiring reporting in certain circumstances when customers are not harmed. The rules also require that breach reports be provided directly to the FCC, which could increase the risk of enforcement action, including fines and behavioral remedies. These rules are not yet in effect and have been challenged in federal court. We cannot predict the impact of the new rules on our operations or business or whether they will be overturned in court The FCC has adopted rules that prohibit Chinese companies that are deemed to be a national security risk by other federal agencies from obtaining new authorizations and placed on a list known as the Covered List to sell telecommunications equipment in the U.S. and is considering proposed rules that would ban those companies from selling previously-authorized equipment or could prohibit use of their equipment in the U.S. Zoom does not currently have any equipment from the companies subject to the ban in its network, but if other companies are added to the Covered List and the FCC adopts rules that ban sales or use of equipment from such companies, we could be required to find new sources for similar equipment or replace existing equipment entirely. State Regulation State telecommunications regulation of Zoom Phone is generally preempted by the FCC. However, states are allowed to assess state USF contributions, E-911 fees, and other surcharges. A number of states require us to contribute to state USF and pay E-911 and other assessments and surcharges, while others are actively considering extending their programs to include the products we offer. The California Public Utilities Commission is now taking the position that it can require VoIP providers like Zoom Phone to obtain authority to operate in that state. We generally pass USF, E-911 fees, and other surcharges through to our customers where we are permitted to do so, which may result in our products becoming more expensive. We expect that state public utility commissions will continue their attempts to apply state telecommunications regulations to services like Zoom Phone. If we do not comply with any current or future state regulations that apply to our business, we could be subject to substantial fines and penalties, and we may have to restructure our product offerings, exit certain markets, or raise the price of our products, any of which could harm our business. Certain states have adopted or are adopting or considering legislation or executive actions that would regulate the conduct of broadband providers. California's state-specific network neutrality law has taken effect and Vermont's law took effect, but a challenge to that law remains pending. The FCC's April 25 order permits it to preempt any state-level network neutrality requirements that go beyond the requirements adopted in that order, but specifically held that the California law would not be preempted. The FCC order was stayed on August 1, 2024, pending resolution of an appeal. For additional information on this order, see the risk factor titled "Failures in internet infrastructure or interference with broadband access could cause current or potential users to believe that our systems are unreliable, possibly leading our customers to switch to our competitors, or to cancel their subscriptions to our platform." We cannot predict whether other state initiatives will be enforced, modified, overturned, or vacated. International Regulation As we expand internationally, we may be subject to telecommunications, consumer protection, privacy, data protection, and other laws and regulations in the foreign countries where we offer our products. If we do not comply with any current or future international regulations that apply to our business, we could be subject to substantial fines and penalties, we may have to restructure our product offerings, exit certain markets, or raise the price of our products, any of which could harm our business.

As a public company listed in the United States, we incur significant additional legal, accounting, and other expenses. In addition, changing laws, regulations, and standards relating to corporate governance and public disclosure, including regulations implemented by the SEC and The Nasdaq Stock Market, may increase legal and financial compliance costs and make some activities more time consuming. These laws, regulations, and standards are subject to varying interpretations, and as a result, their application in practice may evolve over time as new guidance is provided by regulatory and governing bodies. We intend to invest resources to comply with evolving laws, regulations, and standards, and this investment may result in increased general and administrative expenses and a diversion of management's time and attention from revenue-generating activities to compliance activities. If, notwithstanding our efforts, we fail to comply with new laws, regulations, and standards, regulatory authorities may initiate legal proceedings against us and our business may be harmed. Failure to comply with these rules might also make it more difficult for us to obtain certain types of insurance, including director and officer liability insurance, and we might be forced to accept reduced policy limits and coverage or incur substantially higher costs to obtain the same or similar coverage. The impact of these events would also make it more difficult for us to attract and retain qualified persons to serve on our board of directors, on committees of our board of directors, or as members of senior management.

