Risk Factors Dashboard
Once a year, publicly traded companies issue a comprehensive report of their business, called a 10-K. A component mandated in the 10-K is the ‘Risk Factors’ section, where companies disclose any major potential risks that they may face. This dashboard highlights all major changes and additions in new 10K reports, allowing investors to quickly identify new potential risks and opportunities.
View risk factors by ticker
Search filings by term
Risk Factors - RBLX
-New additions in green
-Changes in blue
-Hover to see similar sentence in last filing
Item 1A. Risk Factors
Our Board of Directors has the ultimate responsibility for the oversight of our risk management framework, which is designed to identify, assess, and manage risks to which we are exposed, as well as to foster a corporate culture of integrity. Management is responsible for the day-to-day oversight and management of strategic, operational, legal and compliance, cybersecurity, and financial risks. The Audit and Compliance Committee (the “ACC”) is central to the Board of Directors’ oversight of cybersecurity risks and has been delegated the primary responsibility for this domain. The ACC is composed of independent board members with diverse expertise including risk management, technology, and finance, equipping them to oversee cybersecurity risks effectively. The ACC has also engaged a cybersecurity advisor to assist them in cybersecurity matters. In overseeing our cybersecurity risks and mitigation strategies, at least quarterly the CISO, members of management, and the ACC’s cybersecurity advisor, review and discuss with the ACC guidelines, practices and policies to identify, monitor, and address enterprise risks, including cybersecurity risks. In overseeing the Company’s cybersecurity risks and mitigation strategies, at least quarterly the CISO, members of management, and the ACC’s cybersecurity advisor, review and discuss with the ACC guidelines, practices and policies to identify, monitor, and address enterprise risks, including cybersecurity risks. The ACC then oversees and monitors management’s plans to address such risks.
To oversee the material risks and strategic opportunities associated with AI, we formally established a specialized AI governance committee in September 2025. The committee, which has been operating since May 2025, is composed of senior leaders from our legal, security, engineering, and people and systems organizations, and is responsible for overseeing our AI governance framework, defining our risk tolerance, evaluating AI use cases, driving company policy, and supporting compliance with evolving regulatory obligations. The committee provides periodic updates regarding our AI strategy and risk management program to management and the ACC. During the last fiscal year, we did not identify any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, that materially affected us, including our business strategy, results of operations, or financial condition. However, we face ongoing and increasing cybersecurity risks, including those from threat actors who are becoming more sophisticated and effective over time. If realized, these risks may materially affect us.
RISK FACTORS
A description of the risks and uncertainties associated with our business is set forth below. You should carefully consider the risks described below, as well as the other information in this Annual Report on Form 10-K, including our consolidated financial statements and “Management’s Discussion and Analysis of Financial Condition and Results of Operations.” The occurrence of any of the events or developments described below could materially and adversely affect our business, financial condition, results of operations, and growth prospects. In such an event, the market price of our Class A common stock could decline, and you may lose all or part of your investment. Additional risks and uncertainties not presently known to us or that we currently believe are not material may also impair our business, financial condition, results of operations, and growth prospects.
Risk Factors Summary
Below is a summary of the principal factors that make an investment in our Class A common stock speculative or risky:
•We have a history of net losses and we may not be able to achieve or maintain profitability in the future.
•Our business is affected by seasonal demands, and our financial condition and results of operations will fluctuate from quarter to quarter, which makes our financial results difficult to predict and may not fully reflect our underlying performance.
•We are subject to laws and regulations worldwide that are constantly evolving, which could increase our costs or adversely affect our business, including preventing our ability to operate our Platform in certain jurisdictions.We are subject to state, federal, and international regulations and any changes in such regulations could harm or prevent our ability to operate our Platform in those jurisdictions.
•We have experienced rapid growth at times, in part due to the virality of certain experiences on our Platform, and our growth rates may not be indicative of our future growth or the growth of our market.
•We depend on effectively operating with third-party operating systems, hardware, and networks that may make changes affecting our operating costs, as well as our ability to maintain our Platform, which would hurt our business.
•The success of our business model is contingent upon maintaining a strong reputation and brand, including our ability to provide a safe online environment for our users, many of whom are children, to experience and if we are not able to provide such an environment, our business will suffer dramatically.
•We are subject to numerous legal proceedings that are costly and time-consuming to defend and could harm our business, financial condition, or results of operations.
•If we fail to retain users or add new users, or if our users decrease their level of engagement with our Platform, our revenue, bookings, and operating results will be harmed.
•We depend on our creators to create digital content that our users find compelling, and if we fail to properly incentivize our creators to develop and monetize content, our business will suffer.
•If we are unable to further monetize our Platform and user base, our business will suffer.
•The loss of one or more of our key personnel, or our failure to attract and retain other highly qualified personnel in the future, could harm our business.
•If we experience loss of availability or degradation in our services, Platform support, and/or technological infrastructure, our ability to provide sufficiently reliable services to our users and maintain the performance of our Platform could be negatively impacted, which could harm our relationships with our creators and users, and consequently, our business.33Table of ContentsIf we experience outages, constraints, disruptions, or degradations in our services, Platform support and/or technological infrastructure, our ability to provide sufficiently reliable services to our customers and maintain the performance of our Platform could be negatively impacted, which could harm our relationships with our developers, creators, and users, and, consequently, our business.
•Security compromises of our Platform, our private information, and our users’ private information could disrupt our internal operations and harm public perception of our Platform, which could cause our business and reputation to suffer.
•The operation of our Platform outside the United States exposes us to risks inherent in international operations.The expansion of our Platform outside the United States exposes us to risks inherent in international operations.
•Our continued success significantly depends on our ability to effectively navigate the integration of rapidly evolving technologies such as generative AI into our business and address their impact on our threat landscape.
•Because we recognize revenue from bookings over the estimated average lifetime of a paying user or as the virtual items are consumed, changes in our business may not be immediately reflected in our operating results.
•Our user metrics and other estimates are subject to inherent challenges in measurement, and real or perceived inaccuracies in those metrics may significantly harm and negatively affect our reputation and our business.
24
•We may incur liability as a result of content published using our Platform or as a result of claims related to content generated by our creators and users, including copyright infringement, and legislation regulating content on our Platform may require us to change our Platform or business practices.•We may incur liability as a result of content published using our Platform or as a result of claims related to content generated by our developers, creators, and users, including copyright infringement, and legislation regulating content on our Platform may require us to change our Platform or business practices.
•The market price of our Class A common stock has fluctuated and could decline regardless of our operating performance.
•The dual class stock structure of our common stock has the effect of concentrating voting control in David Baszucki, our Founder, President, CEO, and Chair of our Board of Directors, which limits or precludes your ability to influence corporate matters, including the election of directors and the approval of any change of control transaction.
Risks Related to Our Business
We have a history of net losses and we may not be able to achieve or maintain profitability in the future.
We have incurred net losses since our inception, and we expect to continue to incur net losses in the foreseeable future. We incurred net losses attributable to common stockholders of $1,065.1 million, $935.4 million, and $1,151.9 million for the years ended December 31, 2025, 2024, and 2023, respectively. We incurred net losses attributable to common stockholders of $1,151.9 million, $924.4 million and $491.7 million for the years ended December 31, 2023, 2022, and 2021, respectively. As of December 31, 2025, we had an accumulated deficit of $5,060.7 million. We also expect our operating expenses to continue to increase, and if our growth does not increase to offset these anticipated increases in our operating expenses, our business, results of operations, and financial condition will be harmed, and we may not be able to achieve or maintain profitability. We expect our costs and investments to continue to increase in future periods as we intend to continue to make investments to grow our business, including an expected increase in infrastructure and stock-based compensation expenses. These efforts may be more costly than we expect and may not result in increased revenue or growth of our business. If we fail to increase our revenue to sufficiently offset the increases in our operating expenses, we will not be able to achieve or maintain profitability in the future.
Our business is affected by seasonal demands, and our financial condition and results of operations will fluctuate from quarter to quarter, which makes our financial results difficult to predict and may not fully reflect our underlying performance.
Historically, our business has been highly seasonal, with the highest percentage of our bookings occurring in the fourth quarter when holidays permit our users to spend increased time on our Platform and lead to increased spend on prepaid gift cards, and we expect this trend to continue. We also typically see higher levels of engagement in the months of June, July, and August, which are summer periods in the northern hemisphere, and lower levels of engagement in the post-summer months of September, October, and November. However, school holidays around the world differ in timing year-over-year and therefore have impacted and may continue to impact our quarterly results. Similarly, other periods of seasonality include holidays such as Lunar New Year, Easter, and Ramadan, each of which may differ in timing year-over-year, and therefore have impacted and may continue to impact our quarterly results. We also have and may continue to experience fluctuations due to external factors that we are unable to predict or control that affect user or creator engagement with our Platform as further described in our other Risk Factors in this Annual Report on Form 10-K. Accordingly, we expect our quarterly results of operations will continue to fluctuate and you should not rely on our past quarterly results of operations as indicators of future performance. You should take into account the risks and uncertainties frequently encountered by companies in rapidly evolving market segments.
We are subject to laws and regulations worldwide that are constantly evolving, which could increase our costs or adversely affect our business, including preventing our ability to operate our Platform in certain jurisdictions.We are subject to state, federal, and international regulations and any changes in such regulations could harm or prevent our ability to operate our Platform in those jurisdictions.
As a global platform, we are subject to a myriad of laws and regulations that affect our business, including but not limited to, laws and regulations regarding online gaming, user-generated content, online safety, privacy, AI, online platform liability, social media platforms, content moderation, intellectual property ownership and infringement, consumer protection, protection of minors, anti-competition, taxation, labor, real estate, export and national security, requirements related to the use of parental consent, biometrics, cybersecurity, privacy data protection and data localization requirements, the use of prepaid cards, subscriptions, advertising, electronic marketing, illegal content, escheatment, tariffs, anti-corruption, campaign finance, gambling, loot boxes, ratings, telecommunications, and payments regulation, all of which are continuously evolving and developing. In recent periods, there has been increased regulatory scrutiny, investigations, and litigation on areas that impact our business including the protection of minors online and online safety overall. The scope and interpretation of laws, regulations, and other requirements that are or may be applicable to us, are often uncertain and may differ or conflict from jurisdiction to jurisdiction. We have policies and procedures designed to promote compliance with applicable laws and regulations, but we cannot assure you that authorities will not assert or determine that our practices violate such laws and regulations. We have policies and procedures designed to ensure compliance with applicable laws and regulations, but we cannot assure you that we will not experience violations of such laws and regulations or our policies and procedures.
25
The widespread availability of user-generated content online, and particularly to minors, is relatively new, and the regulatory framework is new and continuously evolving with increased legislative initiatives and regulatory focus on areas including the protection of minors online and users’ personal information, among other areas. The scope and interpretation of these laws, regulations, and other requirements that are or may be applicable to us, are often uncertain, may differ and even conflict from jurisdiction to jurisdiction and compliance may be burdensome and expensive. Moreover, in some cases these new regulations can be enforced by private parties in addition to governmental agencies.
We are subject to global laws and regulations that address online safety, content moderation, and online platforms with social features. For example, the United Kingdom’s (“U.K.”) Online Safety Act (“OSA”) introduced, among other things, duties to protect children and other users online, complete risk assessments, remove illegal content, and address content harmful to children. Noncompliance with the OSA could lead to investigations and other proceedings, substantial fines of up to £18 million or 10% of the prior year’s global revenues, as well as the imposition of product requirements and other measures that could restrict access to the Platform. The EU’s Digital Services Act (“DSA”) imposes content moderation obligations, notice and transparency obligations, protection of minors obligations, advertising restrictions, and other requirements on digital platforms to protect consumers and their rights online. Guidelines for the DSA’s requirements specific to children include, among other matters, age assurance measures, default settings obligations and various other aspects of product design and function, risk assessment obligations, measures to improve moderation and reporting tools, and requirements for parental control tools. Allegations of noncompliance with the DSA can and have led to investigations and other proceedings, such as the Roblox investigation announced in January 2026 by the Netherlands. The DSA imposes significant penalties for non-compliance including fines of up to 6% of annual global revenues, in addition to the ability of civil society organizations and non-governmental organizations to commence class action lawsuits. Brazil’s Digital Statute for Children and Adolescents (“Digital ECA”) will take effect in March 2026 and includes a number of similar obligations around youth and adolescent default settings, parental controls, transparency, risk assessments, advertisement, localization, and harm prevention. Indonesia has also introduced a series of requirements on digital services, with a particular emphasis on children’s online safety and illegal content, which will go into effect in early 2027. Australia’s Online Safety Act of 2021 (“AUS OSA”) also includes a number of content and product design requirements. We expect such laws and regulations to continue to evolve over time. As our user base in key jurisdictions continues to grow, we expect to be subject to more stringent compliance obligations and increased costs, including annual independent audits, mandatory risk assessments of online safety risks (such as illegal content and negative effects on minors), increased transparency requirements, increased content takedown demands, and potentially additional supervisory fees.
In addition to these international laws and regulations, we are subject to U.S. federal and state regulation of online services accessed and used by children, which vary significantly. For example, in 2024 the State of Texas enacted restrictions on purchasing by minors, including requiring parental consent for minors to purchase digital items, including on our Platform. Further, in March 2025 the States of Utah, Louisiana, and Texas enacted restrictions on applications available via app stores, which include requiring app stores to collect parental consent for minors to download applications and engage in in-app purchases, including on our Platform. Additional states and the federal government are continuing to consider similar proposals. Pending the outcome of relevant constitutional challenges, these additional restrictions may have an adverse impact on our revenue and bookings from users in any states where enacted.
There are also evolving laws and regulations relating to social media. For example, Australia has implemented a ban on social media for children under 16 pursuant to its Social Media Minimum Age Act, requiring certain social media platforms to block underage accounts or face significant fines. There are similar discussions and legislative efforts ongoing in several jurisdictions, including the U.S and EU related to restricting minors’ access to social media platforms, with a particular emphasis on restricting access to features that may be considered addictive or harmful to minors, with certain legislation and regulation addressing these matters having been enacted. Depending on the scope of covered services, laws and regulations such as these may affect how we configure and present our Platform or our ability to offer our Platform to certain demographics entirely, which may in turn have an adverse impact on our bookings and revenue. Every quarter, we complete an assessment of our estimated paying user life, which is used for revenue recognition of durable virtual items and calculated based on historical monthly retention data for each paying user cohort to project future participation on our Platform.
In the U.S. and abroad there are ongoing discussions and legislative and executive efforts to remove or restrict the protections from liability for third-party content found under Section 230 of the Communications Decency Act (“CDA”) and similar international regulations. For example, in June 2025, the Brazilian Supreme Court ruled that Article 19 of Brazil’s Internet Act is partially unconstitutional, creating platform liability for third-party content in certain instances. The resulting legal framework is in flux, but as it stands, platforms that host third party content like Roblox will be subject to presumptive civil liability for certain categories of content, as well as new regulatory requirements around localization, content moderation, transparency, risk assessment and management, and customer support.
26
In addition, there are ongoing discussions and legislative efforts in the U.S. and abroad regarding whether certain mechanisms that may be included in experiences on our Platform, such as features referred to as “loot boxes,” and certain genres of experiences, such as social casino, that may reward gambling-like behavior, should be limited and/or restricted to protect consumers, and particularly minors and persons susceptible to addiction. For example, in countries such as Belgium and the Netherlands, “loot box” mechanics may be considered gambling and are restricted as a result. In Australia, gaming content containing “loot boxes” requires a mature age rating (15 years of age and older). Additionally, we are subject to regulations with respect to advertising, in particular, advertising to minors, and advertising regulations could differ based on the jurisdiction of a user. We are subject to regulations with respect to advertising, in particular, advertising to minors, and advertising regulations could differ based on the jurisdiction of the user. For example, in the U.S. the FTC and other regulators restrict deceptive or unfair commercial activities, including in relation to targeted advertising and advertising to minors.
Our efforts to comply with these evolving laws and regulations, as well as uncertainty over their scope and interpretation has led to, and will continue to lead to, increased operational costs for us, expose us to litigation, fines, or other injunctive and monetary penalties, and harm our brand and reputation if we are, or are alleged to be, unable to comply. Even the perception of these issues may cause developers, creators, and users to use our Platform less or stop using it altogether, and the costs could divert our attention and resources, any of which could result in claims, demands, and legal liability to us, regulatory investigations and other proceedings, and otherwise harm our business, reputation, financial condition, or results of operations. To comply with these regulations, in certain jurisdictions and for subsets of our users, we have been required to and could in the future be required to modify or remove certain content on our Platform, change the default settings of our Platform, modify, restrict access to, or disable certain features or tools on our Platform, including communication-features, change our business model for specific jurisdictions or subsets of our users, and take on more onerous obligations, including, but not limited to, applying for government-issued licenses to operate, establishing a local presence, implementing specified age rating systems, developing localized product offerings and practices, storing user information on servers in a jurisdiction within which users are located, and developing local education initiatives.In addition, unauthorized, fraudulent, and/or illegal purchases and/or sales of Robux or other digital goods on or off of our Platform, including through third-party websites, bots, fake accounts, or “cheating” or malicious programs that enable users to exploit vulnerabilities in the experiences on our Platform or our partners’ websites and platforms, could reduce our revenue and bookings by, among other things, decreasing revenue from authorized and legitimate transactions, increasing chargebacks from unauthorized credit card transactions, causing us to lose revenue and bookings from dissatisfied users who stop engaging with the experiences on our Platform, or could increase costs that we incur to develop technological measures to curtail unauthorized transactions and other malicious programs, or could reduce other operating metrics. In addition, certain government authorities have restricted access to or blocked our Platform entirely. These requirements may impact user engagement, the functionality and effectiveness of our Platform, our ability to operate across demographics and geographies, our creators’ ability to monetize their experiences in some jurisdictions, and reduce the overall use or demand for our Platform, which would harm our business, financial condition, and results of operations. We may experience greater incident response forensics, data recovery, legal fees, and costs of notification related to any such potential incident, and we may face an increased risk of reputational harm, regulatory enforcement, and consumer litigation, which could further harm our business, financial condition, results of operations, and future business opportunities. We expect the costs of compliance with, and other burdens imposed by, these laws, regulations, standards, and obligations, to continue to increase and the costs could become prohibitively expensive. Required product or Platform changes may also make our Platform less attractive for or restrict availability to younger users and harm our business, financial condition, and results of operations. We have partnered with the International Age Rating Coalition to facilitate age and content rating assignments for our experiences by rating authorities across various countries and regions. As we further develop our experience rating systems, ratings-based restrictions on our users’ ability to access specific content on our Platform may make our Platform less attractive for younger users and harm our business, financial condition, and results of operations. For instance, if a significant understatement or overstatement of active users or hours engaged were to occur, we may expend resources to implement unnecessary business measures or fail to take required actions to attract a sufficient number of users to satisfy our growth strategies. Moreover, the adoption of any laws or regulations adversely affecting the growth, popularity or use of the internet, including laws impacting internet neutrality, could decrease the demand for our Platform and/or increase our operating costs.
We have experienced rapid growth at times, in part due to the virality of certain experiences on our Platform, and our growth rates may not be indicative of our future growth or the growth of our market.
We have experienced rapid growth in prior periods relative to our quarterly forecast and historic trends, which may not be indicative of our financial and operating results in future periods.We experienced rapid growth in prior periods relative to our quarterly forecast and historic trends, which may not be indicative of our financial and operating results in future periods. For example, historically we experienced periods of increased activity levels due in part to the COVID-19 lockdowns, prepaid gift card partnerships, and from the emergence of viral hits, each of which led to increased demand for and engagement with our Platform. These periods of increased activity levels, while significant, have generally not been sustainable. For periods of increased engagement impacted by viral experiences, our results have generally moderated as peak engagement of viral experiences naturally declines. The long-term impact of these increased activity levels to our business, operations, and financial results will depend on numerous evolving factors that we may not be able to accurately predict. The long-term impact to our business, operations, and financial results will depend on numerous evolving factors that we may not be able to accurately predict. We may not experience any growth in bookings or our user base during periods where we are comparing against historical periods impacted by increased activity levels. In addition, our growth could be affected to the extent certain users only engage with our Platform due to viral experiences which may not remain popular. We believe our overall market acceptance, revenue growth, and increases in bookings depend on a number of factors, some of which are not within our control. There can be no assurance that users will not reduce their usage or engagement with our Platform or reduce their discretionary spending on our Platform, particularly if the popularity of viral or other key experiences wanes, which would adversely impact our revenue and financial condition. There can be no assurance that users will not reduce their usage or engagement with our Platform or reduce their discretionary spending on Robux, which would adversely impact our revenue and financial condition. If we are unable to continue to maintain the attractiveness of our Platform to creators and users, including through a diverse and continuously engaging set of experiences, they may no longer seek new experiences in our Platform, which would result in decreased market acceptance, lower revenue, fewer bookings, and could harm our results of operations. If we are unable to continue to maintain the attractiveness of our Platform to developers, creators, and users, they may no longer seek new experiences in our Platform, which would result in decreased market acceptance, fewer bookings, and lower revenue and could harm our operations.
27
We depend on effectively operating with third-party operating systems, hardware, and networks that may make changes affecting our operating costs, as well as our ability to maintain our Platform, which would hurt our business.
For the year ended December 31, 2025, 29% of our revenue was attributable to Robux sales through the Apple App Store and 15% of our revenue was attributable to Robux sales through the Google Play Store. Because of the significant use of our Platform on mobile devices, our application must remain interoperable with these and other popular mobile app stores and platforms, and related hardware. We are subject to the standard policies and terms of service of these operating systems, as well as policies and terms of service of the various software application stores that make our application and experiences available to our creators and users. These policies and terms of service govern the availability, promotion, distribution, content, and operation of applications and experiences on such operating systems and stores. Each provider of these operating systems and stores has broad discretion to change and interpret its terms of service and policies with respect to our Platform and those changes may be unfavorable to us and our creators’ and users’ use of our Platform. If an operating system provider or application store limits or discontinues access to, or changes the terms governing, its operating system or store for any reason, it could adversely affect our business, financial condition, or results of operations.
Additionally, an operating system provider or application store could also limit or discontinue our access to its operating system or store if it establishes more favorable relationships with one or more of our competitors, launches a competing product itself, or it otherwise determines that it is in its business interests to do so. If competitors control the operating systems and related hardware our application runs on, they could make interoperability of our Platform more difficult or display their competitive offerings more prominently than ours. There is no guarantee that new devices, platforms, systems, and software application stores will continue to support our Platform or that we will be able to maintain the same level of service on these new systems. If it becomes more difficult for our users or creators to access and engage with our Platform, our business and user retention, growth, and engagement could be significantly harmed. If it becomes more difficult for our users, developers or creators to access and engage with our Platform, our business and user retention, growth, and engagement could be significantly harmed.
Similarly, at any time, our operating system providers or application stores can change their policies on how we operate on their operating system or in their application stores by, for example, applying content moderation for applications and advertising or imposing technical or code requirements.28Table of ContentsSimilarly, at any time, our operating system providers or application stores can change their policies on how we operate on their operating system or in their application stores by, for example, applying content moderation for applications and advertising or imposing technical or code requirements. These actions by operating system providers or application stores may affect our ability to collect, process, and use data as desired and could negatively impact our ability to leverage data about the experiences our creators develop which in turn could impact our resource planning and feature development planning for our Platform.
We rely on third-party distribution channels and third-party payment processors to facilitate purchases by our Platform users. If we are unable to maintain a good relationship with such providers, if their terms and conditions change, or if we fail to process or ensure the safety of users’ payments, our business will suffer. If we are unable to maintain a good relationship with such providers, if their terms and conditions change, or fail to process or ensure the safety of users’ payments, our business will suffer.
Purchases of Robux and other products (e.g., prepaid gift cards) or services on our Platform are facilitated through third-party online distribution channels and third-party payment processors., prepaid gift cards) on our Platform are facilitated through third-party online distribution channels and third-party payment processors. We utilize these distribution channels, such as Amazon, Apple, Blackhawk, ePay, Google, Incomm, PayPal, Stripe, Microsoft, Sony’s PlayStation Network, and Xsolla, to receive cash proceeds from purchases of Robux. We utilize these distribution channels, such as Amazon, Apple, Blackhawk, ePay, Google, Incomm, PayPal, Vantiv, Stripe, and Xsolla, to receive cash proceeds from sales of our Robux through direct purchases on our Platform. For our experiences accessed through mobile platforms such as the Apple App Store and the Google Play Store and consoles, we are required to share a portion of the proceeds from in-game sales with the platform and console providers. For our experiences accessed through mobile platforms such as the Apple App Store and the Google Play Store, we are required to share a portion of the proceeds from in-game sales with the platform providers. For operations through the Apple App Store and Google Play Store, we are obligated to pay up to 30% of any money paid by users on our Platform to Apple and Google and this amount could increase. For operations through console providers, such as Microsoft Xbox and Sony PlayStation, we are obligated to pay around 30% of any money paid by users on our Platform, and these amounts could also increase. These costs are expected to remain a significant operating expense for the foreseeable future. If the amount these platform providers charge increases, it could have a material impact on our ability to pay creators and our results of operations. Each provider of an operating system, application store, or console may also change its fee structure or add fees associated with access to and use of its operating system, which could have an adverse impact on our business. Each provider of an operating system or application store may also change its fee structure or add fees associated with access to and use of its operating system, which could have an adverse impact on our business. There has been litigation, as well as governmental inquiries over application store fees, and Apple or Google could modify their platform in response to such litigation and inquiries in a manner that may harm us. There have been litigation and governmental inquiries over application store fees, and Apple or Google could modify their platform in response to such litigation and inquiries in a manner that may harm us. Any scheduled or unscheduled interruption in the ability of our users to transact with these distribution channels could adversely affect our payment collection and, in turn, our revenue and bookings.
