Meta Platforms (META) Risk Analysis

Governments from time to time seek to censor or moderate content available on Facebook or our other products in their country, restrict access to our products from their country partially or entirely, or impose other restrictions that may affect the accessibility of our products in their country for an extended period of time or indefinitely. For example, user access to Facebook and certain of our other products has been or is currently restricted in whole or in part in China, Iran, and North Korea. In addition, government authorities in other countries may seek to restrict user access to our products if they consider us to be in violation of their laws or a threat to public safety or for other reasons, and certain of our products have been restricted by governments in other countries from time to time. For example, in 2020, Hong Kong adopted a National Security Law that provides authorities with the ability to obtain information, remove and block access to content, and suspend user services, and if we are found to be in violation of this law then the use of our products may be restricted. Hong Kong has passed additional national security legislation in 2024. In addition, if we are required to or elect to make changes to our marketing and sales or other operations in Hong Kong as a result of the National Security Law or other legislation, our revenue and business in the region will be adversely affected. In addition, in connection with the war in Ukraine in the first quarter of 2022, access to Facebook and Instagram was restricted in Russia and the services were then prohibited by the Russian government, which has adversely affected, and will likely continue to adversely affect, our revenue and business in the region. It is also possible that government authorities could take action that impairs our ability to sell or deliver advertising, including in countries where access to our consumer-facing products may be blocked or restricted. For example, we generate meaningful revenue from a small number of resellers serving advertisers based in China, and it is possible that the Chinese, United States, or other government could take action that reduces or eliminates our China-based advertising revenue, whether as a result of the trade dispute with the United States, including any tariffs implemented by the United States or China, in response to content issues or information requests in Hong Kong or elsewhere, or for other reasons, or take other action against us, such as imposing taxes or other penalties, which could adversely affect our financial results. Similarly, if we are found to be out of compliance with certain legal requirements for companies in Turkey, the Turkish government could take action to reduce or eliminate our Turkey-based advertising revenue or otherwise adversely impact access to our products. In the event that content shown on Facebook or our other products is subject to censorship, access to our products is restricted, in whole or in part, in one or more countries, we are required to or elect to make changes to our operations, or other restrictions are imposed on our products, or our competitors are able to successfully penetrate new geographic markets or capture a greater share of existing geographic markets that we cannot access or where we face other restrictions, our ability to retain or increase our user base, user engagement, or the level of advertising by marketers may be adversely affected, we may not be able to maintain or grow our revenue as anticipated, and our financial results could be adversely affected.

We receive formal and informal inquiries from government authorities and regulators regarding our compliance with laws and regulations, many of which are evolving and subject to interpretation. We are and expect to continue to be the subject of investigations, inquiries, data requests, requests for information, actions, and audits in the United States, Europe, and around the world, particularly in the areas of privacy, data use, data combination, and data protection, including with respect to processing of sensitive data, data from third parties, data for advertising purposes, data security, minors, data subject rights, safety, law enforcement, consumer protection, civil rights, content and content moderation, use of our platform for illegal, illicit, or otherwise objectionable activity, competition, AI, generative AI, and machine learning. In addition, we are currently, and may in the future be, subject to regulatory orders or consent decrees. For example, data protection, competition, content, and consumer protection authorities in the European Union, United States, and other jurisdictions have initiated actions, investigations, or administrative orders seeking to restrict the ways in which we collect and use information, or impose sanctions, and other authorities may do the same. In addition, we have been and continue to be the subject of litigation and investigations related to the ways in which we collect and use information, including where advertisers are subject to additional regulation such as housing, employment, credit, and financial services. In addition, beginning in March 2018, we became subject to FTC, state attorneys general, and other government inquiries in the United States, Europe, and other jurisdictions in connection with our platform and user data practices as well as the misuse of certain data by a developer that shared such data with third parties in violation of our terms and policies. In July 2019, we entered into a settlement and modified consent order to resolve the FTC inquiry, which took effect in April 2020 and, among other things, required us to significantly enhance our practices and processes for privacy compliance and oversight. The state attorneys general inquiries and litigation, and certain government inquiries in other jurisdictions remain ongoing. The FTC also continues to monitor us and our compliance with the modified consent order and initiated an administrative proceeding against us, which we are challenging at the agency and in federal court, that alleges deficient compliance and violations of the Children's Online Privacy Protection Act (COPPA), the COPPA Rule, and Section 5 of the Federal Trade Commission Act and seeks changes to our business. If we are unsuccessful in our challenge to the FTC's action and the agency imposes its proposed order in its current form, we would be subject to significant limitations, including on our ability to launch new and modified products or use data of users under 18 years old. We also notify the IDPC, our lead European Union privacy regulator under the GDPR, and other regulators of certain other personal data breaches and privacy issues, issue similar notifications to European regulators under other laws (such as UK GDPR and Member State implementations of the ePrivacy Directive), and are subject to inquiries and investigations by the