41/264 We have not historically been required to spend considerable resources to establish and maintain our brand. However, if we are unable to maintain the growth rate in the number of our Ad­Supported Users and Premium Subscribers, we may be required to expend greater resources on advertising, marketing, and other brand­building efforts to preserve and enhance consumer awareness of our brand, which would adversely affect our operating results and may not be effective. Our trademarks, trade dress, and other designations of origin are important elements of our brand. We have registered “Spotify” and other marks as trademarks in the United States and certain other jurisdictions around the world. Nevertheless, competitors or other companies may adopt marks similar to ours, or use our marks and confusingly similar terms as keywords in internet search engine advertising programs, thereby impeding our ability to build brand identity and possibly leading to confusion among our Users. We cannot assure you that our trademark applications, even for key marks, will be approved. We may face opposition from third parties to our applications to register key trademarks in foreign jurisdictions in which we have expanded or may expand our presence. If we are unsuccessful in defending against these oppositions, our trademark applications may be denied. Whether or not our trademark applications are denied, third parties may claim that our trademarks infringe upon their rights. As a result, we could be forced to pay significant settlement costs or cease the use of these trademarks and associated elements of our brand in those or other jurisdictions. Doing so could harm our brand or brand recognition and adversely affect our business, financial condition, and results of operation. Various regulations as well as self­regulation related to privacy and data security concerns pose the threat of lawsuits and other liability, require us to expend significant resources, and may harm our business, operating results, and financial condition. We collect and utilize personal and other information from and about our Users as they interact with our Service. Various laws and regulations govern the collection, use, retention, sharing, and security of the data we receive from and about our Users. Privacy groups and government bodies have increasingly scrutinized the ways in which companies link personal identities and data associated with particular users or devices with data collected through the internet, and we expect such scrutiny to continue to increase. Alleged violations of laws and regulations relating to privacy and data security, and any relevant claims, may expose us to potential liability and may require us to expend significant resources in responding to and defending such allegations and claims. Claims or allegations that we have violated laws and regulations relating to privacy and data security could in the future result in negative publicity and a loss of confidence in us by our Users and our partners. Such claims or allegations also may subject us to fines, including by data protection authorities and credit card companies, and could result in the loss of our ability to accept credit and debit card payments. Existing privacy­related laws and regulations in the United States and other countries are evolving and are subject to potentially differing interpretations, and various U.S. federal and state or other international legislative and regulatory bodies may expand or enact laws regarding privacy and data security­related matters. For example, the European Union General Data Protection Regulation (“GDPR”) will come into effect on May 25, 2018, and may require us to change our privacy and data security practices. The GDPR will implement more stringent operational requirements for processors and controllers of personal data, including, for example, requiring expanded disclosures about how personal information is to be used, limitations on retention of information, mandatory data breach notification requirements, and higher standards for data controllers to demonstrate that they have obtained valid consent or have another legal basis in place to justify their data processing activities. The GDPR provides that EU member states may make their own additional laws and regulations in relation to certain data processing activities, which could limit our ability to use and share personal data or could require localized changes to our operating model. Under the GDPR, fines of up to €20 million or up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher, may be assessed for non­compliance. These new laws also could cause our costs to increase and result in further administrative costs to providing our Service. We also are subject to evolving EU laws on data export, as we may at times transfer personal data from the EU to other jurisdictions. For example, in 2015, the Court of Justice of the European Union invalidated the U.S.­ 34