Udemy Inc (UDMY) Risk Analysis

We receive, transmit, store, and otherwise process personal information and other data relating to our learners, instructors, and other individuals, such as our employees. Numerous local, municipal, state, federal, and international laws and regulations address privacy, data protection, cybersecurity, and the collection, storage, use, disclosure, protection, and other processing of certain types of data. These laws, rules, and regulations evolve frequently and their scope may continually change, through new legislation, amendments to existing legislation, and changes in enforcement, and may be inconsistent from one jurisdiction to another. For example, the E.U. General Data Protection Regulation ("GDPR") has resulted and will continue to result in significantly greater compliance burdens and costs for companies like ours. The GDPR regulates our collection, control, sharing, use, disclosure, and other processing of personal data of individuals in the E.U. Actual or alleged failure to comply with the GDPR may result in fines of up to 20 million euros or up to 4% of the annual global revenue of the infringer, whichever is greater. It may also lead to civil litigation, with the risks of damages, injunctive relief, or regulatory orders adversely impacting our processing of personal data. The United Kingdom maintains a United Kingdom version of the GDPR (combining the GDPR and the United Kingdom Data Protection Act of 2018), referred to as the U.K. GDPR, which provides for fines of up to 17.5 million British pounds sterling or 4% of global turnover, whichever is greater. The relationship between the United Kingdom and the E.U. in relation to certain aspects of data protection law is subject to uncertainty. On June 28, 2021, the European Commission announced a decision of "adequacy" concluding that the United Kingdom ensures an equivalent level of data protection to the GDPR, generally permitting personal data transfers from the European Economic Area (the "EEA") to the United Kingdom. This adequacy determination must, however, be renewed after December 2025 and is subject to modification or revocation. In June 2025, the United Kingdom adopted the Data (Use and Access) Act 2025 (the "DUAA"), which amends and supplements the U.K. GDPR and is expected to become fully effective by June 2026. We cannot fully predict whether or how the DUAA will impact the European Commission's adequacy determination with the respect to the United Kingdom, nor how the United Kingdom's data protection regime may continue to develop. Changes with respect to any of these matters may lead to additional costs and increase our risk exposure. Additionally, we are or may become subject to laws, rules, and regulations regarding cross-border transfers of personal data, including transfers of personal data outside the EEA, Switzerland and the United Kingdom. Recent developments have created complexity and uncertainty regarding transfers of personal data from the EEA to the U.S. and other jurisdictions. In 2020, the Court of Justice of the European Union (the "CJEU") invalidated the E.U.-U.S. Privacy Shield Framework (the "Privacy Shield"), under which personal data could be transferred from the EEA. The CJEU also noted that standard contractual clauses (approved by the European Commission as an adequate personal data transfer mechanism) may not necessarily be relied upon in all circumstances. In addition to other mechanisms, in limited circumstances we may rely on Privacy Shield certifications of third parties (for example, vendors and partners). The European Commission and the United Kingdom's Information Commissioner's Office have published new standard contractual clauses that are required to be implemented. Following issuance of a U.S. Executive Order, a new framework, the EU-U.S. Data Privacy Framework ("EU-U.S. DPF") was created as a successor to the Privacy Shield. Following an adequacy decision issued by the European Commission on July 10, 2023, the DPF, along with a UK extension to the EU-U.S. DPF that allows the transfer of personal data from the UK to the U.S. (the "UK DPF Extension"), is available for companies as a lawful transfer mechanism for personal data transfers to the U.S. from the EEA and UK. The Swiss-U.S. Data Privacy Framework ("Swiss-U.S. DPF") also has been established to serve as a lawful transfer mechanism for personal data transfers to the U.S. from Switzerland. We have self-certified to the EU-U.S. DPF, the UK DPF Extension, and the Swiss-U.S. DPF. The EU-U.S. DPF has been the subject of legal challenge, however, and more generally, these frameworks may be subject to legal challenges from privacy advocacy groups or others. Additionally, the European Commission's adequacy decision regarding the DPF provides that the DPF will be subject to future reviews and may be subject to suspension, amendment, repeal, or limitations in scope by the European Commission. These developments regarding cross-border data transfers have created uncertainty and increased the risk around our international operations and may require us to review and amend the legal mechanisms by which we make or receive personal data transfers to the U.S. and other jurisdictions. We may, among other things, be required to implement additional contractual and technical safeguards for any personal data transferred out of the EEA, Switzerland, the United Kingdom or other regions which may increase compliance costs, lead to increased regulatory scrutiny or liability, may require additional contractual negotiations, and may adversely impact our business, financial condition and operating results. The California Consumer Protection Act ("CCPA"), which went into effect on January 1, 2020, among other things, requires covered companies to provide specified disclosures to California consumers and affords such consumers the ability to opt out of certain types of data sharing and sales. The CCPA provides for civil penalties for violations, as well as a private right of action for certain data breaches. Additionally, in November 2020, California voters passed the California Privacy Rights and Enforcement Act of 2020 (the "CPRA"). As of January 1, 2023, the CPRA expanded the CCPA with additional requirements that may impact our business and establishes a regulatory agency dedicated to enforcing the law. More than a dozen U.S. states have enacted comprehensive privacy laws similar to the CCPA and CPRA, including Virginia, Colorado, Connecticut, Utah, Iowa, Indiana, Tennessee, Montana, Texas, Oregon, Delaware, New Jersey, New Hampshire, Minnesota, Nebraska, Florida, Kentucky, Maryland, and Rhode Island, with additional states continuing to consider similar legislation. Many of these state privacy laws have taken effect or will take effect in coming years, creating a patchwork of overlapping but different state laws and reflecting a trend of increasingly stringent privacy legislation in the U.S., which could increase our potential liability and adversely affect our business, financial condition, and results of operations. Outside of Europe, many other countries, including countries where we have operations or otherwise do business, have adopted or are considering adopting data protection legislation, including, for example, regimes adopted in Australia, India, and Mexico. Many of these data protection regimes are based upon principles underlying the GDPR or its predecessor, the E.U. Data Protection Directive, and provide for substantial obligations and penalties for non-compliance. In addition, the Personal Information Protection Law (the "PIPL"), went into effect in the People's Republic of China (the "PRC") on November 1, 2021. The PIPL shares similarities with the GDPR, including extraterritorial application, data minimization, data localization, and purpose limitation requirements, and obligations to provide certain notices and rights to PRC citizens. The PIPL allows for fines of up to 50 million renminbi or 5% of a covered company's revenue in the prior year. Aspects of the interpretation and enforcement of the CCPA, as amended by the CPRA, and other evolving federal, state, and foreign laws and regulations relating to privacy and the collection, storing, sharing, use, disclosure, protection, and other processing of certain types of data are subject to varying enforcement and new and changing interpretations by courts, and may impose different or inconsistent obligations. These laws or regulations, particularly any new or modified laws or regulations, or changes to the interpretation or enforcement of laws or regulations, that require enhanced protection of certain data or new obligations, could greatly increase the cost of providing our platform, require significant changes to our data processing practices and other aspects of our operations, or prevent us from providing our platform in jurisdictions in which we currently operate and in which we may operate in the future. Additionally, we have incurred, and may continue to incur, significant expenses in efforts to comply with privacy, data protection, and cybersecurity standards and protocols imposed by law, regulation, industry standards, or contractual obligations. We may be subject to investigation or enforcement actions by regulators if our statements, policies or practices relating to privacy, data protection, or cybersecurity are alleged to be deficient, lacking transparency, deceptive, unfair, or misrepresentative. We are also bound by contractual obligations related to our collection, use, disclosure, protection, and other processing of personal data and other types of data. Our efforts to comply with such obligations may not be successful or may have other negative consequences. With laws, regulations, and other actual and asserted obligations relating to privacy, data protection, and cybersecurity imposing new and relatively burdensome obligations and with uncertainty over their interpretation and application, we may face challenges in addressing their requirements and making necessary changes to our policies and practices and may incur significant costs and expenses in efforts to do so. Despite our efforts, our interpretations of the law or our practices, policies, or platform or other services or offerings could be inconsistent with, or fail or be alleged to fail to meet all requirements of, such laws, regulations, or obligations. Any actual or perceived failure, or consequences associated with our efforts, to comply with applicable laws or regulations or any other obligations relating to privacy, data protection, cybersecurity, or data processing, or any compromise of security that results in unauthorized access to, or use or release of data relating to learners, instructors, or other individuals could damage our reputation, discourage new and existing learners, instructors, and UB customers from using our platform, and could result in investigations, or other proceedings by governmental agencies, private claims and litigation, and fines, penalties, and other liabilities, any of which could adversely affect our business, financial condition and operating results. Even if not subject to legal challenge, concerns relating to privacy, data protection, or cybersecurity, whether or not valid, may harm our reputation and brand adversely affect our business, financial condition, and operating results.