Additionally, we do not directly process purchases made on our Platform or payments to our creators under our Developer Exchange Program.Additionally, we do not directly process purchases of Robux on our Platform, and, thus, any information on those purchases (e. Information on those purchases or under our Developer Exchange Program (e.g., debit and credit card numbers and expiration dates, personal information, including bank account information, and billing addresses) is disclosed to the third-party online platform and service providers (such as Stripe, Xsolla, and Tipalti)., debit and credit card numbers and expiration dates, personal information, and billing addresses) is disclosed to the third-party online platform and service providers facilitating Robux purchases by users (such as Vantiv, Stripe, and Xsolla). We do not have control over the security measures of those providers, and their security measures may not be adequate. We could be exposed to litigation and possible liability if our users’ (including our creators’) transaction information are compromised, which could harm our reputation and our ability to attract users and may materially adversely affect our business. We could be exposed to litigation and possible liability if our users’ transaction information involving Robux purchases is compromised, which could harm our reputation and our ability to attract users and may materially adversely affect our business.
28
We also rely on the stability of such distribution channels and their payment transmissions, and third-party payment processors for the continued payment services provided to our users. If any of these providers fail to process or ensure the security of users’ payments for any reason, our reputation may be damaged and we may lose our paying users, creators may lose interest in our Developer Exchange Program, creators may be discouraged from creating on our Platform, and users may be discouraged from making purchases on our Platform, which, in turn, would materially and adversely affect our business, financial condition, and prospects. If any of these providers fail to process or ensure the security of users’ payments for any reason, our reputation may be damaged and we may lose our paying users, and users may be discouraged from purchasing Robux in the future, which, in turn, would materially and adversely affect our business, financial condition, and prospects.
In addition, from time to time, we or our partners encounter fraudulent use of payment methods, which could impact our results of operations and if not adequately controlled and managed could create negative consumer perceptions of our Platform services.In addition, from time to time, we encounter fraudulent use of payment methods, which could impact our results of operations and if not adequately controlled and managed could create negative consumer perceptions of our service. If we are unable to maintain our fraud and chargeback rate at acceptable levels, card networks may impose fines, our users’ card approval rate may be impacted, and we may be subject to additional card authentication requirements. If we are unable to maintain our fraud and chargeback rate at acceptable levels, card networks may impose fines, our card approval rate may be impacted and we may be subject to additional card authentication requirements. The termination of our ability to process payments on any major payment method would significantly impair our ability to operate our business.
The success of our business model is contingent upon maintaining a strong reputation and brand, including our ability to provide a safe online environment for our users, many of whom are children, to experience, and if we are not able to provide such an environment, our business will suffer dramatically.•The success of our business model is contingent upon our ability to provide a safe online environment for children to experience and if we are not able to continue to provide a safe environment, our business will suffer dramatically.
Our Platform hosts experiences intended for audiences of varying ages, a significant percentage of which are designed to be experienced by children.Our Platform hosts a number of experiences intended for audiences of varying ages, a significant percentage of which are designed to be experienced by children. As a user-generated content platform, it is relatively easy for creators and users to upload content that can be viewed broadly. As a user-generated content platform, it is relatively easy for developers, creators, and users to upload content that can be viewed broadly. We continue to make significant efforts to provide a safe, civil, and enjoyable experience for users of all ages. We continue to make significant efforts to provide a safe and enjoyable experience for users of all ages. Although illicit activities violate our terms and policies, and we attempt to block objectionable material and ban bad actors from our Platform, we are unable to prevent all such violations from occurring and banned actors have, at times, been able to evade our detection systems and regain access to our Platform through alternative accounts.
We invest significant technical and human resources to proactively identify inappropriate content and activity on our Platform, including leveraging text-filtering, voice moderation, content moderation, and other automated systems powered by AI such as Roblox Sentinel. We provide our users with the ability to report activity that they find objectionable, and also provide customizable controls for parents and caregivers to restrict children’s access to experiences and communication features, such as our Content Maturity Labels that are designed for users to make informed decisions about the content they interact with. We work closely with regulators, authorities, and safety groups in many countries to promptly report illegal content, and also partner with leading global organizations and members of our community for continued input on the safety features of our Platform.
Notwithstanding our efforts and significant investment, bad actors have and may continue to circumvent our moderation and safety systems by engaging in activities including, but not limited to, uploading or generating inappropriate experiences or content, creating inappropriate environments or content in otherwise non-violative experiences by engaging in offensive behavior, or directing users off-Platform to less moderated third-party platforms to engage in inappropriate behavior. The occurrence of these activities can and has led to reputational harm, legal actions, and regulatory scrutiny on certain occasions, which could adversely affect our business and financial results. Such activities have and may continue to evolve in their complexity as bad actors become more sophisticated, which will require us to continue investing significant technical and human resources.
Some activities and content on our Platform has and may continue to be considered objectionable by certain users, parents, or members of our community, even if it does not violate our Community Standards or terms of use and may not be considered objectionable by certain demographics. Although permitting such content to remain on our Platform is consistent with our policies, this has resulted in and could in the future result in negative publicity or user backlash, which may damage our brand and reputation, lead to a decline in user engagement and growth, and negatively impact our business, financial condition, and operating results. Any such developments may also subject us to future litigation and regulatory inquiries, investigations, and proceedings, including from data protection authorities in countries where we offer services and/or have users, which could subject us to monetary penalties and damages, divert management’s time and attention, and lead to enhanced regulatory oversight. Additionally, violative content that has been removed from our Platform, at times, continues to be shared on social media, resulting in negative publicity and damage to our brand and reputation.
Measures intended to make our Platform more attractive to an older audience, including, but not limited to, chat without filters, Trusted Connections, and experiences with mature content could fail to gain sufficient market acceptance by their intended audience and have and may continue to create the perception that our Platform is not safe for younger users. Moreover, measures intended to make our Platform more attractive to an older, age verified audience, such as less highly moderated or unmoderated chat and the introduction of experiences with mature content, and new methods of communication could fail to gain sufficient market acceptance by its intended audience and may create the perception that our Platform is not safe for young users. This in turn has caused and may continue to cause some operating system providers, application stores, or regulatory agencies to require a higher age rating for our Platform, which could cause our Platform to become less available to younger users and harm our business, financial condition, and results of operations. In addition, the introduction of experiences for users who are 17 and older may cause regulatory agencies to require a higher age rating for our Platform, which could cause us to become less attractive to younger users and harm our business, financial condition and results of operations. For example, USK, who are responsible for game ratings in Germany, increased our age rating from USK12 to USK16 in January 2025.
29
Beginning in January 2026, we implemented mandatory age-check systems in all chat-enabled regions designed to check a user’s age prior to accessing chat on our Platform. Notwithstanding our efforts, from time to time users have been able to evade our systems and our age-check methodology has misclassified a user’s age. Evasion of our systems, misrepresentations of user age, or inaccuracies with our age-checking technology or policies have led to and may continue to lead to users being exposed to inappropriate content or behavior by participating in experiences that are not age-appropriate or gaining access to features we have restricted to older users. We have at times experienced negative media coverage related to content that may be age-inappropriate but younger users have accessed, and inaccuracies with our age-checking technology. In addition, as more of our brand partners and creators offer physical products for sale through our Platform, younger users may be able to purchase products that may not be age-appropriate. Unintentional access to content or physical products could cause harm to our audience and to our reputation of providing a safe environment for younger users. Unintentional access to this content could cause harm to our audience and to our reputation of providing a safe environment for children to play online.
In addition, we have statutory obligations under U.S. federal law to block or remove child pornography and report apparent offenses to the National Center for Missing and Exploited Children. Under the OSA, we have an additional set of obligations regarding content relating to child sexual abuse and exploitation (“CSEA”) on our Platform. CSEA content is considered to be one type of “priority illegal content,” which we are required to prevent individuals from encountering and swiftly take down if we are made aware. We are also required to report detected CSEA content on our Platform to the relevant authorities. While we have dedicated technology and trained human moderator staff that can detect and remove sexual content involving children, there have been instances where such content has been uploaded, and any unforeseen future non-compliance by us or allegations of non-compliance by us with respect to applicable domestic and international laws and regulations relating to child pornography and the sexual exploitation of children could significantly harm our reputation, create criminal liability, and be costly and time consuming to address or defend. While we have dedicated technology and trained human moderator staff that can detect and remove sexual content involving children, there have been instances where such content has been uploaded, and any future non-compliance by us or allegations of non-compliance by us with respect to US federal laws on child pornography or the sexual exploitation of children could significantly harm our reputation, create criminal liability, and could be costly and time consuming to address or defend. We expect laws and regulations relating to CSEA content to continue to evolve over time and we expect to be subject to increased scrutiny as a result.
We believe that maintaining, protecting, and enhancing our reputation and brand is critical to grow the number of creators and users on our Platform, especially given the safe and civil atmosphere that we strive to achieve for our users, many of whom are children.31Table of ContentsWe believe that maintaining, protecting, and enhancing our reputation and brand is critical to grow the number of developers, creators, and users on our Platform, especially given the safe and civil atmosphere that we strive to achieve for our users, many of whom are children. Maintaining, protecting, and enhancing our brand will depend largely on our ability to continue to provide reliable high-quality, engaging, and shared experiences and activities on our Platform. If users or creators do not perceive our Platform to be reliable or of high quality, the value of our brand could diminish, thereby decreasing the attractiveness of our Platform. If users, developers, or creators do not perceive our Platform to be reliable or of high quality, the value of our brand could diminish, thereby decreasing the attractiveness of our Platform. Further, we have faced and are currently defending against class actions and civil lawsuits alleging that our Platform has been used by criminal offenders to identify and communicate with children and to possibly entice them to interact off-Platform, outside of the restrictions of our moderated chat, content blockers, and other on-Platform safety measures. Further, we have faced and are currently defending allegations that our Platform has been used by criminal offenders to identify and communicate with children and to possibly entice them to interact off-Platform, outside of the restrictions of our chat, content blockers, and other on-Platform safety measures. While we devote considerable resources to prevent this from occurring, we are unable to prevent all such interactions from taking place. We have also received and expect to continue to receive a high degree of media coverage alleging the use of our Platform for illicit or objectionable ends. We have also received and may continue to receive a high degree of media coverage, including the use of our Platform for illicit or objectionable ends. For example, we have experienced negative media publicity from traditional media sources and self-described short seller investors related to the age of some of our creators, the content that creators produce, our operating metrics and disclosures, the strength of our moderation practices, and the conduct of users on our Platform that may be deemed illicit, explicit, profane, or otherwise objectionable. If we do not provide the right technologies, education or financial incentives to our developers and creators, they may develop fewer experiences or virtual items or be unable to or choose not to monetize their experiences, and our users may elect to not participate in the experiences or acquire the virtual items, and, thus, our Platform, revenue, and bookings could be adversely affected. Additional unfavorable publicity has covered, and may in the future cover, our privacy, cybersecurity or data protection practices, terms of service, including our advertising policies, product changes, product quality, litigation or regulatory activity, actions we take to address content on our Platform, accusations that certain of our trust and safety efforts favor certain viewpoints or suppress freedom of expression, our use of and policies regarding generative AI, the actions of our users, our use of age-checking technology, and the actions of our creators whose products are integrated with our Platform.
Our reputation and brand could also be negatively affected by the actions of creators, contractors, and users that are hostile, inappropriate, or illegal, whether on or off our Platform. Our reputation and brand could also be negatively affected by the actions of developers and users that are hostile, inappropriate, or illegal, whether on or off our Platform. Actual or perceived incidents or misuses of user data or other privacy or security incidents, the substance or enforcement of our Community Standards, the quality, integrity, characterization, and age-appropriateness of content shared on our Platform, or the actions of other companies that provide similar services to ours, have and could adversely affect our reputation and lead to scrutiny and inquiries, investigations, and other actions and proceedings from governments and regulators. Actual or perceived incidents or misuses of user data or other privacy or security incidents, the substance or enforcement of our community standards, the quality, integrity, characterization and age-appropriateness of content shared on our Platform, or the actions of other companies that provide similar services to ours, has in the past, and could in the future, adversely affect our reputation. Criminal incidents or allegations involving Roblox, whether or not we are directly responsible, have and could continue to adversely affect our reputation as a safe place for children and hurt our business. Any criminal incidents or allegations involving Roblox, whether or not we are directly responsible, could adversely affect our reputation as a safe place for children and hurt our business. Negative publicity has and could continue to create the perception that we do not provide a safe online environment and may have an adverse effect on the size, engagement, and loyalty of our creator and user community, which would adversely affect our business and financial results. Any negative publicity could create the perception that we do not provide a safe online environment and may have an adverse effect on the size, engagement, and loyalty of our developer, creator, and user community, which would adversely affect our business and financial results. Maintaining, protecting, and enhancing our reputation and brand has required us to make substantial investments, and these investments may not be successful. Maintaining, protecting, and enhancing our reputation and brand may require us to make substantial investments, and these investments may not be successful.
30
We are subject to numerous legal proceedings that are costly and time-consuming to defend and could harm our business, financial condition, or results of operations.
We are subject to numerous legal proceedings and expect to continue to be the target of litigation and regulatory scrutiny globally. The legal proceedings have involved or could involve claims by private parties as well as regulators such as state Attorneys General that arise in the ordinary course of business, including intellectual property, privacy, biometrics, cybersecurity, data protection, consumer protection, product liability, social media and video game addiction, false and misleading advertising, employment, class action, fiduciary duty and governance matters, whistleblower, contract, securities, tort, the civil provisions of the Racketeer Influenced and Corrupt Organizations Act, human trafficking, unfair competition, the False Claims Act, unclaimed property, the use of generative AI, and our reincorporation from Delaware to Nevada that was completed in May 2025. We are and may continue to be subject to legal proceedings asserting claims arising from allegations that we have facilitated gambling by users of our Platform including by minors, that our Platform is unsafe, that we have misrepresented the safety of our Platform, that we have failed to warn of or misrepresented the risk of encountering bad actors on our Platform, that we provide inadequate safety controls on our Platform, that our Platform is addictive, that our terms of use are not enforceable against minors, that we unlawfully or unfairly benefit from child labor, that we have misrepresented information about our user base, that we have engaged in copyright infringement, that we have engaged in unlawful employment practices, and suits related to our refund policies. A number of cases have been filed in federal or state court against us alleging that our Platform design, moderation systems, and safety safeguards have been insufficient to protect minor users from predatory behavior and sexual exploitation and asserting various claims including negligence, design defect, failure to warn, and fraudulent misrepresentation. Additional cases have been filed in federal or state court against us related to allegations of social media or video game addiction. We have and may continue to be subject to legal proceedings asserting claims on behalf of shareholders related to allegations that discussions of our growth prospects have been misleading and unsustainable due to concerns related to safety and our implementation of parental controls on our Platform, as well as claims that our leadership has engaged in insider trading. Various state Attorneys General have filed claims or announced the intent to file claims against us based on various state laws and causes of action primarily relating to youth-related consumer protection and online safety matters. For a more detailed description on certain of such litigation, see “Note 9 – Commitments and Contingencies – Legal Proceedings” to the condensed consolidated financial statements in this Annual Report on Form 10-K. Any such legal proceedings, claims, investigations, or other proceedings have been and in the future may be time-consuming, divert management’s attention and resources, cause us to incur significant expenses or liability, or require us to change our business practices.We may also be required to enter into license agreements with various licensors, including record labels, music publishers, performing rights organizations, and collective management organizations, to obtain licenses that authorize the storage and use of content uploaded by our users. The expenses related to such legal proceedings, claims, investigations, or other proceedings and the timing of these expenses from period to period are difficult to estimate, subject to change, and could adversely affect our financial condition and results of operations. Although we have certain policies and procedures in place to monitor our use of open-source software that are designed to avoid subjecting our Platform to open source licensing conditions, those policies and procedures may not be effective to detect or address all such conditions. Because of the potential risks, expenses, and uncertainties of legal proceedings, claims, investigations, or other proceedings, we may, from time to time, settle disputes, even where we have meritorious claims or defenses, by agreeing to settlement agreements. Because of the potential risks, expenses, and uncertainties of litigation, we may, from time to time, settle disputes, even where we have meritorious claims or defenses, by agreeing to settlement agreements. Any of the foregoing could adversely affect our business, financial condition, and results of operations.
If we fail to retain users or add new users, or if our users decrease their level of engagement with our Platform, our revenue, bookings, and operating results will be harmed.
We view DAUs as a critical measure of our user engagement, and adding, maintaining, and engaging users has been and will continue to be necessary to our continued growth. Accordingly, we have made and continue to make investments to enable our creators to design and build compelling content and deliver it to our users on our Platform in order to grow and maintain their userbase. Our DAU growth rate has fluctuated in the past and may slow in the future due to various factors including:
•the introduction of new or updated experiences or virtual content on our Platform;
•the variety of experiences and genres on our Platform;
•the virality of experiences or content on our Platform;
•our ability to personalize and feature relevant experiences to our users;
•performance issues with our Platform;
•the modification and/or removal of popular experiences or other content on our Platform due to factors that may or may not be within our control;
•the availability of our Platform across markets and user demographics, which may be impacted by regulatory or legal requirements, including the use of parental consent and age-check technologies and policies;
•changes to the default settings, features, and/or tools on our Platform overall, or for specific user groups;
•changes to our terms of use, advertising policies, and generative AI policies; and
•higher market penetration rates and competition from a variety of sources for our users and their time.
31
In addition, our strategy seeks to expand the demographic make-up of our user base. If and when we achieve maximum market penetration rates among any particular user cohort overall and in particular geographic markets, future growth in DAUs will need to come from other demographic cohorts, which may be difficult, costly, or time consuming for us to achieve. As we are better able to estimate the demographic makeup of our user base, our product and growth strategies may need to evolve. We are continuing to expand safety initiatives on our Platform, including limitations on access to voice and text-based chat on the Platform. We cannot currently determine how such measures may impact activities on the Platform and user engagement, retention, and demographics across our Platform and whether it could have a material impact on our business, financial condition, and operations. Our safety changes have impacted and in the future may continue to impact user engagement, retention, revenue, and bookings. Accessibility to the internet and bandwidth or connectivity limitations as well as regulatory requirements, may also affect our ability to further expand our user base in a variety of geographies. If the growth rate in our key metrics such as DAUs or hours engaged slows or becomes stagnant, or we have a decline in one of our key metrics such as DAUs or hours engaged, our financial performance could be significantly harmed and we may not be able to achieve our goal of capturing 10% of the global gaming content market.
Our business plan assumes that the demand for interactive entertainment offerings will increase for the foreseeable future. However, if this market shrinks or grows more slowly than anticipated or if demand for our Platform does not grow as quickly as we anticipate, whether as a result of competition, product obsolescence, budgetary constraints of our creators and users, technological changes, unfavorable economic conditions, uncertain geopolitical or regulatory environments, or other factors, we may not be able to increase our revenue and bookings sufficiently to ever achieve profitability and our stock price would decline. However, if this market shrinks or grows more slowly than anticipated or if demand for our Platform does not grow as quickly as we anticipate, whether as a result of competition, product obsolescence, budgetary constraints of our developers, creators, and users, technological changes, unfavorable economic conditions, uncertain geopolitical or regulatory environments or other factors, we may not be able to increase our revenue and bookings sufficiently to ever achieve profitability and our stock price would decline. We compete to attract and retain our users’ attention and their hours engaged with other global technology leaders such as Amazon, Apple, Meta Platforms, Google, Microsoft, and Tencent, global entertainment companies such as Comcast, Disney, Paramount Global, and Warner Bros Discovery, global gaming companies such as Activision Blizzard (now owned by Microsoft), Electronic Arts, Take-Two, Epic Games, Krafton, NetEase, and Valve, online content platforms such as Netflix, Spotify, and YouTube, as well as platforms such as Facebook, TikTok, Instagram, WhatsApp, Pinterest, X, Reddit, Discord, and Snap. We compete to attract and retain our users’ attention and their engagement hours with other global technology leaders such as Amazon, Apple, Meta Platforms, Google, Microsoft, and Tencent, global entertainment companies such as Comcast, Disney, ViacomCBS, and Warner Bros Discovery, global gaming companies such as Activision Blizzard (now owned by Microsoft), Electronic Arts, Take-Two, Epic Games, Krafton, NetEase, and Valve, online content platforms including Netflix, Spotify, and YouTube, as well as social platforms such as Facebook, TikTok, Instagram, WhatsApp, Pinterest, X (Twitter), Reddit, Discord and Snap. We expect competition to continue to increase in the future.We expect competition to continue to increase in the future. Many of our existing competitors have, and some of our potential competitors could have, substantial competitive advantages, such as larger sales and marketing budgets and resources; broader and more established relationships with our target demographics; greater resources to make acquisitions and enter into strategic partnerships; lower labor and research and development costs; larger and more mature intellectual property portfolios; and substantially greater financial, technical, and other resources. Many of our existing competitors have, and some of our potential competitors could have, substantial competitive advantages, such as larger sales and marketing budgets and resources; broader and more established relationships with users, developers, and creators; greater resources to make acquisitions and enter into strategic partnerships; lower labor and research and development costs; larger and more mature intellectual property portfolios; and substantially greater financial, technical, and other resources. Many of our existing competitors have, and some of our potential competitors could have, substantial competitive advantages, such as larger sales and marketing budgets and resources; broader and more established relationships with users, developers, and creators; greater resources to make acquisitions and enter into strategic partnerships; lower labor and research and development costs; larger and more mature intellectual property portfolios; and substantially greater financial, technical, and other resources. Moreover, a large number of our users are under the age of 13. This demographic may be less brand loyal and more likely to follow trends, including viral trends, than other demographics. These and other factors may lead users to switch to another entertainment option rapidly, which can interfere with our ability to forecast usage or DAUs and would negatively affect our user retention, growth, and engagement. We also may not be able to penetrate other demographics in a meaningful manner to compensate for the loss of DAUs in this age group.
We depend on our creators to create digital content that our users find compelling, and if we fail to properly incentivize our creators to develop and monetize content, our business will suffer.
Our Platform relies on our creators to create experiences and virtual items on our Platform for our users, and we believe the interactions between and within the creator and user communities on our Platform create a thriving and organic ecosystem. To facilitate and incentivize the creation of experiences and virtual items by creators, our Platform offers creators an opportunity to accumulate Robux, a virtual currency on our Platform, which, as described in our terms of use, is a license to engage in experiences and/or obtain virtual items. Every quarter, we complete an assessment of our estimated paying user life, which is used for revenue recognition of durable virtual items and calculated based on historical monthly retention data for each paying user cohort to project future participation on our Platform. When virtual items are acquired on our Platform, the originating creator accumulates a portion of the Robux paid for the item. When virtual items are acquired on our Platform, the originating developer or creator earns a portion of the Robux paid for the item. Creators are paid fiat currency based on the amount of earned Robux they have accumulated under certain conditions outlined in our Developer Exchange Program. In addition, we have paid access experiences where creators can offer access to their experiences to users for a set price in fiat currency and in exchange earn a higher revenue share of these user purchases.
While we have millions of creators on our Platform, a substantial portion of user engagement is concentrated in a relatively small number of highly popular experiences. For example, 51% of in-experience hours engaged were spent in the top 50 experiences in the month ended December 31, 2025. If the popularity of such experiences decreases and our users do not consider other content to be appealing, our DAUs and engagement could decline, which would have a material impact on our business, financial condition, and operations.
32
We compete to attract and retain creators with gaming and metaverse platforms such as Epic Games, Unity, Meta Platforms, and Valve, which also give creators the ability to create or distribute interactive content, and we expect competition to continue to increase in the future. We do not have any agreements with our creators that require them to continue to use our Platform for any time period. We do not have any agreements with our developers that require them to continue to use our Platform for any time period. Some of our creators have developed attractive businesses in developing content, including experiences, on our Platform. Some of our developers have developed attractive businesses in developing content, including games, on our Platform. Many of our existing competitors have, and some of our potential competitors could have, substantial competitive advantages, such as larger sales and marketing budgets and resources; broader and more established relationships with our target demographics; greater resources to make acquisitions and enter into strategic partnerships; lower labor and research and development costs; larger and more mature intellectual property portfolios; and substantially greater financial, technical, and other resources. Many of our existing competitors have, and some of our potential competitors could have, substantial competitive advantages, such as larger sales and marketing budgets and resources; broader and more established relationships with users, developers, and creators; greater resources to make acquisitions and enter into strategic partnerships; lower labor and research and development costs; larger and more mature intellectual property portfolios; and substantially greater financial, technical, and other resources. Many of our existing competitors have, and some of our potential competitors could have, substantial competitive advantages, such as larger sales and marketing budgets and resources; broader and more established relationships with users, developers, and creators; greater resources to make acquisitions and enter into strategic partnerships; lower labor and research and development costs; larger and more mature intellectual property portfolios; and substantially greater financial, technical, and other resources. We continue to update our Platform in an effort to increase creator earnings to further incentivize them to build on our Platform. For example, in July 2025 we launched our Creator Rewards Program and beginning September 5, 2025 and applying prospectively, we increased the amount creators can receive in fiat currency by 8.5% for all earned Robux accumulated by creators in our Developer Exchange Program. If we are unable to continue attracting and retaining creators and they elect to develop content on other platforms, this could result in an overall reduction in the quantity and quality of our content, make our Platform less appealing for creators, and harm our results of operations.
In addition, we continuously review and revise our Platform policies to enhance regulatory compliance and the trust and safety of our Platform. Changes to our Platform policies may reduce or create the perception that they may reduce the ability of creators to monetize their experience. For example, we have implemented age-check systems designed to age-check users prior to accessing chat on Platform. The system is designed to enable chat only between users in similar age groups or Trusted Connections. We have also implemented new eligibility requirements for publishing and updating experiences that are designed to reduce spam and potentially violating content. We have received negative feedback from certain of our creators on these changes because of their perceived impact to monetization and profitability. If our creators believe these changes will materially impact the monetization and profitability of their content, they may stop developing content on our Platform, which could harm our results of operations, and particularly if such creators are responsible for a substantial portion of our user engagement.
