Table of Contents
or other confidential data of individuals, including payment card information, and the FTC and many state attorneys general are applying federal and state
consumer protection laws to impose standards on the online collection, use and dissemination of data. Self-regulatory obligations, other industry standards,
policies and other legal obligations may apply to our collection, distribution, use, security or storage of personal information or other data relating to
individuals, including payment card information. These obligations may be interpreted and applied inconsistently from one jurisdiction to another and may
conflict with one another, other regulatory requirements or our internal practices. Any failure or perceived failure by us to comply with U.S., E.U. or other
foreign privacy or security laws, policies, industry standards or legal obligations or any security incident resulting in the unauthorized access to, or acquisition,
release or transfer of, personal information or other confidential data relating to our customers, employees and others, including payment card information, may
result in governmental enforcement actions, litigation, fines and penalties or adverse publicity and could cause our customers to lose trust in us, which could
have an adverse effect on our reputation and business.
We expect there will continue to be newly enacted and proposed laws and regulations as well as emerging industry standards concerning privacy, data
protection and information security in the U.S., the E.U. and other jurisdictions, and we cannot yet determine the impact such future laws, regulations and
standards may have on our business. Such laws, regulations, standards and other obligations could impair our ability to, or the manner in which we, collect or
use information to target advertising to our customers, thereby having a negative impact on our ability to maintain and grow our total customers and increase
revenue. For example, California enacted the California Consumer Protection Act, as amended by the California Privacy Rights Act (CPRA, and collectively,
CCPA) that, among other things, requires covered companies to provide certain disclosures to California residents and afford such residents certain rights,
including the right to opt-out of the sale or sharing of their personal information, or opt-into certain financial incentive programs. To date, we have not incurred
significant cost or impact regarding our data processing practices due to requirements of CCPA and CPRA. Several other states have enacted, and others are
considering enacting, similar data privacy and cybersecurity laws that may require disclosures or notices to consumers and the recognition of certain rights
relating to personal information, any of which may require us to modify our data processing practices in the future, for which the cost and impact are currently
not predictable. Future restrictions on the collection, use, sharing or disclosure of our users' data or additional requirements for express or implied consent of
users for the use, disclosure or other processing of such information could increase our operating expenses, require us to modify our products, possibly in a
material manner, or stop offering certain products, and could limit our ability to develop and implement new product features.
In particular, with regard to transfers to the U.S. of personal data (as such term is used in the GDPR and applicable E.U. member state legislation, and
as similarly defined under the proposed ePrivacy Regulation) from our employees and European customers and users, we historically relied upon the E.U.-U.S.
Privacy Shield, as well as E.U. Model Clauses in certain circumstances. The E.U.-U.S. Privacy Shield was invalidated by the Court of Justice of the E.U.
(CJEU) in July 2020 (Schrems II), and the E.U. Model Clauses have been subject to legal challenge and were updated in June 2021. Following Schrems II, we
have an ongoing process to review Data Processing Agreements with our sub-processors and, where there is a transfer involving a third country, to incorporate
other data transfer mechanisms, such as the 2021 Standard Contractual Clauses (SCCs), for personal data transfers between E.U. and non-E.U. countries
without an adequacy decision from the European Commission. We will continue to transfer personal data pursuant to the SCCs, but the CJEA has indicated that
sole reliance on SCCs for transfers of personal information outside the European Economic Area may not be sufficient in all circumstances and the transfers
must be assessed on a case-by-case basis. On July 10, the European Commission’s adequacy decision for the EU-U.S. Data Privacy Framework (DPF) entered
into effect and the EU-U.S. DPF Principles (DPF Principles) entered into effect the same date. The DPF and the DPF Principles provide a new mechanism for
transferring personal data from the EEA to the US, with the European Commission having determined that data transfers to the US made by companies who
have self-certified their adherence to the DPF and DPF Principles provides a level of data protection comparable to the protection offered in the EU. However,
this decision will likely face legal challenges and ultimately may be invalidated by the CJEU just as was the EU-U.S. Privacy Shield. On July 17, 2023, the
U.S. Department of Commerce recognized several GoDaddy entities, including Go Daddy Operating Company, LLC, as having self-certified their adherence to
the DPF by virtue of their prior self-certification under the EU-U.S. Privacy Shield. The Department of Commerce will require self-certified companies to take
certain steps to implement the DPF’s requirements by October 2023 to maintain their self-certification and we intend to complete all required steps applicable
to us by the applicable deadlines. Our failure or inability to comply with all requirements of the DPF could limit our ability to transfer data from the EEA to the
US. However, we continue to implement appropriate technical and organizational measures to ensure a level of security appropriate to the risks associated
herewith.
Notwithstanding the aforementioned measures, we may be unable to maintain legitimate means for our transfer and receipt of personal data from the
European Economic Area (EEA). We may, in addition to other impacts, experience additional costs associated with increased compliance burdens, and we and
our customers face the potential for regulators in the EEA to apply different standards to the transfer of personal data from the EEA to the U.S., and to block, or
require ad hoc verification of
64