We operate in a highly competitive environment, as the market for online learning is relatively new, fragmented, and rapidly evolving, with limited barriers to entry. We compete for learners, enterprise customers, and instructors: - Learners: We compete for learners based on our course catalog, instructors, and learning tools. - UB customers: We compete for customers based on our up-to-date content, the breadth and depth of that content across the full range of core business functions, and advanced product features that optimize self-paced learning and enable organizations to effectively drive programmatic learning. - Instructors: We compete for instructors based on our ability to promote monetization opportunities. Our competition includes corporate training offerings, direct-to-consumer training offerings, specialized content training offerings, and free online resources used to gather and share knowledge and skills. We expect our existing competitors and new entrants to the online learning market to continually evolve and improve their business models. If these or other market participants introduce new or improved delivery of online education and technology-enabled services that are more compelling or widely accepted than ours, our ability to grow our revenue and achieve profitability could suffer. The emergence of enhanced generative AI capabilities could provide competitors with an advantage. Several new and existing companies in the online education industry provide or may provide offerings similar to what we offer on our platform, and, despite any exclusivity arrangements we have with our instructors, these companies may nonetheless pursue relationships with our instructors that may reduce, or stop altogether, the content our instructors produce for our platform. In addition, enterprise customers may choose to continue using or develop their own online learning or training solutions in-house rather than pay for our platform. We believe that our ability to successfully compete depends on a range of factors, both within and beyond our control, including: - the availability or development of alternative online learning platforms that are more compelling to learners, instructors, or organizations than ours;- changes in pricing policies and terms offered by our competitors or by us, including the 2024 change to our instructor revenue sharing model;- the ability to adapt to or compete with new technologies and changes in requirements of our learners, instructors, and UB customers;- the ability to adapt to disruptive innovation that may significantly alter or transform the competitive landscape, such as natural language processing, AI and machine learning;- costs associated with acquiring and retaining learners, instructors, and UB customers;- the ability of our current and future competitors to establish relationships with customers;- industry consolidation and the number and rate of new entrants;- difficulties with software development that could delay or prevent the development, introduction or implementation of platform modifications and enhancements; and - costs associated with improving and maintaining our platform. Current and potential competitors (including any new entrants into the market) may enjoy substantial competitive advantages over us, such as greater name recognition, longer operating histories, market- or industry-specific knowledge, more successful marketing capabilities, more successful adaptation to or integration of emerging technologies such as AI, and substantially greater financial, technical, and other resources than we have. Our current or new competitors may adopt certain aspects of our business model, which could reduce our ability to differentiate our services. Furthermore, online educational content is not typically marketed exclusively through any single channel and, accordingly, our competitors could aggregate a set of online learning courses similar to ours. Competition may intensify as our competitors raise additional capital or as new participants, including established companies, enter the markets in which we compete. Our ability to grow our business and achieve profitability could be impaired if we cannot compete successfully.