We spend substantial amounts of time and money to evolve our Platform to incorporate additional features, improve functionality, and make other enhancements to meet the rapidly evolving demands of our creators and users while also prioritizing safety and security. Developments and innovations on our Platform may rely on new or evolving technologies which may at times be still in development and may never be fully developed. Developments and innovations on our Platform may rely on new or evolving technologies which are still in development and may never be fully developed. Maintaining adequate research and development resources, such as the appropriate personnel and development technology, to meet the demands of the market is essential. Despite our efforts, creators may become dissatisfied with our Platform technology or policies, billing or payment policies, our handling of personal data, or other aspects of our Platform, such as our efforts to control botting and other forms of automated play on our Platform. If we fail to adequately address these or other complaints, negative publicity about us or our Platform could diminish confidence in and the use of our Platform. If we fail to adequately address these or other user, developer, or creator complaints, negative publicity about us or our Platform could diminish confidence in and the use of our Platform. If we do not provide the right technologies, education, or financial incentives to our creators, they may develop less or lower quality content or choose not to monetize their content, which could decrease engagement of our Platform and adversely affect our revenue and bookings. Furthermore, when we develop new or enhanced features for our Platform, we typically incur expenses and expend resources upfront to develop, market, promote, and sell new features, and we may not be able to realize some or all of the anticipated benefits of these investments. When we develop new or enhanced features for our Platform, we typically incur expenses and expend resources upfront to develop, market, promote, and sell new features, and we may not be able to realize some or all of the anticipated benefits of these investments.
If we are unable to further monetize our Platform and user base, our business will suffer.
Only a small portion of our users regularly purchase Robux compared to all users who use our Platform in any period. Only a small portion of our users regularly purchase Robux compared to all users who use our Platform in any period. If our efforts to attract and retain paying users are not successful, our business, operating results, and financial condition may be adversely impacted. If our efforts to attract and retain subscribers are not successful, our business, operating results, and financial condition may be adversely impacted. We may not succeed in further monetizing our Platform and user base, which would harm our ability to grow revenue and our financial performance generally due to various factors including, but not limited to if:
•our user growth outpaces our ability to monetize our users, and particularly as our user growth occurs in markets that are not profitable or less profitable;
•we fail to provide the tools and education to our creators to enable them to monetize their experiences and creators do not create engaging or new experiences for users;
•we fail to continue to incentivize creators on our Platform to develop content that our users consider to be of value;
•we launch new features on our Platform that cannot be monetized;
•we fail to accurately predict which specific Platform features encourage users to become paying users;
•we introduce new or adjust existing features or pricing in a manner that is not favorably received by our users;
•we fail to establish a successful advertising model;
•we fail to increase or maintain the amount of time spent on our Platform;
•we fail to increase the number of experiences or content that our users are willing to pay for;
33
•we fail to increase the features of our Platform, allowing it to more broadly serve the entertainment, education, communication, and business markets;
•we fail to increase penetration and engagement across all demographics, including our goal of reaching 10% of the global gaming content market;
•measures intended to make our Platform more attractive to older users create the perception that our Platform is not safe for younger users;
•our paying users stop interacting with our Platform and purchasing Robux as they increase in age; and
•if paying users reduce their spend on our Platform due to reasons such as the need to reduce household expenses or the perception that competitive services provide better value.
The loss of one or more of our key personnel, or our failure to attract and retain other highly qualified personnel in the future, could harm our business.
We depend on the continued services and performance of our Founder, President, CEO, and Chair of our Board of Directors, David Baszucki, members of our senior management team, and other key personnel.Additionally, we depend on the continued services and performance of our Founder, President, CEO and Chair of our Board of Directors, David Baszucki, members of our senior management team, and other key personnel. Mr. Baszucki has been responsible for our strategic vision, and should he stop working for us for any reason, it is unlikely that we would be able to immediately find a suitable replacement. David Baszucki has been responsible for our strategic vision, and should he stop working for us for any reason, it is unlikely that we would be able to immediately find a suitable replacement. We do not maintain key man life insurance for Mr. Baszucki, and do not believe any amount of key man insurance would allow us to recover from the harm to our business if Mr. Baszucki were to leave us for any reason. Similarly, members of our senior management team and other key personnel are highly sought after and others may attempt to encourage these individuals to leave us. The loss of one or more of the members of the senior management team or other key personnel for any reason, or the inability to attract new or replacement members of our senior management team or other key personnel could disrupt our operations, create uncertainty among investors, adversely impact employee retention and morale, and significantly harm our business. The loss of one or more of the members of the senior management team or other key personnel for any reason, or the inability to attract new or replacement members of our senior management team, other key personnel, or highly qualified employees could disrupt our operations, create uncertainty among investors, adversely impact employee retention and morale, and significantly harm our business.
If we experience loss of availability or degradation in our services, Platform support, and/or technological infrastructure, our ability to provide sufficiently reliable services to our users and maintain the performance of our Platform could be negatively impacted, which could harm our relationships with our creators and users, and consequently, our business.33Table of ContentsIf we experience outages, constraints, disruptions, or degradations in our services, Platform support and/or technological infrastructure, our ability to provide sufficiently reliable services to our customers and maintain the performance of our Platform could be negatively impacted, which could harm our relationships with our developers, creators, and users, and, consequently, our business.
Our users expect fast, reliable, and resilient systems to enhance their experience and support their activity on our Platform, which depends on the continuing operation and availability of our Platform from our global network of data centers controlled and operated by us and our external service providers, including third-party “cloud” computing services. Our reliance on these third-party providers introduces inherent risks, as their actions, security practices, and operational resilience directly impact our ability to deliver services. We also provide services to our creator community through our Platform, including Developer Forum and Creator Hub for tutorials, hosting, customer service, regulatory compliance, and translation, among many others. We also provide services to our developer and creator community through our Platform, including DevForum and Creator Hub for tutorials, hosting, customer service, regulatory compliance, and translation, among many others. The experiences and technologies on our Platform are complex software products and maintaining the sophisticated internal and external technological infrastructure required to reliably deliver these experiences and technologies is expensive and complex. The reliable delivery and stability of our Platform, referred to collectively as availability, has been, and could in the future be, adversely impacted by outages, disruptions, failures, or degradations in our network and related infrastructure or those of our partners or service providers, including those stemming from the malicious activities of threat actors such as the exploitation of vulnerabilities or via social engineering attacks such as phishing, or due to non-malicious root causes such as misconfigurations, insufficient capacity, or the inherent complexity of managing microsystems architecture.
34
We have experienced outages from time to time since our inception when our Platform is unavailable for all or some of our users and creators. In addition, there may be times when access to our Platform for users and creators may be limited. Outages or service degradation can be caused by a number of factors, including as a result of proactive actions we take while we provide critical updates or an unexpected outcome of routine maintenance, a move to a new technology or exploitation of security vulnerabilities in new or existing technologies, the demand on our Platform exceeding the capabilities of our technological infrastructure (e.g., spikes in usage volume), delays or failures resulting from natural disasters, manmade disasters, or other catastrophic events, the migration of data among data centers and to third-party hosted environments, a decision to close our facilities without adequate notice, our inability to secure additional or replacement data center capacity as needed, increased energy consumption as a result of AI-related growth, a cyber event or act of terrorism, and issues relating to our reliance on third-party software, third-party application stores, and third parties that host our Platform in areas where we do not operate our own data centers. This could be due to proactive actions we take while we provide critical updates or as an unexpected outcome of routine maintenance, which most recently occurred in July 2023. Outages can be caused by a number of factors, including a move to a new technology, the demand on our Platform exceeding the capabilities of our technological infrastructure, delays or failures resulting from natural disasters, manmade disasters, or other catastrophic events, the migration of data among data centers and to third-party hosted environments, and issues relating to our reliance on third-party software, third-party application stores, and third parties that host our Platform in areas where we do not operate our own data centers. The unavailability of our Platform, particularly if outages should become more frequent or longer in duration, could cause our users to seek other entertainment options, including those provided by our competitors, which may adversely affect our financial results. If we or our partners or third-party service providers experience outages and our Platform is unavailable or if our creators and users are unable to access our Platform within a reasonable amount of time or at all, as a result of any such events, our reputation and brand may be harmed, creator and user engagement with our Platform may be reduced, we could be subject to fines, and our revenue, bookings, and profitability could be, and has been in the past, negatively impacted. If we or our partners or third party service providers experience outages and our Platform is unavailable or if our developers, creators, and users are unable to access our Platform within a reasonable amount of time or at all, as a result of any such events, our reputation and brand may be harmed, developer, creator and user engagement with our Platform may be reduced, and our revenue, bookings and profitability could be negatively impacted. We may also experience a negative impact to our financial results due to decreased usage on our Platform or decrease of payouts to creators, as well as potential monetary penalties. We may also experience a negative impact to our financial results as a result of decreased usage on our Platform or decrease of payouts to developers and creators. Despite a reliability program focused on anticipating and solving issues that may impact the availability of our Platform and precautions taken at our data centers, we may not have full redundancy for all of our systems and data at all times and our disaster recovery planning may not be sufficient to mitigate the risks of technological exploitation by threat actors, address all aspects of any consequence or incident, or allow us to maintain business continuity at profitable levels or at all. Further, in the event of damage or service interruption, our business interruption insurance policies may not adequately compensate us for losses that we may incur.
In addition to the events described above, our data and our technological infrastructure may also be subject to laws, administrative actions or regulations, changes to legal or permitting requirements, and litigation that could stop, limit, or delay operations, particularly as we expand operations globally.In addition to the events described above, our data and our technological infrastructure may also be subject to local and federal administrative actions or regulations, changes to legal or permitting requirements, and litigation that could stop, limit, or delay operations. Accordingly, the occurrence of any or all of these factors could result in interruptions or delays on our Platform, impede our ability to scale our operations or have other adverse impacts upon our business, and adversely impact our ability to serve our creators and users.
Customer support personnel and technologies are critical to resolve issues and to allow creators and users to realize the full benefits that our Platform provides and deliver an excellent customer experience.Customer support personnel and technologies are critical to resolve issues and to allow developers, creators, and users to realize the full benefits that our Platform provides and provide an excellent customer experience. High-quality support is important for the retention of our creators and users and to encourage the expansion of their use of our Platform. High-quality support is important for the retention of our existing developers, creators, and users and to encourage the expansion of their use of our Platform. We rely on third-party service providers for a variety of services, including to assist in our customer support. Our third-party service providers, employees, creators, and users have been and may in the future be a source of exploitation for threat actors to attempt to compromise our systems and information. For example, third-party service providers with weak security protocols or individuals engaged by third-party service providers with malicious intent have and could in the future inadvertently or intentionally expose our systems to unauthorized access, data breaches, or other cyber events. We do not have sufficient control over the security practices of all our third-party service providers, which could lead to vulnerabilities that can be exploited by threat actors. If a threat actor is successful in using one or more of our third-party service providers, employees, creators, or users to compromise our systems or personal information of our users, it could impact our business and results of operation as well as our reputation.
We must continue to invest in the infrastructure required to support our Platform. We must continue to invest in the infrastructure required to support our Platform. If we do not help our creators and users quickly resolve issues and provide effective ongoing support, our ability to maintain and expand our Platform to existing and new creators and users could suffer. If we do not help our developers, creators, and users quickly resolve issues and provide effective ongoing support, our ability to maintain and expand our Platform to existing and new developers, creators, and users could suffer. In addition, if we do not make sufficient investments in servers, software, or personnel in support of our infrastructure, to scale effectively and accommodate increased demands placed on our infrastructure, the reliability of our underlying infrastructure will be harmed and our ability to provide a quality experience for our creators and users will be significantly harmed. In addition, if we do not make sufficient investments in servers, software or personnel in support of our infrastructure, to scale effectively and accommodate increased demands placed on our infrastructure, the reliability of our underlying infrastructure will be harmed and our ability to provide a quality experience for our developers, creators, and users will be significantly harmed. This would lead to a reduction in the number of creators and users on our Platform, a reduction in our revenues, bookings, and ability to compete, and our reputation with existing or potential creators or users could suffer. This would lead to a reduction in the number of developers, creators, and users on our Platform, a reduction in our revenues, bookings, and ability to compete, and our reputation with existing or potential developers, creators, or users could suffer.
The lack of comprehensive encryption for communications on our Platform may increase the impact of a security breach or incident.34Table of ContentsThe lack of comprehensive encryption for communications on our Platform may increase the impact of a security breach or incident.
Communications on our Platform are not comprehensively encrypted at this time. As such, any security breach or incident that involves unauthorized access, acquisition, disclosure, or use of communications on our Platform may be particularly impactful to our business. We may experience greater incident response forensics, data recovery, legal fees, and costs of notification related to any such potential incident or vulnerabilities, and we may face an increased risk of reputational harm, regulatory enforcement, and consumer litigation, which could further harm our business, financial condition, results of operations, and future business opportunities. We may experience greater incident response forensics, data recovery, legal fees, and costs of notification related to any such potential incident, and we may face an increased risk of reputational harm, regulatory enforcement, and consumer litigation, which could further harm our business, financial condition, results of operations, and future business opportunities.
35
Security compromises of our Platform, our private information, and our users’ private information could disrupt our internal operations and harm public perception of our Platform, which could cause our business and reputation to suffer.
We collect and store personal data and certain other sensitive, confidential, and proprietary information in the operation of our business, including creator, user, and employee information.We collect and store personal data and certain other sensitive and proprietary information in the operation of our business, including developer, creator, user and employee information, and other confidential data. While we have implemented measures designed to prevent unauthorized access to or loss of our confidential data, attacks such as malware, ransomware, viruses, hacking, social engineering, spam, and phishing attempts across our organization have occurred and may continue to occur on our Platform, our systems, and those of our third-party service providers. While we have implemented measures designed to prevent unauthorized access to or loss of our confidential data, malware, ransomware, viruses, hacking, social engineering, spam, and phishing attacks have occurred and may occur on our Platform and our systems and those of our third-party service providers again in the future. Because of the popularity of our Platform, we believe that we are an attractive target for these sorts of attacks and have seen the frequency of these types of attacks increase over time
The techniques used by malicious actors to obtain unauthorized access to, or to sabotage, our systems or networks, or to utilize our systems maliciously, are constantly evolving and generally are not identified as a threat vector until launched against a target. In addition to actions by individuals, such attacks could also potentially be launched by nation states, state-sponsored bad actors, or other well-funded and highly sophisticated individuals. Despite the measures we have taken, we at times have not been able to anticipate these techniques by implementing preventive measures, detecting, or reacting in a timely manner, which has resulted in and could continue to result in, delays in our detection or remediation of, or other responses to, security breaches and other security-related incidents. Consequently, despite the measures we have taken, we may be unable to anticipate these techniques, detect or react in a timely manner, or implement preventive measures, which could result in delays in our detection or remediation of, or other responses to, security breaches and other security-related incidents. In addition, the use of open source software in our Platform has exposed us to security vulnerabilities in the past and will likely continue to expose us to security vulnerabilities in the future. The use of open source software used in our Platform has exposed us to security vulnerabilities in the past and will likely continue to expose us to security vulnerabilities in the future. The use of AI in our products and business practices may increase or create additional cybersecurity and privacy risks, including risks of data breaches and security incidents. Our use of AI in our products and business practices may increase or create additional cybersecurity risks, including risks of security breaches and incidents.
Our Platform and services operate in conjunction with, and we are dependent upon, third-party products, services, and components. Our Platform and service operate in conjunction with, and we are dependent upon, third-party products, services, and components. Our reliance on third-party service providers, including cloud infrastructure providers, payment processors, analytics tools, distribution channels, and customer support platforms, introduces significant and evolving risks related to cybersecurity and data privacy. Our ability to influence and monitor our third-party service providers’ cybersecurity is limited, and in any event, attackers may be able to circumvent our third-party service providers’ cybersecurity measures. Our ability to monitor our third-party service providers’ cybersecurity is limited, and in any event, attackers may be able to circumvent our third-party service providers’ cybersecurity measures. There have been and may continue to be significant attacks on certain of our third-party providers, and we cannot guarantee that our or our third-party providers’ systems and networks have not been breached or that they do not contain exploitable defects or bugs that could result in a breach of or disruption to our systems and networks or the systems and networks of third parties that support us. Specifically, these third parties have been and may in the future be targeted by threat actors seeking to gain access to our data or systems through a less secure entry point; experience their own security incidents, data breaches, or operational failures, even if unrelated to our specific data, which could still impact our services or expose our users’ information; or employ individuals who are bad actors and could intentionally compromise data or systems, or who may be susceptible to social engineering or other tactics by malicious individuals. Existing and prospective developers may not be successful in creating content that leads to and maintains user engagement (including maintaining the quality of experiences); they may fail to expand the types of experiences that they can build for users; or our competitors may entice our developers, users and potential users away from, or to spend less time with, our Platform, each of which could adversely affect users’ interest in our Platform and lead to a loss of revenue opportunities and harm our results of operations. Additionally, these third parties may have inadequate security protocols, policies, or infrastructure, creating security weaknesses that we cannot directly control; or fail to promptly identify or remediate vulnerabilities, leading to prolonged exposure.
Actual or alleged security vulnerabilities, errors, or other bugs in these third-party products, services, or components, and security exploits targeting them has at times and could continue to cause us to face increased costs, claims, liability, reduced revenue, and harm to our reputation or competitive position. We and our service providers may be unable to anticipate these techniques, react, remediate, or otherwise address any security vulnerability, breach, or other incident in a timely manner, or implement adequate preventative measures.
If any unauthorized access to our network, systems, or data, including our sensitive and proprietary information, personal data from our users or creators, or other data, or any other loss or unavailability of, or unauthorized use, modification, disclosure, or other processing of personal data or any other security breach or incident occurs or is believed to have occurred, whether as a result of third-party action, employee negligence, error or malfeasance, defects, social engineering techniques, ransomware attacks, or otherwise, our reputation, brand, and competitive position could be damaged, our and our users’ and creators’ data and intellectual property could potentially be lost or compromised, and we could be required to spend capital and other resources to alleviate problems caused by such actual or perceived breaches or incidents and remediate our systems.If any unauthorized access to our network, systems or data, including our sensitive and proprietary information, personal data from our users, developers, or creators, or other data, or any other loss or unavailability of, or unauthorized use, modification, disclosure, or other processing of personal data or any other security breach or incident, occurs or is believed to have occurred, whether as a result of third-party action, employee negligence, error or malfeasance, defects, social engineering techniques, ransomware attacks, or otherwise, our reputation, brand and competitive position could be damaged, our and our users’, developers’ and creators’ data and intellectual property could potentially be lost or compromised, and we could be required to spend capital and other resources to alleviate problems caused by such actual or perceived breaches or incidents and remediate our systems. In the past, we have experienced social engineering and phishing attacks aimed at compromising sensitive data, and if similar attacks occur and are successful, this could have a negative impact on our business or result in unfavorable publicity. In the past, we have experienced social engineering and phishing attacks, and if similar attacks occur and are successful, this could have a negative impact on our business or result in unfavorable publicity.
36
We incur significant costs in an effort to detect and prevent security breaches and other security-related incidents, including those to secure our product development, test, evaluation, and deployment activities, and we expect our costs will increase as we make improvements to our systems and processes to prevent future breaches and incidents. The economic costs to us to reduce cyber or other security problems, such as spammers, errors, bugs, flaws, “cheating” programs, defects, or corrupted data, could be significant and may be difficult to anticipate or measure. Even the perception of these issues may cause creators and users to use our Platform less or stop using it altogether, and the costs could divert our attention and resources, any of which could result in claims, demands, and legal liability to us, regulatory investigations and other proceedings, and otherwise harm our business, reputation, financial condition, or results of operations. Even the perception of these issues may cause developers, creators, and users to use our Platform less or stop using it altogether, and the costs could divert our attention and resources, any of which could result in claims, demands, and legal liability to us, regulatory investigations and other proceedings, and otherwise harm our business, reputation, financial condition, or results of operations. There could also be regulatory fines or non-monetary penalties imposed in connection with certain cyber incidents or data breaches that take place around the world. Further, certain laws and regulations relating to privacy, biometrics, cybersecurity, and data protection, such as the California Consumer Privacy Act (“CCPA”), allow for a private right of action, which may lead to consumer litigation for certain data breaches that relate to specified categories of personal information. From time to time, we identify product vulnerabilities, including through our bug bounty program. From time to time, we do identify product vulnerabilities, including through our bug bounty program. Although we have policies and procedures in place designed to promptly characterize the potential impact of such vulnerabilities and develop appropriate patching or upgrade recommendations and also maintain policies and procedures related to vulnerability scanning and management of our internal corporate systems and networks, such policies and procedures may not be followed or detect every issue, and from time to time, we have, and may in the future again, need to proactively disable access to our Platform in order to provide necessary patching or upgrades. Although we have policies and procedures in place designed to swiftly characterize the potential impact of such vulnerabilities and develop appropriate patching or upgrade recommendations and also maintain policies and procedures related to vulnerability scanning and management of our internal corporate systems and networks, such policies and procedures may not be followed or detect every issue, and from time to time, we have, and may in the future again, need to proactively disable access to our Platform in order to provide necessary patching or upgrades.
Although we maintain cyber and privacy insurance, subject to applicable deductibles and policy limits, such coverage may not extend to all types of incidents relating to privacy, data protection, or cybersecurity, and it may be insufficient to cover all costs and expenses associated with such incidents. Although we maintain cyber and privacy insurance, subject to applicable deductibles and policy limits, such coverage may not extend to all types of incidents relating to privacy, data protection, or cybersecurity, and it may be insufficient to cover all costs and expenses associated with such incidents. Further, such insurance may not continue to be available to us in the future on economically reasonable terms, or at all, and insurers may deny us coverage as to any future claim. The successful assertion of one or more large claims against us that exceed available insurance coverage, or the occurrence of changes in our insurance policies, including premium increases or the imposition of large deductible or co-insurance requirements, could have a material adverse effect on our business, including our financial condition, operating results, and reputation.
The operation of our Platform outside the United States exposes us to risks inherent in international operations.The expansion of our Platform outside the United States exposes us to risks inherent in international operations.
We operate our Platform throughout the world and are subject to risks and challenges associated with international business which require considerable management attention and resources.We operate our Platform throughout the world and are subject to risks and challenges associated with international business. For the year ended December 31, 2025, approximately 82% of our DAUs and 39% of our revenue was derived from outside the U.S. and Canada region. We intend to continue to expand internationally, and this expansion is a critical element of our future business strategy. However, as we continue to expand internationally, including into developing countries where consumer discretionary spending is relatively weak, while our DAUs increase, the growth rate of our bookings could decelerate due to weaker spending by users from those regions, and our ABPDAU has been and may continue to be negatively impacted. While we have data centers, contractors, creators, and users outside of the U.S., we have limited offices located outside of the U.S. and Canada, and there is no guarantee that our international expansion efforts will be successful. The risks and challenges associated with expanding our international presence and operations include the below, and the occurrence of these and other factors could harm our ability to generate revenue and bookings outside of the U.S. and, consequently, adversely affect our business, financial condition, and results of operations:
•greater difficulty in enforcing contracts and accounts receivable collection, and longer collection periods;
•higher costs of doing business internationally, including increased accounting, travel, infrastructure, security, legal, and compliance costs;
•double taxation of our international earnings and potentially adverse tax consequences due to changes in the tax laws of the U.S. or the foreign jurisdictions in which we operate;
•compliance with multiple, ambiguous, or evolving laws and regulations, including those relating to employment, tax, child protection, consumer protection, content regulation, online safety, privacy, data protection, anti-corruption, import/export, customs, anti-boycott, sanctions and embargoes, antitrust, data transfer, storage and security, content monitoring, preclusion, and removal, online entertainment offerings, advertising, and industry-specific laws and regulations, particularly as these requirements apply to users under the age of 18;
•increased cybersecurity, technology and physical security risks to the data, systems, facilities, and people supporting the operation of the Platform;
•uncertainty regarding the imposition of and changes in the U.S.’ and other governments’ trade regulations, trade wars, tariffs or other restrictions, and responsive retaliatory actions as a result thereof or other geopolitical events, including, without limitation, the evolving relations between the U.S. and China, the issuance of new executive orders and related national security-based data transfer restrictions, and geopolitical conflicts such as in Ukraine and the Middle East;
•expenses related to monitoring and complying with differing labor and employment regulations, especially in jurisdictions where labor and employment laws may be more favorable to employees than in the U.S.;
37
•increased exposure to fluctuations in exchange rates between the U.S. dollar and foreign currencies in markets where we do business;
•challenges inherent to efficiently recruiting and retaining qualified employees in foreign countries and maintaining our company culture and employee programs across all of our offices;
•management communication and integration problems resulting from language or cultural differences and geographic dispersion;
•the uncertainty of protection for intellectual property in some countries;
•the uncertainty of our exposure to third-party claims of intellectual property infringement and the availability of statutory safe harbors in some countries;
•foreign exchange controls that might prevent us from repatriating cash earned outside the U.S.;
•risks associated with trade restrictions and foreign legal requirements, and greater risk of unexpected changes in regulatory requirements, tariffs and tax laws, trade laws, foreign investment restrictions, and export controls (including data export) and other trade restrictions;
•negative perceptions of U.S.-based companies in regions where we operate or plan to operate;
•risks relating to the implementation of exchange controls, including restrictions promulgated by the Office of Foreign Assets Control (“OFAC”), and other similar trade protection regulations and measures;
•exposure to regional or global public health issues, and to travel restrictions and other measures undertaken by governments in response to such issues;
•general economic and political conditions in these foreign markets, including political and economic instability in some countries and regions;
•modifying our Platform in certain jurisdictions, including modifying or removing certain content, making certain experiences inaccessible, changing default settings, and modifying, restricting access to, or disabling certain features or tools, including but not limited to communication on-Platform, and implementing age-check technology;
•localization of our services, including translation into foreign languages and associated expenses and the ability to monitor and moderate our Platform in new and evolving markets and in different languages to confirm that we maintain standards, including trust and safety standards, consistent with our brand and reputation;
•our Platform being blocked in certain countries entirely, such as the Republic of Türkiye, certain Middle Eastern countries, and Russia;
•regulatory frameworks or business practices favoring local competitors;
•changes in the perception of our Platform by governments in the regions where we operate or plan to operate; and
•natural disasters, acts of war, and terrorism, and resulting changes to laws and regulations, including changes oriented to protecting local businesses.
