--- ticker: ABNB company: ABNB filing_type: 10-K year_current: 2024 year_prior: 2023 risks_added: 2 risks_removed: 8 risks_modified: 10 risks_unchanged: 57 source: SEC EDGAR url: https://riskdiff.com/abnb/2024-vs-2023/ markdown_url: https://riskdiff.com/abnb/2024-vs-2023/index.md generated: 2026-06-01 --- # ABNB: 10-K Risk Factor Changes 2024 vs 2023 > Source: U.S. Securities and Exchange Commission (EDGAR) > Generated: 2026-06-01 > All data extracted directly from official filings. No hallucinated content. ## Summary | Status | Count | |--------|-------| | New risks added | 2 | | Risks removed | 8 | | Risks modified | 10 | | Unchanged | 57 | --- ## New in Current Filing: Our use of AI, machine learning, and automated decision making gives rise to legal, business, and operational risks. Legal, regulatory, social and ethical issues relating to the use of AI and machine learning technologies in our offerings and business may result in reputational harm and liability. The rapid evolution of AI and machine learning will require the application of resources to develop, test, and maintain our offerings to help ensure that AI and machine learning are implemented responsibly in order to minimize unintended or harmful impacts. Uncertainty around new and emerging AI applications may require additional investment in the development of proprietary datasets, machine learning models, and systems to test for accuracy, bias, and other variables, which are often complex, may be costly, and could impact our profit margin as we expand the use of AI technologies in our offerings. Developing, testing, and deploying AI technologies may also increase our costs due to the associated computing costs. There are significant risks involved in developing, maintaining, and deploying these technologies and there can be no assurance that the usage of such technologies will always enhance our products or services or be beneficial to our business, including our efficiency or profitability. In particular, AI or automated decision making technologies may be incorrectly designed or implemented; may be trained or reliant on incomplete, inadequate, inaccurate, biased, or otherwise poor quality data or on data to which the developer does not have sufficient rights; and/or may be adversely impacted by unforeseen defects, technical challenges, cyber security threats, or material performance issues. Our ability to continue to develop or use such technologies may be dependent on access to technology offered by vendors and specific third-party software and infrastructure, such as processing hardware or third-party AI models, and we cannot control the quality of vendor offerings or the availability or pricing of such third-party software and infrastructure, especially in a highly competitive environment. We face competition from other companies in our industry who use similar machine learning technologies to us. Failure to offer or deploy new AI technologies as effectively as our competitors could adversely affect our business. 18 18 18 Table of Contents Table of Contents In addition, market acceptance and consumer perceptions of AI and machine learning technologies are uncertain. AI technologies, including generative AI, may create content or information that appears correct but is factually inaccurate or flawed. Our Hosts, guests or others may rely on or use this flawed content or information to their detriment, which may expose us to brand or reputational harm, competitive harm, consumer complaints, legal liability, and other adverse consequences, any of which could materially adversely affect our business, results of operations, and financial condition. The use of AI technologies presents emerging ethical and social issues, and if we enable or offer solutions that draw scrutiny or controversy due to their perceived or actual impact on our customers or on society as a whole, we may experience brand or reputational harm, competitive harm, consumer complaints, legal liability, and other adverse consequences, any of which could materially adversely affect our business, results of operations, and financial condition. Our business also increasingly relies on machine learning, AI, and automated decision making to improve our services and tailor our interactions with our Hosts and guests. However, in recent years the use of personal data to train, or otherwise in connection with machine learning, AI and automated decision making, has come under increased regulatory scrutiny, and governments and regulators in the United States, European Union, and other places have announced the need for greater regulation regarding the use of machine learning and AI generally. New laws, guidance, and decisions in this area may limit our ability to use our machine learning and AI, or require us to make changes to our platform or operations that may decrease our operational efficiency, result in an increase to operating costs and/or hinder our ability to improve our services. For example, certain global privacy laws regulate the use of automated decision making and may require that the existence of automated decision making be disclosed to the data subject with a meaningful explanation of the logic used in such decision making in certain circumstances, and that safeguards must be implemented to safeguard individual rights, including the right to obtain human intervention and to contest any decision. Other global privacy laws allow individuals the right to opt out of certain automated processing of personal data and create other requirements that impact automated decision-making. At the federal level, the president of the United States recently issued an Executive Order on the Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence, which charges multiple agencies, including The National Institute of Standards and Technology, with producing guidelines in connection with the development and use of AI. In the European Union, there is now political agreement on the EU Artificial Intelligence Act ("EU AI Act"), which establishes a comprehensive, risk-based governance framework for AI in the EU market. The EU AI Act is expected to enter into force in 2024, and the majority of the substantive requirements will apply two years later. The EU AI Act will apply to companies that develop, use and/or provide AI in the European Union and includes requirements around transparency, conformity assessments and monitoring, risk assessments, human oversight, security, accuracy, general purpose AI and foundation models, and proposes fines for breach of up to 7% of worldwide annual turnover (revenue). Additionally, in September 2022, the European Commission proposed two Directives seeking to establish a harmonized civil liability regime for AI in the European Union, in order to facilitate civil claims in respect of harm caused by AI and to include AI-enabled products within the scope of the European Union's existing strict liability regime. Once fully applicable, the EU AI Act will have a material impact on the way AI is regulated in the European Union, and together with developing guidance and/or decisions in this area, may affect our use of AI and our ability to provide, improve, or commercialize our services, and could require additional compliance measures and changes to our operations and processes. Moreover, the intellectual property ownership and license rights, including copyright, surrounding AI technologies has not been fully addressed by courts or laws or regulations, and the use or adoption of AI technologies into our offerings may result in exposure to claims of copyright infringement or other intellectual property misappropriation. As the legal and regulatory framework for AI and automated