We believe that maintaining and enhancing our reputation and brand recognition is critical to our ability to attract and retain learners, instructors, and UB customers, as well as commercial and strategic partners, and that the importance of our reputation and brand recognition will continue to increase as competition in the markets in which we operate continues to develop. Our success in this arena will depend on a range of factors, both within and beyond our control. Factors affecting our reputation and brand recognition that are within our control include our ability to: - market our platform effectively and efficiently;- maintain a useful, innovative, and reliable platform;- maintain a high satisfaction among learners, instructors, and UB customers;- provide a high quality and perceived value for our platform;- successfully differentiate our platform from competing offerings;- maintain a consistently high level of customer service; and - prevent any actual or perceived data security breach or incident or data loss, or misuse or perceived misuse of our platform. Additionally, our reputation and brand recognition may be affected by factors that are beyond our control, such as: - the actions of competitors or other third parties;- the quality and quantity of, as well as the nature and subject matter of, content available from instructors on our platform;- positive or negative publicity, including with respect to events or activities attributed to us, our employees, instructors, or our commercial partners;- interruptions, delays, or attacks on our platform; and - litigation or legal developments. Damage to our reputation and brand, from the factors listed above or otherwise, may reduce demand for our platform and have an adverse effect on our business, operating results and financial condition. Moreover, any attempts to rehabilitate our reputation and brand recognition may be costly and time-consuming, and there can be no assurance that any such efforts will ultimately be successful.

Our platform involves the processing of significant amounts of data relating to learners, instructors, and UB customers interacting with our platform, including personal data and personal information. Additionally, we collect and store certain sensitive and proprietary information, and personal information, in the operation of our business, including trade secrets, intellectual property, employee data, and other confidential data. We engage third-party service providers to store and otherwise process certain data, including sensitive and personal information. Our service providers have been, and in the future may be, the targets of cyberattacks, malicious software, phishing schemes, fraud, intentional and unintentional insider threats, and other risks to the confidentiality, security, integrity, and availability of their systems and the data they process for us. Our ability to monitor our service providers' cybersecurity is limited, and third parties may be able to circumvent those security measures, resulting in the unauthorized access to, misuse, disclosure, loss, unavailability, destruction or other processing of data they process for us, including sensitive and personal information. There have been and may continue to be significant supply chain attacks, and we cannot guarantee that our or our third-party providers' systems and networks have not been breached or that they do not contain exploitable defects or bugs that could result in a breach of or disruption to our systems and networks or the systems and networks of third parties that support us and our services. While we have taken measures to protect our own proprietary and confidential information, as well as the personal data and confidential information that we otherwise process, and measures to protect our platform, we, our third-party service providers, other third parties on which we rely, and the networks and systems used in our business, including those of third-party service providers, have been subject to, and we, our service providers and our platform may in the future be subject to, cybersecurity attacks or other security breaches or incidents. Cybersecurity attacks may take the form of denial of service attacks, attacks using ransomware or other malware, or other attacks, and can come from insider threats as well as individual hackers, criminal groups, and state-sponsored organizations. These sources have used AI and machine learning to launch more automated, targeted and sophisticated attacks against targets. They can also implement social engineering techniques to induce our employees, contractors, or customers to disclose passwords or other sensitive information or take other actions to gain access to data, and these social engineering attacks have become more sophisticated as attackers leverage AI and "deepfake" technologies to craft increasingly convincing fraudulent communications and scenarios. Additionally, we and many other companies with whom we interact increasingly rely on automated systems and processes, which creates and heightens certain security threats. Further, we and our platform otherwise may be subject to security breaches and incidents resulting from employee or contractor error or malfeasance, including as a result of intentional or accidental misuse of authorized access to our systems. These and other threats may be heightened by geopolitical tensions and conflicts. We also may be more susceptible to cyberattacks and other security breaches and other security incidents while many of our employees work remotely, because we have less ability to implement, monitor, and enforce our information security and data protection policies. More generally, we cannot guarantee that applicable recovery systems, security and data encryption protocols, network protection mechanisms, and other procedures of ourselves or our third-party service providers, or other third parties on which we rely, are or will be adequate