As a demand side platform within the digital programmatic ecosystem, we receive, store and process certain personal information and other data from and about consumers in addition to personal information and other data from and about our customers, employees, and services providers. Our handling of this data is subject to a wide variety of federal, state, and foreign laws and regulations and is subject to regulation by various government authorities and consumer actions. Our data handling is also subject to contractual obligations and may be deemed to be subject to industry standards.
The U.S. federal and various state and foreign governments have adopted or proposed laws relating to the collection, disclosure, processing, use, storage and security of data relating to individuals and households, including the use of contact information and other data for marketing, advertising and other communications with individuals and businesses. In the U.S., various laws and regulations apply to the collection, disclosure, processing, use, storage and security of certain types of data. Additionally, the FTC, many state attorneys general, and many courts are interpreting federal and state consumer protection laws as imposing standards for the collection, disclosure, process, use, storage and security of data. The regulatory framework for data privacy issues worldwide is complex, continually evolving and often conflicting, and is likely to remain uncertain for the foreseeable future. The occurrence of unanticipated events often rapidly drives the adoption of legislation or regulation affecting the use, collection or other processing of data and the manner in which we conduct our business. As a result, further restrictions could be placed upon the collection, disclosure, processing, use, storage and security of information, which could result in a material increase in the cost of obtaining certain kinds of data and could limit the ways in which we may collect, disclose, process, use, store or secure information.
U.S. federal and state legislatures, along with federal regulatory authorities, have recently increased their focus on matters concerning the collection and use of consumer data, including relating to interest- based advertising, or the use of data to draw inferences about a user’s interests and deliver relevant advertising to that user, and similar or related practices, such as cross-device data collection and aggregation, and steps taken to
de-identify
personal data and to use and distribute the resulting data, including for purposes of personalization and the targeting of advertisements. In the U.S.,
non-sensitive
consumer data generally may be used under current rules and regulations, subject to certain restrictions, including relating to transparency and affirmative
“opt-out”
rights of the collection or use of such data in certain instances. To the extent additional
opt-out
rights are made available in the U.S., additional regulations are imposed, or if an
“opt-in”
model were to be adopted, less data would be available, the cost of data and compliance would be higher, or we could be required to modify our data processing practices and policies. For example, California recently enacted legislation, the CCPA, that became operative on January 1, 2020 and came under California Attorney General (“AG”) enforcement on July 1, 2020. The CCPA requires covered companies to, among other things, provide new disclosures to California consumers and grant such consumers a new right to
opt-out
of “sales” of personal information, a concept that is defined broadly. The CCPA is also subject to regulations issued by the California AG, which were finalized and became effective in August 2020. The California Privacy Rights and Enforcement Act (“CPRA”), which was passed as a ballot initiative in November 2020 and comes into effect on January 1, 2023, expands upon the CCPA and, among other things, creates new categories of personal information with additional protections, creates new data subject rights such as a right of correction, creates a new state rulemaking and enforcement agency for the CPRA, expands potential liability for violations and gives consumers rights to opt out of additional forms of data sharing with third parties. It remains unclear how aspects of the CCPA (as amended by the CPRA) or its implementing regulations will be interpreted. We cannot yet fully predict the impact of these laws on our business or operations, but it or future regulations (particularly any regulations using an
“opt-
in” model), could require us or our customers to modify data processing practices and policies and to incur