decision making evolves, we may not always be able to anticipate how to respond to these laws or regulations, and compliance may adversely impact our operations and involve significant expenditure and resources. Any failure by us to comply may result in significant liability, potential increases in civil claims against us, negative publicity, an erosion of trust, and/or increased regulation and could materially adversely affect our business, results of operations, and financial condition. --- ## New in Current Filing: Our share price has been, and may continue to be, volatile, and the value of our Class A common stock may decline. The market price of our Class A common stock has been, and may continue to be, volatile and could be subject to wide fluctuations in response to the risk factors described in this Annual Report on Form 10-K, and others beyond our control, including: •actual or anticipated fluctuations in our revenue or other operating metrics; •our actual or anticipated operating performance and the operating performance of our competitors; •changes in the financial projections we provide to the public or our failure to meet these projections; 42 42 42 Table of Contents Table of Contents •failure of securities analysts to initiate or maintain coverage of us, changes in financial estimates by any securities analysts who follow our Company, or our failure to meet the estimates or the expectations of investors; •any major change in our board of directors, management, or key personnel; •the economy as a whole and market conditions in our industry; •rumors and market speculation involving us or other companies in our industry; •announcements by us or our competitors of significant innovations, new products, services, features, integrations, or capabilities, acquisitions, strategic investments, partnerships, joint ventures, or capital commitments; •the legal and regulatory landscape and changes in the application of existing laws or adoption of new laws that impact our business, Hosts, and/or guests, including changes in short-term occupancy and tax laws; •legal and regulatory claims, litigation, or pre-litigation disputes and other proceedings; •the impact of pandemics, epidemics, or other health emergencies on the travel and accommodations industries; •other events or factors, including those resulting from war, incidents of terrorism, or responses to these events; and •sales or expected sales of our Class A common stock by us, our officers, directors, principal stockholders, and employees. In addition, stock markets, and the trading of travel companies' and technology companies' stocks in particular, have experienced significant price and volume fluctuations that have affected and continue to affect the market prices of equity securities of many companies. Stock prices of many companies, including travel companies and technology companies, have fluctuated in a manner often unrelated to the operating performance of those companies. In the past, stockholders have instituted securities class action litigation following periods of stock volatility. If we were to become involved in securities litigation, it could subject us to substantial costs, divert resources and the attention of management from our business, and materially adversely affect our business, results of operations, and financial condition. --- ## No Match in Current: The COVID-19 pandemic has materially adversely impacted, and may continue to adversely impact, our business, results of operations, and financial condition. *This section from the 2023 filing does not have a high-confidence textual match in 2024. It may have been removed, merged, or substantially reworded.* Since early 2020, the world has been and continues to be impacted by COVID-19 and its variants. Government regulations in response to the pandemic and changes in social behaviors have closed or limited certain government functions, businesses, or have otherwise limited social or public gatherings. Such mitigation measures that have impacted our business include travel restrictions or quarantine and shelter-in-place orders. These responses, which continue to shift as variants or outbreaks of COVID-19 continue to develop, have had and may continue to have a material adverse impact on our business and operations and on travel behavior and demand. Global economic conditions and consumer trends have shifted since early 2020 in response to the COVID-19 pandemic, and continue to persist and may have a long-lasting adverse impact on us and the travel industry independently of the progress of the pandemic. The extent of the continued impact of the COVID-19 pandemic or any future pandemic or epidemic on our business and financial results will depend largely on future developments globally and within the United States, the prevalence of local, national, and international travel restrictions (including new or reinstated restrictions as a result of COVID-19 variants or other highly infectious diseases), vaccination requirements in connection with travel, and impacts and fluctuations in demand for travel, including air travel or gas prices. To the extent the COVID-19 pandemic continues to impact our business, results of operations, and financial condition, it may also have the effect of heightening many of the other risks described in these "Risk Factors" or elsewhere in this Annual Report on Form 10-K. Any of the foregoing factors, or other cascading effects of the COVID-19 pandemic or any future pandemic or epidemic and changes in macroeconomic conditions that are not currently foreseeable, may materially adversely impact our business, results of operations, and financial condition. --- ## No Match in Current: We have previously incurred net losses and our Adjusted EBITDA and Free Cash Flow have declined in prior periods. We may once again incur net losses and see a decline in Adjusted EBITDA and Free Cash Flow and we may not be able to sustain profitability. *This section from the 2023 filing does not have a high-confidence textual match in 2024. It may have been removed, merged, or substantially reworded.* Although we had net income of $1.9 billion for the year ended December 31, 2022, we incurred net losses of $4.6 billion and $352.0 million for the years ended December 31, 2020 and 2021, respectively. As of December 31, 2022, we had an accumulated deficit of $6.0 billion. Any failure to increase our revenue or any failure to manage an increase in our operating expenses could prevent us from sustaining profitability as measured by net income, operating income, or Adjusted EBITDA. Additionally, stock-based compensation expense related to restricted stock units ("RSUs") and other equity awards will continue to be a significant expense in future periods. In addition, in the first quarter of 2022, we began using corporate cash to make required tax payments associated with the vesting of employee RSUs and withhold a corresponding number of shares from employees. We anticipate that we will spend substantial funds to satisfy tax withholding and remittance obligations when we settle employee RSUs. Although we had positive Adjusted EBITDA of $1.6 billion and $2.9 billion for the years ended December 31, 2021 and 2022, respectively, we had negative Adjusted EBITDA of $(251.0) million for the year ended December 31, 2020. Our Free Cash Flow was $(777.9) million, $2.3 billion, and $3.4 billion for the years ended December 31, 2020, 2021 and 2022, respectively. While our Adjusted EBITDA and Free Cash Flow increased in 2021 and 2022, we may experience declines in Adjusted EBITDA and Free Cash Flow in the future. Adverse developments in our 10 10 10 Table of Contents Table of Contents business, including lower