to prevent network and service interruption, system failure or loss, corruption, or unauthorized access to, or disclosure, acquisition, unavailability, destruction, or other processing of, data, including personal data and other sensitive information that we or they process or maintain. Moreover, our platform could be breached or disrupted if vulnerabilities in our platform are exploited by unauthorized third parties. Techniques used to obtain unauthorized access change frequently and the volumes of cybersecurity attacks and of security breaches and incidents generally are increasing. We and our third-party service providers, and other third parties on which we rely, may be unable to implement adequate preventative measures or stop any attacks while they are occurring. A cybersecurity attack or security breach or incident could delay, disrupt or interrupt our platform and services and may deter learners, instructors, or organizations from using our platform, and we and our service providers may face difficulties or delays in identifying, remediating, and otherwise responding to any cybersecurity attack or other security breach or incident. In addition, any actual or perceived cybersecurity attack or security breach or incident could damage our reputation and brand, expose us to a risk of claims, litigation, regulatory investigations or other proceedings and possible fines, penalties, or other liability and require us to expend significant capital and other resources. We incur significant costs in an effort to detect and prevent security breaches and other security-related incidents, including costs associated with training our employees to identify and avoid potential security risks, and we expect our costs will increase as we make improvements to our systems and processes to prevent future breaches and incidents. Some jurisdictions have enacted laws requiring companies to notify individuals of data security breaches involving certain types of personal data. Any disclosures relating to an actual or perceived cybersecurity attack or other security breach or incident suffered by us or any of our third-party service providers, or other third parties on which we rely, could lead to negative publicity and any such disclosures, or any belief that a cybersecurity attack, or a security breach or incident, has impacted us, our platform, or our service providers, or other third parties on which we rely, may cause our learners, instructors, or UB customers to lose confidence in the security of our platform and the effectiveness of the cybersecurity measures we and our service providers utilize. Further, any limitations of liability provisions in our customer and user agreements, contracts with third-party service providers, or other contracts may not be enforceable or adequate or otherwise protect us from any liabilities or damages with respect to any particular claim relating to a security breach or incident or other security-related matter. While our insurance policies include liability coverage for certain of these matters, subject to applicable deductibles, any cybersecurity attack or other security breach or other incident, could subject us to claims or damages that exceed our insurance coverage. Our insurance coverage might not be adequate for liabilities actually incurred relating to any security breach or incident, such insurance may not continue to be available to us in the future on economically reasonable terms, or at all, and insurers may deny us coverage as to any future claim. The successful assertion of one or more large claims against us that exceed available insurance coverage, or the occurrence of changes in our insurance policies, including premium increases or the imposition of large deductible or co-insurance requirements, could have a material adverse effect on our business, including our financial condition, operating results, and reputation.

Amazon Web Services provides distributed computing infrastructure platforms for business operations, commonly referred to as "cloud" computing services. We currently run a significant portion of our platform's computing on Amazon Web Services, and any significant disruption of, or interference with, our use of Amazon Web Services would negatively impact our operations and our business would be seriously harmed. If learners or instructors are unable to access our platform through Amazon Web Services or encounter difficulties in doing so, we may lose learners, instructors, and UB customers. The level of service provided by Amazon Web Services may also impact the adoption and perception of our platform. If Amazon Web Services experiences interruptions in service regularly or for a prolonged basis, or other similar issues, our business would be seriously harmed. Hosting costs will also increase if and as our base of learners, instructors, and UB customers grows, and our business, financial condition, and results of operations may be adversely affected if we are unable to grow our revenue faster than the cost of using Amazon Web Services or similar providers increases. Amazon Web Services may take actions beyond our control that could seriously harm our business, including discontinuing or limiting access to Amazon Web Services, increasing pricing terms, terminating our contract, establishing more favorable terms with one or more of our competitors, and modifying or interpreting its terms of service or other policies in a manner that impacts our ability to administer our business and operations.

Beginning in 2023, we became self-insured for certain medical benefits, up to certain stop-loss limits. We accrue these costs based on known claims and estimates of incurred but not reported claims. Our actual liabilities may exceed our estimates of losses. We may also experience an unexpectedly large number of claims that result in costs or liabilities in excess of our projections, which could cause us to record additional expenses.