IDPC and other regulators regarding various aspects of our regulatory compliance. In addition, we are subject to inquiries and investigations by the European Commission regarding our compliance with various provisions of the DSA relating to the use of Facebook and Instagram, including matters related to elections, content reporting and appeals, third-party access to data, political content recommendations, potential deceptive advertising and disinformation, and minors and other vulnerable users. We have been, and may in the future be, subject to penalties, fines, and requirements to change our business practices as a result of such inquiries and investigations. In addition, in July 2024, we entered into a settlement to resolve a lawsuit by the state of Texas in connection with the "tag suggestions" feature and other uses of facial recognition technology. We are also subject to various litigation and formal and informal inquiries and investigations by competition authorities in the United States, Europe, and other jurisdictions, which relate to many aspects of our business, including with respect to users and advertisers. Such inquiries, investigations, and lawsuits concern, among other things, our business practices in the areas of social networking or social media services, messaging services, digital advertising, and/or mobile or online applications, as well as our acquisitions. For example, beginning in 2019, we became the subject of antitrust inquiries and investigations by the FTC and the U.S. Department of Justice. Beginning in 2020, we became subject to a lawsuit by the FTC alleging that we violated antitrust laws, including by acquiring Instagram in 2012 and WhatsApp in 2014. The complaint seeks a permanent injunction against our company's alleged violations of the antitrust laws, and other equitable relief, including divestiture or reconstruction of Instagram and WhatsApp. In addition, in November 2024, the European Commission issued a fine as a result of its finding that we tied Facebook Marketplace to Facebook and use data in a manner that infringes European Union competition rules. We are also subject to other government inquiries and investigations relating to our business activities and disclosure practices. For example, beginning in September 2021, we became subject to government investigations and requests relating to allegations and the release of internal company documents by a former employee. Orders issued by, or inquiries or enforcement actions initiated by, government or regulatory authorities could cause us to incur substantial costs, expose us to civil and criminal liability (including liability for our personnel) or penalties (including substantial monetary remedies), interrupt or require us to change our business practices in a manner materially adverse to our business (including changes to our products or user data practices), result in negative publicity and reputational harm, divert resources and the time and attention of management from our business, or subject us to other structural or behavioral remedies that adversely affect our business, and we have experienced some of these adverse effects to varying degrees from time to time.

The tax regimes we are subject to or operate under, including income and non-income taxes, are unsettled and may be subject to significant change. Changes in tax laws or tax rulings, or changes in interpretations of existing laws, could materially affect our financial position, results of operations, and cash flows. For example, the One Big Beautiful Bill Act (OBBBA) enacted in July 2025 is expected to have a significant impact on our tax obligations and effective tax rate for the third quarter of 2025. The issuance of additional regulatory or accounting guidance related to the OBBBA or other executive or Congressional actions in the United States or globally could materially increase our tax obligations and significantly impact our effective tax rate in the period such guidance is issued or such actions take effect, and in future periods. In addition, many countries have recently proposed or recommended changes to existing tax laws or have enacted new laws that could significantly increase our tax obligations in many countries where we do business or require us to change the manner in which we operate our business. Over the last several years, the Organization for Economic Cooperation and Development (OECD) has been working on a Base Erosion and Profit Shifting Project that, if implemented, would change various aspects of the existing framework under which our tax obligations are determined in many of the countries in which we do business. A number of countries have enacted legislation to implement the OECD's 15% global minimum tax regime. As additional jurisdictions enact legislation, transitional relief expires, and other provisions of the minimum tax legislation become effective, our effective tax rate and cash tax payments could increase in future years. Similarly, the European Commission and several countries have issued proposals that would apply to various aspects of the current international tax rules under which we are taxed. These proposals include changes to the existing rules to calculate income tax, as well as proposals to change or impose new types of non-income taxes, including taxes based on a percentage of revenue. For example, several jurisdictions have proposed or enacted taxes applicable to certain digital services, which include business activities on digital advertising and online marketplaces, and which apply to our business. In the absence of active OECD discussions, countries may continue imposing unilateral tax measures, such as digital services taxes, outside existing treaty frameworks. These measures may proliferate in the absence of bilateral or multilateral agreement. The European Commission has conducted investigations in multiple countries focusing on whether local country tax rulings or tax legislation provides preferential tax treatment that violates European Union state aid rules and concluded that certain member states, including Ireland, have provided illegal state aid in certain cases. These investigations may result in changes to the tax treatment of our foreign operations. In addition, ongoing volatility due to international trade may prompt foreign governments to expand regulatory authority or adopt new measures, increasing compliance risks, taxes, and operational complexities. Due to the large and expanding scale of our international business activities, many of these types of changes to the taxation of our activities described above could increase our worldwide effective tax rate, increase the amount of non-income taxes imposed on our business, and harm our financial position, results of operations, and cash flows. Such changes may also apply retroactively to our historical operations and result in taxes greater than the amounts estimated and recorded in our financial statements.