than anticipated revenue, higher than anticipated operating expenses, impacts of the ongoing COVID-19 pandemic and net unfavorable changes in working capital, could result in a negative trend in our Adjusted EBITDA and Free Cash Flow. If our future Adjusted EBITDA or Free Cash Flow fail to meet investor or analyst expectations, it is likely to have a materially adverse effect on our stock price. Adjusted EBITDA and Free Cash Flow are supplemental metrics that are not calculated and presented in accordance with generally accepted accounting principles in the United States of America ("U.S. GAAP" or "GAAP"). See the section titled "Management's Discussion and Analysis of Financial Condition and Results of Operations - Key Business Metrics and Non-GAAP Financial Measures" for a reconciliation of Adjusted EBITDA and Free Cash Flow to the most directly comparable financial measure stated in accordance with GAAP and for additional information. --- ## No Match in Current: The business and industry in which we participate are highly competitive, and we may be unable to compete successfully with our current or future competitors. *This section from the 2023 filing does not have a high-confidence textual match in 2024. It may have been removed, merged, or substantially reworded.* We operate in a highly competitive environment and we face significant competition in attracting Hosts and guests. •Hosts. We compete to attract, engage, and retain Hosts on our platform to list their spaces and experiences. Hosts have a range of options for listing their spaces and experiences, both online and offline. It is also common for Hosts to cross-list their offerings. We compete for Hosts based on many factors, including the volume of bookings generated by our guests; ease of use of our platform (including onboarding, community support, and payments); the service fees we charge; Host protections, such as our Host Liability Insurance, Experiences Liability Insurance, and Host Damage Protection program; and our brand. •Guests. We compete to attract, engage, and retain guests on our platform. Guests have a range of options to find and book spaces, hotel rooms, serviced apartments, and other accommodations and experiences, both online and offline. We compete for guests based on many factors, including unique inventory and availability of listings, the value and all-in cost of our offerings relative to other options, our brand, ease of use of our platform, the relevance and personalization of search results, the trust and safety of our platform, and community support. We believe that our competitors include: •OTAs such as Booking Holdings (including the brands Booking.com, KAYAK, Priceline.com, and Agoda.com); Expedia Group (including the brands Expedia, Vrbo, HomeAway, Hotels.com, Orbitz, and Travelocity); Trip.com Group (including the brands Ctrip.com, Trip.com, Qunar, Tongcheng-eLong, and SkyScanner); Hopper; Meituan Dianping; Fliggy (a subsidiary of Alibaba); Despegar; MakeMyTrip; and other regional OTAs; •Internet search engines, such as Google, including its travel search products; Baidu; and other regional search engines; •Listing and meta search websites, such as TripAdvisor, Trivago, Mafengwo, AllTheRooms.com, Hometogo, Holidu, and Craigslist; •Hotel chains, such as Marriott, Hilton, Accor, Wyndham, InterContinental, OYO, and Huazhu, as well as boutique hotel chains and independent hotels; •Property management companies, such as Vacasa, Sonder, Inspirato, Evolve, Awaze, and other regional property management companies; and •Online platforms offering experiences, such as Viator, GetYourGuide, Klook, Traveloka, TUI Musement, and KKDay. Our competitors are adopting aspects of our business model, which could affect our ability to differentiate our offerings from competitors. Increased competition could result in reduced demand for our platform from Hosts and guests, slow our growth, and materially adversely affect our business, results of operations, and financial condition. Many of our current and potential competitors enjoy substantial competitive advantages over us, such as greater name and brand recognition, longer operating histories, larger marketing budgets, and loyalty programs, as well as substantially greater financial, technical, and other resources. In addition, our current or potential competitors have access to larger user bases and/or inventory for accommodations, and may provide multiple travel products, including flights. As a result, our competitors may be able to provide consumers with a better or more complete product experience and respond more quickly and effectively than we can to new or changing opportunities, technologies, standards, or Host and guest requirements or preferences. The global travel industry has experienced significant consolidation, and we expect this trend may continue as companies attempt to strengthen or hold their market positions in a highly competitive industry. Consolidation amongst our competitors will give them increased scale and may enhance their capacity, abilities, and resources, and lower their cost structures. In addition, emerging start-ups may be able to innovate and focus on developing a new product or service faster than we can or may foresee consumer need for new offerings or technologies before we do. There are now numerous competing companies that offer homes for booking, which may be cross-listed on our platform, listed on competing platforms, and/or available through direct booking sites. Some of these competitors also aggregate property listings obtained through various sources, including the websites of property managers. Some of our Hosts have chosen to cross-list their properties, which reduces the availability of such properties on our platform. When properties are cross-listed, the price paid by guests on our platform may be or may appear to be less competitive for a number of reasons, including differences in fee structure and policies, which may cause guests to book through other services, which could materially adversely affect our business, results of operations, and financial condition. Certain property managers reach out to our Hosts and guests to incentivize them to list or book directly with them and bypass our platform, and certain Hosts may encourage transactions outside of our platform, which reduces the use of our platform and services. Some of our competitors or potential competitors have more established or varied relationships with consumers than we do, and they could use these advantages in ways that could affect our competitive position, including by entering the travel and accommodations businesses. For example, some competitors or potential competitors are creating "super-apps" where consumers can use many online services without leaving that company's app, e.g., in particular regions, such as Asia, where e-commerce transactions are conducted primarily through apps on mobile devices. If any of these platforms are successful in offering services similar to ours to consumers, or if we are unable to offer our services to consumers within these super-apps, our customer acquisition efforts could be less effective and our customer acquisition costs, 11 11 11 Table of Contents Table of Contents including our brand and performance marketing expenses, could increase, any of which could materially adversely affect our business, results of operations, and financial condition. We also face increasing competition from search engines including Google. How Google presents travel search results, and its promotion of its own travel meta-search services, such as Google Travel and Google Vacation Rental Ads, or similar actions from other search engines, and their practices