Managing a global organization requires significant resources and management attention. We currently maintain operations outside of the United States, including in Ireland, Turkey, India, Australia, and Mexico, and we plan to expand our international operations in the future. We generated 60% of our total revenue outside of North America during both the three months ended June 30, 2025 and 2024, and 61% of our total revenue outside of North America during both the six months ended June 30, 2025 and 2024. Based on our instructor registration records, we estimate that a majority of our instructors are located outside the United States. Any further international expansion efforts that we may undertake may not be as successful as we expect or at all. Additionally, conducting international operations subjects us to risks that we have not generally faced in the United States. These risks include: - the cost and resources required to localize our services, which requires the translation of our websites into foreign languages and adaptation for local practices and regulatory requirements;- competition with local market participants who understand the local market better than we do or who have pre-existing relationships with our potential learners and UB customers in those markets;- greater reliance on third-party resellers and other commercial partners for the distribution and marketing of our offerings;- legal uncertainty regarding the operations of our platform and our liability for the content and services provided by our instructors, including as a result of evolving local laws or a lack of clear precedent of applicable law;- the burdens of complying with a wide variety of foreign laws and legal standards;- lack of familiarity with and unexpected changes in foreign regulatory requirements;- adapting to variations in methods of payment from learners and UB customers;- difficulties in managing and staffing international operations;- fluctuations in currency exchange rates;- risks associated with foreign tax regimes, trade tariffs, foreign investment restrictions or requirements, or similar issues, which could negatively impact international adoption of our offerings;- potentially adverse tax consequences, including the complexities of foreign value added tax systems, digital services tax and restrictions on the repatriation of earnings;- increased financial accounting, reporting, and other regulatory burdens and complexities, as well as difficulties in implementing and maintaining adequate internal controls over the same;- political, social, and economic instability abroad, wars and other armed conflicts, terrorist attacks, and security concerns in general, including Russia's invasion of Ukraine and the ongoing conflicts in the Middle East;- reduced or varied protection for intellectual property rights in some countries; and - higher telecommunications and internet service provider costs. Operating in international markets also requires significant management attention and financial resources. The investment and additional resources required to establish operations and manage growth in other countries may not produce desired levels of revenue or profitability. Our strategic and other relationships with partners overseas may also subject us to additional regulatory scrutiny in the United States and other jurisdictions. Operating in international markets could also increase our business exposure to the effects of trade and economic sanctions regulations. See "-We are subject to governmental export and import controls and regulations that could impair our ability to compete in international markets and subject us to liability if we are not in full compliance with applicable laws." Further, as we continue to expand internationally, we could also become subject to increased difficulties in collecting accounts receivable (including as a result of international sanctions or other trade restrictions affecting the geographies in which we or our learners or customers are present), repatriating money without adverse tax consequences, and risks relating to foreign currency exchange rate fluctuations. We have not engaged in currency hedging activities to limit risk of exchange rate fluctuations, and while we may decide to do so in the future, the availability and effectiveness of these hedging transactions may be limited. Changes in exchange rates affect our costs and earnings, and may also affect the book value of our assets located outside the United States and the amount of our stockholders' equity.

Our business and operations could be materially and adversely affected by catastrophic events, such as earthquakes, floods, fires, telecommunications failures, power losses, break-ins, acts of terrorism, wars and other armed conflicts, political or geopolitical crises, inclement weather and public health emergencies. In particular, our corporate headquarters are located in San Francisco, California, an earthquake-sensitive area and one that has been increasingly vulnerable to wildfires, and damage to or total destruction of our executive offices resulting from earthquakes may not be covered in whole or in part by any insurance we may have. If catastrophic events were to cause damage to our properties or interrupt our operations, our results of operations would suffer. Global climate change may result in natural disasters, such as drought, wildfires, severe storms, flooding, and heat waves, occurring more frequently or with greater intensity. We may not be able to effectively adapt our operations to avoid disruptions arising from the occurrence of such events, and our business could be affected adversely as a result.

We conduct our business across more than 180 countries around the world. As we continue to expand our international operations, we will become more exposed to the effects of fluctuations in currency exchange rates. This exposure is the result of selling in multiple currencies and operating in foreign countries where the functional currency is the local currency. During the six months ended June 30, 2025, 27% of our sales were denominated in currencies other than U.S. dollars, including euros, Indian rupees, British pounds sterling, Brazilian reais, and Japanese yen. Similarly, we incur expenses in multiple currencies. As a result, fluctuations in the value of the U.S. dollar against these foreign currencies may result in negative impacts to our revenue, costs and profit margins. Because we conduct business in currencies other than U.S. dollars, but report our results of operations in U.S. dollars, we also face remeasurement exposure to fluctuations in currency exchange rates, which could hinder our ability to predict our future results and earnings and could materially impact our results of operations. We do not currently maintain a program to hedge exposures to non-U.S. dollar currencies.