We are subject to a variety of laws and regulations in the United States and abroad that involve matters central to our business, including privacy, data use, data combination, data protection and personal information, the provision of our services to younger users, biometrics, encryption, rights of publicity, content, integrity, intellectual property, advertising, marketing, distribution, data security, data retention and deletion, data localization and storage, data disclosure, AI and machine learning, electronic contracts and other communications, competition, protection of minors, consumer protection, civil rights, accessibility, telecommunications, product liability, e-commerce, taxation, economic or other trade controls including sanctions, export controls, anti-corruption and political law compliance, securities law compliance, and online payment services. The introduction of new products, expansion of our activities in certain jurisdictions, or other actions that we may take may subject us to additional laws, regulations, or other government scrutiny. In addition, these U.S. and foreign laws and regulations may impose different obligations from each other and create the potential for significant fines to be imposed. These U.S. federal and state, EU, and other international laws and regulations, which in some cases can be enforced by private parties in addition to government entities, are constantly evolving and can be subject to significant change. As a result, the application, interpretation, and enforcement of these laws and regulations are often uncertain, particularly in the new and rapidly evolving industry in which we operate, and may be interpreted and applied inconsistently from jurisdiction to jurisdiction and inconsistently with our current policies and practices. For example, regulatory or legislative actions or litigation concerning the manner in which we display content to our users, moderate content, provide our services to younger users, or are able to use data in various ways, including for advertising, have in the past and could in the future adversely affect user growth and engagement, affect the manner in which we provide our services, or adversely affect our financial results, including by imposing significant fines that increasingly may be calculated based on global revenue. We are also subject to evolving laws and regulations that dictate whether, how, and under what circumstances we can transfer, process or receive certain data that is critical to our operations, including data shared between countries or regions in which we operate and data shared among our products and services. For example, in 2016, the European Union and United States agreed to a transfer framework for data transferred from the European Union to the United States, called the Privacy Shield, but the Privacy Shield was invalidated in July 2020 by the Court of Justice of the European Union (CJEU). In addition, the other bases upon which Meta relies to transfer such data, such as Standard Contractual Clauses (SCCs), have been subjected to regulatory and judicial scrutiny. For example, the CJEU considered the validity of SCCs as a basis to transfer user data from the European Union to the United States following a challenge brought by the Irish Data Protection Commission (IDPC). Although the CJEU upheld the validity of SCCs in July 2020, on May 12, 2023, the IDPC issued a Final Decision concluding that Meta Platforms Ireland's reliance on SCCs in respect of certain transfers of European Economic Area (EEA) Facebook user data was not in compliance with the GDPR. The IDPC issued an administrative fine of EUR €1.2 billion as well as corrective orders requiring Meta Platforms Ireland to suspend the relevant transfers and to bring its processing operations into compliance with Chapter V GDPR by ceasing the unlawful processing, including storage, of such data in the United States. We are appealing this Final Decision and it is currently subject to an interim stay from the Irish High Court. On March 25, 2022, the European Union and United States announced that they had reached an agreement in principle on a new EU-U.S. Data Privacy Framework (EU-U.S. DPF). On October 7, 2022, President Biden signed the Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities (E.O.), and on June 30, 2023, the European Union and the three additional countries making up the EEA were designated by the United States Attorney General as a "qualifying state" under Section 3(f) of the E.O. On July 10, 2023, the European Commission adopted an adequacy decision in relation to the United States. The adequacy decision concludes that the United States ensures an adequate level of protection for personal data transferred from the European Union to organizations in the United States that are included in the "Data Privacy Framework List," maintained and made publicly available by the United States Department of Commerce pursuant to the EU-U.S. DPF. The implementation of the EU-U.S. DPF and the adequacy decision are important and welcome milestones, and we have implemented steps to comply with the above corrective orders following engagement with the IDPC. The EU-U.S. DPF replaces two prior adequacy frameworks which were invalidated by the CJEU. A further invalidation of the EU-U.S. DPF by the CJEU could create considerable uncertainty and lead to us being unable to offer a number of our most significant products and services, including Facebook and Instagram, in Europe, which would materially and adversely affect our business, financial condition, and results of operations. In addition, we have been managing investigations and lawsuits in India and other jurisdictions regarding the 2021 updates to WhatsApp's terms of service and privacy policy and its sharing of certain data with other