In the ordinary course of business, we collect, receive, store, process, generate, use, transfer, disclose, make accessible, protect, secure, dispose of, transmit, and share confidential, proprietary, and sensitive information, including personal information, customer and user content, business data, trade secrets, intellectual property, third-party data, business plans, transactions, financial information Our data processing activities subject us to numerous privacy, data protection, and information security obligations, such as various laws, regulations, guidance, industry standards, external and internal privacy and security policies, and contractual requirements. Laws in the United States In the United States, federal, state, and local governments have enacted numerous privacy, data protection, and information security laws, including data breach notification laws, personal information privacy laws, consumer protection laws (e.g., Section 5 of the Federal Trade Commission Act), and other similar laws (e.g., wiretapping laws). For example, the California Consumer Privacy Act of 2018 ("CCPA") applies to personal information of consumers, business representatives, and employees, and requires businesses to provide specific disclosures in privacy notices and honor requests of California residents to exercise certain privacy rights. The CCPA provides for fines of up to $7,500 per intentional violation and allows private litigants affected by certain data breaches to recover significant statutory damages. Similar laws are being considered in several other states, as well as at the federal and local levels and we expect more states to pass similar laws in the future. These developments may further complicate compliance efforts and increase legal risk and compliance costs for us and the third parties upon whom we rely. Under various laws and other obligations related to privacy, data protection, and information security, we may be required to obtain certain consents to process personal information. For example, some of our data processing practices may be challenged under wiretapping laws when we obtain consumer information from third parties through various methods, including chatbot and session replay providers, or via third-party marketing pixels. These practices may be subject to increased challenges by class action plaintiffs. Our inability or failure to obtain consent for these practices could result in adverse consequences, including class action litigation and mass arbitration demands. Laws Outside of the United States Outside the United States, an increasing number of laws, regulations, and industry standards related to privacy, data protection, and information security may govern. For example, the European Union's General Data Protection Regulation ("EU GDPR"), the United Kingdom's GDPR ("UK GDPR"), Brazil's General Data Protection Law (Lei Geral de Proteção de Dados Pessoais, or "LGPD") (Law No. 13,709/2018), and China's Personal Information Protection Law ("PIPL") impose strict requirements for processing personal information. For example, under the EU GDPR, companies may face temporary or definitive bans on data processing and other corrective actions; fines of up to 20 million Euros under the EU GDPR and 17.5 million pounds sterling under the UK GDPR, or 4% of annual global revenue, in each case, whichever is greater; or private litigation related to processing of personal information brought by classes of data subjects or consumer protection organizations authorized at law to represent their interests. China's PIPL imposes a set of specific obligations on covered businesses in connection with their processing and transfer of personal information and imposes fines of up to RMB 50 million or 5% of the prior year's total annual revenue of the violator. The Swiss Federal Act on Data Protection ("FADP"), also applies to the collection and processing of personal information, including health-related information, by companies located in Switzerland, or in certain circumstances, by companies located outside of Switzerland. We also target customers in Asia and have operations in Japan, Singapore and India, and may be subject to new and emerging privacy, data protection, and information security regimes in the region, including Japan's Act on the Protection of Personal Information, Singapore's Personal Data Protection Act, and India's new privacy legislation, the Digital Personal Data Protection Act. In addition, we may be unable to transfer personal information from Europe and other jurisdictions to the United States or other countries due to data localization requirements or limitations on cross-border data flows. Europe and other jurisdictions have enacted laws requiring data to be localized or limiting the transfer of personal information to other countries. In particular, the European Economic Area ("EEA") and the United Kingdom ("UK") have significantly restricted the transfer of personal information to the United States and other countries whose privacy laws they generally believe are inadequate. Other jurisdictions may adopt similarly stringent interpretations of their data localization and cross-border data transfer laws. Although there are currently various mechanisms that may be used to transfer personal information from the EEA and UK to the United States in compliance with law, such as the EEA's standard contractual clause, and the EU-U.S. Data Privacy Framework and the UK extension thereto (which allow for transfers to relevant U.S.