If we are not successful in our efforts to develop virtual platform-wide events or live experiences on our Platform, our business could suffer.
We have undergone efforts to develop the live and limited-time events and experiences available on our Platform, such as virtual Platform-wide events, concerts, classrooms, and other meeting types, and to offer commercial partners with branding opportunities in conjunction with key events, such as a product launch.We have undergone efforts to further develop the live experiences available on our Platform, such as virtual concerts, classrooms, meetings, and conferences and to offer commercial partners with branding opportunities in conjunction with key events, such as a product launch. There is no guarantee that these efforts will be successful or that users will engage with these experiences. New features or enhancements and changes to the existing features of our Platform, such as VR applications, could fail to attain sufficient market acceptance for many reasons, including: failure to predict market demand accurately in terms of functionality and to supply features that meet this demand in a timely fashion; defects, errors, or failures; negative publicity about performance, safety, privacy, or effectiveness; delays in releasing new features or enhancements on our Platform; and introduction or anticipated introduction of competing products by competitors. New features or enhancements and changes to the existing features of our Platform, such as these live experiences, could fail to attain sufficient market acceptance for many reasons, including failure to predict market demand accurately in terms of functionality and to supply features that meet this demand in a timely fashion; defects, errors, or failures; negative publicity about performance, safety, privacy, or effectiveness; delays in releasing new features or enhancements on our Platform; and introduction or anticipated introduction of competing products by competitors. The failure to obtain market acceptance for these live experiences would negatively affect our business, financial condition, results of operations, and brand.
38
Our continued success significantly depends on our ability to effectively navigate the integration of rapidly evolving technologies such as generative AI into our business and address their impact on our threat landscape.
The market for an immersive platform for connection and communication is a new and evolving market characterized by rapid, complex, and disruptive changes in technology and user and creator demands that could make it difficult for us to effectively compete. The expectations and needs of our users and creators are constantly evolving. The expectations and needs of our users, developers, and creators are constantly evolving. Our future success depends on a variety of factors, including our continued ability to innovate, introduce new products and services efficiently, enhance and integrate our products and services in a timely, safe, secure, and cost-effective manner, extend our core technology into new applications, and anticipate technological developments. Our future success depends on a variety of factors, including our continued ability to innovate, introduce new products and services efficiently, enhance and integrate our products and services in a timely and cost-effective manner, extend our core technology into new applications, and anticipate technological developments. If we are unable to react quickly to new technology trends compared to our competitors —such as the continued growth of generative AI solutions which affect the ways creators create experiences or the way users consume virtual content—it may harm our business and results of operation. If we are unable to react quickly to new technology trends—for example the continued growth of generative AI solutions which disrupts the ways developers create experiences or may disrupt the way users consume virtual goods—it may harm our business and results of operation. Conversely, our adoption of generative AI solutions and changes to our generative AI policies may not be favored by our community of creators and users, and may result in diminished engagement on our Platform. The expertise in AI, as well as other emerging technologies, can be difficult and costly to obtain given the increasing focus on AI development and competition for talent. Further, legal, social, and ethical issues relating to the use of new and evolving technologies such as AI in our offerings, may result in reputational harm and liability, and may cause us to incur additional legal, security, and research and development costs to resolve such issues. Further, social and ethical issues relating to the use of new and evolving technologies such as AI in our offerings, may result in reputational harm and liability, and may cause us to incur additional research and development costs to resolve such issues. If we enable or offer solutions that draw controversy due to their perceived or actual impact on society, we may experience brand or reputational harm, competitive harm, or legal liability. AI presents emerging ethical issues and if we enable or offer solutions that draw controversy due to their perceived or actual impact on society, we may experience brand or reputational harm, competitive harm, or legal liability. Failure to address AI ethics issues by us or others in our industry could undermine public confidence in our use of AI.
We have incorporated, and are continuing to develop and deploy, AI in our products and the operations of our business. Our use of generative AI in aspects of our Platform may present risks and challenges that could increase as AI solutions become more prevalent. The Roblox Cloud may be more relied upon in the future to facilitate increasingly complex decision-making as it integrates hardware and accelerated machine learning AI, including generative AI, for a broad range of compute tasks, including improved personalization, synthetic content generation, and enhanced automation of the player experience. The Roblox Cloud may be relied upon in the future for increasingly complex decision-making as it integrates hardware, accelerated machine learning AI, including generative AI, for a broad range of compute tasks, including control of non-player characters, improved personalization, synthetic content generation, and automation of the player experience. However, AI algorithms may be flawed and datasets may be insufficient or contain biased information. However, AI algorithms may be flawed. Even with safeguards in place and oversight, AI systems may make decisions unpredictably or autonomously, such as generating incorrect, offensive, and/or infringing content. This can raise new or exacerbate existing ethical, technological, legal, and other challenges, and may negatively affect the performance or the perception of our Platform and the user and creator experience. Certain users have and may in the future attempt to manipulate AI systems to create violative content on our Platform. In addition, threat actors have used and in the future may use AI to enhance the effectiveness of their attacks against our Platform which may cause the loss of availability of the Platform, degradation in services, or compromises to user or company data. While we have and will continue to implement safeguards, these deficiencies and potential failures of AI systems due to their nature as increasingly complex technology or the use of AI by threat actors to enhance their attacks, could subject us to increased security risk, competitive harm, regulatory action, legal liability, and reputational harm, especially as the regulatory landscape around AI continues to rapidly develop.
There are also many new and evolving laws and regulations focused on the use of AI. For example, the EU’s Artificial Intelligence Act (“AI Act”) entered into force on August 1, 2024. Certain of its obligations entered into effect on February 2, 2025, and the majority of its applicable provisions are currently due to become effective by August 2, 2026, although the EU’s legislature may vary this date for certain obligations. The AI Act proposes a framework of prohibitions as well as disclosure, transparency, and other regulatory obligations based on various levels of risk for businesses introducing AI systems in the EU. Provisions of the AI Act could require us to alter or restrict our use of AI both in features or products available to our users and in our systems that interact with our users, depending on respective levels of risk-categorization, types of systems, and manner of use, as set forth in the AI Act. The AI Act also may require us to comply with monitoring and reporting requirements. The AI Act also could require us to comply with monitoring and reporting requirements. As a result, we may need to devote substantial time and resources to evaluate our obligations under the AI Act and to develop and execute a plan designed to promote compliance. Noncompliance with the AI Act could result in fines of up to €35 million or 7% of annual global turnover for the previous year, whichever is higher. There have been numerous other laws and bills proposed at the domestic and international level aimed at regulating the deployment or provision of AI systems and services. These include, among others, the Texas Responsible Artificial Intelligence Governance Act which went into effect on January 1, 2026, and focuses on prohibiting harmful uses of AI, and the Colorado AI Act, which will become effective June 30, 2026, and, similar to the AI Act, provides for a regulatory risk-based framework. In addition, President Trump released a new executive order on December 11, 2025 seeking to establish national standards for AI that would supersede conflicting state laws.
39
Our user metrics and other estimates are subject to inherent challenges in measurement, and real or perceived inaccuracies in those metrics may significantly harm and negatively affect our reputation and our business.
We regularly review metrics, including our DAUs, hours engaged, unique payers, user demographics, and ABPDAU to evaluate growth trends, measure our performance, and make strategic decisions. These metrics are calculated using internal data gathered on an analytics platform that we developed and operate and have not been validated by an independent third party. Our metrics are based on estimates and may also differ from estimates published by third parties or from similarly titled metrics of our competitors due to differences in methodology or underlying assumptions. Our metrics and estimates may also differ from estimates published by third parties or from similarly titled metrics of our competitors due to differences in methodology or the assumptions on which we rely. If our metrics are inaccurate, then investors will have less confidence in our company and our prospects, which could cause the market price of our Class A common stock to decline, and our reputation and brand could be harmed. If our estimates are inaccurate, then investors will have less confidence in our company and our prospects, which could cause the market price of our Class A common stock to decline, and our reputation and brand could be harmed.
There are inherent challenges in measuring how our Platform is used. As a result, the metrics may misstate the number of DAUs, monthly unique payers, hours engaged, ABPDAU, and average bookings per monthly unique payer. The methodologies used to measure these metrics require significant judgment and are also susceptible to algorithm or other technical errors. In addition, we are continually seeking to improve our metrics and such metrics may change due to improvements or changes in our methodology or underlying assumptions. In addition, we are continually seeking to improve our estimates of our user base and hours engaged, and such estimates may change due to improvements or changes in our methodology. We regularly review our processes and assumptions for calculating these metrics, and from time to time we discover inaccuracies in our metrics or make adjustments to improve their accuracy, which can result in our use of updated metrics in a current period and corresponding adjustments to our historical metrics. Our ability to recalculate our historical metrics to reflect any change in methodology of a metric in a current period may be impacted by data limitations, limitations in functionality of and user behaviors on different platforms, or other factors that require us to apply different methodologies for such adjustments over current and historic periods.
Additionally, there are users who have multiple accounts, fake user accounts, or fraudulent accounts created by bots.Additionally, there are users who have multiple accounts, fake user accounts, or fraudulent accounts created by bots to inflate user activity for a particular developer or creator on our Platform, thus making the developer’s or creator’s experience or other content appear more popular than it really is. These actions may be done to inflate user activity in order to make a creator’s experience or other content appear more popular than it really is or to enable users to level up or otherwise progress in an experience more rapidly. Detecting and taking action with respect to such issues requires considerable judgment and is technically challenging. We strive to detect and minimize fraud, the use of bots, and unauthorized use of our Platform, and while these practices are prohibited in our terms of service and we implement measures to detect and suppress that behavior, when we are unsuccessful, our operating results may be negatively affected. Users may also disagree with our rationale for terminating, suspending, or taking other actions on accounts, which has and could continue to lead to reputational harm and further negatively impact our operating results.
In addition, some of our demographic data may also be incomplete or inaccurate. In future periods, we may also change the information we report or the breakdown of our reported age demographics based on the data that is available to us at the time. For example, historically our reported age demographics were based on age information self-reported by our users. We are currently developing, testing, and implementing new systems designed to check the ages of our users, which we refer to as “age-checking,” and currently we incorporate facial age estimation technology, identity verification, and parent or caregiver provided age data. Age-checked metrics will not be comparable to historical periods that relied on self-reported data. In addition, since our age-check systems are only mandatory for users seeking to access chat features on our Platform, our future reported age-demographic data will not include all of our users, including those who engage on our Platform but do not use our chat features or users in geographies in which chat is not enabled. In addition, the introduction of experiences for users who are 17 and older may cause regulatory agencies to require a higher age rating for our Platform, which could cause us to become less attractive to younger users and harm our business, financial condition and results of operations. Therefore, there is no guarantee that the population of users who access chat is representative of our entire user base. As the number of users that choose to undergo age-check processes, the features or tools that require age-check, and our methodologies for age-checking continue to develop, prior period demographics may not be comparable to future ones. Our age demographic data could differ from users’ actual ages due to the functionality of our age-check systems, policies and technology. Users seeking to evade our age estimation systems and tools may also be more likely to create alternate or multiple accounts which would inflate our user activity.
Errors or inaccuracies in our metrics or data could also result in incorrect business decisions and inefficiencies. For instance, if a significant understatement or overstatement of active users, hours engaged, or our reported age demographics were to occur, we may expend resources to implement unnecessary business measures or fail to take required actions to attract a sufficient number of users to satisfy our growth strategies. For instance, if a significant understatement or overstatement of active users or hours engaged were to occur, we may expend resources to implement unnecessary business measures or fail to take required actions to attract a sufficient number of users to satisfy our growth strategies. If our investors or creators do not perceive our user, geographic, or other demographic metrics to be accurate representations of our user base, or if we discover material inaccuracies in our user, geographic, or other demographic metrics, our reputation may be seriously harmed. If our investors or developers do not perceive our user, geographic, or other demographic metrics to be accurate representations of our user base, or if we discover material inaccuracies in our user, geographic, or other demographic metrics, our reputation may be seriously harmed. Our estimates also may change as our methodologies and Platform evolve, including through the application of new data sets, the introduction of new metrics or technologies, or as our Platform changes with new features and enhancements. Such changes could lead to investor confusion or the perception that our estimates, methodologies, and underlying assumptions are unreliable, which could also cause our creators and partners to be less willing to allocate their budgets or resources to our Platform, which could seriously harm our business.
Additionally, we have and continue to innovate and expand our safety initiatives, including the launch of our age-checking systems. These and any future safety changes have and may continue to impact engagement, retention, revenue, and bookings.
40
We rely on suppliers for data center capacity and certain components of the equipment we use to operate our Platform and any disruption in the availability of data center capacity or components could delay our ability to expand or increase the capacity of our Platform or replace defective equipment.
We rely on suppliers for data center capacity and several components of the equipment we use to operate our Platform.We rely on suppliers for several components of the equipment we use to operate our Platform. Our reliance on these suppliers exposes us to risks, including reduced control over costs and constraints based on the current availability, terms, and pricing of these components and data center capacity. Our reliance on these suppliers exposes us to risks, including reduced control over production costs and constraints based on the current availability, terms, and pricing of these components. While the network equipment and servers we purchase generally are commodity equipment and we believe an alternative supply source for network equipment and servers on substantially similar terms could be identified quickly, our business could be adversely affected until those efforts are completed. In addition, the technology equipment industry has experienced component shortages and delivery delays, and we have and may in the future experience shortages or delays, including as a result of increased demand in the industry, such as due to rapid growth in AI demand, data center natural disasters, trade control and restrictions, or our suppliers lacking sufficient rights to supply the components in all jurisdictions in which we have data centers and edge data centers that support our Platform. In addition, the technology equipment industry has experienced component shortages and delivery delays, and we have and may in the future experience shortages or delays, including as a result of increased demand in the industry, natural disasters, export and import control restrictions, or our suppliers lacking sufficient rights to supply the components in all jurisdictions in which we have data centers and edge data centers that support our Platform. For example, supply chain constraints for servers and other networking equipment required for our operations has resulted and could in the future result in disruptions and delays for these components and the delivery and installation of such components at our data centers and edge data centers. If our supply of certain components is disrupted or delayed, there can be no assurance that additional supplies or components can serve as adequate replacements for the existing components or that supplies will be available on terms that are favorable to us, if at all. Any disruption or delay in the supply of hardware components or data center availability may delay the opening of new data centers, edge data centers, co-location facilities or the creation of fully redundant operations, limit capacity expansion, or replacement of defective or obsolete equipment at existing data centers and edge data centers or cause other constraints on our operations that could damage our ability to serve our creators and users. Any disruption or delay in the supply of our hardware components may delay the opening of new data centers, edge data centers, co-location facilities or the creation of fully redundant operations, limit capacity expansion, or replacement of defective or obsolete equipment at existing data centers and edge data centers or cause other constraints on our operations that could damage our ability to serve our developers, creators, and users.
Some creators and users on our Platform may make unauthorized, fraudulent, or illegal use of Robux and other digital goods or experiences on our Platform, including by use of unauthorized third-party websites or “cheating” programs.Some developers, creators, and users on our Platform may make unauthorized, fraudulent, or illegal use of Robux and other digital goods or experiences on our Platform, including through unauthorized third-party websites or “cheating” programs.
Robux and digital goods on our Platform have no monetary value and no authorized market or application outside of our Platform. Creators that participate in our Developer Exchange Program can be paid fiat currency based on the amount of Robux they have accumulated, subject to eligibility. However, users have made and may in the future make unauthorized, fraudulent, or illegal sales and/or purchases of Robux, other digital goods, and Roblox accounts on or off of our Platform, including by use of unauthorized third-party websites in exchange for fiat currency or to facilitate online wagers.Robux and digital goods on our Platform have no monetary value outside of our Platform, but users have made and may in the future make unauthorized, fraudulent, or illegal sales and/or purchases of Robux and other digital goods on or off of our Platform, including through unauthorized third-party websites in exchange for real-world currency. For example, some users have made fraudulent use of credit cards owned by others to purchase Robux and offer the purchased Robux for sale at a discount on third-party websites. For example, some users have made fraudulent use of credit cards owned by others on our Platform to purchase Robux and offer the purchased Robux for sale at a discount on a third-party website. For the year ended December 31, 2025, total chargebacks and refunds to us, some of which may have been related to fraud were approximately 2.5% of bookings. For the year ended December 31, 2023, total chargebacks to us from this fraud was approximately 3.11% of bookings.
While we regularly monitor and screen usage of our Platform with the aim of identifying and preventing these activities, and regularly monitor third-party websites for fraudulent Robux or digital goods offers as well as regularly send cease-and-desist letters to operators of these third-party websites, we are unable to control or stop all unauthorized, fraudulent, or illegal transactions in Robux or other digital goods that occurs on or off of our Platform. Although we are not responsible for such activities conducted by these third parties, our user experience may be adversely affected, and users and/or creators may choose to leave our Platform if these activities are pervasive. Although we are not responsible for such unauthorized, fraudulent, and/or illegal activities conducted by these third parties, our user experience may be adversely affected, and users and/or developers may choose to leave our Platform if these activities are pervasive. These activities have and may in the future result in negative publicity, disputes, regulatory scrutiny, and legal claims, and measures we take in response may be expensive, time consuming, and disruptive to our operations. These activities may also result in negative publicity, disputes, or even legal claims, and measures we take in response may be expensive, time consuming, and disruptive to our operations.
In addition, unauthorized, fraudulent, and/or illegal purchases and/or sales of Robux, Roblox accounts, or other digital goods on or off of our Platform, including through third-party websites, bots, fake accounts, or “cheating” or malicious programs that enable users to exploit both vulnerabilities and legitimate mechanics in the experiences on our Platform or our partners’ websites and platforms, could reduce our revenue and bookings by, among other things, decreasing revenue from authorized and legitimate transactions, increasing chargebacks from unauthorized credit card transactions, or causing us to lose revenue and bookings from dissatisfied users who stop engaging with the experiences on our Platform.In addition, unauthorized, fraudulent, and/or illegal purchases and/or sales of Robux or other digital goods on or off of our Platform, including through third-party websites, bots, fake accounts, or “cheating” or malicious programs that enable users to exploit vulnerabilities in the experiences on our Platform or our partners’ websites and platforms, could reduce our revenue and bookings by, among other things, decreasing revenue from authorized and legitimate transactions, increasing chargebacks from unauthorized credit card transactions, causing us to lose revenue and bookings from dissatisfied users who stop engaging with the experiences on our Platform, or could increase costs that we incur to develop technological measures to curtail unauthorized transactions and other malicious programs, or could reduce other operating metrics. Additionally, such prohibited activity could increase costs that we incur to develop technological measures to curtail unauthorized transactions and other malicious programs, or could reduce other operating metrics.
Under our community rules for our Platform, which creators and users are obligated to comply with, we reserve the right to temporarily or permanently ban individuals for breaching our terms of use or Community Standards, including by engaging in any illegal activity on our Platform. We have banned individuals as a result of unauthorized, fraudulent, or illegal use of our Platform, Robux, or other digital goods on our Platform, which has and may continue to lead to reputational harm in cases where users disagree with our enforcement decisions. We have also employed technological measures to help detect unauthorized Robux transactions and continue to develop additional methods and processes through which we can identify unauthorized transactions and block such transactions. However, there can be no assurance that our efforts to prevent or minimize these unauthorized, fraudulent, or illegal transactions will be successful.
41
We have made and are continuing to make investments in privacy, data protection, user safety, cybersecurity, and content review efforts to combat misuse of our services and user data by third parties, including investigations of individuals we have determined to have attempted to access and, in some cases, have accessed, user data without authorization. Our internal teams also continually monitor and work to address any identified unauthorized attempts to access data stored on servers that we own or control or data available to our third-party customer service providers. Our internal teams also continually monitor and address any unauthorized attempts to access data stored on servers that we own or control or data available to our third-party customer service providers. As a result of these efforts, we have discovered and disclosed, and anticipate that we will continue to discover and disclose, incidents of misuse of or unauthorized access of user data or other undesirable activity by third parties. As a result of these efforts, we have discovered and disclosed, and anticipate that we will continue to discover and disclose, additional incidents of misuse of or unauthorized access of user data or other undesirable activity by third parties. We have taken steps to protect the data that we have access to, but despite these efforts, our security measures, or those of our third-party service providers, could be insufficient or breached as a result of third-party action, malfeasance, employee errors, service provider errors, technological limitations, defects, or vulnerabilities in our Platform or otherwise. Additionally, many of our employees and third-party service providers with access to user data currently are and may in the future be working remotely, or in higher risk geographic regions as we expand our global footprint, which may increase our employees’ or our third-party service providers’ risk of security breaches or incidents. Additionally, many of our employees and third-party service providers with access to user data currently are and may in the future be working remotely, which may increase our or our third-party service providers’ risk of security breaches or incidents. Moreover, the risk of state-supported and geopolitical-related cyber-attacks may increase with geopolitical events. We have sometimes failed to discover and in the future may not discover all such incidents or activity or be able to respond to or otherwise address them, promptly, in sufficient respects or at all. Such incidents and activities have in the past, and may in the future, involve the use of user data or our systems in a manner inconsistent with our terms, contracts or policies, the existence of false or undesirable user accounts, theft of in-game currency or virtual items in valid user accounts, and activities that threaten people’s safety on- or offline. We may also be unsuccessful in our efforts to enforce our policies or otherwise remediate any such incidents. Any of the foregoing developments, whether actual or perceived, may negatively affect user trust and engagement, harm our reputation and brand, require us to change our business practices in a manner adverse to our business, and adversely affect our business and financial results. Any of the foregoing developments, whether actual or perceived, may negatively affect user trust and engagement, harm our reputation and brands, require us to change our business practices in a manner adverse to our business, and adversely affect our business and financial results. Any such developments have and may continue to subject us to future litigation and regulatory inquiries, investigations, and proceedings, including from data protection authorities in countries where we offer services and/or have users, which could subject us to monetary penalties and damages, divert management’s time and attention, and lead to enhanced regulatory oversight. Any such developments may also subject us to future litigation and regulatory inquiries, investigations, and proceedings, including from data protection authorities in countries where we offer services and/or have users, which could subject us to monetary penalties and damages, divert management’s time and attention, and lead to enhanced regulatory oversight.
We focus our business on our creators and users, and acting in their interests in the long term may conflict with the short-term expectations of analysts and investors.We focus our business on our developers, creators, and users, and acting in their interests in the long-term may conflict with the short-term expectations of analysts and investors.
A significant part of our business strategy and culture is to focus on long-term growth and creator and user experience over short-term financial results.A significant part of our business strategy and culture is to focus on long-term growth and developer, creator, and user experience over short-term financial results. We expect our expenses to continue to increase in the future as we broaden our creator and user community, as creators and users increase the amount and types of experiences and virtual items they make available on our Platform and the content they consume, as we continue to seek ways to increase payments to our creators, and as we develop and further enhance our Platform, expand our technical infrastructure and data centers, and hire additional employees to support our expanding operations. We expect our expenses to continue to increase in the future as we broaden our developer, creator, and user community, as developers, creators, and users increase the amount and types of experiences and virtual items they make available on our Platform and the content they consume, as we continue to seek ways to increase payments to our developers and as we develop and further enhance our Platform, expand our technical infrastructure and data centers, and hire additional employees to support our expanding operations. As a result, in the near- and medium-term, we may continue to operate at a loss, or our near- and medium-term profitability may be lower than it would be if our strategy were to maximize near- and medium-term profitability. We expect to continue making significant expenditures to grow our Platform and develop new features, integrations, capabilities, and enhancements to our Platform for the benefit of our creators and users. We will also be required to invest in our internal IT systems, technological operations infrastructure, financial infrastructure, and operating, compliance, and administrative systems and controls. Such expenditures may not result in improved business results or profitability over the long term. If we are ultimately unable to achieve or improve profitability at the level or during the time frame anticipated by securities or industry analysts, investors, and our stockholders, the market price of our Class A common stock may decline.
The popularity of our Lua-based scripting language is a key driver of content creation and engagement with our Platform, and if other programming languages or platforms become more popular with our creators, it may affect engagement with and content creation for our Platform.The popularity of our Lua scripting language is a key driver of content creation and engagement with our Platform, and if other programming languages or platforms become more popular with our developers, it may affect engagement with and content creation for our Platform.
Roblox experiences are programmed using our Lua-based scripting language on the Roblox Platform.Roblox experiences are programmed using Lua scripting language on the Roblox Platform. In order to enhance the attractiveness of our Platform to potential creators, we have made our scripting language available without charge. In order to enhance the attractiveness of our Platform to potential developers, we have made the Lua scripting language available without charge. Our scripting language permits creators on our Platform to develop customized add-on features for their own or others’ use, and we have provided education to our creators on how to write add-on programs using our scripting language. The Lua scripting language permits developers on the Roblox Platform to develop customized add-on features for their own or others’ use, and we have trained our developers on how to write add-on programs using Lua scripting language. As part of this strategy, we have encouraged the development of an active community of programmers similar to those which have emerged for other software platforms. As part of this strategy, we have encouraged the development of an active community of Lua programmers similar to those which have emerged for other software platforms. The widespread use and popularity of our Lua-based scripting language is critical to creating engaging content on and demand for our Platform. The widespread use and popularity of our Lua scripting language is critical to creating engaging content on and demand for our Platform. If creators do not find our scripting language or our Platform simple and attractive for developing content or determine that our scripting language or other features of our Platform are undesirable or inferior to other scripting languages or platforms, or the scripting language becomes unavailable for use by the creators for any reason, they may shift their resources to developing content on other platforms, and our business may be harmed. If developers do not find the Lua scripting language or our Platform simple and attractive for developing content or determine that our Lua scripting language or other features of our Platform are undesirable or inferior to other scripting languages or platforms, or Lua scripting language becomes unavailable for use by the developers for any reason, they may shift their resources to developing content on other platforms and our business may be harmed.