Meta products and services, including a lawsuit currently pending before the Supreme Court of India and an order by the Competition Commission of India, which we are appealing. If we are unable to transfer data between and among countries and regions in which we operate, or if we are restricted from sharing data among our products and services, it could affect our ability to provide our services, the manner in which we provide our services or our ability to target ads, which could adversely affect our financial results. We have been subject to other significant legislative and regulatory developments, which together with proposed or new legislation and regulations could significantly affect our business in the future. For example, we have implemented a number of product changes and controls as a result of requirements under the European General Data Protection Regulation (GDPR), and may implement additional changes in the future. The GDPR also requires submission of personal data breach notifications to our lead European Union privacy regulator, the IDPC, and includes significant penalties for non-compliance with the notification obligation as well as other requirements of the regulation. The interpretation of the GDPR is still evolving, including through decisions of the CJEU, and draft decisions in investigations by the IDPC are subject to review by other European privacy regulators as part of the GDPR's consistency mechanism, which may lead to significant changes in the final outcome of such investigations. We also face potential enforcement from European privacy regulators other than the IDPC, including where those regulators consider they must act urgently or where they believe their concerns relate only to data processing undertaken in their individual jurisdiction. As a result, the interpretation and enforcement of the GDPR, as well as the imposition and amount of penalties for non-compliance, are subject to significant uncertainty, and as it evolves, could potentially have a negative impact on our business and/or our operations. In addition, Brazil, the United Kingdom, and other countries have enacted similar data protection regulations imposing data privacy-related requirements on products and services offered to users in their respective jurisdictions. The California Consumer Privacy Act, as amended by the California Privacy Rights Act (CCPA), also establishes certain transparency rules and creates certain data privacy rights for users, including limitations on our use of certain sensitive personal information and more ability for users to control the purposes for which their data is shared with third parties. Other states have proposed or enacted similar comprehensive privacy laws that afford users with similar data privacy rights and controls. These laws and regulations are evolving and subject to interpretation, and resulting limitations on our advertising services, or reductions of advertising by marketers, have to some extent adversely affected, and will continue to adversely affect, our advertising business. Some states have also proposed or enacted laws specifically focused on whether and how a company can moderate content on its services, and/or on the privacy rights and controls for users under 18 years old and their parents or guardians. Like comprehensive privacy laws, these laws are evolving and subject to interpretation, and may restrict our ability to offer certain products and services provided to all or certain cohorts of users in those states, adversely affecting our advertising business. In Europe, evolving interpretation of the ePrivacy Directive's requirements regarding the use of cookies and similar technologies may lead to regulators imposing specific measures in the future which could directly impact our use of such technologies. In addition, the ePrivacy Directive and national implementation laws impose additional limitations on the use of data across messaging products and include significant penalties for non-compliance. Changes to our products or business practices as a result of these or similar developments have adversely affected, and may in the future adversely affect, our advertising business. For example, in response to regulatory developments in Europe, we announced plans to change the legal basis for behavioral advertising on Facebook and Instagram in the European Union, European Economic Area, and Switzerland from "legitimate interests" to "consent," and in November 2023 we began offering users in the region a "subscription for no ads" alternative. We are engaging with regulators on our consent model, including regarding compliance with requirements under the GDPR, DMA, and EU consumer laws. For example, in March 2024, the European Commission opened formal proceedings regarding the compliance of our "subscription for no ads" model with requirements under the DMA, and it issued preliminary findings in July 2024. In addition, the European Data Protection Board has published an opinion on the operation of such models under GDPR and European consumer protection organizations have raised concerns regarding our compliance with consumer protection laws. In response to these developments, in November 2024, we began offering users in the European Union, European Economic Area, and Switzerland who elect to continue using our services free-of-charge, supported by ads, an option to see less personalized ads (LPA), which are less relevant and effective than our premium ad offerings. In April 2025, the European Commission issued a final decision that our "subscription for no ads" model does not comply with such requirements. We made significant modifications to LPA since the European Commission issued its final decision. We have appealed the European Commission's decision but cannot rule out that further fines