-based organizations who self-certify compliance and participate in the Framework), these mechanisms can be subject to legal challenges, and there is no assurance that we can satisfy or rely on these measures to lawfully transfer personal information to the United States. If there is no lawful manner for us to transfer personal information from the EEA, the UK, or other jurisdictions to the United States, or if the requirements for a legally-compliant transfer are too onerous, we could face significant adverse consequences, including the interruption or degradation of our operations, the need to relocate part of or all of our business or data processing activities to other jurisdictions at significant expense, increased exposure to regulatory actions, substantial fines and penalties, the inability to transfer data and work with partners, vendors and other third parties, and injunctions against our processing or transferring of personal information necessary to operate our business. Additionally, companies that transfer personal information out of the EEA and UK to other jurisdictions, particularly to the United States, are subject to increased scrutiny from regulators, individual litigants, and activist groups. Some European regulators have ordered certain companies to suspend or permanently cease certain transfers of personal information out of Europe for allegedly violating the EU GDPR's cross-border data transfer limitations. For example, in May 2023, the Irish Data Protection Commission determined that a major social media company's use of the standard contractual clauses to transfer personal information from Europe to the United States was insufficient and levied a 1.2 billion Euro fine against the company and prohibited the company from transferring personal information to the United States. The United States is also increasingly scrutinizing certain data transfers and may also impose certain data localization requirements, particularly in relation to our transfer of personal information to, or processing of personal information of residents of, high risk or sanctioned jurisdictions. We may also become subject to new laws that regulate non-personal information. For example, the European Union's Data Act imposes certain data and cloud service interoperability and switching obligations to enable users to switch between cloud service providers without undue delay or cost, as well as certain requirements concerning cross-border international transfers of, and governmental access to, non-personal information outside the EEA. Depending on how this Act and any similar laws are implemented and interpreted, we may have to adapt our business practices, contractual arrangements, and products and services to comply with such obligations. Artificial Intelligence Our development and use of AI and machine learning ("ML") technologies is subject to privacy, data protection, IP, and information security laws, industry standards, external and internal privacy and security policies, and contractual requirements, as well as increasing regulation and scrutiny. Several jurisdictions around the globe, including the EU, the UK and certain U.S. states, have proposed, enacted, or are considering laws governing the development and use of AI/ML. For example, the EU's AI Act enters into force this year and will have a direct effect across all EU jurisdictions. The EU AI Act and other similar laws, if implemented and if applicable, could impose onerous obligations related to the use of AI-related systems. Obligations on AI/ML may make it harder for us to conduct our business using, or build products incorporating, AI/ML, require us to change our business practices, require us to retrain our algorithms, or prevent or limit our use of AI/ML. For example, the FTC has required other companies to turn over (or disgorge) valuable insights or trainings generated through the use of AI/ML where they allege the company has violated privacy and consumer protection laws. Additionally, certain privacy laws extend rights to consumers (such as the right to delete certain personal information) and regulate automated decision making, which may be incompatible with our use of AI/ML. If we do not develop or incorporate AI/ML in a manner consistent with these factors, and consistent with customer expectations, it may result in an adverse impact to our reputation, our business may be less efficient, or we may be at a competitive disadvantage. Similarly, if customers and users do not widely adopt our new product AI/ML experiences, features, and capabilities, or they do not perform as expected, we may not be able to realize a return on our investment. Laws Relating to Minors Additionally, regulators are increasingly scrutinizing companies that process minors' data and/or provide online services or other interactive platforms used by minors. Numerous laws, regulations, and legally-binding codes, such as the Children's Online Privacy Protection Act ("COPPA"), California's Age Appropriate Design Code, the CCPA, other U.S. state comprehensive privacy laws, the EU and UK GDPR, the EU's Digital Services Act ("DSA"), the UK's Online Safety Act ("OSA") and the UK Age Appropriate Design Code, impose various obligations on companies that process minors' data and/or provide online services, or other interactive platforms used by children, including prohibiting showing minors advertising, requiring age verification, limiting the use of minors' personal information, requiring certain consents to process such data and extending certain rights to children and their parents with respect to that data. These laws may, or in some cases already have been subject to legal challenges and changing interpretations which may further complicate our efforts to comply with laws applicable to us. Some of these obligations have wide ranging applications, including for services that do not intentionally target child users (defined in some circumstances as a user under the age of 18 years old). In particular, COPPA is a U.S. Federal law that applies to operators of commercial websites and online services directed to U.S. children under the age of 13 that collect personal information from children, and to operators of general audience websites with actual knowledge that they are collecting personal information from U.S. children under the age of 13. We provide video communications and