CarGurus (CARG) Risk Analysis

We have been, and may in the future be, subject to claims and litigation alleging that we or content on our websites infringe others' intellectual property rights, including the trademarks, copyrights, patents, and other intellectual property rights of third parties, including from our competitors or non-practicing entities. We may also learn of possible infringement to our trademarks, copyrights, patents, and other intellectual property. Patent and other intellectual property litigation may be protracted and expensive, and the results are difficult to predict and may result in significant settlement costs or payment of substantial damages. We host third-party images on our website and mobile application and may be subject to third-party claims of those images infringing on intellectual property rights of third parties. Many potential litigants, including patent holding companies, have the ability to dedicate substantially greater resources to enforce their intellectual property rights and to defend claims that may be brought against them. Furthermore, a successful claimant could secure a judgment that requires us to stop offering some features or prevents us from conducting our business as we have historically done or may desire to do in the future. We might also be required to seek a license and pay royalties for the use of such intellectual property, which may not be available on commercially acceptable terms, or at all. Alternatively, we may be required to modify our marketplaces and features, which could require significant effort and expense and may ultimately not be successful. In addition, we use open source software in our platform and will use open source software in the future. From time to time, we may face claims regarding ownership of, or demanding release of, the source code, the open source software or derivative works that were developed using such software, or otherwise seeking to enforce the terms of the applicable open source license. These claims could also result in litigation, require us to purchase a costly license, or require us to devote additional product, technology, and development resources to change our platforms or services, any of which would have a negative effect on our business and operating results. Even if these matters do not result in litigation or are resolved in our favor or without significant cash settlements, these matters, and the time and resources necessary to litigate or resolve them, could harm our business, our operating results, and our reputation.

From time to time, third parties may misappropriate our data through website crawling, website scraping, or other means and aggregate this data with data from other sources. In addition, copycat websites may misappropriate data in our marketplaces and attempt to imitate our brands or the functionality of our websites, or to use data from our marketplace to develop data analytics and insights. This activity may also interfere with the operation of our marketplace. We may be unable to detect and remedy all such activities in a timely and adequate manner. Regardless of whether we can successfully enforce our rights against these third parties, any measures that we may take could require us to expend significant financial or other resources, which could harm our business, results of operations, and financial condition. In addition, to the extent that such activity creates confusion among consumers or advertisers, our brands and business could be harmed.

Various aspects of our business are, may become, or may be viewed by regulators from time to time as subject, directly or indirectly, to U.S. federal, state, and local laws and regulations and to foreign laws and regulations.

Across the retail automotive industry, consumer purchasing activity is typically greatest in the first three quarters of each year, due in part to the introduction of new vehicle models from manufacturers and the seasonal nature of consumer spending, and our consumer-marketing spend generally fluctuates accordingly. In addition, any reduction of our marketing spend in response to macroeconomic-related expense management or otherwise, and shifts in demand from dealers and consumers could impact the efficiency of our marketing spend. As our growth rates moderate or cease, the impact of these seasonality trends and other influences on our results of operations could become more pronounced. This seasonality has affected the demand for our services in the past, and may continue to in the future. In addition, the volume of wholesale vehicle sales can fluctuate from quarter to quarter as a result of macroeconomic issues, which may have a corresponding impact on our results of operations. This variability is due to several factors including the timing of used vehicles available for sale from selling customers, the seasonality of the retail market for used vehicles, and/or inventory challenges in the automotive industry, which affect the demand side of the wholesale industry. This variability has affected our Digital Wholesale segment in the past, and may continue to in the future.