or modifications to our model may be imposed during the appeal process, which could result in a materially worse user experience for European users and a significant impact to our European business and revenue as early as later in the third quarter of 2025. These or any similar developments in the future may negatively impact our user growth and engagement, revenue, and financial results. Similarly, there are a number of legislative proposals or recently enacted laws in the European Union, the United States, at both the federal and state level, as well as other jurisdictions that could impose new obligations or limitations in areas affecting our business. For example, the DMA in the European Union imposes restrictions and requirements on companies like ours, including in areas such as the combination of data across services, mergers and acquisitions, and product design. The DMA also includes significant penalties for non-compliance, and its key requirements are enforceable against designated gatekeeper companies as of March 2024. The DMA has caused, and may in the future cause, us to incur significant compliance costs and make changes to our products or business practices. The requirements under the DMA will likely be subject to further interpretation and regulatory engagement. Pending or future proposals to modify competition laws in a number of jurisdictions could have similar effects. Further, the DSA, which started to apply to our business as of August 2023, imposes certain restrictions and requirements for our products and services, subjects us to increased compliance costs, and includes significant penalties for non-compliance. The interpretation and enforcement of the DMA and the DSA, as well as the imposition and amount of penalties for non-compliance, are subject to significant uncertainty. In addition, some countries, such as the UK, India, and Turkey, are considering or have passed legislation implementing data protection requirements, new competition requirements, or requiring local storage and processing of data or similar requirements that could require substantial changes to our products, increase the cost and complexity of delivering our services, cause us to cease the offering of our products and services in certain countries, and/or result in fines or other penalties. We are also subject to new legislation or regulatory decisions that restrict our ability to collect and use information about minors or also limit our advertising services or our ability to offer products and services to minors in certain jurisdictions. For example, several U.S. states, including Arkansas, California, Florida, New York, Texas, and Utah, among others, have passed laws restricting our ability to offer services to minors without parental consent or otherwise limiting the services that we can provide to minors. While enforcement of a number of these statutes (or parts of them) has been enjoined or stayed as a result of legal challenges to them, it is possible that the decisions to enjoin these statutes may be overturned, the injunctive orders may expire, and certain statutes are coming into effect that may not be subject to injunctions. Should enforcement of one or more of these statutes not be enjoined, we may not be able to comply with certain of these statutes by their respective effective dates. We are facing similar challenges in other jurisdictions, including Europe and Asia-Pacific. For example, various EU member states are currently considering a range of legislation from mandatory age verification requirements to banning minor access to social media services. In addition, recent legislation in Australia imposes a social media ban for users under 16 years old that is expected to be effective by December 2025, requiring certain social media companies to take reasonable steps to ensure under 16 year olds do not create user accounts. As a result of legislative proposals, new laws, and evolving interpretation of existing laws in Europe, Asia-Pacific, and other jurisdictions, we are also, and expect to continue to be, subject to new requirements relating to allegedly fraudulent or illegal activities by third parties on our platform, which could continue to cause us to incur significant compliance costs or make changes to our products or business practices, and could subject us to additional fines and penalties or liability for losses to users or other third parties in such transactions. In addition, the Province of British Columbia has considered, and may in the future consider, a bill that would permit the government to recover public health-related costs potentially associated with providing goods and services in British Columbia, including potentially social media services. We are also subject to disclosure, reporting, and diligence requirements regarding our social and environmental risks and initiatives. There has been increased focus on these initiatives by many regulators, investors, and other stakeholders and any actual or perceived failure by us to comply with applicable federal, state, local or international laws and regulations could result in legal and regulatory proceedings against us and materially and adversely affect our business, financial condition, and results of operations. These laws and regulations, as well as any associated claims, inquiries, or investigations or any government actions, have led to, and may in the future lead to, unfavorable outcomes including increased compliance costs, changes to our products, loss of revenue, delays or impediments in the development of new products, negative publicity and reputational harm, increased operating costs, diversion of management time and attention, and remedies that harm our business, including fines, damages, or orders that we modify or cease existing business practices.