collaboration services to schools, school districts, and school systems to support traditional, virtual, and hybrid classrooms, distance learning, educational office hours, guest lectures, and other services. As part of these services, Zoom may be used by students, including students under the age of 13, and we collect personal information from such students on behalf of our school subscribers. School subscribers must contractually consent to Zoom's information practices on behalf of students, prior to students using the services. If we fail to accurately anticipate the application, interpretation, or legislative expansion of these laws, regulations, and legally-binding codes, we could be subject to governmental enforcement actions, data processing restrictions, litigation, fines and penalties, adverse publicity or loss of customers. Moreover, as a result of any such failures, we could be in breach of our K-12 school customer contracts, and our customers could lose trust in us, which could harm our reputation and business. Consumer Preferences and Protection Individuals are increasingly resistant to the collection, use, and sharing of personal information to deliver targeted advertising. Third-party platforms have introduced (or plan to introduce) measures to provide users with more privacy controls over targeted advertising activities, and regulators (including in the EEA/UK) are heavily scrutinizing the use of technologies used to deliver such advertisements. Major technology platforms on which we rely to gather information about consumers have adopted or proposed measures to provide consumers with additional control over the collection, use, and sharing of their personal information for targeted advertising or other purposes. For example, in 2021, Apple began allowing users to more easily opt-out of activity tracking across devices. In February 2022, Google announced similar plans to adopt additional privacy controls on its Android devices to allow users to limit sharing of their data with third parties and reduce cross-device tracking for advertising purposes. Additionally, Google has announced that it intends to phase out third-party cookies in its Chrome browser, which could make it more difficult for us to target advertisements. Other browsers, such as Firefox and Safari, have already adopted similar measures. In addition, legislative proposals and present laws and regulations regulate the use of cookies and other tracking technologies, electronic communications, and marketing. For example, in the EEA and the UK, regulators are increasingly focusing on compliance with requirements related to the targeted advertising ecosystem. European regulators have issued significant fines in certain circumstances where the regulators alleged that appropriate consent was not obtained in connection with targeted advertising activities. In the EU, it is anticipated that the ePrivacy Regulation and national implementing laws will replace the current national laws implementing the ePrivacy Directive, which may require us to make significant operational changes. In the United States, the CCPA, for example, grants California residents the right to opt-out of a company's sharing of personal information for advertising purposes in exchange for money or other valuable consideration, and requires covered businesses to honor user-enabled browser signals from the Global Privacy Control. Partially as a result of these developments, individuals are becoming increasingly resistant to the collection, use, and sharing of personal information to deliver targeted advertising or other types of tracking. Individuals are now more aware of options related to consent, "do not track" mechanisms (such as browser signals from the Global Privacy Control), and "ad-blocking" software to prevent the collection of their personal information for targeted advertising purposes. As a result, we may be required to change the way we market our products, and any of these developments or changes could materially impair our ability to reach new or existing customers or otherwise negatively affect our operations. We are also subject to consumer protection laws that may affect our sales and marketing efforts, including laws related to subscriptions, billing, and auto-renewal. These laws, as well as any changes in these laws, could adversely affect our self-serve model and make it more difficult for us to retain and upgrade customers and attract new customers. For example, in September 2024, the FCC adopted new rules that require video conferencing services to include features that expand accessibility requirements for consumers of our products and services. Additionally, we have in the past, are currently, and may from time to time in the future become the subject of inquiries and other actions by regulatory authorities as a result of our business practices, including our subscription, billing, and auto-renewal policies. Consumer protection laws may be interpreted or applied by regulatory authorities in a manner that could require us to make changes to our operations or incur fines, penalties, or settlement expenses, which may result in harm to our business. Industry Standards In addition to privacy, data protection and information security laws, we are contractually subject to industry standards adopted by industry groups and may become subject to such obligations in the future. We may also have privacy, data protection, information security obligations arising from the practices in our industry or of companies similar to us. We are also bound by other contractual obligations related to privacy, data protection, and information security, and our efforts to comply with such obligations may not be successful. If we fall below such industry standard or cannot comply with such contractual obligations, our reputation and business may be harmed. We also publish privacy policies, marketing materials, and other statements, such as compliance