concerning search rankings, could decrease our search traffic, increase traffic acquisition costs, and/or disintermediate our platform. These parties can also offer their own comprehensive travel planning and booking tools, or refer leads directly to suppliers, other favored partners, or themselves, which could also disintermediate our platform. In addition, if Google or Apple use their own mobile operating systems or app distribution channels to favor their own or other preferred travel service offerings, or impose policies that effectively disallow us to continue our full product offerings in those channels, it could materially adversely affect our ability to engage with Hosts and guests who access our platform via mobile apps or search. --- ## No Match in Current: Laws, regulations, and rules that affect the short-term rental, long-term rental, and home sharing business have limited and may continue to limit the ability or willingness of Hosts to share their spaces over our platform and expose our Hosts or us to significant penalties, which have had and could continue to have a material adverse effect on our business, results of operations, and financial condition. *This section from the 2023 filing does not have a high-confidence textual match in 2024. It may have been removed, merged, or substantially reworded.* Since we began our operations in 2008, there have been and continue to be legal and regulatory developments that affect the short-term rental, long-term rental, and home sharing business. Hotels and groups affiliated with hotels have engaged and will likely continue to engage in various lobbying and political efforts for stricter regulations governing our business in both local and national jurisdictions. Other private groups, such as homeowners, landlords, and condominium and neighborhood associations, have adopted contracts or regulations that purport to ban or otherwise restrict short-term rentals, and third-party lease agreements between landlords and tenants, home insurance policies, and mortgages may prevent or restrict the ability of Hosts to list their spaces. These groups and others cite concerns around affordable housing and over-tourism in major cities among other issues, and some state and local governments have implemented or considered implementing rules, ordinances, or regulations governing the short-term or long-term rental of properties and/or home sharing. For example, in December 2021, the European Commission closed a consultation in relation to a potential EU Short Term Rental Instrument which, if enacted, could have a material impact on the way short-term rentals are regulated in the European Union and the obligations on platforms (including around data sharing or the need to enforce registration schemes). In response, in November 2022, the European Commission proposed a regulation intended to enhance and harmonize transparency, registration, and reporting requirements for short term rental platforms. Specific obligations include steps to enhance the transparency of certain host information on the platform (such as host registration numbers where required locally) and reporting by the platform to local authorities (including, for example, Host information, length of stay, and number of guests). If enacted, this regulation could have a material impact on the way short-term rentals are regulated in the European Union and would require additional resources to assess our compliance and make appropriate adjustments in order to comply with its requirements. This regulation is intended to complement the DSA (defined below), such that relevant platforms, including ours, will be subject to both of these pieces of legislation. Legislation in other regions also could have a material impact on the way short-term and long-term rentals are regulated. Such regulations include ordinances that restrict or ban Hosts from short-term rentals or long-term rentals, set annual caps on the number of days Hosts can share their homes, require Hosts to register with the municipality or city, or require Hosts to obtain permission before offering short-term rentals, or impose obligations on us to assist in the enforcement of these regulations. For example, in New York City a law enacted in 2022 limits the properties that can host short-term rentals. It also contains several new obligations for short-term rental hosts and platforms. In addition, some jurisdictions regard short-term rental or home sharing as "hotel use" and claim that such use constitutes a conversion of a residential property to a commercial property. In November 2022, the Digital Services Act (the "DSA") came into force. The majority of the substantive provisions of the DSA will begin to take effect between 2023 and 2024. The DSA will govern, among other things, potential liability for illegal content on platforms, the traceability of traders, and transparency reporting obligations, including information on "monthly active recipients" in the European Union. The DSA may increase our compliance costs and require additional resources as well as changes to our processes and operations. Macroeconomic pressures and public policy concerns could continue to lead to new laws and regulations, or interpretations of existing laws and regulations, or widespread enforcement actions that limit the ability of Hosts to share their spaces. If laws, regulations, rules, or agreements significantly restrict or discourage Hosts in certain jurisdictions from sharing their properties, it would have a material adverse effect on our business, results of operations, and financial condition. While a number of cities and countries have implemented legislation to address short-term rentals, there are many others that are not yet explicitly addressing or enforcing short-term rental or long-term rental laws, and could follow suit and enact regulations with direct requirements on platforms such as Airbnb. New laws, regulations, government policies, or changes in their interpretations in the over 100,000 cities and towns where we operate entail significant challenges and uncertainties. In the event of any such changes, pre-existing bookings may not be honored and current and future listings and bookings could decline significantly, and our relationship with our Hosts and guests could be negatively impacted, which would have a materially adverse effect on our business, results of operations, and financial condition. For example, if new regulations requiring us to share Host data with such governmental organizations or to ensure that Hosts have a registration or permit number before publishing their listings or some other form of regulation are implemented, our revenue from listings there may be substantially reduced due to the departure from our platform of Hosts who do not wish to share their data or to obtain a registration or permit number. A reduction in supply and cancellations could make our platform less attractive to guests, and any reduction in the number of guests could further reduce the number of Hosts on our platform. While we seek to work with governments, we have in the past been, and are likely in the future to become, involved in disputes with government agencies regarding such laws and regulations. For example, some governments have attempted to impose fines on us regarding what they contend is illegal offering of short-term accommodations in violation of applicable laws. Certain jurisdictions have adopted laws and regulations that seek to impose various types of taxes, including lodging taxes, often known as transient or occupancy taxes, on our guests, collection and remittance obligations on our Hosts and/or us, and withholding obligations on us, as more fully