We rely and expect to continue to rely on a combination of confidentiality, assignment, and license agreements with our employees, consultants, and third parties with whom we have relationships, as well as trademark, copyright, patent, trade secret, and domain name protection laws, to protect our proprietary rights. In the United States and internationally, we have filed various applications for protection of certain aspects of our intellectual property, and we currently hold a significant number of registered trademarks and issued patents in multiple jurisdictions and have acquired patents and patent applications from third parties. Third parties may knowingly or unknowingly infringe our proprietary rights, third parties may challenge proprietary rights held by us, and pending and future trademark and patent applications may not be approved. In addition, effective intellectual property protection may not be available in every country in which we operate or intend to operate our business. In any or all of these cases, we may be required to expend significant time and expense in order to prevent infringement or to enforce our rights. Although we have generally taken measures to protect our proprietary rights, there can be no assurance that others will not offer products or concepts that are substantially similar to ours and compete with our business. In addition, we regularly contribute software source code under open source and other permissive licenses and have made other technology we developed available under such licenses, and we include open source software in our products. Additionally, our AI is trained on data sets that may include open source software and the outputs of our AI may be subject to open source license restrictions or obligations. As a result of our open source contributions and the use of open source in our products, we may license or be required to license or disclose code and/or innovations that turn out to be material to our business and may also be exposed to increased litigation risk. If the protection of our proprietary rights is inadequate to prevent unauthorized use or appropriation by third parties, the value of our brands and other intangible assets may be diminished and competitors may be able to more effectively mimic our products, services, and methods of operations. Any of these events could have an adverse effect on our business and financial results.

Our products and internal systems rely on software and hardware, including software and hardware developed or maintained internally and/or by third parties (including open source software and the operating systems and browsers which users rely on to run our applications and access our systems), that is highly technical and complex. In addition, our products and internal systems depend on the ability of such software and hardware to store, retrieve, process, and manage immense amounts of data. The software and hardware on which we rely has contained, and will in the future contain, errors, bugs, or vulnerabilities, and our systems are subject to certain technical limitations that may compromise our ability to meet our objectives. Some errors, bugs, or vulnerabilities inherently may be difficult to detect and may only be discovered after the code has been released for external or internal use. Errors, bugs, vulnerabilities, design defects, or technical limitations within the software and hardware on which we rely, or human error or malfeasance in using such systems, have led to, and may in the future lead to, outcomes including a negative experience or other adverse effects for users and marketers who use our products, compromised ability of our products to perform in a manner consistent with our terms, contracts, or policies, delayed product introductions or enhancements, targeting, measurement, or billing errors, compromised ability to protect the data of our users and/or our intellectual property or other data, or reductions in our ability to provide some or all of our services. For example, we make commitments to our users as to how their data will be collected, used, shared, and retained within and across our products, and our systems are subject to errors, bugs and technical limitations that may prevent us from fulfilling these commitments reliably. In addition, any errors, bugs, vulnerabilities, or defects in our systems or the software and hardware on which we rely, failures to properly address or mitigate the technical limitations in our systems, or associated degradations or interruptions of service or failures to fulfill our commitments to our users, have led to, and may in the future lead to, outcomes including damage to our reputation, loss of users, loss of marketers, loss of revenue, regulatory inquiries, litigation, or liability for fines, damages, or other remedies, any of which could adversely affect our business and financial results.