with certain certifications or self-regulatory principles, regarding privacy, data protection, and information security. If these policies, materials or statements are found to be deficient, lacking in transparency, deceptive, unfair, or misrepresentative of our practices, we may be subject to investigation, enforcement actions by regulators, or other adverse consequences. Government Inquiries and Investigations We have in the past and may in the future receive inquiries or be subject to investigations by domestic and international government entities regarding, among other things, our privacy, data protection, and information security practices. The result of these proceedings could impact our brand reputation, subject us to monetary remedies and costs, interrupt or require us to change our business practices, divert resources and the attention of management from our business, or subject us to other remedies that adversely affect our business. We also face litigation regarding our privacy and security practices, including alleged data sharing with third parties, in various jurisdictions. See Part I, Item 3 "Legal Proceedings" for additional information. In June 2020, we received a grand jury subpoena from the Department of Justice's U.S. Attorney's Office for the EDNY, which requested information regarding our interactions with foreign governments and foreign political parties, including the Chinese government, as well as information regarding storage of and access to user data, the development and implementation of Zoom's privacy policies, and the actions we took responding to law enforcement requests from the Chinese government. In July 2020, we received subpoenas from the Department of Justice's U.S. Attorney's Office for the NDCA and the SEC. Both subpoenas seek documents and information relating to various security, data protection, and privacy matters, including our encryption, and our statements relating thereto, as well as calculation of usage metrics and related public statements. In addition, the NDCA subpoena seeks information relating to any contacts between our employees and representatives of the Chinese government, and any attempted or successful influence by any foreign government in our policies, procedures, practices, and actions as they relate to users in the United States. We have since received additional subpoenas from EDNY and NDCA seeking related information. We are fully cooperating with all of these investigations and have conducted our own thorough internal investigation. These investigations are ongoing, and a negative outcome in any or all of these matters could cause us to incur substantial fines, penalties, or other financial exposure, as well as material reputational harm, a loss of customer and user confidence and business, additional expenses, and other harm to our business. As of the date hereof, in regard to the SEC matter, a tentative settlement offer is now outstanding and remains subject to SEC approval. We do not know when these matters will be completed, including the SEC matter, which facts we will ultimately discover as a result of the investigations, or what actions the government may or may not take. We were also the subject of an investigation by the FTC relating to our privacy and security representations and practices. We have reached a settlement agreement with the FTC, which the FTC voted to make final on January 19, 2021. We could fail or be perceived to fail to comply with the terms of the settlement with the FTC or any other orders or settlements relating to litigation or governmental investigations with respect to our privacy and security practices. Any failure or perceived failure to comply with such orders or settlements may increase the possibility of additional adverse consequences, including litigation, additional regulatory actions, injunctions, or monetary penalties, or require further changes to our business practices, significant management time, or the diversion of significant operational resources. Furthermore, the costs of compliance with, and other burdens imposed by, the laws, regulations, policies, and other obligations that are applicable to the businesses of our users may limit the adoption and use of, and reduce the overall demand for, our platform and services, which could have an adverse impact on our business. Consents Additionally, we rely on the administrators of our customers in the healthcare and education industries to obtain the necessary consents from users of our products and services and to ensure their account settings are configured correctly for their compliance under applicable laws and regulations, including HIPAA. Furthermore, if third parties we work with, such as vendors or developers, make misrepresentations, violate applicable laws and regulations, or our policies, such misrepresentations and violations may also put our users' content at risk and could in turn have an adverse effect on our business. Any significant change to applicable laws, regulations, or industry practices regarding the collection, use, retention, security, or disclosure of our users' content, or regarding the manner in which the express or implied consent of users for the collection, use, retention, or disclosure of such content is obtained, could increase our costs and require us to modify our services and features, possibly in a material manner, which we may be unable to complete and may limit our ability to store and process user data or provide or develop new services and features. Public Perception Increased usage of our services and additional awareness of Zoom and our brand has led to greater public scrutiny of, press related to, or a negative perception of our collection, use, storage, disclosure, and processing of personal information, and our privacy policies and practices. For example, users and customers, particularly those that are new to Zoom, may not have significant IT or security knowledge or have