described in our risk factor titled " - Uncertainty in the application of taxes to our Hosts, guests, or platform could increase our tax liabilities and may discourage Hosts and guests from conducting business on our platform." In addition, some third parties and regulators have asserted and may in the future assert that we, through our operations, are subject to regulations with respect to short-term rentals, Host registration, licensing, and other requirements for the listing of accommodations and experiences, such as real estate broker or agent 12 12 12 Table of Contents Table of Contents licenses, travel agency licenses, e-commerce platform operator, and insurance-related licenses. We could be held liable and incur significant financial and potential criminal penalties if we are found to have violated any of these regulations. In certain jurisdictions, we have resolved disputes concerning the application of these laws and regulations by agreeing, among other things, to remove listings from our platform at the request of government entities, to require Hosts to enter a permit or registration number or take other action before publishing listings on our platform, to share certain data with government agencies to assist in the enforcement of limits on short-term or long-term rentals as well as the enforcement of safety regulations, and to implement measures to confirm to the government that Hosts are operating in compliance with applicable law. When a government agency seeks to apply laws and regulations in a manner that limits or curtails Hosts' or guests' ability or willingness to list and search for accommodations in that particular geography, we have attempted and may continue to attempt through litigation or other means to defend against such application of laws and regulations, but have sometimes been and may continue to be unsuccessful in certain of those efforts. Further, if we or our Hosts and guests were required to comply with laws and regulations, government requests, or agreements with government agencies that adversely impact our relations with Hosts and guests, our business, results of operations, and financial condition would be materially adversely affected. Moreover, if we enter an agreement with a government or governmental agency to resolve a dispute, the terms of such agreement may be publicly available and could create a precedent that may lead to similar disputes in other jurisdictions and may put us in a weaker bargaining position in future disputes with other governments. --- ## No Match in Current: We are subject to regulatory inquiries, litigation, and other disputes, which have materially adversely affected and could materially adversely affect our business, results of operations, and financial condition. *This section from the 2023 filing does not have a high-confidence textual match in 2024. It may have been removed, merged, or substantially reworded.* We have been, and expect to continue to be, a party to various legal and regulatory claims, litigation or pre-litigation disputes, and proceedings arising in the normal course of business. The number and significance of these claims, disputes, and proceedings have increased as our company has grown larger, the number of bookings on our platform has increased, there is increased brand awareness, and the scope and complexity of our business have expanded, and we expect they will continue to increase. We have been, and expect to continue to be, subject to various government inquiries, investigations, audits, and proceedings related to legal and regulatory requirements such as compliance with laws related to short-term rentals, long-term rentals, and home sharing, tax, escheatment, consumer protection, pricing and currency display, advertising, discrimination, data sharing, payment processing, data 14 14 14 Table of Contents Table of Contents privacy, data security, cancellation policies, and competition. In many cases, these inquiries, investigations, and proceedings can be complex, time consuming, costly to investigate, and require significant company and also management attention. For certain matters, we are implementing recommended changes to our products, operations, and compliance practices, including enabling tax collection, tax reporting, display of Host registration numbers, and removal of noncompliant listings. We are unable to predict the outcomes and implications of such inquiries, investigations, and proceedings on our business, and such inquiries, investigations, and proceedings could result in damages, large fines and penalties, and require changes to our products and operations, and materially adversely affect our brand, reputation, business, results of operations, and financial condition. In some instances, applicable laws and regulations do not yet exist or are being adopted and implemented to address certain aspects of our business, and such adoption or change in their interpretation could further alter or impact our business and subject us to future government inquiries, investigations, and proceedings. We have been involved in litigation with national governments, trade associations and industry bodies, municipalities, and other government authorities, including as a plaintiff and as a defendant, concerning laws seeking to limit or outlaw short-term and long-term rentals and to impose obligations or liability on us as a platform. In the United States, we have been involved in various lawsuits concerning whether our platform is responsible for alleged wrongful conduct by Hosts who engage in short-term rentals. Claims in such cases have alleged illegal hotel conversions, real estate license requirements, violations of municipal law around short-term occupancy or rentals, unlawful evictions, or violations of lease provisions or homeowners' association rules. Legal claims have been asserted for alleged discriminatory conduct undertaken by Hosts against certain guests, and for our own platform policies or business practices. Changes to the interpretation of the applicability of fair housing, civil rights, or other statutes to our business or the conduct of our users could materially adversely impact our business, results of operations, and financial condition. We may also become more vulnerable to third-party claims as U.S. laws such as the Digital Millennium Copyright Act ("DMCA"), the Stored Communications Act, and the Communications Decency Act ("CDA"), and non-U.S. laws such as the DSA and the European E-Commerce Directive and its national transpositions are interpreted by the courts or otherwise modified or amended, as our platform and services to our Hosts and guests continue to expand, and as we expand geographically into jurisdictions where the underlying laws with respect to the potential liability of online intermediaries such as ourselves are either unclear or less favorable. In addition, we face claims and litigation relating to fatalities, shootings, other violent acts, illness (including COVID-19), cancellations and refunds, personal injuries, property damage, carbon monoxide incidents, hidden camera incidents, and privacy violations that occurred at listings or experiences during a booking made on our platform. We also have had putative class action litigation and government inquiries, and could face additional litigation and government inquiries and fines relating to our business practices, cancellations, and other consequences due to natural disasters or other unforeseen events beyond our control such as wars, regional hostilities, health concerns, including epidemics and pandemics such as COVID-19, or law enforcement demands, and other regulatory actions. Notwithstanding the decision of the Court of Justice