Global developments in privacy and data security regulations are changing some of the ways we, our sellers, our vendors and other third parties collect, use, and share personal information and other proprietary or confidential information. Compliance with these changing regulations have necessitated some specific product changes for our non-U.S. activities, and required additional compliance obligations for us and for our relationships with sellers, vendors, and other third parties.
a) General Data Protection Regulation (GDPR):
In the European Union, the GDPR contains strict requirements for processing the personally identifiable information of individuals residing in the European Economic Area (“EEA”), Switzerland and (in a form frozen as of December 31, 2020 and as further separately domestically amended), the United Kingdom. The GDPR seeks to harmonize the data protection regulations throughout these jurisdictions. The regulation contains numerous requirements and changes from previous E.U. law, including more robust obligations on data processors, greater rights for data subjects (requiring potentially significant changes to both our technology and operations), security and accountability obligations, and significantly heavier documentation and record-keeping requirements for data protection compliance programs. Specifically, the GDPR introduced numerous privacy-related changes for companies operating in the European Union, including greater control over personal data by data subjects (e.g., the “right to be forgotten”), increased data portability, access, and redress rights for E.U. consumers, data breach notification requirements, increased rules for online and email marketing, compliance requirements related to our sellers, vendors and third parties, and stronger regulatory enforcement regimes. The GDPR is subject to changing interpretations due to decisions of data protection authorities, courts, and related legislative efforts both E.U.-wide and in particular jurisdictions. The GDPR requirements apply to some third-party transactions (such as commercial contracts with partners and vendors) and to transfers of information between us and our subsidiaries, including user and employee information. GDPR requirements may also apply, depending on interpretation of its reach, to some users in our worldwide community of sellers.
b) California Consumer Privacy Act (CCPA):
In the United States, rules and regulations governing data privacy and security include those promulgated under the authority of the Federal Trade Commission Act, the Electronic Communications Privacy Act, the Computer Fraud and Abuse Act, California’s CCPA (effective January 1, 2020) and CPRA (effective January 1, 2023), and other state and federal laws relating to privacy, consumer protection, and data security. The CCPA and CPRA introduce new requirements regarding the handling of personal information of California consumers and households, including compliance and record keeping obligations, the right to request access to and deletion of their personal information, and the right to opt out of the sale of their personal information and provides a private right of action and statutory damages for data breaches.
Other jurisdictions in the United States are beginning to expand existing regulations, or propose laws similar to the CCPA. If more stringent privacy legislation arises in the United States, it could increase our potential liability and adversely affect our business, results of operations, and financial condition. Additionally, other countries outside of Europe have enacted or are considering enacting similar cross-border data transfer restrictions and laws requiring local data residency, and strict limitations to the processing of personal information, which could increase the cost and complexity of delivering our services and operating our business. In the past year, for example, Brazil recently enacted the General Data Protection Law, New Zealand recently enacted the New Zealand Privacy Act, China released its draft Personal Information Protection Law, and Canada introduced the Digital Charter Implementation Act.
c) Risks and Response:
We may experience difficulty retaining or obtaining new E.U. sellers or current and new sellers may limit their selling into the European Union, due to the legal requirements, compliance cost, potential risk exposure, and uncertainty for them in respect of their own compliance obligations with respect to GDPR. In addition, although our sellers are independent businesses, it is possible that a privacy authority could deem us jointly and severally liable for actions of our sellers or vendors, which would increase our potential liability exposure and costs of compliance, which could negatively impact our business. We could face potential liability, regulatory investigation, and costly litigation, which may not be adequately covered by insurance. GDPR, CCPA, and similar laws coming into effect in other jurisdictions may continue to change the data protection landscape globally, may be potentially inconsistent or incompatible, and could result in potentially significant operational costs for internal compliance and risk to our business. Some of these requirements may introduce friction into the buying and selling experience on our platform and may impact the scope and effectiveness of our marketing efforts, which could negatively impact our business and future outlook. Beyond GDPR and CCPA/CPRA, individual jurisdictions continue to pass laws related to data protection, such as data privacy and data breach notification, resulting in a diverse set of requirements across states, countries, and regions. Non-compliance with these laws could result in proceedings against us by one or more data protection authorities, other public authorities, third parties, or individuals. Under GDPR alone, noncompliance could result in fines of up to 20 million Euros or up to 4% of the annual global revenue of the noncompliant company, whichever is greater. In addition, E.U. data protection laws, including the GDPR, also generally prohibit the transfer of personal information from Europe to the United States and most other countries unless the recipient country has been deemed to have adequate privacy protections in place to protect the personal information. Parties transferring protected personal data to jurisdictions deemed inadequate must establish a legal basis for, and implement specific safeguards for, such intra-party or inter-party transfers. A recent judgment of the Court of Justice of the European Union found a common basis for such transfers, the E.U.-U.S. Privacy Shield, insufficient, and a parallel arrangement with Switzerland may similarly be deemed insufficient. While Etsy did not rely upon Privacy Shield for cross-border transfers, Reverb previously had done so. While effective solutions may be available to permit these transfers, such as Standard Contractual Clauses (“SCCs”) continuing changes to the rules related to cross-border transfers may nonetheless impede Etsy and Reverb’s ability to effectively transfer data between jurisdictions with parties such as partners, vendors and users, or may make such transfers of personal data more costly. In particular, another recent decision and related European Commission guidance and updates to the SCCs may impose additional obligations on companies seeking to rely on the SCCs and may require significant expense and resources associated with compliance. For example, transfers with the United Kingdom might be deemed inadequate after its departure from the European Union and European Economic Area and require substantial expense and resources to comply with based upon adequacy mechanisms such as SCCs. Transfers by us or our vendors of personal information from Europe pursuant to SCCs may not comply with E.U. data protection law, may increase our exposure to the GDPR’s heightened sanctions for violations of its cross-border data transfer restrictions, and may result in lower sales on our platform because of difficulty of establishing a lawful basis for personal information transfers out of Europe.