their own IT controls like those of a larger organization to configure our service in a manner that provides them with control over user settings. This has resulted in reports of users and customers experiencing meeting disruptions by malicious actors. Additional unfavorable publicity and scrutiny has led to increased governmental and regulatory scrutiny and litigation exposure, and could result in material reputational harm, a loss of customer and user confidence, additional expenses and other harm to our business. Failure to Comply with our Obligations Obligations related to privacy, data protection, information security, the use of AI, the provision of online services and other interactive platforms (and consumers' expectations regarding them) are quickly changing, becoming increasingly stringent, and creating uncertainty. Additionally, these obligations may be subject to differing applications and interpretations, which may be inconsistent or conflict among jurisdictions. Preparing for and complying with these obligations requires us to devote significant resources and may necessitate changes to our services, information technologies, systems, and practices and to those of any third parties that process personal information on our behalf. We may at times fail (or be perceived to have failed) in our efforts to comply with our obligations relating to privacy, data protection, information security, the use of AI and the provision of online services and other interactive platforms. Moreover, despite our efforts, our personnel or third parties with whom we work may fail to comply with such obligations, which could negatively impact our business operations. If we or the third parties with whom we work fail, or are perceived to have failed, to address or comply with applicable privacy, data protection, and information security obligations, we could face significant consequences, including but not limited to: government enforcement actions (e.g., investigations, fines, penalties, audits, inspections, and similar); litigation (including class-action claims) and mass arbitration demands; additional reporting requirements and/or oversight; bans or restrictions on processing personal information; and orders to destroy or not use personal information. In particular, plaintiffs have become increasingly more active in bringing privacy-related claims against companies, including class claims and mass arbitration demands. Some of these claims allow for the recovery of statutory damages on a per violation basis, and, if viable, carry the potential for monumental statutory damages, depending on the volume of data and the number of violations. Any of these events could have a material adverse effect on our reputation, business, or financial condition, including but not limited to: loss of customers; inability to process personal information or to operate in certain jurisdictions; limited ability to develop or commercialize our products; expenditure of time and resources to defend any claim or inquiry; adverse publicity; or substantial changes to our business model or operations.

Our business depends upon our ability to attract new customers, and maintain and expand our relationships with our existing customers, including upselling additional products and new product categories to our existing customers and upgrading users from a free plan to one of our paid offerings. Our business is subscription based, and customers are not obligated to, and may choose not to, renew their subscriptions after their existing subscriptions expire. Customers may also terminate or reduce the size of their existing subscriptions. As a result, we cannot provide assurance that customers will renew their subscriptions utilizing the same tier of plan, upgrade to a higher-priced tier, or purchase additional products, if they renew at all. Renewals of subscriptions to our platform may decline or fluctuate because of several factors, such as dissatisfaction with our products and support, a customer no longer having a need for our products, or a belief that a competitor's product is better, more secure, or less expensive than our products and platform. For example, during the COVID-19 pandemic, we saw a significant increase in usage and subscriptions. As a result, our customer base shifted largely from businesses and enterprises to a mix of businesses, enterprises, and consumers. Following the pandemic, some of our customers reduced or discontinued their use of our platform, and additional customers may do so in the future. Additionally, this shift in mix has resulted and may continue to result in higher non-renewal rates than we have experienced in the past. Renewals are also impacted by reductions in customer information technology spending budgets or a decision by the customer to consolidate their spending budgets on one of our competitor's platforms, both of which are more likely to occur during periods of high inflation or recessionary or uncertain economic environments. We must continually add new customers and licenses to grow our business and to replace customers and licenses who choose not to continue to use our platform. Finally, any decrease in user satisfaction with our products or support would harm our brand, word-of-mouth referrals, and ability to grow. We encourage customers to purchase additional products and encourage users of our free offering to upgrade to one of our paid offerings by recommending additional features and through in-product prompts and notifications. However, free users may never upgrade to one of our paid offerings. We also seek to expand within organizations by adding new licenses, having workplaces purchase additional products, or expanding the use of our platform into other teams and departments within an organization. If we fail to upsell our customers or upgrade free users to one of our paid offerings or expand the number of licenses within organizations, our business would be harmed.