of the European Union ("CJEU") on December 19, 2019 ruling that Airbnb is a provider of information society services under the E-Commerce Directive, there continue to be new laws and government initiatives within the European Union attempting to regulate Airbnb as a platform. In several cases, national courts are evaluating whether certain local rules imposing obligations on platforms can be enforced against us. For example, we are challenging laws in various European jurisdictions requiring short-term rental platforms to act as withholding tax agent for Host income taxes, to collect and remit tourist taxes, and to disclose user data. Adverse rulings in these national cases are possible and could result in changes to our business practices in significant ways, increased operating and compliance costs, and lead to a loss of revenue for us. In addition, the DSA came into force in November 2022, and amends certain aspects of the E-Commerce Directive to enhance the rules that apply to platforms. In addition, in the ordinary course of business, disputes may arise because we are alleged to have infringed third parties' intellectual property or in which we agree to provide indemnification to third parties with respect to certain matters, including losses arising from our breach of such agreements or from intellectual property infringement claims, or where we make other contractual commitments to third parties. We also have indemnification agreements with certain of our directors, executive officers, and certain other employees that require us, among other things, to indemnify them against certain liabilities that may arise by reason of their status or service as directors or officers. We may be subject to litigation stemming from these obligations. We are also subject to unclaimed or abandoned property (escheatment) laws which require us to turn over to government authorities the property of others held by us that has been unclaimed for a period specified by such laws, as well as audits by government authorities regarding our escheatment practices, which may result in additional escheatment of unclaimed property and payment of interest and penalties. The laws governing unclaimed property matters are complex and subject to varying interpretations by companies and government authorities. An unfavorable audit could negatively impact our results of operations and cash flows in future periods. Adverse results in any regulatory inquiry, litigation, legal proceedings, audit, or claims may include awards of potentially significant monetary damages, including statutory damages for certain causes of action in certain jurisdictions, penalties, fines, compensation orders, injunctive relief, royalty or licensing agreements, or orders preventing us from offering certain services. Moreover, many regulatory inquiries, litigation, legal proceedings, or claims are resolved by settlements that can include both monetary and nonmonetary components. Adverse results or settlements may result in changes in our business practices in significant ways, increased operating and compliance costs, and a loss of revenue. In addition, any litigation or pre-litigation claims against us, whether or not meritorious, are time consuming, require substantial expense, and result in the diversion of significant operational resources. We use various software platforms that in some instances have limited functionality which may impede our ability to fully retrieve records. In addition, our insurance may not cover all potential claims to which we are exposed and may not be adequate to indemnify us for all liability that may be imposed. As we continue to grow, regulatory inquiries, litigation, legal proceedings, and other claims will continue to consume significant company resources and adverse results in future matters could materially adversely affect our business, results of operations, and financial condition. 15 15 15 Table of Contents Table of Contents --- ## No Match in Current: Consumer use of devices and platforms other than desktop computers creates challenges. If we are unable to operate effectively on these platforms, our business, results of operations, and financial condition could be materially adversely affected. *This section from the 2023 filing does not have a high-confidence textual match in 2024. It may have been removed, merged, or substantially reworded.* People regularly access the Internet through mobile phones, tablets, handheld computers, voice-assisted speakers, television set-top devices, smart televisions, wearables, and automobile in-dash systems. These devices enable new modalities of interaction, such as conversational user interfaces, and new intermediaries, such as "super-apps" like WeChat, where consumers can use many online services without leaving a particular app. We anticipate that the use of these means of access will continue to grow and that usage through desktop computers will continue to decline, especially in certain regions of the world experiencing the highest rate of Internet adoption. The functionality and user experiences associated with these alternative devices, such as a smaller screen size or lack of a screen, may make the use of our platform through such devices more difficult than through a desktop computer, lower the use of our platform, and make it more difficult for our Hosts to upload content to our platform. In addition, consumer purchasing patterns can differ on alternative devices, and it is uncertain how the proliferation of mobile devices will impact the use of our platform and services. Mobile consumers may also be unwilling to download multiple apps from multiple companies providing similar services leading such consumers to opt to use one of our competitors' services instead of ours. As a result, brand recognition and the consumer experience with our mobile apps will likely become increasingly important to our business. In addition, these new modalities create opportunities for device or systems companies, such as Amazon, Apple, and Google, to control the interaction with our consumers and disintermediate existing platforms such as ours. We need to provide solutions for consumers who are limited in the size of the app they can support on their mobile devices and address latency issues in countries with lower bandwidth for both desktop and mobile devices. Because our platform contains data-intensive media, these issues are exacerbated. As new devices, operating systems, and platforms continue to be released, it is difficult to predict the problems we may encounter in adapting our offerings and features to them, and we may need to devote significant resources to the creation, support, and maintenance of our offerings and features. Our success will also depend on the interoperability of our offerings with a range of third-party technologies, systems, networks, operating systems, and standards, including iOS and Android; the availability of our mobile apps in app stores and in "super-app" environments; and the creation, maintenance, and development of relationships with key participants in related industries, some of which may also be our competitors. In addition, if accessibility of various apps is limited by executive order or other government actions, the full functionality of devices may not be available to our customers. Moreover, third-party platforms, services and offerings are constantly evolving, and we may not be able to modify our platform to assure its compatibility with those of third parties. If we lose such interoperability, we experience difficulties or increased costs in integrating our offerings into alternative devices or systems, or manufacturers or operating systems elect not to include our offerings, make changes that degrade the functionality of our offerings, or give preferential treatment to competitive products, the growth of our community and our business, results of operations, and financial condition could be materially adversely affected. This risk may be exacerbated by the frequency with which consumers change or upgrade their devices. In the event consumers choose devices that do not already include or support our platform or do not install our mobile apps when they change or upgrade their devices, our traffic and Host and guest engagement may be harmed. --- ## No Match in Current: Any escalation or unexpected change in circumstances in the ongoing military action between Russia and Ukraine, or sanctions, export controls, and similar measures in response to the conflict, could materially adversely affect our business, results of operations, and financial condition. *This section from the 2023 filing does not have a high-confidence textual match in 2024. It may have been removed, merged, or substantially reworded.