42
We rely on Amazon Web Services for a portion of our cloud infrastructure in certain areas, and as a result any disruption of AWS would negatively affect our operations and significantly harm our business.
We rely on Amazon Web Services (“AWS”) as a third-party provider for a portion of our backend services, including for some of our high-speed databases, scalable object storage, and message queuing services, as well as virtual cloud infrastructure. For location-based support areas, we outsource certain aspects of the infrastructure relating to our cloud-native Platform. As a result, our operations depend, in part, on AWS’ ability to protect their services against damage or interruption from natural or manmade disasters. Our creators and users need to be able to access our Platform at any time, without interruption or degradation of performance. Our developers, creators, and users need to be able to access our Platform at any time, without interruption or degradation of performance. Although we have disaster recovery plans that utilize multiple AWS availability zones to support our cloud infrastructure, any incident affecting their infrastructure that may be caused by natural or manmade disasters and other similar events beyond our control, could adversely affect our cloud-native Platform. Any disruption of or interference with our use of AWS could impair our ability to deliver our Platform reliably to our creators and users.
Additionally, if AWS were to experience a hacking attack or other security incident, it could result in unauthorized access to, damage to, disablement or encryption of, use or misuse of, disclosure of, modification of, destruction of, or loss of our data or our creators’ and users’ data, or disrupt our ability to provide our Platform or service.Additionally, if AWS were to experience a hacking attack or another security incident, it could result in unauthorized access to, damage to, disablement or encryption of, use or misuse of, disclosure of, modification of, destruction of, or loss of our data or our developers’, creators’, and users’ data or disrupt our ability to provide our Platform or service. A prolonged AWS service disruption affecting our cloud-native Platform for any of the foregoing reasons would adversely impact our ability to serve our users and creators and could damage our reputation with current and potential users and creators, expose us to liability, regulatory action under NIS2 requirements, result in substantial costs for remediation, cause us to lose users and creators, or otherwise harm our business, financial condition, or results of operations. A prolonged AWS service disruption affecting our cloud-native Platform for any of the foregoing reasons would adversely impact our ability to serve our users, developers, and creators and could damage our reputation with current and potential users, developers, and creators, expose us to liability, result in substantial costs for remediation, cause us to lose users, developers, and creators, or otherwise harm our business, financial condition, or results of operations. We may also incur significant costs for using alternative hosting cloud infrastructure services or taking other actions in preparation for, or in reaction to, events that damage or interfere with the AWS services we use.
We have entered into an enterprise agreement with AWS and a supplemental private pricing addendum that will remain in effect until June 2026. In the event that our AWS service agreements are terminated, or there is a lapse of service, elimination of AWS services or features that we utilize, we could experience interruptions in access to our Platform, especially during peak times for concurrent users, as well as significant delays and additional expense in arranging for or creating new facilities or re-architecting our Platform for deployment on a different cloud infrastructure service provider, which would adversely affect our business, financial condition, and results of operations.42Table of ContentsWe have entered into an enterprise agreement with AWS and a supplemental private pricing addendum that will remain in effect until June 2026. In the event that our AWS service agreements are terminated, or there is a lapse of service, elimination of AWS services or features that we utilize, we could experience interruptions in access to our Platform as well as significant delays and additional expense in arranging for or creating new facilities or re-architecting our Platform for deployment on a different cloud infrastructure service provider, which would adversely affect our business, financial condition, and results of operations.
Our business and results of operations are affected by fluctuations in currency exchange rates.
As we continue to expand our international operations, we become more exposed to the effects of fluctuations in currency exchange rates. We generally collect revenue from our international markets in the local currency. For the year ended December 31, 2025, approximately 82% of our DAUs and 39% of our revenue was derived from outside the U.S. and Canada region. While we periodically adjust the price of Robux to account for the relative value of this local currency to the U.S. dollar, these adjustments are not immediate nor do they typically exactly track the underlying currency fluctuations. As a result, rapid appreciation of the U.S. dollar against these foreign currencies has harmed and may continue to harm our reported results and cause the revenue derived from our foreign users and overall revenue to decrease. In addition, even if we do adjust the cost of our Robux in foreign markets to fluctuations in the U.S. dollar, such fluctuations could change the costs of purchasing Robux to our users outside of the U.S., which may adversely affect our business, results of operations, and financial condition, or improve our financial performance.
We also incur expenses for employee compensation and other operating expenses at our non-U.S. locations in the local currency. Additionally, global events as well as geopolitical developments, and inflation have caused, and may in the future cause, global economic uncertainty, and uncertainty about the interest rate environment, which could amplify the volatility of currency fluctuations. Additionally, global events as well as geopolitical developments, including conflict in Europe and inflation have caused, and may in the future cause, global economic uncertainty, and uncertainty about the interest rate environment, which could amplify the volatility of currency fluctuations. Fluctuations in the exchange rates between the U.S. dollar and other currencies could result in the dollar equivalent of our expenses being higher which may not be offset by additional revenue earned in the local currency. This could impact our reported results of operations. To date, we have not engaged in any hedging strategies and any such strategies, such as forward contracts, options, and foreign exchange swaps related to transaction exposures that we may implement in the future to mitigate this risk may not eliminate our exposure to foreign exchange fluctuations. Moreover, the use of hedging instruments may introduce additional risks if we are unable to structure effective hedges with such instruments.
We plan to continue to make acquisitions and investments in other companies, which could require significant management attention, disrupt our business, dilute our stockholders, and significantly harm our business.
As part of our business strategy, we have made and intend to make acquisitions and investments to add or access specialized employees and complementary companies, products, features, and technologies.As part of our business strategy, we have made and intend to make acquisitions to add specialized employees and complementary companies, features, and technologies. Our ability to acquire and successfully integrate larger or more complex companies, products, features, and technologies is unproven. In the future, we may not be able to find other suitable acquisition or investment candidates, and we may not be able to complete acquisitions, investments, or similar strategic transactions on favorable terms, if at all. The risks and challenges associated with acquisitions and investments include:
•The pursuit of potential acquisitions or investments may divert the attention of management and cause us to incur significant expenses related to identifying, investigating, and pursuing suitable targets, whether or not they are consummated.
43
•Our previous and future acquisitions and investments may not achieve our goals, and any future acquisitions or investments we complete could be viewed negatively by users, creators, partners, or investors.
•If we fail to successfully close transactions or integrate new teams into our corporate culture, or fail to integrate the products, features, and technologies associated with acquisitions or investments in a timely fashion, our business and reputation could be significantly harmed.
•Any integration process may require significant time and resources, and we may not be able to manage the process successfully.
•We may not successfully evaluate or use the acquired products, technology, and personnel, or accurately forecast the financial impact of an acquisition, including accounting charges which could be recognized as a current period expense.
•We may not achieve the anticipated benefits of synergies from the target business, may encounter challenges with incorporating the acquired products, features, and technologies into our Platform while maintaining quality and security standards consistent with our brand, or may fail to identify security vulnerabilities in acquired technology prior to integration with our technology and Platform.
•We may incur unanticipated liabilities that we assume as a result of acquiring companies, including claims related to the acquired company, its offerings, or technologies or potential violations of applicable law or industry rules and regulations arising from prior or ongoing acts or omissions by the acquired business that were not discovered or deemed material during diligence.
•We will pay cash, incur debt, or issue equity securities to pay for any acquisitions or investments, any of which could reduce our ability to make future acquisitions or investments and significantly harm our financial results. In addition, if target companies view our Class A common stock unfavorably, we may be unable to consummate key acquisitions or investments.
•It generally takes several months after the closing of an acquisition to finalize the purchase price allocation. Therefore, it is possible that our valuation of an acquisition may change and result in unanticipated write-offs or charges, impairment of our goodwill, or a material change to the fair value of the assets and liabilities associated with a particular acquisition, any of which could significantly harm our business.
•Selling equity to finance any acquisition or investment would dilute our stockholders, and incurring debt would increase our fixed obligations and could also include covenants or other restrictions that would impede our ability to manage our operations.
In addition, the U.S. government introduced regulations effective January 2025 that require notification of or prohibit certain transactions by U.S. persons with entities in China or with linkages to China (the “Outbound Investment Rules”). The Outbound Investment Rules could apply to certain intracompany activities between Roblox and Roblox China Holding Corp or Luobu, as well as other Roblox investments or activities with entities in China or with linkages to China. The Outbound Investment Rules regulations could also limit the ability of others to transact certain business with us if those transactions involve or benefit, directly or indirectly Roblox China Holding Corp, Luobu, or our other operations in China. Furthermore, the FY 2026 National Defense Authorization Act expands on the existing Outbound Investment Rules and directs new or updated regulations to be published by early 2027. Where the Outbound Investment Rules apply to a given transaction, it might limit our ability to carry out our long-term business strategy.
Our ability to use our net operating loss carryforwards and certain other tax attributes may be limited, which could significantly harm our business.44Table of ContentsOur ability to use our net operating loss carryforwards and certain other tax attributes may be limited, each of which could significantly harm our business.
As of December 31, 2025, we had federal net operating loss carryforwards of $3,241.5 million, which do not expire, federal net operating loss carryforwards of $32.8 million, which begin to expire in 2037, state net operating loss carryforwards of $1,717.7 million, which begin to expire in 2028, and foreign net operating loss carryforwards of $61.9 million, which begin to expire in 2026. Utilization of our net operating loss carryforwards and other tax attributes may be subject to limitations on utilization or benefit due to the ownership change limitations provided by Sections 382 and 383 of the Internal Revenue Code of 1986, as amended (the “Code”), and other similar provisions. All of the $3,241.5 million of federal net operating losses are carried forward indefinitely but the deductibility of these losses is generally limited to 80% of current year taxable income. Our net operating loss carryforwards and other tax attributes may also be subject to limitations under state law. Our net operating loss carryforwards may also be subject to limitations under state law. For example, California legislation limits the use of state net operating loss carryforwards and tax credits for tax years beginning on or after January 1, 2024 and before January 1, 2027. If our net operating loss carryforwards and other tax attributes expire before utilization or are subject to limitations, our business and financial results could be harmed.
If our estimates or judgments relating to our critical accounting policies are based on assumptions that change or prove to be incorrect, our results of operations could fall below expectations of securities analysts and investors or our publicly announced guidance, and changes in our business may not be immediately reflected in our operating results. If a third party is able to obtain an injunction preventing us from accessing or exercising intellectual property rights, or if we cannot license or develop alternative technology for any infringing aspect of our business, we could be forced to limit or cease access to our Platform or cease business activities related to such intellectual property.
44
The preparation of financial statements in conformity with GAAP requires management to make estimates and assumptions that affect the amounts reported in our financial statements and accompanying notes. We base our estimates on historical experience and on various other assumptions that we believe to be reasonable under the circumstances, as described in the section titled “Management’s Discussion and Analysis of Financial Condition and Results of Operations.” For example, the majority of the virtual items available on our Platform are durable virtual items, which, when acquired, are recognized ratably over the estimated period of time the virtual items are available to the user (estimated to be the average lifetime of a paying user). Every quarter, we complete an assessment of our estimated average lifetime of a paying user, which is used for revenue recognition of durable virtual items and calculated based on historical monthly retention data for each paying user cohort to project future participation on our Platform. Every quarter, we complete an assessment of our estimated paying user life, which is used for revenue recognition of durable virtual items and calculated based on historical monthly retention data for each paying user cohort to project future participation on our Platform. We calculate the average historical monthly retention data by determining the weighted average of monthly paying users that have spent time on our Platform. For example, in the second quarter of 2024, the estimated average lifetime of a paying user decreased from 28 months to 27 months, resulting in an increase in our fiscal year 2024 revenue and cost of revenue by $98.0 million and $20.4 million, respectively.
Much of the revenue we report in each quarter is the result of purchases of Robux during previous periods. Consequently, a decline in purchases of Robux in any one quarter will not be fully reflected in our revenue and operating results for that quarter. Any such decline, however, will negatively impact our revenue and operating results in future quarters. Accordingly, the effect of significant near-term downturns in purchases of Robux for a variety of reasons may not be fully reflected in our results of operations until future periods.
In addition to revenue recognition and estimates of the average lifetime of a paying user, our accounting policies involve other significant estimates and assumptions as described under Note 1, “Overview and Summary of Significant Accounting Policies”, to our consolidated financial statements included in this Annual Report on Form 10-K. Our management believes that such estimates, and judgments upon which they rely, are reasonable based upon information available to them at the time that these estimates and judgments are made. However, if our assumptions change or if actual circumstances differ from those in our assumptions, our results of operations could be adversely affected, which could cause our results of operations to fall below the expectations of securities analysts and investors, resulting in a decline in the market price of our Class A common stock. If our assumptions change or if actual circumstances differ from those in our assumptions, our results of operations could be adversely affected, which could cause our results of operations to fall below the expectations of securities analysts and investors, resulting in a decline in the market price of our Class A common stock.
Our results of operations may be harmed if we are required to collect sales, value added, or other similar taxes for the purchase of our virtual currency, for the sale of digital content, or purchase of physical goods, between our creators and users.Our results of operations may be harmed if we are required to collect sales, value added, or other similar taxes for the purchase of our virtual currency, or for the sale of content between our developers, creators, and users.
Although we, either directly or through our third-party distribution channels, collect and remit taxes from users in certain countries and regions on the sale of our virtual currency, there are some jurisdictions in which we operate where we do not currently collect taxes from users. The application of tax laws pertaining to the collection of sales, value added, and similar taxes to e-commerce businesses, such as ours, is a complex and evolving area. Jurisdictions may classify our product offerings differently such as intangible property, digital goods, or services, each with different tax rules and requirements. For example, many countries have enacted tax laws that require non-resident providers to register for and levy value added taxes on electronically provided services to such country’s residents. For example, many countries have recently enacted tax laws that require non-resident providers to register for and levy value added taxes on electronically provided services to such country’s residents. This would require us to calculate, collect, and remit value added taxes in some jurisdictions, even if we have no physical presence in such jurisdictions. Further, we may need to invest substantial amounts to modify our solutions or our business model to be able to collect and remit sales, value added, or similar taxes under such tax laws in the future.
Further, many jurisdictions have also adopted or are considering adopting marketplace facilitator laws that shift the burden of tax collection to online marketplaces. Further, many jurisdictions have also adopted or are considering adopting marketplace facilitator laws that shift the burden of tax collection to online marketplaces. In certain jurisdictions, we may be characterized as a marketplace facilitator for the sale of digital content or physical goods between our creators and users, and in such instances, we may need to invest substantial amounts to modify our solutions or business model to be able to meet any reporting and collection obligations with respect to sales, value added, or similar taxes. We have been and may continue to be subject to legal proceedings asserting claims arising from allegations that we disabled access to virtual items found to violate our Terms of Use, that we have facilitated gambling by minors, that we have misrepresented the safety of our Platform, that our Platform is addictive or otherwise unsafe, and suits related to our refund policies. A successful assertion by a jurisdiction that we should have been or should be collecting additional sales, value added, or other taxes for the sale of content or physical goods between our creators and users, could, among other things, result in substantial tax payments, create significant administrative burdens for us, discourage potential users or creators from subscribing to our Platform, or otherwise harm our business, results of operations, and financial condition. A successful assertion by a jurisdiction that we should have been or should be collecting additional sales, value added, or other taxes for the sale of content between our developers, creators, and users, could, among other things, result in substantial tax payments, create significant administrative burdens for us, discourage potential users, developers or creators from subscribing to our Platform, or otherwise harm our business, results of operations, and financial condition.
We may not realize the benefits expected through our China joint venture.
In February 2019, we entered into a joint venture agreement with Songhua River Investment Limited, referred to as Songhua, an affiliate of Tencent Holdings Limited (“Tencent Holdings”), under which we created Roblox China Holding Corp (the “China JV”), of which we own a 51% ownership interest.In February 2019, we entered into a joint venture agreement with Songhua River Investment Limited, referred to as Songhua, an affiliate of Tencent Holdings Ltd. Through a wholly-owned subsidiary based in Shenzhen, branded as “Luobu,” the China JV is engaged in the development, localization, and licensing to Chinese creators of a Chinese version of Roblox Studio. Luobu also develops and oversees relations with local Chinese creators and helps them build and publish experiences and content for our global Platform. Luobu also develops and oversees relations with local Chinese developers and helps them build and publish experiences and content for our global Platform. In December 2020, Shenzhen Tencent Computer Systems Co. Ltd (“Tencent”), received a required publishing license from the Chinese government, which enabled Tencent to publish a localized version of the Roblox Client as a game in China under the name “Luobulesi.” The license could be withdrawn if Tencent fails to comply with applicable existing or future regulations. Such withdrawal could significantly impair or eliminate the ability to publish and operate Luobulesi in China. The Luobulesi app is not currently available to users in China while we and Tencent build the next version of Luobulesi.
45
Tensions between the U.S. and China have resulted in trade restrictions that could harm our ability to participate in Chinese markets and numerous additional such restrictions have been threatened by both countries. As an example, since February 2025, the U.S. government has imposed significant tariffs upon the import of almost all Chinese-origin items, subject to certain exemptions. The tariff policies and responses of both countries are currently fluid, and it is unclear whether or at what level tariff policies will stabilize. Sustained uncertainty about, or worsening of, current global economic conditions, as well as continued or further escalation of trade tensions between the U.S. and China, could result in a global economic slowdown and long-term impacts on global trade, including the imposition of retaliatory trade restrictions that could restrict our ability to participate in the China JV. As another example, the U.S. Department of Justice has promulgated new rules on Access to U.S. Sensitive Personal Data and Government-Related Data by Countries of Concern or Covered Persons (colloquially the “Data Security Program”), which place limitations, and in some cases prohibitions, on certain transfers of or grants of access to sensitive personal data to business partners located in China and other designated countries, or with other specified links to China and other designated countries. The Data Security Program may impact our ability to share certain kinds of data, platform access, or other important resources with Tencent or the China JV, or the China JV’s ability to interact with Tencent. We may find it difficult or impossible to comply with these or other conflicting regulations in the U.S. and China, which could make it difficult or impossible to achieve our business objectives in China or realize a return on our investment in this market.
Relations may also be compromised if the U.S. pressures the Chinese government regarding its monetary, economic, or social policies. Changes in political conditions in China and changes in the state of China-U.S. relations are difficult to predict and could adversely affect the operations or financial condition of the China JV. In addition, because of our proposed involvement in the Chinese market, any deterioration in political, economic, or trade relations might result in our products being perceived as less attractive in the U.S. or elsewhere. In January 2025, the U.S. Department of Defense (“DOD”) added Tencent Holdings to its list of Chinese military companies operating directly or indirectly in the U.S. under section 1260H of the National Defense Authorization Act for Fiscal Year 2021 (“1260H List”). Beginning in June 2026, this may restrict our ability to resell goods and services of Tencent Holdings to the DOD. The designation may also result in negative publicity for us and the China JV. Further regulatory changes adding Tencent Holdings to additional lists or export and sanctions related restricted or prohibited parties or further controls on entities viewed as connected to the Chinese military could impact our ability to work with Tencent Holdings. The Committee on Foreign Investment in the U.S. (“CFIUS”) has continued to apply a more stringent review of certain foreign investment in U.S. companies, including investment by Chinese entities, and has made inquiries to us with respect to Tencent Holding’s equity investment in us and involvement in the China JV. We cannot predict what effect any further inquiry by CFIUS into our relationship with Tencent and Tencent Holdings, developments with respect to the 1260H List, or changes in China-U.S. relations overall may have on our ability to effectively support the China JV or on the operations or success of the China JV.
The Chinese economic, legal, and political landscape also differs from other countries in many respects, including the level of government involvement and regulation, control of foreign exchange, and uncertainty regarding the practical enforceability of intellectual property rights. The laws, regulations, and legal requirements in China are also subject to frequent changes and the exact obligations under and enforcement of laws and regulations are often subject to unpublished internal government interpretations and policies which makes it challenging to ascertain compliance with such laws. We may incur increased operating expenses related to cybersecurity and data protection in China, including with respect to access to Chinese user data and confidential company information as well as any network interconnections and cross border system integrations.
In addition to market and regulatory factors, any future success of the China JV will require a collaborative effort with Tencent to build and operate Luobu and Luobulesi as together, they will form the exclusive basis for growing our penetration in the China market. In addition to market and regulatory factors, any future success of the China JV will require a collaborative effort with Tencent to build and operate Luobu and Luobulesi as together, they will form the exclusive basis for growing our penetration in the China market. In addition, upon the occurrence of certain events, such as a termination of certain of the contractual relationships applicable to Luobu, a change of control of us, or the acquisition of 20% of our outstanding securities by certain specified Chinese industry participants, we may be required to purchase Songhua’s interest in the China JV at a fair market value determined at the time of such purchase. Any future requirement to purchase the interest in China JV from Songhua may have a material adverse effect upon our liquidity, financial condition, and results of operations both as a result of the purchase of such interests and the fact that we would need to identify and partner with an alternative Chinese partner in order for operations to continue in the China market.
46
We may require additional capital to meet our financial obligations and support business growth, and this capital might not be available on acceptable terms or at all.
We intend to continue to make significant investments to support our business growth and may require additional funds to respond to business challenges, improve our Platform and operating infrastructure or acquire complementary businesses, personnel, and technologies. Accordingly, we may need to engage in additional equity or debt financings. If we raise additional funds through future issuances of equity or convertible debt securities, our existing stockholders could suffer significant dilution, and any new equity securities we issue could have rights, preferences, and privileges superior to those of our Class A common stock. Any debt financing that we secure in the future could involve offering security interests and undertaking restrictive covenants relating to our capital raising activities and other financial and operational matters, which may make it more difficult for us to obtain additional capital and to pursue business opportunities, including potential acquisitions. General market conditions including trading volatility affecting technology companies may reduce our ability to access capital on favorable terms or at all. Also, to the extent outstanding additional shares subject to options and warrants to purchase our capital stock are authorized and exercised, there will be further dilution. The amount of dilution could be substantial depending on the size of the issuance or exercise. If we are unable to obtain adequate financing or financing on terms satisfactory to us when we require it, our ability to continue to support our business growth and to respond to business challenges could be significantly impaired, and our business, financial condition, or results of operations may be harmed.
Risks Related to Government Regulations
Because we store, process, and use data, some of which contains personal information, we are subject to complex and evolving domestic and international laws and regulations regarding privacy, cybersecurity, data protection, and related matters. Many of these laws and regulations are subject to change and uncertain interpretation, and could result in investigations, claims, changes to our business practices, increased cost of operations, and declines in user growth, retention, or engagement, any of which could significantly harm our business.
We are subject to a variety of evolving and uncertain laws and regulations in the U.S. and abroad related to privacy, cybersecurity, data protection, intellectual property, and related matters. The impact of any current and potential future regulations are far-reaching, create a patchwork of overlapping but different requirements, and have required and may continue to require us to, modify practices, policies, features and Platform defaults, incur substantial costs and expenses, and at times restrict our operations.
Certain privacy, biometrics, cybersecurity, and data protection laws and regulations have placed and will continue to place significant privacy, data protection, and cybersecurity obligations on organizations such as ours and may require us to continue to change our policies and procedures. For example, the EU’s General Data Protection Regulation (“GDPR”) imposes stringent data protection requirements regarding EU personal data, and EU regulators may impose fines of the greater of €20 million or 4% of annual global revenues of the previous year for the most serious breaches or instances of noncompliance. Such fines would be in addition to (i) the rights of individuals to sue for damages in respect of any data privacy breach that causes them to suffer harm, (ii) the right of individual member states to impose additional sanctions under local privacy laws over and above the administrative fines specified in the GDPR, and (iii) the ability of supervisory authorities to impose orders requiring companies to modify their practices. Such fines would be in addition to (i) the rights of individuals to sue for damages in respect of any data privacy breach which causes them to suffer harm, (ii) the right of individual member states to impose additional sanctions over and above the administrative fines specified in the GDPR, and (iii) the ability of supervisory authorities to impose orders requiring companies to modify their practices.
The U.K.’s data protection regime (UK GDPR and Data Protection Act 2018) imposes significant compliance obligations and penalties of up to the greater of £17.5 million or 4% of global revenue. The European Commission granted the U.K. an ‘adequacy’ decision allowing free data transfer from the EEA in 2021 and renewed the decision in 2025, extending the adequacy decision through December 27, 2031, with the possibility to be renewed. Any loss of adequacy or divergence between U.K. and EU laws could disrupt our data flows and increase compliance costs.
Because a large number of our DAUs are historically under 13, we face significant risks under the Children’s Online Privacy Protection Act (“COPPA”), Article 8 of the GDPR, and similar regulations. COPPA imposes requirements on operators of websites or online services directed to children under 13 years of age to obtain verifiable parental consent before collecting personal information from children under the age of 13, unless specific exceptions apply, and imposes data retention and information security obligations. No assurances can be given that our compliance efforts will be sufficient to avoid allegations of COPPA violations, and any non-compliance or allegations of non-compliance could expose us to significant liability, penalties and loss of revenue, significantly harm our reputation, and could be costly and time consuming to address or defend. To the extent we rely on consent for processing personal data under the GDPR, consent or authorization from the holder of parental responsibility is required in certain cases for the processing of personal data of children under the age of 16, and member states may enact laws that lower that age to 13. Additionally, in certain jurisdictions the law may allow minors to disaffirm their contracts, including our terms of use. If minors on our Platform are able to avoid enforcement of our terms of use under applicable law, it could have a material adverse impact on our business, financial condition, results of operations, and cash flow. If minors on our Platform are able to avoid enforcement of our Terms of Use under applicable law, it could have a material adverse impact on our business, financial condition, results of operations, and cash flow.
