PRSS 2017 Annual Report

6 maintain DMCA-complaint practices for notice and take-down as well as other required practices such as repeat offender management. • The CAN-SPAMAct of 2003 and similar laws adopted by a number of states, which regulate unsolicited commercial e- mails, create criminal penalties for unmarked sexually-oriented material and e-mails containing fraudulent headers and control other abusive online marketing practices. Similarly, the guidelines of the Federal Trade Commission imposes responsibilities upon us for communications with respect to consumers and imposes fines and liability for failure to comply with rules with respective advertising or marketing practices they may deem misleading or deceptive. Further, the European Union, or the E.U., alsomaintains standards and regulations with respect to communications with consumers that we must comply with as we expand our marketing practices into those countries. • Numerous product safety and environmental regulations that apply to the manufacture, sale and distribution of products and apply to our products and services to varying degrees based on the individual types of products sold through our portfolio of e-commerce websites and the inks used in our decorating processes. These regulations include, without limitation, the Consumer Product SafetyAct, The Fair Packaging and LabelingAct, the Federal Food, Drug and Cosmetic Act, California Proposition 65, the California Transparency in Supply Chains Act of 2010, as well as a number of other federal and state product safety and environmental regulatory schemes. Product safety regulations applicable to the E.U. in particular, where the majority of our international sales is currently shipped, are often more stringent than those in the United States and we therefore must evaluate and test applicable products to E.U. standards with respect to products intended for distribution in those markets. • TheCredit CardAccountabilityResponsibility andDisclosureAct of 2009 (CARDAct) andother state laws and regulations that relate to credit card and gift certificate use fairness, including expiration dates and fees, aswell as state laws surrounding escheat and abandonment of unclaimed property. • In the United States and internationally, we must evaluate tax liabilities from transactions on our portfolio of e-commerce websites and maintain finance infrastructure to support the collection and remittance of applicable sales taxes. In the United States, sales tax nexus issues with respect to Internet sales to consumers in states where we do not have a physical presence, which create potential nexus through affiliate program marketing activities and other nascent efforts to imply tax nexus on royalties payable on content licenses. This regulation continues to be an area of great uncertainty and legal scrutiny both on a federal and state level, with over 27 states evaluating or imposing new legislation on various e-commerce activities or engaging in lawsuits with e-retailers. In Europe, we must comply with regulations with respect to customs, duties andV.A.T. as they apply to our business, sometimes on a country-by-country basis, which requires complex tracking and remittance processes. • The Communications DecencyAct of 1996, which gives statutory protection to online service providers for claims against interactive computer services providers who distribute third-party content. • The Children’s Online Privacy ProtectionAct of 1998, which restricts the distribution of certain materials deemed harmful to children and imposes additional restrictions on the ability of online services to collect user information from minors. In addition, the Protection of Children From Sexual Predators Act of 1998 requires online service providers to report evidence of violations of federal child pornography laws under certain circumstances. • Data privacy and security with respect to the collection of personally identifiable consumer information continues to be a focus of worldwide legislation and compliance review. Examples include statutes adopted by the State of California that require online services to report certain breaches of the security of personal data, and to report to California customers when their personal data might be disclosed to direct marketers. • Foreign governments are raising similar privacy and data security concerns. In particular, the E.U. has enacted a new General Data Protection Regulation (“GDPR”) that will replace the current Data Protection Directive in May 2018. The GDPR will tighten regulation of the collection, use and security of personal data and will continue to restrict the trans- border flow of such data while increasing the potential fines for non-compliance. Several European countries have issued new guidelines under the E.U. e-Privacy (Cookie) Directive that require robust disclosures and consumer choice before a user can be tracked online. The European Commission has proposed a new e-Privacy Regulation (“e-PR”) that would supersede the existing Directive and is intended to become effective at the same time as the GDPR. If adopted, the new e-PR would require extensive privacy warnings about third party tracking tools and would establish express consent as the only valid basis for third party processing of personal data for advertising or cross-domain analytics. European industry has implemented a self-regulatory regime for online behavioral advertising that is largely consistent with the U.S. self-regulatory framework. It is unclear how compliance with the GDPRwill affect our business and it is not possible to predict whether the e-PR will be enacted as proposed. Canada, Australia, Russia, China, Japan and other countries in South/Latin America and Asia are also strengthening their privacy laws and the enforcement of privacy and data security requirements.