We expect to continue selling our products and services to U.S. federal and state and foreign governmental agency customers, which may occur through sales to other companies that re-sell our services to government customers and/or through direct sales to government entities. While we are a U.S. Federal Risk and Authorization Management Program ("FedRAMP") authorized SaaS service, selling to government entities and other government contractors presents a number of unique challenges and risks including the following: - selling to governmental entities can be more competitive, expensive, and time-consuming than selling to private entities, often requiring significant up-front time and expense and ongoing compliance costs without any assurance that these efforts will generate a sale;- government certification requirements may change, or we may be unable to achieve or sustain one or more government certifications, including FedRAMP, which may restrict our ability to sell into the government sector until we have attained such certificates;- contracts with governmental entities and other government contractors, including resellers in the government market, contain terms that are less favorable than what we generally agree to in our standard agreements, including, terms and conditions required by regulation that are not negotiable with the customer;- non-compliance with terms and conditions of government contracts, or with representations or certifications made in connection with government contracts, can result in significantly more adverse consequences than we typically would expect in the commercial market, including, depending on the circumstances, criminal liability, liability under the civil False Claims Act, and/or suspension or debarment from doing business with governmental entities; and - government demand and payment for our products may be influenced, among other things, by public sector budgetary cycles and funding authorizations, with funding reductions or delays having an adverse impact on public sector demand for our products. To the extent that we become more reliant on contracts with government entities and/or other government contractors in the future, our exposure to such risks and challenges could increase, which in turn could adversely impact our business. In May 2021, the Biden Administration issued an Executive Order requiring federal agencies to implement additional information technology security measures, including, among other things, requiring agencies to adopt multifactor authentication and encryption for data at rest and in transit to the maximum extent consistent with Federal records laws and other applicable laws. The Executive Order will lead to the development of secure software development practices and/or criteria for a consumer software labeling program, which will reflect a baseline level of secure practices, for software that is developed and sold to the U.S. federal government. Software developers will be required to provide visibility into their software and make security data publicly available. Due to this Executive Order, federal agencies may require us to modify our cybersecurity practices and policies, thereby increasing our compliance costs. If we are unable to meet the requirements of the Executive Order, our ability to work with the U.S. government may be impaired and may result in a loss of revenue.

A large portion of our customers authorize us to bill their credit card accounts directly for our products. If customers pay for their subscriptions with stolen credit cards, we could incur substantial third-party vendor costs for which we may not be reimbursed. Further, our customers provide us with credit card billing information online or over the phone, and we do not review the physical credit cards used in these transactions, which increases our risk of exposure to fraudulent activity. We also incur charges, which we refer to as chargebacks, from the credit card companies for claims that the customer did not authorize the credit card transaction for our products, something that we have experienced in the past. If the number of claims of unauthorized credit card transactions becomes excessive, we could be assessed substantial fines for excess chargebacks, and we could lose the right to accept credit cards for payment. In addition, credit card issuers may change merchant standards, including data protection and documentation standards, required to utilize their services from time to time. If we fail to maintain compliance with current merchant standards or fail to meet new standards, the credit card associations could fine us or terminate their agreements with us, and we would be unable to accept credit cards as payment for our products. Our products may also be subject to fraudulent usage and schemes, including third parties accessing customer accounts or viewing and recording data from our communications solutions. These fraudulent activities can result in unauthorized access to customer accounts and data, unauthorized use of our products, and charges and expenses to customers for fraudulent usage. We may be required to pay for these charges and expenses with no reimbursement from the customer, and our reputation may be harmed if our products are subject to fraudulent usage. Although we implement multiple fraud prevention and detection controls, we cannot assure you that these controls will be adequate to protect against fraud. Substantial losses due to fraud or our inability to accept credit card payments would cause our customer base to significantly decrease and would harm our business.

Increased user demand for support may result in increased costs that may harm our results of operations. For example, during the COVID-19 pandemic we saw surging demand requiring us to allocate additional resources to support our expanded customer and user base, including many who were using our platform for the first time, placing additional pressure on our support organization. In addition, as we continue to support our global user base, we need to be able to continue to provide efficient support that meets our customers and users' needs globally at scale. If we are unable to provide efficient user support globally at scale or if we need to hire additional support personnel, our business may be harmed. Our new customer signups are highly dependent on our business reputation and on recommendations from our existing customers and users. Any failure to maintain high-quality support, or a market perception that we do not maintain high-quality support for our customers and users, would harm our business.