47
We continue to monitor the development of new digital regulations and laws in the U.K. We have taken steps to comply with the U.K.’s Online Safety Act (“OSA”), including carrying out risk assessments and implementing measures to prevent illegal content from appearing on our service. We are observing ongoing developments and guidance from the U.K.’s Information Commissioner Office (“ICO”) on the Age Appropriate Design Code (“AADC”), which focuses on online safety and protection of children’s privacy online. Noncompliance with the AADC may result in publicized investigations, substantial fines, audits, or other proceedings by the ICO and other regulators in the EEA or Switzerland, as noncompliance with the AADC may indicate noncompliance with applicable data protection law. We may incur liabilities, expenses, costs, and other operational losses under the GDPR and laws and regulations of applicable EU Member States and the U. We may incur liabilities, expenses, costs, and other operational losses under the GDPR and laws and regulations of applicable EU Member States and the United Kingdom relating to privacy, cybersecurity and data protection in connection with any measures we take to comply with them. K. relating to privacy, cybersecurity, and data protection in connection with any measures we take to comply with them.
Other jurisdictions have adopted laws and regulations addressing privacy, data protection, and cybersecurity, many of which share similarities with the GDPR. For example, Law no. 13.709/2018 of Brazil, the Lei Geral de Proteção de Dados Pessoais or LGPD, applies to our processing of data for users in Brazil, regardless of our location, and grants users rights similar to the GDPR, including a private right of action. 13.709/2018 of Brazil, the Lei Geral de Proteção de Dados Pessoais or LGPD, entered into effect on September 18, 2020, authorizing a private right of action for violations. Non-compliance could result in fines of up to 2% of our revenue in Brazil or 50 million reais (approximately $9.5 million) per violation. Similarly, the Personal Information Protection Law, (“PIPL”) of the People’s Republic of China (“PRC”) imposes extraterritorial obligations similar to the GDPR, including strict data localization requirements. Violations can result in corporate fines of up to 50 million RMB or 5% of prior-year revenue. Notably, the PIPL also imposes personal liability on responsible individuals, including fines up to 1 million RMB and potential bans on serving as a director or senior managers.
Our approach with respect to regimes such as the LGPD, PIPL, and other foreign legislation may be subject to further evaluation and change, our compliance measures may not be fully adequate and may require modification, we may expend significant time and cost in developing and maintaining a privacy governance program, data transfer or localization mechanisms, or other processes or measures to comply with such regimes, and any implementing regulations or guidance under these regimes, and we may potentially face claims, litigation, investigations, or other proceedings or liability regarding such regimes and may incur liabilities, expenses, costs, and other operational losses under such regimes and any measures we take to comply with them. Our approach with respect to the LGPD and PIPL may be subject to further evaluation and change, our compliance measures may not be fully adequate and may require modification, we may expend significant time and cost in developing and maintaining a privacy governance program, data transfer or localization mechanisms, or other processes or measures to comply with the LGPD, the PIPL, and any implementing regulations or guidance under these regimes, and we may potentially face claims, litigation, investigations, or other proceedings or liability regarding the LGPD or PIPL and may incur liabilities, expenses, costs, and other operational losses under the LGPD and PIPL and any measures we take to comply with them. In addition to the changing international landscape, U.S. regulations on the restrictions on transfers of personal data to foreign jurisdictions continue to evolve and may increase operational complexity and compliance costs.
Additionally, NIS2 and its implementing laws regulate cybersecurity risk-management, including expanded incident reporting, of entities operating in a number of sectors. Assessed non-compliance with NIS2 may lead to administrative fines of a maximum of €10 million or up to 2% of the total worldwide revenue of the preceding fiscal year. Further, the EU’s Data Act (the “Data Act”) became applicable on September 12, 2025. Compliance with the Data Act may require us to adjust contract terms with business partners and enable data sharing in some situations. These changes may result in additional compliance and operational costs, which may affect our business.
In addition, the CCPA as modified and supplemented by the California Privacy Rights Act (“CPRA”), established a new privacy framework for covered businesses in California, such as ours, requires us to modify our data processing practices and policies, incur compliance related costs and expenses, and gives California residents the ability to opt-out of the selling and sharing of personal information and limit the use of their sensitive personal information. The CCPA provides for civil penalties for violations, as well as a private right of action for data breaches, which may increase the likelihood and cost of data breach litigation. The CCPA has prompted similar legislative developments in other states in the U.S., including laws enacted in Virginia, Colorado, Utah, Connecticut, Florida, Iowa, Indiana, Montana, Tennessee, Oregon, Delaware, Texas, New Hampshire, New Jersey, Kentucky, Maryland, Nebraska, Rhode Island, and Minnesota.
We face a growing patchwork of states imposing substantial new obligations upon companies that offer online services, products, or features “likely to be accessed” by children 17 years of age or under, or certain types of social media and digital services, respectively. These state-level requirements include, among other things, data protection impact assessments, the implementation of privacy by design, restrictions and obligations in connection with users who are, or are deemed to be, under 18, including access restrictions, verifiable parental consent requirements, and other restrictions on abilities for minors to create accounts. Certain states such as New York and California are also considering or implementing laws that prohibit or restrict covered social media companies from providing individuals under 18 with allegedly “addictive feeds” or “chronological feeds.” Any or all of these restrictions and requirements may limit the use of our Platform or reduce overall demand for our Platform, which could harm our business, financial condition, and results of operations. Some countries also are considering or have passed legislation requiring local storage and processing of data, or similar requirements, which could further increase the cost and complexity of operating our products and services and other aspects of our business. Some countries also are considering or have passed legislation requiring local storage and processing of data, or similar requirements, which could increase the cost and complexity of operating our products and services and other aspects of our business.
48
We have policies and procedures designed to promote compliance with applicable laws, regulations, and certain industry codes of conduct but we cannot assure you that authorities will not assert or determine that our practices violate such requirements. In addition, it is possible that the obligations imposed on us may be interpreted and applied in inconsistent manners and may conflict with other rules or our practices in certain jurisdictions. Additionally, due to the nature of our service, we are unable to maintain complete control over cybersecurity or the implementation of measures that reduce the risk of a security breach or incident. For example, our customers may accidentally disclose their passwords or store them on a mobile device that is “SIM swapped,” lost, or stolen, creating the perception that our systems are not secure against third-party access. Any failure or perceived failure by us to comply with our privacy policies, our obligations to users or other third parties relating to privacy, cybersecurity, data protection, or related matters, or our other policies or actual or asserted obligations relating to privacy, cybersecurity, data protection, or related matters, or any actual or perceived compromise of security, including any such compromise that results in the unauthorized loss, unavailability, modification, release, transfer, or other processing of personal information or other user or creator data, may result in governmental investigations, enforcement actions, inquiries, data requests, requests for information, actions, audits, and other actions and proceedings by domestic and international authorities and regulators, as well as litigation, claims, or public statements against us by consumer advocacy groups or others and could cause our creators and users to lose trust in us, any or all of which could have an adverse effect on our business, financial condition, or results of operations. Any failure or perceived failure by us to comply with our privacy policies, our obligations to users or other third parties relating to privacy, cybersecurity or data protection, or our other policies or obligations relating to privacy, cybersecurity, data protection, or related matters, or any actual or perceived compromise of security, including any such compromise that results in the unauthorized loss, unavailability, modification, release, transfer, or other processing of personal information or other user, developer or creator data, may result in governmental investigations and enforcement actions, litigation, claims or public statements against us by consumer advocacy groups or others and could cause our developers, creators, and users to lose trust in us, any or all of which could have an adverse effect on our business, financial condition, or results of operations.
Legal and regulatory restrictions on virtual currencies like Robux, prepaid gift cards, and payment-related activities may adversely affect our Platform, experiences, and virtual items on our Platform, which may negatively impact our revenue, bookings, business, and reputation.Legal and regulatory restrictions on virtual currencies like Robux may adversely affect our Platform, experiences, and virtual items on our Platform, which may negatively impact our revenue, bookings, business, and reputation.
The global regulatory landscape around payment-related activities is characterized by a lack of uniformity and increasing scrutiny especially when younger users are involved. Examples of payment-related activities on our Platform include the purchase of prepaid gift cards, Robux, and subscriptions. In addition, our Developer Exchange Program allows creators to be paid in fiat currency based on the amount of earned Robux they have accumulated under certain conditions. We have seen and may continue to see increased application of laws and regulations typically applicable to financial institutions such as regulations around money transmission, virtual currency, unclaimed property, and gift cards, many of which include anti-money laundering, KYC, and sanction screening obligations to online game and social media companies. Regulators may impose restrictions or bans on our ability to operate our Developer Exchange Program or on the sale of prepaid gift cards. Any such restrictions or prohibitions may adversely affect our Platform, business, revenue, bookings, and our creators. In the U.S., the SEC, its staff, and similar state regulators have deemed certain virtual currencies to be securities subject to regulation under the federal and state securities laws. While we do not consider Robux to be a regulated virtual currency, money transmission, or security, if Robux were deemed to be subject to such federal or state laws, we may be required to redesign our Platform in a manner that would be disruptive to operations and costly to implement, which may threaten the viability of the Platform. While we do not consider Robux to be a security, if Robux were subject to the federal or state securities laws of the US, we may be required to redesign our Platform considerably, in a manner that would be disruptive to operations and costly to implement, which may threaten the viability of the Platform. We may also be subject to enforcement or other regulatory actions by federal or state regulators, as well as private litigation, which could be costly to resolve. For example, some existing laws regarding the regulation of currency, money transmitters and other financial institutions, and unclaimed property have been interpreted to cover virtual currencies, and could potentially be viewed as covering Robux.
The increased use of interactive entertainment offerings like ours by consumers, including younger consumers, have prompted and may continue to prompt calls for more stringent consumer protection laws and regulations throughout the world that may impose additional burdens on companies such as ours making virtual currencies like Robux available for sale.50Table of ContentsThe increased use of interactive entertainment offerings like ours by consumers, including younger consumers, may prompt calls for more stringent consumer protection laws and regulations throughout the world that may impose additional burdens on companies such as ours making virtual currencies like Robux available for sale. For example, in the EU, consumer regulatory authorities issued the Consumer Protection Guidelines, which are new interpretations of existing law regarding virtual currencies that would treat certain virtual currencies as a representation of value and therefore impose strict disclosure and other requirements on the offer and acquisition of those virtual currencies. The European Commission has also indicated that it will seek to enact new legislation in the near future to provide additional protections for consumers online, including in the context of video games and e-commerce. In the U.K., the ICO has published industry guidance for game developers on how to comply with the AADC, including recommendations relating to in-game purchases, and the U.K. Digital Markets, Competition and Consumers Act also introduces specific obligations regarding transparent pricing and subscription contracts. These regulations and guidance could require us to make changes to our Platform, products, or policies or how we operate our business in certain jurisdictions and could have a material adverse effect on our business, financial condition, or results of operations. Some countries also are considering or have passed legislation requiring local storage and processing of data, or similar requirements, which could increase the cost and complexity of operating our products and services and other aspects of our business. Increased regulatory scrutiny globally may increase compliance obligations and require us to devote legal and other resources and make changes to our Platform to address such regulations or otherwise become subject to fines or other penalties, which may negatively impact our business and results of operations. In addition, the introduction of experiences for users who are 17 and older may cause regulatory agencies to require a higher age rating for our Platform, which could cause us to become less attractive to younger users and harm our business, financial condition and results of operations.
Although we have structured our virtual currency, prepaid gift cards, and Developer Exchange Program with applicable laws and regulations in mind, in some jurisdictions, the application or interpretation of applicable laws and regulations is not clear and a regulator could subject us to monetary fines or other penalties such as a cease and desist order, or we may be required to make product changes, any of which could be unpopular with or burdensome on our users or creators, or could have an adverse effect on our business and financial results. If a relevant regulator disagreed with our analysis of and compliance with applicable laws, we may be required to seek licenses, authorizations, or approvals from those regulators, which may be dependent on us meeting certain capital and other requirements and may subject us to additional regulation and oversight, all of which could significantly increase our operating costs.
49
We are subject to various governmental export control, trade sanctions, and import laws and regulations that require our compliance and may subject us to liability if we violate these controls.
In some cases, our software and experiences are subject to export control laws and regulations, including the Export Administration Regulations administered by the U.S. Department of Commerce, Data Security Program, and trade and economic sanctions, including those administered by OFAC, which we collectively refer to as Trade Control Laws and Regulations. Thus, we are subject to laws and regulations that could limit our ability to offer access or full access to our Platform and experiences to certain persons and in certain countries or territories. For example, certain U.S. laws and regulations administered and enforced by OFAC, may limit our ability to give certain users and creators access to aspects of our Platform and experiences. Trade Control Laws and Regulations are complex and dynamic, and monitoring and ensuring compliance can be challenging. In addition, we rely on our payment processors for compliance with certain of these Trade Control Laws and Regulations, including preventing paid activity by users and creators that attempt to access our Platform from various jurisdictions comprehensively sanctioned by OFAC, including Cuba, Iran, North Korea, and sanctioned regions of Ukraine. In addition, we rely on our payment processors for compliance with certain of these Trade Control Laws and Regulations, including preventing paid activity by users, developers, and creators that attempt to access our Platform from various jurisdictions comprehensively sanctioned by OFAC, including Cuba, Iran, North Korea, Syria, and sanctioned regions of Ukraine. Users and creators from certain of these countries and territories have access to our Platform and experiences and there can be no guarantee we will be found to have been in full compliance with Trade Control Laws and Regulations during all relevant periods. Users, developers, and creators from certain of these countries and territories have access to our Platform and experiences and there can be no guarantee we will be found to have been in full compliance with Trade Control Laws and Regulations during all relevant periods. Any failure by us or our payment processors to comply with the Trade Control Laws and Regulations may lead to violations of the Trade Control Laws and Regulations that could expose us to liability. Additionally, following Russia’s invasion of Ukraine, the U.S. and other countries imposed certain economic sanctions and severe export control restrictions against Russia and Belarus and have continued to strengthen these controls. These countries could continue to increase these sanctions and export restrictions or take other actions that could impact our business. Any failure to comply with applicable laws and regulations could have negative consequences for us, including reputational harm, government investigations, and monetary penalties. Any failure to comply with applicable laws and regulations also could have negative consequences for us, including reputational harm, government investigations, and monetary penalties. In addition, various foreign governments may also impose controls, export license requirements, and/or restrictions applicable to our Platform and experiences.In addition, various foreign governments may also impose controls, export license requirements, and/or restrictions applicable to our Platform and experiences. Compliance with such applicable regulatory requirements may create delays in the introduction of our Platform in some international markets or prevent certain international users and creators from accessing our Platform.
Changes in tax laws and unclaimed property audits by governmental authorities could have a material adverse effect on our business, cash flow, results of operations, or financial conditions.
We are subject to tax laws, regulations, and policies of several taxing jurisdictions. Changes in tax laws, among other factors, may lead to fluctuations in our tax liability, reporting obligations, and effective tax rates. These changes could also adversely affect our tax positions and increase our cost of compliance. For example, on July 4, 2025, the U.S. enacted the One Big Beautiful Bill Act (“OBBBA”), which contains numerous tax reform provisions that we continue to evaluate due to their potential impact on our overall tax strategy. Certain jurisdictions, such as Italy, the U.K., and France, have enacted a digital services tax on certain digital revenue streams, which could subject us to additional tax liabilities. Other jurisdictions, such as Brazil, have enacted or proposed indirect tax reform which may impose value added tax on the sales of electronically supplied services. Other jurisdictions, such as Brazil, have proposed indirect tax reform which may impose value added tax on the sales of electronically supplied services. Further, in response to new or additional U.S. tariffs or taxes, countries may impose retaliatory digital service taxes or other similar measures. Such laws and other attempts to impose taxes on e-commerce activities would likely increase the cost to us of operating our business, discourage potential customers from subscribing to our Platform, or otherwise adversely affect our business, results of operations, or financial condition. In addition, a number of U.S. states, the U.S. federal government, and foreign jurisdictions have implemented and may impose reporting or recording-keeping obligations for digital platforms. These new requirements may require us to modify our data processing and reporting practices and policies, which may cause us to incur substantial costs and expenses to comply with. Any failure by us to comply with these and similar information reporting and withholding obligations could result in substantial liabilities, monetary penalties, and other sanctions, adversely impact our ability to do business in certain jurisdictions, and harm our business.
In addition, the Organisation for Economic Co-operation and Development (the “OECD”) has proposed the OECD/G20 Base Erosion and Profit Shifting Project, which contains a two-pillar solution to address tax challenges arising from the digitalization of the economy. Pillar One would revise existing profit allocation and nexus rules to require profit allocation based on location of sales versus physical presence for certain large multinational businesses, but if implemented, could result in the removal of unilateral digital services tax initiatives described above.
Pillar Two provides for a global minimum tax that establishes a floor for tax competition among jurisdictions. Pillar Two has been implemented into the domestic laws of EU members, among other jurisdictions, and is being considered for implementation by other countries. On January 5, 2026, the OECD announced a side-by-side elective safe harbor that exempts U.S.-parented multinational businesses from certain provisions of Pillar Two for fiscal years beginning on or after January 1, 2026. We currently operate in countries that have digital service taxes and that have enacted all or portions of the Pillar Two framework. Any developments or changes in federal, state, or international tax laws or tax rulings, with respect to the foregoing or otherwise, could adversely affect our compliance costs, effective tax rate, and our operating results. Any developments or changes in federal, state, or international tax laws or tax rulings could adversely affect our compliance costs, effective tax rate, and our operating results.
50
In addition, we are subject to unclaimed property escheat laws which require us to turn over to certain government authorities the property of others held by us that has been unclaimed for a specified period of time. We are subject to state audits with regard to our escheatment practices. The legislation and regulations related to unclaimed property matters tend to be complex and subject to varying interpretations by government authorities. Although we believe that the positions we have taken are reasonable, authorities may challenge certain of the positions we have taken, which may also potentially result in additional liabilities for unclaimed property, interest and penalties in excess of accrued liabilities. An unfavorable resolution of assessments by a governmental authority could have a material adverse effect on our financial condition, results of operations, and cash flows in future periods. If it becomes necessary to implement any of these alternative measures, our business, results of operations, or financial condition could be materially and adversely affected.
We are subject to the Foreign Corrupt Practices Act and similar anti-corruption and anti-bribery laws, and anti-money laundering laws, and non-compliance with such laws can subject us to criminal or civil liability and harm our business, financial condition, and results of operations.
We are subject to the Foreign Corrupt Practices Act, U.S. domestic bribery laws, the UK Bribery Act and other anti-corruption and anti-bribery laws, and anti-money laundering laws in the countries in which we conduct activities. Anti-corruption and anti-bribery laws have been enforced aggressively in recent years and are interpreted broadly to generally prohibit companies, their employees, agents, representatives, business partners, and third-party intermediaries from authorizing, offering, or providing, directly or indirectly, improper payments or benefits to recipients in the public or private sector in order to influence official action, direct business to any person, gain any improper advantage, or obtain or retain business. These laws also require that we keep accurate books and records and maintain internal controls and compliance procedures designed to prevent any such actions.
With regard to our international business, we have engaged with business partners and third-party intermediaries to market our solutions and obtain necessary permits, licenses, and other regulatory approvals. We or our employees, agents, representatives, business partners, or third-party intermediaries have had direct or indirect interactions with officials and employees of government agencies or state-owned or affiliated entities. We can be held liable for the corrupt or other illegal activities of our employees, agents, representatives, business partners, or third-party intermediaries, even if we do not authorize such activities and notwithstanding having policies, training, and procedures designed to address compliance with these laws, we cannot assure you that no violations of our policies or these laws will occur. We can be held liable for the corrupt or other illegal activities of our employees, agents, representatives, business partners or third-party intermediaries, even if we do not authorize such activities and notwithstanding having policies, training, and procedures to address compliance with these laws, we cannot assure you that no violations of our policies or these laws will occur.
Detecting, investigating, and resolving actual or alleged violations of anti-corruption and anti-bribery laws and anti-money laundering laws can require a significant diversion of time, resources, and attention from senior management, as well as significant defense costs and other professional fees. In addition, noncompliance with these laws could subject us to whistleblower complaints, investigations, sanctions, settlements, prosecution, enforcement actions, fines, damages, other civil or criminal penalties or injunctions against us, our officers, or our employees, disgorgement of profits, suspension or debarment from contracting with the U.S. government or other persons, reputational harm, adverse media coverage, and other collateral consequences. If any subpoenas or investigations are launched, or governmental or other sanctions are imposed, or if we do not prevail in any possible civil or criminal proceeding, our reputation, business, financial condition, prospects, results of operations, and the market price of our Class A common stock could be harmed. Responding to any investigation or action will likely result in a materially significant diversion of management’s attention and resources and significant defense costs and other professional fees.
We may incur liability as a result of content published using our Platform or as a result of claims related to content generated by our creators and users, including copyright infringement, and legislation regulating content on our Platform may require us to change our Platform or business practices.•We may incur liability as a result of content published using our Platform or as a result of claims related to content generated by our developers, creators, and users, including copyright infringement, and legislation regulating content on our Platform may require us to change our Platform or business practices.
Our success relies in part on the ability of creators to drive engagement with content that is challenging, engaging, fun, interesting, and novel.Our success relies in part on the ability of developers and creators to drive engagement with content that is challenging, engaging, fun, interesting, and novel. Creators are responsible for clearing the rights to all of the content they upload to our service or physical goods that they make available for sale, but some creators may upload content or link goods that infringes the rights or violates the terms of use of third parties in violation of our terms of use. Developers and creators are responsible for clearing the rights to all of the content they upload to our service, but some developers or creators may upload content that infringes the rights or violates the terms of use of third parties in violation of our Terms of Use. We rely upon legal protections in various jurisdictions to protect us from claims of monetary damages for content that is uploaded to and stored on our system at the direction of our users, or counterfeit goods and copyright-infringing material made available for sale, but those protections may change or disappear over time, increasing our exposure for claims of copyright or other intellectual property infringement. We rely upon legal protections in various jurisdictions to protect us from claims of monetary damages for content that is uploaded to and stored on our system at the direction of our users but those protections may change or disappear over time, increasing our exposure for claims of copyright or other intellectual property infringement. If we should lose or fail to qualify for statutory or other legal protections that immunize us from monetary damages for intellectual property infringement, the damages could be significant and have a material impact on our business. While we have implemented measures designed to limit our exposure to claims of intellectual property infringement, such as our self-serve License Manager which enables our creators to partner with rights holders, intellectual property owners may still allege that we failed to take appropriate measures to prevent infringing activities on our systems, that we turned a blind eye to infringement, or that we facilitated, induced, or contributed to infringement. While we have implemented measures designed to limit our exposure to claims of intellectual property infringement, intellectual property owners may allege that we failed to take appropriate measures to prevent infringing activities on our systems, that we turned a blind eye to infringement, or that we facilitated, induced or contributed to infringement.
51
Even though we are not required to monitor uploaded content for copyright infringement in the U.S., we have chosen to do so through the services of a third-party audio monitoring service. We monitor all uploaded audio recordings in both audio and video files to exclude recordings owned or controlled by the major record labels and any other record labels who provide their music to the third-party audio monitoring service. We now monitor all uploaded sound recordings to exclude recordings owned or controlled by the major record labels and any other record labels who provide their music to the third-party audio monitoring service. These record labels register certain of their content with our service provider. When audio is uploaded to our Platform, we check the service provider’s system to exclude recordings owned or controlled by these record labels from being published on our Platform. If our monitoring proves ineffective, users manage to intentionally evade our detection measures, or we cease to rely upon a third-party monitoring service to exclude certain content from our Platform, our risk of liability may increase.
In the past, certain record companies and music publishers, either directly or through their authorized representatives, claimed that we are subject to liability for allegedly infringing content that was uploaded and may continue to exist on our Platform. We vigorously disputed such claims of infringement by such labels and publishers and reached settlements. However, we could be subject to additional claims in the future. An adverse judgment against us in any such lawsuit could require us to pay damages or settle any claims for an undetermined amount which could harm our reputation and have a material impact on our business, financial condition, or results of operations. An adverse judgment against us in any such lawsuit could require us to settle any claims for an undetermined amount which could have a material impact on our business, financial condition, or results of operations.
We may also be required to enter into license agreements with various licensors, including record labels, music publishers, performing rights organizations, and collective management organizations, to obtain licenses that authorize the storage and use of content uploaded by our users. We may not be able to develop technological solutions to comply with these license agreements on economically reasonable terms and there is no guarantee that we will be able to enter into agreements with all relevant rights holders on terms that we deem reasonable. Compliance may therefore negatively impact our financial prospects.
The EU enacted copyright laws such as the Copyright Directive that came into effect on June 6, 2019, that may require us to use best efforts in accordance with the high industry standards of professional diligence to exclude infringing content from our Platform that may be uploaded by our users. In addition, the monitoring and reporting obligations of the DSA may apply also with respect to intellectual property infringements that would fall outside the scope of the Copyright Directive. In addition, the monitoring and reporting obligations of the DSA may apply also with respect to copyright infringements that would fall outside the scope of the Copyright Directive.
Risks Related to Intellectual Property
Claims by others that we infringe their proprietary technology or other rights, the activities of our users, or the content of the experiences on our Platform could subject us to liability and harm our business.
