Table of Contents
identifying, measuring and reporting ESG metrics, including ESG-related disclosures that may be required of public companies by the SEC and other
regulators, and such standards may change over time, which could result in significant revisions to our current goals, reported progress in achieving such goals,
or ability to achieve such goals in the future. For example, the proliferation of climate and other ESG disclosure requirements at the local, national and
international levels have required and may continue to require significant effort and resources and could result in changes to our current ESG goals in order to
comply with differing requirements.
If our ESG practices do not meet evolving investor or other stakeholder expectations and standards, then our reputation, our ability to attract or retain
employees, and our attractiveness as an investment, business partner, acquiror or service provider could be negatively impacted. Further, our failure or
perceived failure to pursue or fulfill our goals and objectives or to satisfy various reporting standards on a timely basis, or at all, could have similar negative
impacts or expose us to government enforcement actions and private litigation.
Legal and Regulatory Risks
Privacy concerns and laws as well as evolving regulation of cloud computing, AI services, cross-border data transfer restrictions and other domestic
or foreign regulations may limit the use and adoption of our services and adversely affect our business.
Regulation related to the provision of services over the Internet is evolving, as federal, state and foreign governments continue to adopt new, or modify
existing, laws and regulations addressing data privacy, cybersecurity, data protection, data sovereignty and the collection, processing, storage, hosting, transfer
and use of data, generally. In some cases, data privacy laws and regulations, such as the EU’s General Data Protection Regulation (“GDPR”), impose
obligations directly on Salesforce as both a data controller and a data processor, as well as on many of our customers. In addition, domestic data privacy laws,
such as the California Consumer Privacy Act (“CCPA”) as amended by the California Privacy Rights Act (“CPRA”), and laws that have recently passed and/or
gone into effect in many other states similarly impose new obligations on us and many of our customers, potentially as both a covered business and service
provider. These laws continue to evolve, including most recently with India’s Digital Personal Data Protection Act 2023, and as various jurisdictions introduce
similar proposals, which often include subsequent rules and regulation, we and our customers become subject to additional regulatory burdens. New EU laws
related to the use of data, including in the DSA, the Data Act and AI Act, may impose additional rules and restrictions on the use of the data in our products and
services.
In addition, various safe harbors have historically been provided to those who hosted content provided by others, such as safe harbors from monetary
damages for copyright infringement arising from copyrighted content provided by customers and others and for defamation and other torts arising from
information provided by customers and others. There is an increasing demand for repealing or limiting these safe harbors by either judicial decision or
legislation, and we have active legal proceedings that have been impacted by the repeal or limiting of safe harbors that were previously available to us. Loss of
these safe harbors may require altering or limiting some of our services or may require additional contractual terms to avoid liabilities for our customers’
misconduct.
Although we monitor the regulatory, judicial and legislative environment and have invested in addressing these developments, these laws may require us
to make additional changes to our practices and services to enable us or our customers to meet the new legal requirements, and may also increase our potential
liability exposure through new or higher potential penalties for noncompliance, including as a result of penalties, fines and lawsuits related to data breaches.
Furthermore, privacy laws and regulations are subject to differing interpretations and may be inconsistent among jurisdictions. These and other requirements
are causing increased scrutiny among customers, particularly in the public sector and highly regulated industries, and may be perceived differently from
customer to customer. These developments could reduce demand for our services, require us to take on more onerous obligations in our contracts, restrict our
ability to store, transfer and process data or, in some cases, impact our ability or our customers' ability to offer our services in certain locations, to deploy our
solutions, to reach current and prospective customers, or to derive insights from customer data globally. For example, on July 16, 2020, the Court of Justice of
the European Union (“CJEU”) invalidated the EU-U.S. Privacy Shield Framework, one of the mechanisms that allowed companies, including Salesforce, to
transfer personal data from the European Economic Area (“EEA”) to the United States. Even though the CJEU decision upheld the Standard Contractual
Clauses (“SCCs”) as an adequate transfer mechanism, the decision created uncertainty around the validity of all EU-to-U.S. data transfers. While the EU and
U.S. governments have since adopted the EU-U.S. Data Privacy Framework to foster EU-to-U.S. data transfers and address the concerns raised in the
aforementioned CJEU decision, it is uncertain whether this framework will be overturned in court like the previous two EU-U.S. bilateral cross-border transfer
frameworks. As a result, regulators may continue to be inclined to interpret the CJEU’s decision, and the logic behind it, as significantly restricting certain
cross-border transfers and the cost and complexity of providing our services in certain markets may increase. Certain countries outside of the EEA have also
passed or are considering passing laws requiring varying degrees of local data residency. By way of further example, statutory damages available through a
private right of action for certain data breaches under the CPRA and potentially other states’ laws, may increase our and our customers’ potential liability and
the demands our customers place on us.
57