* We are actively monitoring the situation in Ukraine and assessing its impact on our business. We have suspended all operations in Russia and Belarus and certain regions of Ukraine, which is not expected to have a material impact on our operating results. However, any escalation in the conflict or unexpected change in circumstances could adversely impact the demand for travel in the region or beyond and could have a material adverse impact on our business, results of operations, and financial condition. --- ## No Match in Current: Future sales and issuances of our Class A common stock or rights to purchase our Class A common stock, including pursuant to our equity incentive plans, or other equity securities or securities convertible into our Class A common stock, could result in additional dilution of the percentage ownership of our stockholders and could cause the stock price of our Class A common stock to decline. *This section from the 2023 filing does not have a high-confidence textual match in 2024. It may have been removed, merged, or substantially reworded.* In the future, we may sell Class A common stock, other series of common stock, convertible securities, or other equity securities, including preferred securities, in one or more transactions at prices and in a manner we determine from time to time. We also expect to issue Class A common stock to employees, consultants, and directors pursuant to our equity incentive plans. If we sell Class A common stock, other series of common stock, convertible securities, or other equity securities in subsequent transactions, or Class A common stock or Class B common stock is issued pursuant to equity incentive plans, investors may be materially diluted. New investors in subsequent transactions could gain rights, preferences, and privileges senior to those of holders of our Class A common stock. In addition, we made an initial contribution of 9,200,000 newly-issued shares of Class H common stock to the Host Endowment Fund in November 2020 and may in our discretion make additional contributions of Class H common stock in the future, and any future issuances of Class H common stock would be dilutive to holders of Class A common stock. However, it is our current intent that the total number of shares contributed to the Host Endowment Fund by us, when aggregated with any prior contributions, will not exceed 2% of our total shares outstanding at the time of any future contribution. We have also announced our intention to donate 400,000 shares of our Class A common stock to a charitable foundation. --- ## Modified: Changes in tax laws or tax rulings could materially affect our results of operations and financial condition. **Key changes:** - Reworded sentence: "The tax regimes we are subject to or operate under, including income and non-income taxes (including indirect taxes), are unsettled and may be subject to significant change." - Reworded sentence: "In August 2022, the Inflation Reduction Act (the "IRA") was signed into law in the United States." - Reworded sentence: "For example, in Italy, a law enacted in 2017 purports to require short-term rental platforms that process payments to withhold and remit Host income tax and collect and remit tourist tax, amongst other obligations." - Reworded sentence: "More recently, BEPS 2.0 aims to address the tax challenges arising from the digitalization of the economy, and in 2021, more than 140 countries tentatively signed on to a framework that imposes a minimum tax rate of 15%, among other provisions." - Reworded sentence: "These proposals include changes to the existing framework to calculate income tax, as well as proposals to change or impose new types of non-income taxes (including indirect taxes), including taxes based on a percentage of revenue." **Prior (2023):** The tax regimes we are subject to or operate under, including income and non-income (including indirect) taxes, are unsettled and may be subject to significant change. Changes in tax laws or tax rulings, or changes in interpretations of existing laws, could materially adversely affect our results of operations and financial condition. On August 16, 2022, the Inflation Reduction Act (the "IRA") was signed into law in the United States. Among other changes, the IRA introduced a corporate minimum tax on certain corporations with average adjusted financial statement income over a three-tax year period in excess of $1 billion and an excise tax on certain stock repurchases by certain covered corporations for taxable years beginning after December 31, 2022. The United States government may enact further significant changes to the taxation of business entities including, among other changes, an increase in the corporate income tax rate or significant changes to the taxation of income derived from international operations. The likelihood of these changes being enacted or implemented is unclear. In addition, many countries in Europe, as well as a number of other countries and states, have recently proposed or recommended changes to existing tax laws or have enacted new laws that could significantly increase our tax obligations in many countries and states where we do business or require us to change the manner in which we operate our business. For example, in Italy, a 2017 law requires short-term rental platforms that process payments to collect and remit Host income tax and tourist tax, amongst other obligations. Airbnb has challenged this law before the Italian courts and the CJEU, but if we are unsuccessful this will lead to further compliance and potentially significant prior and future tax obligations. In December 2022, the CJEU found that European law does not prohibit member states from passing legislation requiring short-term rental platforms to withhold income taxes from their hosts, however a requirement to appoint tax representative (on which the 2017 law and the withholding obligations are based) is contrary to EU law and the case will now return to the national court. Airbnb's subsidiary in Italy and subsidiary in Ireland are subject to tax audits in Italy, including in relation to permanent establishment, transfer pricing, and withholding obligations. Such audits could result in the imposition of potentially significant prior and future tax obligations. The Organization for Economic Cooperation and Development has been working on a Base Erosion and Profit Shifting Project, and issued a report in 2015 and an interim report in 2018 detailing 15 key actions aimed at ensuring profits are taxed where the economic activities generating those profits are performed and where value is created. Work continues to be undertaken by the