We have been and may in the future become subject to intellectual property disputes, as well as costs and awards of damages and/or injunctive relief as a result of these disputes, and we are subject to liability for our intellectual property that we license to third parties.We have been and may in the future become subject to intellectual property disputes, and may become subject to liability, costs, and awards of damages and/or injunctive relief as a result of these disputes. Our success depends, in part, on our ability to develop and commercialize our Platform without infringing, misappropriating, or otherwise violating the intellectual property rights of third parties. However, there is no assurance that our technologies or Platform will not be found to infringe, misappropriate, or otherwise violate the intellectual property rights of third parties. We also have entered into agreements with third parties to manufacture and distribute merchandise based on user content on our Platform, and there is a possibility that such content could be found to be infringing. We also have agreements with third parties to manufacture and distribute merchandise based on user content on our Platform, and there is a possibility that such content could be found to be infringing. Lawsuits are time consuming and expensive to resolve and they divert management’s time and attention. Lawsuits are time-consuming and expensive to resolve and they divert management’s time and attention. Further, because of the substantial amount of discovery required in connection with intellectual property litigation, we risk compromising our confidential information during this type of litigation. Companies in the internet, technology, and gaming industries own large numbers of patents, copyrights, trademarks, domain names, and trade secrets and frequently enter into litigation based on allegations of infringement, misappropriation, or other violations of intellectual property or other rights. As we face increasing competition and gain a higher profile, the possibility of intellectual property rights and other claims against us grows. Our technologies may not be able to withstand any third-party claims against their use. In addition, many companies have the capability to dedicate substantially greater resources to enforce their intellectual property rights and to defend claims that may be brought against them.
52
We have a number of issued patents. We have also filed a number of additional U.S. and foreign patent applications, but these applications may not successfully result in issued patents. Any patent litigation against us may involve patent holding companies or other adverse patent owners that have no relevant product revenue, and therefore, our patents and patent applications may provide little or no deterrence as we would not be able to reach meaningful damages if we assert them against such entities or individuals. If a third party is able to obtain an injunction preventing us from exercising intellectual property rights, or if we cannot license or develop alternative technology for any infringing aspect of our business, we could be forced to limit or cease access to our Platform or cease business activities related to such intellectual property. If a third party is able to obtain an injunction preventing us from accessing or exercising intellectual property rights, or if we cannot license or develop alternative technology for any infringing aspect of our business, we could be forced to limit or cease access to our Platform or cease business activities related to such intellectual property. In addition, we may need to settle litigation and disputes on terms that are unfavorable to us. We may be required to make substantial payments for legal fees, settlement fees, damages, royalties, license, or other fees in connection with a claimant securing a judgment against us. Although we carry general liability insurance, our insurance may not cover potential claims of this type or may not be adequate to cover all liability that may be imposed. We cannot predict the outcome of lawsuits and cannot ensure that the results of any such actions will not negatively affect our business, financial condition, or results of operations. We cannot predict the outcome of lawsuits and cannot ensure that the results of any such actions will not have an adverse effect on our business, financial condition, or results of operations. Any intellectual property claim asserted against us, or for which we are required to provide indemnification, may require us to cease selling or using or to recall products that incorporate the intellectual property rights that we allegedly infringe, misappropriate, or violate; make substantial payments for legal fees, settlement payments, or other costs or damages; obtain a license, which may not be available on reasonable terms or at all, to sell or use the relevant technology; or redesign or rebrand the allegedly infringing products to avoid infringement, misappropriation, or violation, which could be costly, time-consuming, or impossible. Any intellectual property claim asserted against us, or for which we are required to provide indemnification, may require us to cease selling or using or recall products that incorporate the intellectual property rights that we allegedly infringe, misappropriate, or violate; make substantial payments for legal fees, settlement payments, or other costs or damages; obtain a license, which may not be available on reasonable terms or at all, to sell or use the relevant technology; or redesign or rebrand the allegedly infringing products to avoid infringement, misappropriation, or violation, which could be costly, time-consuming, or impossible.
Furthermore, certain federal statutes in the U.S. may apply to us with respect to various activities of our users, including the Digital Millennium Copyright Act of 1998 (“DMCA”) and Section 230 of the Communications Decency Act (“CDA”). For example, we filter communications to eliminate speech we determine to be offensive based on our objective of creating a civil and safe place for all users. Bills have recently been proposed in Congress calling for a range of changes to Section 230 which include a complete repudiation of the statute to modifications of it in such a way as to remove certain social media companies from its protection. Bills have recently been proposed in Congress calling for a range of changes to Section 230 of the CDA which include a complete repudiation of the statute to modifications of it in such a way as to remove certain social media companies from its protection. The FCC may also consider reforms to Section 230, which could include taking action to limit the scope of Section 230 and certain liability protections provided to online service providers and other entities. If Section 230 were so repealed, amended, or modified by judicial determination, we could potentially be subject to liability if we continue to censor speech, even if that speech were offensive to our users, or we could experience a decrease in user activity and revenues if we are unable to maintain a safe environment for our users if certain blocking and screening activities are prohibited by law. If Section 230 of the CDA were so repealed, amended, or modified by judicial determination we could potentially be subject to liability if we continue to censor speech, even if that speech were offensive to our users, or we could experience a decrease in user activity and revenues if we are unable to maintain a safe environment for our users if certain blocking and screening activities are prohibited by law. In addition, certain states have either passed or are debating laws that would create potential liability for moderating or removing certain user content. While we believe these laws are of dubious validity under the U.S. Constitution and in light of Section 230, they nevertheless present some risk to our content-moderation efforts going forward.
While we rely on a variety of statutory and common-law frameworks and defenses, including those provided by the DMCA, the CDA, the fair-use doctrine in the U.S., and the DSA in the EU, differences between statutes, limitations on immunity, requirements to maintain immunity, and moderation efforts in the many jurisdictions in which we operate may affect our ability to rely on these frameworks and defenses, or create uncertainty regarding liability for information or content uploaded by creators or users or otherwise contributed by third parties to our Platform. As an example, Article 17 of the Directive on Copyright in the Digital Single Market was passed in the EU, which affords copyright owners some enforcement rights that may conflict with U.S. safe harbor protections afforded to us under the DMCA. In countries in Asia and Latin America, generally there are no similar statutes to the CDA or the DSA. The laws of countries in Asia and Latin America generally provide for direct liability if a platform is involved in creating such content or has actual knowledge of the content without taking action to take it down. Further, laws in some Asian countries also provide for primary or secondary liability, which can include criminal liability, if a platform fails to take sufficient steps to prevent such content from being uploaded. Although these and other similar legal provisions provide limited protections from liability for platforms like ours, if we are found not to be protected by the safe harbor provisions of the DMCA, CDA, or other similar laws, or if we are deemed subject to laws in other countries that may not have the same protections or that may impose more onerous obligations on us, including Article 17, we may owe substantial damages, and our brand, reputation, and financial results may be harmed. Although these and other similar legal provisions provide limited protections from liability for platforms like ours, if we are found not to be protected by the safe harbor provisions of the DMCA, CDA or other similar laws, or if we are deemed subject to laws in other countries that may not have the same protections or that may impose more onerous obligations on us, including Article 17, we may owe substantial damages and our brand, reputation, and financial results may be harmed.
Additionally, we have incorporated, and are continuing to develop and deploy, AI in our products and the operations of our business. Any content used to create, or created by using, generative AI tools and products may not be subject to copyright protection, the determination of which may adversely affect our intellectual property rights in, or ability to deploy, commercialize or use, such tools and products or the underlying content. In the U.S., a number of companies have faced civil lawsuits related to the foregoing and other issues, the outcome of any one of which may, among other things, require us to limit the ways in which we use AI in our business. In addition, regulatory obligations may require us to modify our practices with respect to intellectual property used in AI development. In addition to lawsuits and regulations focused on the AI service providers and deployers themselves, our use of output produced by generative AI tools may also expose us to claims, increasing our risks of liability. While AI-related lawsuits to date have generally focused on the AI service providers themselves, our use of any output produced by generative AI tools may expose us to claims, increasing our risks of liability.
Even if claims do not result in litigation or are resolved in our favor, these claims, and the time and resources necessary to resolve them, could divert the resources of our management and harm our business and operating results.Even if the claims do not result in litigation or are resolved in our favor, these claims, and the time and resources necessary to resolve them, could divert the resources of our management and harm our business and operating results. Moreover, there could be public announcements of the results of hearings, motions, or other interim proceedings or developments, and if securities analysts or investors perceive these results to be negative, it could negatively affect the market price of our Class A common stock. Moreover, there could be public announcements of the results of hearings, motions or other interim proceedings or developments and if securities analysts or investors perceive these results to be negative, it could have a substantial adverse effect on the price of our Class A common stock. We expect that the occurrence of asserted infringement claims will grow as the market for our Platform grows. We expect that the occurrence of infringement claims is likely to grow as the market for our Platform grows. Accordingly, our exposure to damages resulting from infringement claims could increase, and this could further exhaust our financial and management resources.
53
Indemnity provisions in various agreements potentially expose us to substantial liability for intellectual property infringement and other losses.
Some of our agreements with third parties include indemnification provisions under which we agree to indemnify these third parties for losses suffered or incurred as a result of claims of intellectual property infringement, or other liabilities relating to or arising from our software, services, Platform, or other contractual obligations. Large indemnity payments could harm our business, results of operations, and financial condition. Although we typically contractually limit our liability with respect to such indemnity obligations, those limitations may not be fully enforceable in all situations, and we may still incur substantial liability under the applicable agreements. Although we normally contractually limit our liability with respect to such indemnity obligations, those limitations may not be fully enforceable in all situations, and we may still incur substantial liability under those agreements. Any dispute with a third-party with respect to such obligations could negatively affect our relationship with such a party and harm our business and results of operations. Any dispute with a third-party with respect to such obligations could have adverse effects on our relationship with such party and harm our business and results of operations.
Failure to protect or enforce our intellectual property rights or the costs involved in such enforcement would harm our business.55Table of ContentsFailure to protect or enforce our intellectual property rights or the costs involved in such enforcement would harm our business.
Our success depends to a significant degree on our ability to obtain, maintain, protect, and enforce our intellectual property rights, including our proprietary software technology, know-how, and brand. We rely on a combination of trademarks, trade secret laws, patents, copyrights, service marks, contractual restrictions, and other intellectual property laws and confidentiality procedures to establish and protect our proprietary rights. However, the steps we take to obtain, maintain, protect, and enforce our intellectual property rights may be inadequate. We will not be able to protect our intellectual property rights if we are unable to enforce our rights or if we do not detect unauthorized use of our intellectual property rights. If we fail to protect our intellectual property rights adequately, or fail to continuously innovate and advance our technology, our competitors could gain access to our proprietary technology and develop and commercialize substantially identical products, services, or technologies. In addition, defending our intellectual property rights might entail significant expense and may not ultimately be successful.
Further, any patents, trademarks, or other intellectual property rights that we have or may obtain may be challenged or circumvented by others or invalidated or held unenforceable through administrative processes, including re-examination, inter partes review, interference and derivation proceedings, and equivalent proceedings in foreign jurisdictions, such as opposition proceedings or litigation. In addition, despite our pending patent and trademark applications, there is no assurance that our patent and trademark applications will result in issued patents and trademarks. In addition, despite our pending patent applications, there is no assurance that our patent applications will result in issued patents. Even if we continue to seek patent and trademark protection in the future, we may be unable to obtain or maintain patent and trademark protection for our technology and brands. Even if we continue to seek patent protection in the future, we may be unable to obtain or maintain patent protection for our technology. In addition, any patents and trademarks issued from pending or future patent and trademark applications or licensed to us in the future may not provide us with competitive advantages or may be successfully challenged by third parties. In addition, any patents issued from pending or future patent applications or licensed to us in the future may not provide us with competitive advantages, or it may be successfully challenged by third parties. Furthermore, legal standards relating to the validity, enforceability, and scope of protection of intellectual property rights are uncertain. Despite our precautions, it may be possible for unauthorized third parties to copy our Platform and use information that we regard as proprietary to create products that compete with ours. Patent, trademark, copyright, and trade secret protection may not be available to us in every country in which our products are available. The value of our intellectual property could diminish if others assert rights in or ownership of our trademarks and other intellectual property rights, or trademarks that are similar to our trademarks. We may be unable to successfully resolve these types of conflicts to our satisfaction. In some cases, litigation or other actions may be necessary to protect or enforce our trademarks and other intellectual property rights. In addition, the laws of some foreign countries may not be as protective of intellectual property rights as those in the U.S., and mechanisms for enforcement of intellectual property rights may be inadequate. As we expand our global activities, our exposure to unauthorized copying and use of our Platform and proprietary information will likely increase.
We rely, in part, on trade secrets, proprietary know-how, and other confidential information to maintain our competitive position. While we enter into confidentiality and invention assignment agreements with our employees and consultants and enter into confidentiality agreements with other third parties, including suppliers and other partners, we cannot guarantee that we have entered into such agreements with every entity that has or may have had access to our proprietary information, know-how, and trade secrets or that has or may have developed intellectual property in connection with an engagement with us. While we enter into confidentiality and invention assignment agreements with our employees and consultants and enter into confidentiality agreements with other third parties, including suppliers and other partners, we cannot guarantee that we have entered into such agreements with each party that has or may have had access to our proprietary information, know-how and trade secrets or that has or may have developed intellectual property in connection with their engagement with us. Moreover, there are no assurances that these agreements will be effective in controlling access to, distribution, use, misuse, misappropriation, reverse engineering, or disclosure of our proprietary information, know-how, and trade secrets. Further, these agreements may not prevent our competitors from independently developing technologies that are substantially equivalent or superior to our Platform. These agreements may be breached, and we may not be able to detect any such breach and may not have adequate remedies for any such breach even if we know about it.
54
We use open source software as part of, and in connection with certain experiences on, our Platform, which may pose particular intellectual property and security risks to and could have a negative impact on our business.
We have and intend to continue to incorporate open source software in our codebase and our Platform. Some open source software licenses require users who make available open source software as part of their proprietary software to publicly disclose all or part of the source code to such proprietary software or make available any derivative works of such software free of charge, under open source licensing terms which would make it difficult to monetize such software and to protect and enforce our related intellectual property rights. Some open source software licenses require users who make available open source software as part of their proprietary software to publicly disclose all or part of the source code to such proprietary software or make available any derivative works of such software free of charge, under open source licensing terms. Licensors of open source software included in our products may, from time to time, modify the terms of their license agreements in such a manner that those license terms may become incompatible with our business model and thus could, among other consequences, prevent us from incorporating the software subject to the modified license. Certain open source projects also include other open source software and there is a risk that those dependent open source libraries may be subject to incompatible licensing terms. In addition, some open source software may include output from generative AI software or other software that incorporates or relies on generative AI or other AI technologies. Software produced by generative AI may infringe the rights of others. In addition, the use of such open source software may expose us to risks as the intellectual property ownership and use rights of software produced by generative AI have not been fully interpreted by U.S. or international courts or been fully addressed by federal or state regulation or those of other international legal jurisdictions in which we do business. This could create further uncertainties as to the governing terms for the open source software we incorporate.
Were it determined that our use of open source software was not in compliance with a particular license or our use is found to trigger certain obligations under a particular license, we may lose our rights to the open source software, be required to release our proprietary source code, defend claims, pay damages for breach of contract or copyright infringement, grant licenses to our patents, re-engineer our games, products, or Platform, discontinue distribution in the event re-engineering cannot be accomplished on a timely basis, or take other remedial action that may divert resources away from our product development efforts, any of which could negatively impact our business.47Table of ContentsGovernmental agencies in any of the countries in which we, our users, developers, or creators are located from time to time seek to and could seek to block access to, impose restrictions on, or require a license for our Platform, our website, operating system platforms, application stores or the internet generally for a number of reasons, including cybersecurity, privacy, data protection, confidentiality, or regulatory concerns which may include, among other things, governmental restrictions on certain content in a particular country, requirements to establish a local presence in a particular jurisdiction, and a requirement that user information be stored on servers in a country within which we operate. Open source compliance problems can also result in damage to reputation and challenges in recruitment or retention of engineering personnel.
We have certain policies and procedures in place to monitor our use of open-source software that are designed to avoid subjecting our Platform to adverse open source licensing conditions. However, the terms of various open source licenses have not been interpreted by courts, and there is a risk that such licenses could be construed in a manner that imposes unanticipated conditions or restrictions on our use of or monetization of the open source software. The terms of various open source licenses have not been interpreted by courts, and there is a risk that such licenses could be construed in a manner that imposes unanticipated conditions or restrictions on our use of the open source software. We may from time to time face claims from third parties claiming ownership of, or demanding release of, the software or derivative works that we developed using such open source software, which could include proprietary portions of our source code, or otherwise seeking to enforce the terms of the applicable open source licenses. Enforcement activity for open source licenses can be unpredictable and the terms of open source licenses can often be ambiguous. Enforcement activity for open source licenses can also be unpredictable. These claims could result in litigation and require us to make those proprietary portions of our source code freely available, purchase a costly license, make it difficult to monetize our products, or cease offering the implicated software or services unless and until we can re-engineer to no longer use the applicable open source software. This re-engineering process could require significant additional research and development resources and we may not be able to complete it successfully.
Additionally, although we devote significant resources to ensuring the security of our use of open source software on our Platform and in our systems, we cannot ensure that these security measures will be sufficient to prevent or mitigate the damage caused by a cybersecurity incident or network disruption, and our open source software may be vulnerable to hacking, insider threats, employee error or manipulation, theft, system malfunctions, or other adverse events.Additionally, although we devote significant resources to ensuring the security of our use of open source software on our Platform, we cannot ensure that these security measures will be sufficient to prevent or mitigate the damage caused by a cybersecurity incident or network disruption, and our open source software may be vulnerable to hacking, insider threats, employee error or manipulation, theft, system malfunctions, or other adverse events. The use of third-party open source software can lead to greater risks than the use of third-party commercial software, as open source licensors generally do not provide warranties, indemnities, or other contractual protections with respect to the software (for example, non-infringement or functionality), and the source code is available for any bad actors to search for vulnerabilities. We have taken steps to protect the data that we have access to, but despite these efforts, our security measures, or those of our third-party service providers, could be insufficient or breached as a result of third-party action, malfeasance, employee errors, service provider errors, technological limitations, defects or vulnerabilities in our Platform or otherwise. There is typically no support available for open source software, and we cannot ensure that the authors of such open source software will implement or push updates to address security risks or will not abandon further development and maintenance. Any of these risks could be difficult to eliminate or manage and if not addressed, could have a negative effect on our business, results of operations, and financial condition.
Risks Related to Ownership of our Class A Common Stock
The market price of our Class A common stock has fluctuated and could decline regardless of our operating performance.
The market price of our Class A common stock has fluctuated, and may continue to fluctuate in response to various factors, including those listed in this Annual Report on Form 10-K, some of which are beyond our control and unrelated to our operating performance. If that were to happen, our investors could lose confidence in our reported financial information, the trading price of our Class A common stock could decline, and we could be subject to sanctions or investigations by the SEC or other regulatory authorities. These fluctuations could cause you to lose all or part of your investment in our Class A common stock since you might be unable to sell your shares at or above the price you paid. Factors that could cause fluctuations in the market price of our Class A common stock include the following:
•the number of shares of our Class A common stock made available for trading;
55
•sales or expectations with respect to sales of shares of our Class A common stock by holders of our Class A common stock including our directors, officers, and significant holders;
•price and volume fluctuations in the overall stock market from time to time;
•volatility in the trading prices and trading volumes of technology stocks;
•changes in operating performance and stock market valuations of other technology companies generally, or those in our industry in particular;
•failure of securities analysts to maintain coverage of us, changes in financial estimates by securities analysts who follow us, or our failure to meet these estimates or the expectations of investors;
•any plans we may have to provide or not provide disclosure about certain key metrics, financial guidance, or projections, which may increase the probability that our financial results are perceived as not in line with analysts’ expectations;
•if we do provide disclosure about certain key metrics, financial guidance, or projections, any changes to such reported items due to changes in our methodology or underlying assumptions for those items and with respect to timing or our failure to meet those projections;
•announcements by us or our competitors of new services or Platform features;
•the public’s reaction to our press releases, other public announcements, and filings with the SEC;
•rumors, market speculation, and media reports involving us or other companies in our industry;
•actual or anticipated changes in our results of operations or fluctuations in our results of operations;
•actual or anticipated developments in our business, our competitors’ businesses, or the competitive landscape generally;
•litigation involving us, our industry or both, or investigations by regulators into our operations or those of our competitors;
•actual or perceived privacy or security breaches or other incidents;
•developments or disputes concerning our intellectual property or other proprietary rights;
•announced or completed acquisitions of businesses, services, or technologies by us or our competitors;
•new laws or regulations, public expectations regarding new laws or regulations or new interpretations of existing laws or regulations applicable to our business;
•changes in accounting standards, policies, guidelines, interpretations, or principles;
•any significant change in our management or other key personnel;
•other events or factors, including those resulting from geopolitical conflicts such as in Ukraine and the Middle East, incidents of terrorism, pandemics, or wildfires, earthquakes, or severe weather and power outages or responses to these events; and
•general economic conditions and slow or negative growth of our markets.
In addition, stock markets, and the market for technology companies in particular, have experienced price and volume fluctuations that have affected and continue to affect the market prices of equity securities of many companies. Stock prices of many companies, including technology companies, have fluctuated in a manner often unrelated to the operating performance of those companies. In the past, following periods of volatility in the overall market and the market price of a particular company’s securities, securities class action litigation has often been instituted against these companies. This litigation, if instituted against us, could result in substantial costs and a diversion of our management’s attention and resources. In addition, we may be subject to stockholder activism, which can lead to additional substantial costs, distract management, and impact the manner in which we operate our business in ways we cannot currently anticipate.
Third parties also regularly publish data about us and other mobile, gaming, and social platform companies with respect to DAUs, revenue, bookings, top experience, game charts, hours engaged, and other information concerning application usage. In addition, third parties regularly publish data about us and other mobile, gaming, and social platform companies with respect to DAUs, revenue, bookings, top experience, or game charts, hours engaged and other information concerning social game application usage. These metrics are proprietary to the provider, and in many cases do not accurately reflect the actual levels of bookings, revenue, or usage of our experiences across all platforms. There is a possibility that third parties could change their methodologies for calculating these metrics in the future. For example, short sellers have and may in the future publish reports relying in part on such metrics. These reports appear intended to decrease the price of our Class A common stock and have resulted in and may result in claims, litigation, or investigations due to any published allegations by shareholders, regulators, and others. To the extent that securities analysts or investors base their views of our business or prospects on such third-party data, including reports of short sellers, the price of our Class A common stock may be volatile and may not reflect the performance of our business. To the extent that securities analysts or investors base their views of our business or prospects on such third-party data, the price of our Class A common stock may be volatile and may not reflect the performance of our business.
56
The dual class stock structure of our common stock has the effect of concentrating voting control in David Baszucki, our Founder, President, CEO, and Chair of our Board of Directors, which limits or precludes your ability to influence corporate matters, including the election of directors and the approval of any change of control transaction.
Our Class B common stock has 20 votes per share, and our Class A common stock has one vote per share. Our Founder, President, CEO, Chair of our Board of Directors, and largest stockholder, David Baszucki, and his affiliates, beneficially own 100% of our outstanding Class B common stock, together as a single class, representing a substantial percentage of the voting power of our capital stock, which voting power may increase over time as Mr. Baszucki exercises or vests in his equity awards. Mr. Baszucki and his affiliates could exert substantial influence over matters requiring approval by our stockholders. This concentration of ownership may limit or preclude your ability to influence corporate matters for the foreseeable future, including the election of directors, amendments of our organizational documents, and any merger, consolidation, sale of all or substantially all of our assets, or other major corporate transaction requiring stockholder approval. In addition, this may prevent or discourage unsolicited acquisition proposals or offers for our capital stock that you may believe are in your best interest as one of our stockholders. We believe we are eligible for, but do not intend to take advantage of, the “controlled company” exemption to the corporate governance rules for NYSE-listed companies. The dual class structure of our common stock may trigger actions or publications by stockholder advisory firms or institutional investors critical of our corporate governance practices or capital structure, which could result in the trading price of our Class A common stock being adversely affected. In May 2025, we completed our reincorporation from a Delaware corporation to a Nevada corporation. Nevada law and provisions in our articles of incorporation and bylaws could make a merger, tender offer, or proxy contest difficult, thereby depressing the market price of our Class A common stock.
Nevada law and provisions in our articles of incorporation and bylaws could make a merger, tender offer, or proxy contest difficult, thereby depressing the market price of our Class A common stock.
In May 2025, we completed our reincorporation from a Delaware corporation to a Nevada corporation governed by Chapter 78 and the other applicable provisions of the Nevada Revised Statutes (“NRS”). Nevada’s “combinations with interested stockholders” statutes (NRS 78.411 through 78.444, inclusive) prohibit specified types of business “combinations” between certain Nevada corporations and any person deemed to be an “interested stockholder” for two years after such person first becomes an “interested stockholder” unless the corporation’s board of directors approves, in advance, either the combination or the transaction by which such person becomes an “interested stockholder,” or unless the combination is approved by the board of directors and sixty percent of the corporation’s voting power not beneficially owned by the interested stockholder, its affiliates, and associates. Further, in the absence of prior approval, certain restrictions may apply even after such two-year period. However, these statutes do not apply to any combination of a corporation and an interested stockholder after the expiration of four years after the person first became an interested stockholder. For purposes of these statutes, an “interested stockholder” is any person who is (1) the beneficial owner, directly or indirectly, of ten percent or more of the voting power of the outstanding voting shares of the corporation, or (2) an affiliate or associate of the corporation and at any time within the two previous years was the beneficial owner, directly or indirectly, of ten percent or more of the voting power of the then outstanding shares of the corporation. The definition of the term “combination” is sufficiently broad to cover most significant transactions between a corporation and an “interested stockholder.” These statutes generally apply to Nevada corporations with 200 or more stockholders of record. However, a Nevada corporation may elect in its articles of incorporation not to be governed by these particular laws, but if such election is not made in the corporation’s original articles of incorporation or in an amendment effective prior to the company having 200 or more stockholders of record, then the amendment (1) must be approved by the affirmative vote of the holders of stock representing a majority of the outstanding voting power of the corporation not beneficially owned by interested stockholders or their affiliates and associates, and (2) is not effective until 18 months after the vote approving the amendment and does not apply to any combination with a person who first became an interested stockholder on or before the effective date of the amendment. We have expressly elected not to be governed by these provisions in our articles of incorporation, so they do not apply to us.