The size of our active user base and our users' level of engagement across our products are critical to our success. Our financial performance has been and will continue to be significantly determined by our success in adding, retaining, and engaging active users of our products that deliver ad impressions, particularly for Facebook and Instagram. We have experienced, and expect to continue to experience, fluctuations and declines in the size of our active user base in one or more markets from time to time, particularly in markets where we have achieved higher penetration rates. User growth and engagement are also impacted by a number of other factors, including competitive products and services, such as TikTok, that have reduced some users' engagement with our products and services, as well as global and regional business, macroeconomic, and geopolitical conditions. For example, the COVID-19 pandemic led to increases and decreases in the size and engagement of our active user base from period to period at different points during the pandemic. In addition, in connection with the war in Ukraine, access to Facebook and Instagram was restricted in Russia and these services were then prohibited by the Russian government, which contributed to slight decreases in the size of our active user base following the onset of the war. Any future declines in the size of our active user base may adversely impact our ability to deliver ad impressions and, in turn, our financial performance. If people do not perceive our products to be useful, reliable, and trustworthy, we may not be able to attract or retain users or otherwise maintain or increase the frequency and duration of their engagement. A number of other social networking companies that achieved early popularity have since seen their active user bases or levels of engagement decline, in some cases precipitously. There is no guarantee that we will not experience a similar erosion of our active user base or engagement levels. Our user engagement patterns have changed over time, and user engagement can be difficult to measure, particularly as we and our competitors introduce new and different products and services. Any number of factors can negatively affect user retention, growth, and engagement, including if: - users increasingly engage with other competitive products or services;- we fail to introduce new features, products, or services that users find engaging or if we introduce new products or services, or make changes to existing products and services, that are not favorably received;- users feel that their experience is diminished as a result of the decisions we make with respect to the frequency, prominence, format, size, and quality of ads that we display;- users have difficulty installing, updating, or otherwise accessing our products on mobile devices as a result of actions by us or third parties that we rely on to distribute our products and deliver our services;- user behavior on any of our products changes, including decreases in the quality and frequency of content shared on our products and services;- we are unable to continue to develop products for mobile devices that users find engaging, that work with a variety of mobile operating systems and networks, and that achieve a high level of market acceptance;- there are decreases in user sentiment due to questions about the quality or usefulness of our products or our user data practices, concerns about the nature of content made available on our products, or concerns related to privacy, safety, security, well-being, or other factors;- we are unable to manage and prioritize information to ensure users are presented with content that is appropriate, interesting, useful, and relevant to them;- we are unable to obtain or attract engaging third-party content;- we are unable to successfully maintain or grow usage of and engagement with applications that integrate with our products;- users adopt new technologies where our products may be displaced in favor of other products or services, or may not be featured or otherwise available;- there are changes mandated by legislation, government and regulatory authorities, or litigation that adversely affect our products or users;- we are unable to offer a number of our most significant products and services, including Facebook and Instagram, in Europe, or are otherwise limited in our business operations, as a result of European courts invalidating the EU-U.S. DPF or regulators, courts, or legislative bodies determining that the legal bases we rely upon to transfer user data from the European Union to the United States are invalid;- there is decreased engagement with our products, decreased efficiency of our advertising products, or failure to accept our terms of service, as part of changes that we have implemented or may implement in the future, whether voluntarily, in connection with the GDPR, the European Union's ePrivacy Directive, the DMA, the DSA, the DMCC, U.S. state privacy laws including the California Consumer Privacy Act, as amended by the California Privacy Rights Act (CCPA), youth social media laws, or other laws, regulations, or regulatory actions, or otherwise;- technical or other problems prevent us from delivering our products in a rapid and reliable manner or otherwise affect the user experience, such as security breaches or failure to prevent or limit spam or otherwise objectionable content, or users feel their experience is diminished as a result of our efforts to protect the security and integrity of our platform;- we adopt terms, policies, or procedures related to areas such as sharing, content, user data, or advertising, or we take, or fail to take, actions to enforce our policies, that result in our removal of users from our platform or are perceived negatively by our users or the general public, including as a result of decisions or recommendations from the independent Oversight Board regarding content on our platform;- we elect to focus our product decisions on longer-term initiatives that do not prioritize near-term user growth and engagement (for example, we have announced plans to focus product decisions on optimizing the young adult experience in the long term);- we make changes in our user account login or registration processes or changes in how we promote different products and services across our family of products;- initiatives designed to attract and retain users and engagement, including the use of evolving technologies such as generative artificial intelligence, are unsuccessful or discontinued, whether