If we or third-party contract manufacturing organizations, CROs or other contractors or consultants fail to comply with U.S. and international data protection laws and regulations, it could result in government enforcement actions (which could include civil or criminal penalties), private litigation, and/or adverse publicity and could negatively affect our operating results and business. Moreover, clinical trial subjects about whom we or our potential collaborators obtain information, as well as the providers who share this information with us, may contractually limit our ability to use and disclose the information. Claims that we have violated individuals’ privacy rights, failed to comply with data protection laws, or breached our contractual obligations, even if we are not found liable, could be expensive and time-consuming to defend and could result in adverse publicity that could harm our business, operating results, financial condition and prospects.
We are subject to laws and regulations related to privacy, data protection, information security and consumer protection across different markets where we conduct our business. Our actual or perceived failure to comply with such obligations could harm our business.
We are, or will become, subject to numerous federal, state, local, and foreign laws and regulations related to, among other things, privacy, data protection, information security and consumer protection across different markets where we conduct, or in the future conduct, our business. Such laws and regulations are constantly evolving and changing and are likely to remain uncertain for the foreseeable future. Our actual or perceived failure to comply with such obligations could have an adverse effect on our business, operating results and financial operations. For example, in the United States, California has enacted the California Consumer Privacy Act (CCPA), which creates individual privacy rights for California consumers, increases the privacy and security obligations of entities handling certain personal information, requires new disclosures to California individuals and affords such individuals new abilities to opt out of certain sales of personal information, and provides for civil penalties for violations as well as a private right of action for data breaches that is expected to increase data breach litigation. Additional states have already passed similar comprehensive data privacy and information security legislation, and other states have proposed similar laws. If such proposed legislation is passed, including at the U.S. federal level, these laws may have potentially conflicting requirements that would make compliance challenging.
European data collection is also governed by restrictive regulations governing the use, processing and cross-border transfer of personal information. The collection, use, storage, disclosure, transfer, or other processing of personal data regarding individuals in the EU and UK, including personal health data, is subject to the EU GDPR and UK GDPR, respectively, which impose strict requirements for processing the personal data of individuals within the EEA and United Kingdom. In China, the Personal Information Protection Law (PIPL) provides a comprehensive set of data privacy and protection requirements that apply to the processing of personal information by organizations and individuals in China, and the processing of personal information of persons in China outside of China. For more information relating to United States and foreign regulations related to privacy, data protection, information security and consumer protection, see “Business — Government regulation – Personal data processing.”
Complying with these numerous, complex, and often changing regulations is expensive and difficult, and failure to comply with any privacy laws or data security laws or any security incident or breach involving the misappropriation, loss or other unauthorized processing, use or disclosure of sensitive or confidential patient, consumer or other personal information, whether by us, one of our collaborators or another third party, could adversely affect our business, financial condition, and results of operations, including but not limited to investigation costs, material fines and penalties, compensatory, special, punitive, and statutory damages, litigation, consent orders regarding our privacy and security practices, requirements that we provide notices, credit monitoring services, and/or credit restoration services or other relevant services to impacted individuals, adverse actions against our licenses to do business, reputational damage and injunctive relief.
We cannot assure you that our third-party service providers with access to our or our customers’, suppliers’, trial patients’ and employees’ personally identifiable and other sensitive or confidential information will not breach contractual obligations imposed by us, or that they will not experience data security breaches or attempts thereof, which could have a corresponding effect on our business, including putting us in breach of our obligations under privacy laws and regulations, which could in turn adversely affect our business, results of operations, and financial condition. We cannot provide assurances that our contractual measures and our own