Some functions of our marketplaces involve the storage and transmission of consumers' information, such as IP addresses and site activity data, contact information of users who connect with dealers, credit applications, and other financial data and profile information of users who create accounts on our marketplaces as well as dealers' information. We also process and store personal and confidential information of our vendors, partners, and employees, and we employ third-party service providers, such as payment processing providers, who also regularly have access to customer and consumer data. Some of this information may be sensitive, and any cybersecurity attack, data breach, or other security incident impacting such information, including the unauthorized acquisition or access, compromise, or loss of such information, against us or our third-party service providers could expose us to a risk of loss or exposure of this information, which could result in potential liability, litigation (including class action litigation) or regulatory action, and remediation costs. We rely on encryption and authentication technology licensed from third parties to effect secure transmission of such information, and we also rely on our third-party service providers to use sufficient security measures to protect such information. Despite all of our efforts designed to protect this information, none of our security measures or those of our third-party service providers provide absolute security, and they may not be effective in preventing a future failure of our systems. Like all information systems and technology, our websites, mobile applications, and information systems, and those of our third-party service providers, are subject to computer viruses, break-ins, phishing attacks, attempts to overload the systems with denial-of-service or other attacks, ransomware, and similar incidents or disruptions from unauthorized use of our or our third-party service providers'systems, any of which could lead to interruptions, delays, or website shutdowns, and could cause loss of critical data and the unauthorized disclosure, access, acquisition, alteration, or use of personal or other confidential information. If we or our third-party service providers experience compromises to data security that result in website or mobile application performance or availability problems, the complete shutdown of our websites or mobile applications, or the loss or unauthorized disclosure, access, acquisition, alteration, or use of confidential information, consumers, customers, advertisers, partners, vendors, and employees may lose trust and confidence in us, and consumers may decrease the use of our websites or stop using our websites entirely, dealers may stop or decrease their subscriptions with us, and advertisers may decrease or stop advertising on our websites. Further, outside parties have attempted and will likely continue to attempt to fraudulently induce employees, consumers, or advertisers to disclose sensitive information in order to gain access to our information or our information of consumers, dealers, advertisers, and employees. As cyber-attacks increase in frequency and sophistication, our cyber-security and disaster recovery plans may not be effective in anticipating, preventing, and effectively responding to all potential cyber-risk exposures. In addition, because the techniques used to obtain unauthorized access, disable, or degrade service or sabotage systems constantly evolve, often are not recognized until after having been launched against a target, and may originate from less regulated and remote areas around the world, we may be unable to proactively address these techniques or to implement adequate measures for prevention and detection. For example, as AI continues to evolve, cybercriminals could also use AI to develop malicious code and sophisticated phishing attempts. Any or all of the issues above could adversely affect our brand reputation, negatively impact our ability to attract new consumers, and increase engagement by existing consumers, cause existing consumers to reduce or stop the use of our marketplaces or close their accounts, cause existing dealers and advertisers to cancel their contracts, cause employees to terminate their employment, cause employment candidates to be unwilling to pursue employment opportunities or accept employment offers, and/or subject us to governmental or third-party lawsuits, investigations, regulatory fines, or other actions or liability, thereby harming our business, results of operations, and financial condition. Although we carry privacy, data breach, and network security liability insurance, we cannot be certain that our coverage will be adequate for liabilities actually incurred or sufficient to compensate us for the potentially significant losses, or that insurance will continue to be available to us on economically reasonable terms or at all. There are numerous federal, national, state, and local laws and regulations in the U.S. and around the world regarding privacy and the collection, processing, storage, sharing, disclosure, use, cross-border transfer, and protection of personal information and other data. These laws and regulations are evolving, are subject to differing interpretations, may be costly to comply with, may result in regulatory fines, penalties, or on-going monitoring, may subject us to investigations and/or third-party lawsuits, may be inconsistent between countries and state-level jurisdictions, and may conflict with other requirements. We seek to comply with applicable industry standards and are subject to the terms of our privacy policies and privacy-related obligations to third parties, as well as all applicable laws and regulations relating to privacy and data protection. However, given the recency of these laws and the lack of enforcement examples so far, especially in the U.S., it is possible that these obligations may be interpreted and applied in new ways or in a manner that is inconsistent from one jurisdiction to another and may conflict with other rules or our practices and that new regulations could be enacted. Several proposals have recently become effective or are pending, as applicable, before federal, state, local, and foreign legislative and regulatory bodies that could significantly affect our business, which we refer to collectively as the Privacy Regulations. The Privacy Regulations include the EU's General Data Protection Regulation, the California Consumer Protection Act, and an additional 18 separate U.S. state consumer privacy laws that are currently in effect or will be going into effect over the next year (Colorado, Connecticut, Delaware, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Rhode Island, Tennessee, Texas, Utah, and Virginia). Certain of the Privacy Regulations have already required, and certain others may further require, us to change our policies and procedures and may in the future require us to make changes to our marketplaces and other products. These and other requirements could reduce demand for our marketplaces and other offerings, require us to take on more onerous obligations in our contracts, and restrict our ability to store, transfer, and process data, which may seriously harm our business. Similarly, the gradual industry shift away from relying on third-party cookies may require us to change our policies and procedures and, if we are not in compliance, may also seriously harm our business. We may not be entirely successful in our efforts to effectively transition away from third-party cookies as well as comply with the evolving regulations to which we are subject due to various factors within our control, such as limited internal resource allocation, or outside our control, such as a lack of vendor cooperation, new regulatory interpretations, or lack of regulatory guidance in respect of certain Privacy Regulations and other statutory requirements. Any failure or perceived failure by us to comply with U.S. and international data protection laws and regulations, our privacy policies, or our privacy-related obligations to consumers, customers, employees, and other third parties, or any compromise of security that results in the unauthorized release or transfer of data, which could include personal information or other user data, may result in governmental investigations, enforcement actions, regulatory fines, litigation, criminal penalties, or public statements against us by consumer advocacy groups or others, and could cause consumers and dealers to lose trust in us, which could significantly impact our brand reputation and have an adverse effect on our business. Additionally, if any third party that we share information with experiences a security breach or fails to comply with its privacy-related legal obligations or commitments to us, such matters may put employee, consumer, or dealer information at risk and could, in turn, expose us to claims for damages, regulatory fines, penalties, or litigation and harm our reputation, business, and operating results.