as a result of actions by us, our competitors, or other third parties, or otherwise;- third-party initiatives that may enable greater use of our products, including low-cost or discounted data plans, are scaled back or discontinued, or the pricing of data plans otherwise increases;- there is decreased engagement with our products as a result of taxes imposed on the use of social media or other mobile applications in certain countries, internet shutdowns, or other actions by governments that affect the accessibility of our products in their countries (for example, beginning in the first quarter of 2022, our user growth and engagement were adversely affected by the war in Ukraine and service restrictions imposed by the Russian government);- we fail to provide adequate customer service to users, marketers, developers, or other partners;- we, developers whose products are integrated with our products, or other partners and companies in our industry are the subject of adverse media reports or other negative publicity, including as a result of our or their user data practices; or - our current or future products, such as our development tools and application programming interfaces that enable developers to build, grow, and monetize applications, reduce user activity on our products by making it easier for our users to interact and share on third-party applications. From time to time, certain of these factors have negatively affected user retention, growth, and engagement to varying degrees. If we are unable to maintain or increase our user base and user engagement, particularly for our significant revenue-generating products like Facebook and Instagram, our revenue and financial results may be adversely affected. Any significant decrease in user retention, growth, or engagement could render our products less attractive to users, marketers, and developers, which is likely to have a material and adverse impact on our ability to deliver ad impressions and, accordingly, our revenue, business, financial condition, and results of operations. As the size of our active user base fluctuates in one or more markets from time to time, we will become increasingly dependent on our ability to maintain or increase levels of user engagement and monetization in order to grow revenue.

We believe that our brands have significantly contributed to the success of our business. We also believe that maintaining and enhancing our brands is critical to maintaining and expanding our base of users, marketers, and developers. Many of our new users are referred by existing users. Maintaining and enhancing our brands will depend largely on our ability to continue to provide useful, reliable, trustworthy, and innovative products, which we may not do successfully. We may introduce new products, terms of service, or policies that users do not like, which may negatively affect our brands. Additionally, the actions of our developers or advertisers may affect our brands if users do not have a positive experience using third-party applications integrated with our products or interacting with parties that advertise through our products. We will also continue to experience media, legislative, or regulatory scrutiny of our actions or decisions regarding user privacy, data use, encryption, content, product design, algorithms, advertising, competition, generative AI, superintelligence, younger users, and other issues, including actions or decisions in connection with elections or geopolitical events, which has adversely affected, and may in the future adversely affect, our reputation and brands. For example, in January 2025, we announced certain changes to our content policies and enforcement efforts to further free expression on our platform and mitigate over-enforcement of certain of our content policies. Beginning in September 2021, we became the subject of media, legislative, and regulatory scrutiny as a result of a former employee's allegations and release of internal company documents relating to, among other things, our algorithms, advertising and user metrics, and content enforcement practices, as well as misinformation and other undesirable activity on our platform, and user well-being. In addition, in March 2018, we announced developments regarding the misuse of certain data by a developer that shared such data with third parties in violation of our terms and policies. We also may fail to respond expeditiously or appropriately to the sharing of content on our services, or to practices by advertisers or developers, that are illegal, illicit, or in violation of our policies, or fail to otherwise enforce our policies, address objectionable content or practices on our services, or address other user concerns, which has occurred in the past and which could erode confidence in our brands. Our brands may also be negatively affected by the actions of users that are deemed to be hostile or inappropriate to other users, by the actions of users acting under false or inauthentic identities, by the use of our products or services to disseminate information that is deemed to be misleading (or intended to manipulate opinions), by perceived or actual efforts by governments to obtain access to user information for security-related purposes or to censor certain content on our platform, by the use of our products or services for illicit or objectionable ends, including, for example, any such actions around geopolitical events or elections in the United States and around the world, by decisions or recommendations regarding content on our platform from the independent Oversight Board, by research or media reports concerning the perceived or actual impacts of our products or services on user well-being, by our decisions regarding whether to enforce against content or suspend or disable participation on our platform by persons who violate our community standards or terms of service, or by any negative sentiment associated with our management. Maintaining and enhancing our brands will require us to make substantial investments and these investments may not be successful. Certain of our actions, such as the foregoing matter regarding developer misuse of data and concerns around our handling of political speech and advertising, hate speech, and other content, as well as user well-being issues, have eroded confidence in our brands and may continue to do so in the future. If we fail to successfully promote and maintain our brands or if we incur excessive expenses in this effort, our business and financial results may be adversely affected.