In addition, our articles of incorporation and bylaws contain provisions that may make the acquisition of our company more difficult, including the following:
•certain amendments to our articles of incorporation or our bylaws will require the approval of at least 66 2/3% of our then-outstanding voting power, voting together as a single class;
•our Board of Directors is classified into three classes of directors with staggered three-year terms and stockholders will only be able to remove directors from office for cause and with the affirmative vote of the holders of not less than two-thirds (2/3) of the voting power of our then-outstanding capital stock entitled to vote in the election of directors;
•upon the conversion of our Class B common stock into Class A common stock (such that we have a single class of common stock), our stockholders will only be able to take action at a meeting of stockholders and will not be able to take action by written consent for any matter, and prior to the conversion of our Class B common stock into Class A common stock, our stockholders may only take action by written consent and without a meeting if the action is first recommended or approved by our Board of Directors;
•our articles of incorporation do not provide for cumulative voting;
57
•vacancies on our Board of Directors may be filled only by our Board of Directors and not by stockholders;
•a special meeting of our stockholders may only be called by the chairperson of our Board of Directors, our CEO, our President, or a majority of our Board of Directors;
•certain litigation against us can only be brought in courts of our state of incorporation;
•our articles of incorporation authorize 100 million shares of undesignated preferred stock, the terms of which may be established and shares of which may be issued, in each case by our Board of Directors without further action by our stockholders; and
•advance notice procedures apply for stockholders to nominate candidates for election as directors or to bring matters before an annual meeting of stockholders.
These provisions, alone or together, could discourage, delay, or prevent a transaction involving a change in control of our company. These provisions could also discourage proxy contests and make it more difficult for stockholders to elect directors of their choosing and to cause us to take other corporate actions they desire, any of which, under certain circumstances, could limit the opportunity for our stockholders to receive a premium for their shares of our Class A common stock, and could also affect the price that some investors are willing to pay for our Class A common stock.
Our bylaws provide that the Eighth Judicial District Court of Clark County, Nevada and the federal district courts of the United States will be the exclusive forums for substantially all disputes between us and our stockholders, which could limit our stockholders’ ability to obtain a favorable judicial forum for disputes with us or our directors, stockholders, officers, or employees.59Table of ContentsOur amended and restated bylaws provide that the Court of Chancery of the State of Delaware and the federal district courts of the United States will be the exclusive forums for substantially all disputes between us and our stockholders, which could limit our stockholders’ ability to obtain a favorable judicial forum for disputes with us or our directors, officers, or employees.
Our bylaws provide that, following our reincorporation from a Delaware corporation to a Nevada corporation, the Eighth Judicial District Court of Clark County, Nevada (or, if such court does not have jurisdiction, another state district court in Nevada) is the exclusive forum for any action, suit, or proceeding, whether civil, administrative, or investigative (except for any claim as to which such court determines that there is an indispensable party not subject to the jurisdiction of such court (and the indispensable party does not consent to the personal jurisdiction of such court following such determination)):
•brought derivatively on our behalf;
•asserting a claim for breach of a fiduciary duty or other duty owed by any current or former director, stockholder, officer, or other employee or fiduciary of our company to us or our stockholders;
•for any internal action (as defined in NRS 78.046) including any action asserting a claim against us arising pursuant to any provision of NRS Chapters 78 or 92A, our articles of incorporation or our bylaws (as either may be amended from time to time), any agreement entered into pursuant to NRS 78.365, or as to which the NRS confers jurisdiction on the district court of the State of Nevada;
•to interpret, apply, enforce, or determine the validity of our articles of incorporation or our bylaws; and
•asserting a claim governed by the internal affairs doctrine.
This provision would not apply to suits prior to completion of our reincorporation from a Delaware corporation to a Nevada corporation, which will continue to be subject to the Court of Chancery of the State of Delaware. It would also not apply to suits brought to enforce any direct claim asserted under the Securities Exchange Act of 1934, as amended (the “Exchange Act”). In the event that the Eighth Judicial District Court of Clark County, Nevada does not have jurisdiction over any such action, suit, or proceeding, then any other state district court located in the State of Nevada shall be the sole and exclusive forum therefor.
Our bylaws further provide that the federal district courts of the U.S. will be the exclusive forum for resolving any claim asserting a cause of action arising under the Securities Act. These exclusive-forum provisions may limit a stockholder’s ability to bring a claim in a judicial forum that it finds favorable for disputes with us or our directors, stockholders, officers, or other employees, which may discourage lawsuits against us and our directors, stockholders, officers, and other employees. These exclusive-forum provisions may limit a stockholder’s ability to bring a claim in a judicial forum that it finds favorable for disputes with us or our directors, officers, or other employees, which may discourage lawsuits against us and our directors, officers, and other employees. Any person or entity purchasing or otherwise acquiring any interest in any of our securities shall be deemed to have notice of and consented to these provisions. There has been uncertainty as to whether a court would enforce such provisions, and the enforceability of similar choice of forum provisions in other companies’ charter documents in Delaware has been challenged in legal proceedings; however, Nevada law (specifically, NRS 78.046) expressly permits the articles of incorporation or bylaws of a corporation, to the extent not inconsistent with any applicable jurisdictional requirements and the laws of the U.S., to include such provisions. We also note that stockholders cannot waive compliance (or consent to noncompliance) with the federal securities laws and the rules and regulations thereunder. It is possible that a court could find these types of provisions to be inapplicable or unenforceable, and if a court were to find either exclusive-forum provision in our bylaws to be inapplicable or unenforceable in an action, we may incur additional costs associated with resolving the dispute in other jurisdictions, which could significantly harm our business. It is possible that a court could find these types of provisions to be inapplicable or unenforceable, and if a court were to find either exclusive-forum provision in our amended and restated bylaws to be inapplicable or unenforceable in an action, we may incur additional costs associated with resolving the dispute in other jurisdictions, which could significantly harm our business.
58
Our articles of incorporation include a jury trial waiver that could limit the ability of our stockholders to bring or demand a jury trial for internal actions.
Our articles of incorporation provide that, to the fullest extent permitted by the NRS and not inconsistent with any applicable laws of the U.S., any and all internal actions (as defined in NRS 78.046) to be tried in any court of the State of Nevada must be tried before the presiding judge as the trier of fact, and not before a jury. Our articles of incorporation further provide that this requirement operates as a waiver of the right of trial by jury by each party to any internal action to which such requirement applies. However, this requirement does not limit or otherwise affect our stockholders’ right to a jury trial in any action, suit or proceeding that is not an internal action. This waiver is expressly authorized by statute in an amendment to NRS 78.046 enacted in May 2025 pursuant to Assembly Bill No. 239 adopted by the Nevada legislature, but the enforceability of this waiver has not yet been adjudicated in a court of competent jurisdiction.
We do not expect to pay dividends or other distributions in the foreseeable future.We do not expect to pay dividends in the foreseeable future.
We have never declared nor paid cash dividends or other distributions on our capital stock.We have never declared nor paid cash dividends on our capital stock. We currently intend to retain any future earnings to finance the operation and expansion of our business, and we do not anticipate declaring or paying any dividends or other distributions to holders of our capital stock in the foreseeable future. We currently intend to retain any future earnings to finance the operation and expansion of our business, and we do not anticipate declaring or paying any dividends to holders of our capital stock in the foreseeable future. Consequently, you may need to rely on sales of our Class A common stock after price appreciation, which may never occur, as the only way to realize any future gains on your investment.
Risks Related to our Indebtedness
We may not be able to generate sufficient cash to service our debt and other obligations, including our obligations under the 2030 Notes.
Our ability to make payments on our indebtedness, including the 2030 Notes, and our other obligations will depend on our financial and operating performance, which is subject to prevailing economic and competitive conditions and to certain financial, business, and other factors beyond our control. We cannot assure you that we will maintain a level of cash flows from operating activities sufficient to permit us to pay the principal, premium, if any, and interest on our indebtedness, including the 2030 Notes, and other obligations.
If we are unable to service our debt and other obligations from cash flows, we may need to refinance or restructure all or a portion of our debt obligations prior to maturity.60Table of ContentsIf we are unable to service our debt and other obligations from cash flows, we may need to refinance or restructure all or a portion of our debt obligations prior to maturity. Our ability to refinance or restructure our debt and other obligations will depend on various factors, including the condition of the capital markets and our financial condition at such time. Any refinancing or restructuring could be at higher interest rates, less favorable terms, or may require us to comply with more onerous covenants, which could further restrict our business operations. If our cash flows are insufficient to service our debt and other obligations, we may not be able to refinance or restructure any of these obligations on commercially reasonable terms or at all. Any refinancing or restructuring could have a material adverse effect on our business, results of operations, or financial condition.
If our cash flows are insufficient to fund our debt and other obligations and we are unable to refinance or restructure these obligations, we could face substantial liquidity problems and may be forced to reduce or delay investments and capital expenditures, or to sell material assets or operations to meet our debt and other obligations. We cannot assure you that we would be able to implement any of these alternative measures on satisfactory terms (if at all) or that the proceeds from such alternatives would be adequate to meet any debt or other obligations then due. If it becomes necessary to implement any of these alternative measures, our business, results of operations, or financial condition could be materially and adversely affected.
Our indebtedness could have adverse consequences to us.
Our indebtedness could have adverse consequences to us, including the following:
•making it more difficult for us to satisfy our obligations with respect to the 2030 Notes and our other indebtedness;
•requiring us to dedicate a substantial portion of our cash flow from operations to debt service payments on our and our subsidiaries’ debt, which reduces the funds available for working capital, capital expenditures, acquisitions, and other general corporate purposes;
•requiring us to comply with restrictive covenants in the Indenture, which limit the manner in which we conduct our business;
•limiting our flexibility in planning for, or reacting to, changes in the industry in which we operate;
•placing us at a competitive disadvantage compared to any of our less leveraged competitors;
•increasing our vulnerability to both general and industry-specific adverse economic conditions; and
59
•limiting our ability to obtain additional debt or equity financing to fund future working capital, capital expenditures, acquisitions, or other general corporate requirements and increasing our cost of borrowing.
General Risks
If we are unable to maintain effective disclosure and internal controls over financial reporting, our ability to produce timely and accurate financial statements or comply with applicable regulations may be impaired.
We are subject to the reporting requirements of the Exchange Act, the Sarbanes-Oxley Act, and the rules and regulations of the listing standards of the NYSE.We are subject to the reporting requirements of the Securities Exchange Act of 1934, as amended (“the Exchange Act”), the Sarbanes-Oxley Act, and the rules and regulations of the listing standards of the NYSE. The Sarbanes-Oxley Act requires, among other things, that we maintain effective disclosure controls and procedures and internal control over financial reporting. Our disclosure controls and other procedures are designed to ensure that information required to be disclosed by us in the reports that we will file with the SEC is recorded, processed, summarized, and reported within the time periods specified in SEC rules and forms and that information required to be disclosed in reports under the Exchange Act is accumulated and communicated to our principal executive and financial officers.
Our current controls and any new controls that we develop may become inadequate because of changes in conditions in our business.61Table of ContentsOur current controls and any new controls that we develop may become inadequate because of changes in conditions in our business. In addition, changes in accounting principles or interpretations could also challenge our internal controls and require that we establish new business processes, systems, and controls to accommodate such changes. If these new systems, controls, or standards and the associated process changes do not operate as intended, it could adversely affect our financial reporting systems and processes, our ability to produce timely and accurate financial reports, or the effectiveness of internal control over financial reporting. Moreover, our business may be harmed if we experience problems with any new systems and controls that result in delays in their implementation or increased costs to correct any post-implementation issues that may arise. We have identified in the past, and may identify in the future, deficiencies in our controls, which could harm our results of operations or cause us to fail to meet our reporting obligations and may result in a restatement of our financial statements for prior periods. If we are not able to, or if we are perceived as being unable to, comply with the requirements of the Sarbanes-Oxley Act in a timely manner, or if we are unable to, or if we are perceived as being unable to, maintain proper and effective internal controls over financial reporting, we may not be able to produce timely and accurate financial statements. If that were to happen, our investors could lose confidence in our reported financial information, the trading price of our Class A common stock could decline, and we have been and could be subject to increased regulatory scrutiny, including sanctions or investigations by the SEC or other regulatory authorities. If that were to happen, our investors could lose confidence in our reported financial information, the trading price of our Class A common stock could decline, and we could be subject to sanctions or investigations by the SEC or other regulatory authorities. Any failure to implement and maintain effective internal control over financial reporting also could adversely affect the results of periodic management evaluations and annual independent registered public accounting firm attestation reports.
Catastrophic events may disrupt our business.
Natural disasters or other catastrophic events may cause damage or disruption to our operations, international commerce, and the global economy, and thus could harm our business. We have our headquarters and a large employee presence in San Mateo, California, an area which in recent years has been increasingly susceptible to fires, severe weather events, and power outages, any of which could disrupt our operations, and which contains active earthquake zones. In the event of a major earthquake, hurricane, or other catastrophic event such as fire, power loss, rolling blackouts or power loss, telecommunications failure, pandemic, geopolitical conflicts such as in Ukraine and the Middle East, cyber-attack, war, or other physical security threats, including violence or terrorist attacks, we may be unable to continue our operations and may endure system interruptions, reputational harm, delays in our Platform development, lengthy interruptions in our Platform, breaches of security, and loss of critical data, all of which would harm our business, results of operations, and financial condition. In the event of a major earthquake, hurricane, or catastrophic event such as fire, power loss, rolling blackouts or power loss, telecommunications failure, pandemic, geopolitical conflict such as the Russian invasion of Ukraine and Hamas’ attack against Israel and the ensuing war, cyber-attack, war, other physical security threats or terrorist attack, we may be unable to continue our operations and may endure system interruptions, reputational harm, delays in our Platform development, lengthy interruptions in our Platform, breaches of security, and loss of critical data, all of which would harm our business, results of operations, and financial condition. Certain catastrophic events would also cause disruptions to the internet or the economy as a whole. Global climate change could also result in natural disasters occurring more frequently or with more intense effects, which could cause business interruptions. A future health crisis like the COVID-19 pandemic, as well as the actions taken by various governments, businesses, and individuals in response, may also impact our business, operations, and financial results in ways that we may not be able to accurately predict. In addition, the insurance we maintain would likely not be adequate to cover our losses resulting from disasters or other business interruptions. Our disaster recovery plan may not be sufficient to address all aspects of any unanticipated consequence or incident, we may not be able to maintain business continuity at profitable levels or at all, and our insurance may not be sufficient to compensate us for the losses that could occur.
Our operations are subject to the effects of changing inflation rates and volatile global economic conditions.Our operations are subject to the effects of a rising rate of inflation and volatile global economic conditions.
The U.S., Europe, and other key global markets have recently experienced historically high levels of inflation. If the inflation rate continues to remain high, it will likely affect all of our expenses, including, but not limited to, employee compensation expenses and energy expenses and it may reduce consumer discretionary spending, which could affect the buying power of our users and creators and lead to a reduced demand for our Platform. If the inflation rate continues to increase, it will likely affect all of our expenses, including, but not limited to, employee compensation expenses and energy expenses and it may reduce consumer discretionary spending, which could affect the buying power of our users, developers, and creators and lead to a reduced demand for our Platform.
60
Geopolitical developments, such as changes in tariff policies of the U.S. and the retaliatory tariff and non-tariff responses by other countries, the prospect of further changes in tariff and trade policies and responses, geopolitical conflicts such as in Ukraine and the Middle East, continued tensions with China, the responses by central banking authorities to control inflation, and future U.S. federal government shutdowns, can increase levels of political and economic unpredictability globally and increase the volatility of global financial markets. Adverse macroeconomic conditions, including lower consumer confidence, persistent unemployment, wage and income stagnation, slower growth or a recession, changes to fiscal and monetary policy, inflation, changes in interest rates, foreign exchange fluctuations, economic and trade sanctions, the availability and cost of credit, and the strength of the economies in which we and our users are located, have adversely affected and may continue to adversely affect our consolidated financial condition and results of operations. Adverse macroeconomic conditions, including lower consumer confidence, persistent unemployment, wage and income stagnation, slower growth or recession, changes to fiscal and monetary policy, inflation, higher interest rates, currency fluctuations, economic and trade sanctions, the availability and cost of credit, and the strength of the economies in which we and our users are located, have adversely affected and may continue to adversely affect our consolidated financial condition and results of operations.
Additionally, we maintain cash balances at third-party financial institutions in excess of the Federal Deposit Insurance Corporation (the “FDIC”) insurance limit. If the financial conditions affecting the banking industry and financial markets cause additional banks and financial institutions to enter receivership or become insolvent, our ability to access our existing cash, cash equivalents and investments, or to draw on our existing lines of credit, may be threatened and could have a material adverse effect on our business and financial condition.
Item 1B. Unresolved Staff Comments
None.
Item 1C. Cybersecurity
Managing cybersecurity risk is a critical component of our overall risk management effort. We operate in an industry that is prone to cybersecurity threats and attacks, and we believe our prominence and scale, and the volume of sensitive data on our systems, make us a particularly attractive target. Our risk management strategy accounts for the scale and complexity of our operations, which span multiple jurisdictions across the globe and rely on a large network of employees, contractors, vendors, partners, and creators. Additionally, we depend on software and hardware that is highly technical and complex, creating an environment where cybersecurity risks are constantly evolving. To navigate these risks, we maintain an enterprise-wide information security program that is designed to identify, protect, detect, and respond to significant cybersecurity risks and threats and we have integrated this program into our overall enterprise risk management systems and processes. We routinely assess material risks from cybersecurity threats, including taking reasonable steps to detect any potential unauthorized occurrence on or behaviors conducted through our information systems that may result in adverse effects to the confidentiality, integrity, or availability of our information systems or any information residing therein. We maintain an incident response plan designed to identify, evaluate, respond to, and recover from a cybersecurity incident. The plans are designed to be flexible so that they may be adapted to an array of potential scenarios, and provide for the creation of cross-functional incident response teams in the event of a cybersecurity incident. We also periodically conduct testing, simulations, and tabletop exercises to help support our overall preparedness for a cybersecurity incident.
Risk Management and Strategy
We conduct periodic risk assessments to identify significant cybersecurity threats that may affect information systems that are vulnerable to such cybersecurity threats and regularly review these risk assessments for changes in our business practices and the external cybersecurity landscape as well as the impacts of our security processes. These risk assessments include identification of reasonably foreseeable internal and external risks and evaluation of the likelihood and potential damage that could result from the realization of such risks.
Following our risk assessments, we evaluate when and how to design, implement, and maintain reasonable safeguards to minimize the identified risks and address any identified gaps in existing safeguards, and proceed with such design, implementation, and maintenance as deemed appropriate. However, at any given time, we may face cybersecurity risks and threats that our existing safeguards do not fully mitigate, so we work on an ongoing basis to enhance our information security program. We devote significant resources and designate high-level personnel, including our Chief Information Security Officer (“CISO”) who reports to our Chief People and Systems Officer, to manage the risk assessment and mitigation process. Our CISO has served in various roles in information technology and information security for over 15 years, including leading information security initiatives and incident response at two other large public companies and serving as the Chief Security Officer for the Arkansas Department of Human Services and working for the United States Department of Defense. He has an MS in Information Assurance from the University of Advanced Technology in Arizona and a BS in Computer Science from the University of Arkansas at Little Rock.
61
All employees receive cybersecurity training during their onboarding. In addition, we have implemented a cybersecurity awareness program designed to educate employees on best security practices, emerging risk areas, and how to identify and report security threats. We include security expectations in employee performance management systems. We also engage third-party service providers in connection with our risk assessment process and certain risk management processes. Our collaboration with these third-party service providers includes threat assessments, risk analyses, assessments of the capability, maturity, and effectiveness of our cybersecurity program, policies, and practices, and consultations on opportunities and potential enhancements to strengthen our cybersecurity program.
We perform risk-tiered information security risk reviews for certain third-party service providers who have access to sensitive Company, user or employee information, reviewing areas such as data protection, endpoint management and protection, access management, phishing, business continuity, incident response management, and, more recently, use of AI and AI subprocessors.We perform risk-tiered information security risk reviews for certain third-party service providers who have access to sensitive Company, user or employee information, reviewing areas such as data protection, endpoint management and protection, phishing, business continuity, and incident response management. We contractually require certain third-party service providers with access to our information technology systems, sensitive business data, and/or personal information to implement and maintain appropriate security controls and provide for contractual restrictions on their ability to use our data. Certain of our service providers are contractually required to notify us promptly of information security incidents that may affect our systems or data, including personal information.
We also share and receive threat intelligence with federal, state, and local government agencies, peers, and other organizations, information sharing and analysis centers, and cybersecurity associations. We also share and receive threat intelligence with federal, state, and local government agencies, peers and other organizations, information sharing and analysis centers, and cybersecurity associations.
Governance
Our CISO, and management committee on cybersecurity consisting of our Chief People and Systems Officer, Chief Legal Officer, Chief Financial Officer, and CISO , are primarily responsible for assessing and managing our material risks from cybersecurity threats and overseeing our cybersecurity policies and processes, including those described in “Risk Management and Strategy” above. The processes by which our CISO, and our management committee on cybersecurity, are informed about and monitor the prevention, detection, mitigation, and remediation of cybersecurity incidents includes both manual reviews and automated reviews of our systems and data, a bug bounty program, self-reporting, participation in information sharing forums on cybersecurity, proactive education of our service providers, and product and application security reviews.
The ACC reports to the full Board of Directors regarding its oversight activities, including specific updates on cybersecurity risks. In addition to the ACC reports, the full Board of Directors receives periodic briefings directly from our CISO concerning the efficacy and status of our cyber risk management program.
In the event of a cybersecurity incident, the CISO is equipped with a well-defined incident response plan to guide response actions. This incident response plan includes immediate actions to assess and mitigate the impact of the incident, long-term strategies for remediation and prevention of future incidents, and provides for internal notification of the incident functional areas (e. This incident response plan includes immediate actions to mitigate the impact of the incident, long-term strategies for remediation and prevention of future incidents, and provides for internal notification of the incident functional areas (e. g. legal) as well as senior leadership and the ACC, as appropriate. legal) as well as senior leadership and the ACC of the Board of Directors, as appropriate.
Our CISO provides briefings to the ACC at least quarterly regarding, among other topics, recent notable cybersecurity incidents, even if immaterial, and our response, cybersecurity systems testing results, our cybersecurity threat landscape, which includes emerging risks and threats, compliance with regulatory requirements, and industry standards.64Table of ContentsOur CISO provides briefings to the ACC at least quarterly regarding, among other topics, recent notable cybersecurity incidents, even if immaterial, and the Company’s response, cybersecurity systems testing results, the cybersecurity landscape and emerging risks and threats, compliance with regulatory requirements and industry standards.
62
Notwithstanding the extensive approach we take to cybersecurity, including managing associated risks, we may not be successful in managing risks from cybersecurity threats, including identifying, preventing, or mitigating a cybersecurity incident that could have a material adverse effect on us. While we maintain cybersecurity insurance, the costs related to cybersecurity threats or disruptions may not be fully insured.
For additional information regarding the cybersecurity risks we face, please refer to Item 1A, “Risk Factors,” in this annual report on Form 10-K, including the risk factors entitled “Risks Related to Our Business: Security compromises of our Platform, our private information, and our users’ private information could disrupt our internal operations and harm public perception of our Platform, which could cause our business and reputation to suffer.”
Recently Filed
Click on a ticker to see risk factors
| Ticker * | File Date |
|---|---|
| EPRT | 53 minutes ago |
| APH | 54 minutes ago |
| VKTX | 57 minutes ago |
| RCL | an hour ago |
| AUR | an hour ago |
| QTWO | an hour ago |
| AMCX | an hour ago |
| FR | an hour ago |
| GLIBA | an hour ago |
| ALB | an hour ago |
| RNR | an hour ago |
| WPC | an hour ago |
| R | an hour ago |
| CFLT | an hour ago |
| HUBS | an hour ago |
| WHR | an hour ago |
| AR | 2 hours ago |
| EGP | 2 hours ago |
| AM | 2 hours ago |
| MGM | 2 hours ago |
| RFAI | 2 hours ago |
| EQIX | 2 hours ago |
| RBLX | 2 hours ago |
| CRBG | 2 hours ago |
| TFIN | 2 hours ago |
| STAG | 2 hours ago |
| SITM | 2 hours ago |
| DVA | 2 hours ago |
| JNJ | 2 hours ago |
| KMPR | 2 hours ago |
| TMUS | 2 hours ago |
| NBIX | 2 hours ago |
| HXL | 3 hours ago |
| NVR | 3 hours ago |
| TXT | 3 hours ago |
| BWA | 5 hours ago |
| BKH | 5 hours ago |
| ACBM | 5 hours ago |
| SYK | 6 hours ago |
| BMY | 6 hours ago |
| MA | 7 hours ago |
| HLT | 8 hours ago |
| RPRX | 9 hours ago |
| NNN | 9 hours ago |
| NVCT | 10 hours ago |
| AVTR | 10 hours ago |
| LEU | 10 hours ago |
| FNMA | 11 hours ago |
| U | 11 hours ago |
| SHOP | 11 hours ago |
