equipment; and the practice of the professions of pharmacy, medical, dental, and behavioral healthcare services, including
limitations on the corporate practice of medicine in certain states.
Health-related legislation at the federal and state level may have an adverse effect on our business or require us to modify
certain aspects of our operations. For example, in the U.S., the Drug Enforcement Administration ("DEA") and various other
regulatory authorities regulate the purchase, distribution, maintenance and dispensing of pharmaceuticals and controlled
substances. We are required to hold valid DEA and state-level licenses, meet various security and operating standards and
comply with the federal and various state controlled substance acts and related regulations governing the sale, dispensing,
disposal and holding of controlled substances. The DEA, the U.S. Food and Drug Administration and state regulatory
authorities have broad enforcement powers, including the ability to seize or recall products and impose significant criminal,
civil and administrative sanctions for violations of these laws and regulations. In addition, there has been recent heightened
governmental and public scrutiny of pharmaceutical product pricing, which has resulted in federal and state legislation and
regulations, executive orders and other initiatives and proposals designed to increase transparency in pharmaceutical product
pricing and reform government program reimbursement methodologies (for example, the Inflation Reduction Act, which
includes, among other matters, policies designed to impact drug prices and reduce drug spending by the federal government).
Other health reform efforts at the federal and state levels may also impact our business or require us to modify certain aspects of
our operations. We may not be able to predict the nature or success of reform initiatives, and the resulting uncertainties may
have an adverse effect on our business.
We are also governed by foreign, national and state laws and regulations of general applicability, including laws and regulations
related to competition and antitrust matters; protection of the environment and health and safety matters, including exposure to,
and the management and disposal of, hazardous substances; food and drug safety, including drug supply chain security
requirements; trade, consumer protection, and safety, including the availability, sale, price label accuracy, advertisement, and
promotion of products we sell and the financial services we offer (including through our digital channels, stores and clubs as
well as our ONE fintech joint venture); anti-money laundering prohibitions; consumer financial protection laws; economic,
trade, and other sanctions matters; licensure, certification, and enrollment with government programs; data privacy and security
and the sharing and interoperability of data; working conditions, health and safety, equal employment opportunity, employee
benefit and other labor and employment matters; and health and wellness related regulations for our pharmacy operations
outside of the U.S. In addition, certain financial services we offer or make available are subject to legal and regulatory
requirements, including those intended to help detect and prevent money laundering, fraud and other illicit activity as well as
consumer financial protection laws and U.S. sanctions. Increasing governmental and societal attention to ESG matters,
including expanding mandatory and voluntary reporting, diligence, and disclosure topics such as climate change, sustainability
(including with respect to our supply chain), natural resources, waste reduction, energy, human capital, and risk oversight could
expand the nature, scope, and complexity of matters that we are required to control, assess, and report.
Moreover, we are also subject to data privacy and protection laws regulating the collection, use, retention, disclosure, transfer
and processing of personal information, such as the California Consumer Privacy Act ("CCPA"), which was significantly
modified by the California Privacy Rights Act ("CPRA"), new comprehensive privacy legislation passed in Connecticut (the
Connecticut Data Protection Act), Colorado (the Colorado Privacy Act), Utah (the Utah Privacy Act) and Virginia (the
Consumer Data Protection Act), each of which goes into effect in 2023, as well as other laws and regulations such as the Illinois
Biometric Information Privacy Act, the European Union's General Data Protection Regulation ("GDPR"), the United
Kingdom's General Data Protection Regulation (which implements the GDPR into U.K. law), China's Personal Information
Protection Act, and similar legislation in Quebec (An Act to modernize legislative provisions as regards the protection of
personal information, SQ 2021, c 25). The potential effects of these laws are far-reaching, continue to evolve, and may require
us to modify our data processing practices and policies and to incur substantial costs and expenses to comply. These and other
privacy and cybersecurity laws may carry significant potential penalties for noncompliance. For example, in the case of
non-compliance with a material provision of the GDPR (such as non-adherence to the core principles of processing personal data),
regulators have the authority to levy a fine in an amount that is up to the greater of €20 million or 4% of global annual turnover
in the prior year. These administrative fines are discretionary and based, in each case, on a multi-factored approach. Residents
in jurisdictions with comprehensive privacy laws have expanded rights to access, correct and require deletion of their personal
information, opt out of certain personal information sharing and receive detailed information about how their personal
information is used. Laws such as those in California, Connecticut, Colorado, Illinois, Utah, and Virginia may allow civil
penalties for violations, and CCPA and CPRA provide a private right of action for data breaches. Furthermore, our marketing
and customer engagement activities are subject to communications privacy laws such as the Telephone Consumer Protection
Act. We may be subjected to penalties and other consequences for noncompliance, including changing some portions of our
business. Even an unsuccessful challenge by customers or regulatory authorities of our activities could result in adverse
publicity, impact our reputation and could require a costly response from and defense by us.
The impact of new laws, regulations and policies and the related interpretations, as well as changes in enforcement practices or
regulatory scrutiny as to existing laws and regulations (including, but not limited to, in the U.S., shifting enforcement priorities
for existing antitrust, competition, and pricing laws, as well as proposed new rules and regulations) generally cannot be
predicted, and changes in applicable laws, regulations and policies and the related interpretations and enforcement practices of