project with regard to each action, and new recommendations are regularly made, including proposed new legislation. Recent examples include the implementation of minimum standards in local legislation to neutralize the effects of hybrid mismatches and to appropriately tax controlled foreign companies. Proposals from the OECD can result in an increased tax burden for us in jurisdictions that adopt such proposals. Of particular focus at the moment is what is known as BEPS 2.0 - the aim to address the tax challenges arising from the digitalization of the economy, and in 2021, more than 140 countries tentatively signed on to a framework that imposes a minimum tax rate of 15%, among other provisions. As this framework is subject to further negotiation and implementation by each member country, the timing and ultimate impact of any such changes on our tax obligations are uncertain. Similarly, the European Commission and several countries have issued proposals that would change various aspects of the current tax framework under which we are taxed. These proposals include changes to the existing framework to calculate income tax, as well as proposals to change or impose new types of non-income (including indirect) taxes, including taxes based on a percentage of revenue. For example, France, Italy, Spain, and the United Kingdom, among others, have each proposed or enacted taxes applicable to digital services, which includes business activities on digital platforms and would likely apply to our business. In December 2022, the EU unanimously agreed to implement the minimum tax rate legislation by December 31, 2023 in all Member States, though whether this is practically achievable is currently unknown. Several other countries including Australia, Canada, Colombia, Japan, New Zealand, Norway, Singapore, South Korea, and the United Kingdom have also committed to implement similar legislation within the same timeframe. The European Commission has conducted investigations in multiple countries focusing on whether local country tax rulings or tax law provide preferential tax treatment that violates EU state aid rules and concluded that certain countries, including Ireland, have provided illegal state aid in certain cases. These investigations may result in changes to the tax treatment of our foreign operations. Due to the large 33 33 33 Table of Contents Table of Contents and increasing scale of our international business activities, many of these types of changes to the taxation of our activities described above and in our risk factor titled " - Uncertainty in the application of taxes to our Hosts, guests, or platform could increase our tax liabilities and may discourage Hosts and guests from conducting business on our platform" could increase our worldwide effective tax rate, increase the amount of non-income (including indirect) taxes imposed on our business, and materially adversely affect our business, results of operations, and financial condition. Such changes may also apply retroactively to our historical operations and result in taxes greater than the amounts estimated and recorded in our financial statements. **Current (2024):** The tax regimes we are subject to or operate under, including income and non-income taxes (including indirect taxes), are unsettled and may be subject to significant change. Changes in tax laws or tax rulings, or changes in interpretations of existing laws, could materially adversely affect our results of operations and financial condition. In August 2022, the Inflation Reduction Act (the "IRA") was signed into law in the United States. Among other changes, the IRA introduced a corporate alternative minimum tax ("CAMT") on certain corporations with average adjusted financial statement income over a three-tax year period in excess of $1 billion, and an excise tax on certain stock repurchases by certain covered corporations for taxable years beginning after December 31, 2022. We may be subject to a material amount of CAMT in the next several years but expect to fully utilize the corresponding credits generated from the CAMT in the subsequent following years. The United States government may enact further significant changes to the taxation of business entities including, among other changes, an increase in the corporate income tax rate or significant changes to the taxation of income derived from international operations. The likelihood of these changes being enacted or implemented is unclear. In addition, many countries in Europe, as well as a number of other countries and states, have recently proposed or recommended changes to existing tax laws or have enacted new laws that could significantly increase our tax obligations in many countries and states where we do business or require us to change the manner in which we operate our business. For example, in Italy, a law enacted in 2017 purports to require short-term rental platforms that process payments to withhold and remit Host income tax and collect and remit tourist tax, amongst other obligations. On December 13, 2023, without admitting any liability, Airbnb Ireland signed an agreement with the Italian Revenue Agency in settlement of the 2017-2021 audit periods for an aggregate payment of 576 million Euro ($621 million). Such agreement settles a dispute about Airbnb Ireland's obligations to withhold and remit Host income tax, including taxes, interest, and penalties, for those relevant periods. Airbnb's subsidiary in Italy and Airbnb Ireland continue to be, or could in the future be, subject to tax audits in Italy, including in relation to permanent establishment, transfer pricing, withholding obligations, and tourist taxes. Such audits could result in the imposition of additional potentially significant prior and future tax obligations. The Organization for Economic Cooperation and Development ("OECD") has been working on a Base Erosion and Profit Shifting Project ("BEPS"), and issued a report in 2015 and an interim report in 2018 detailing 15 key actions aimed at ensuring profits are taxed where the economic activities generating those profits are performed and where value is created. Work continues to be undertaken by the project with regard to each action, and new recommendations are regularly made, including proposed new legislation. Recent examples include the implementation of minimum standards in local legislation to neutralize the effects of hybrid mismatches and to appropriately tax controlled foreign companies. Proposals from the OECD can result in an increased tax burden for us in jurisdictions that adopt such proposals. More recently, BEPS 2.0 aims to address the tax challenges arising from the digitalization of the economy, and in 2021, more than 140 countries tentatively signed on to a framework that imposes a minimum tax rate of 15%, among other provisions. As this framework is subject to further negotiation and implementation by each member country, the timing and ultimate impact of any such changes on our tax obligations are uncertain. Similarly, the European Commission and several countries have issued proposals that would change various aspects of the current tax framework under which we are taxed. These proposals include changes to the existing framework to calculate income tax, as well as proposals to change or impose new types of non-income taxes (including indirect taxes), including taxes based on a percentage of revenue. For example, France, Italy, Spain, and the United Kingdom, among others, have each proposed or enacted taxes applicable to digital services, which includes business activities on digital platforms and would likely apply to our business. In December 2022, the European Union unanimously agreed to implement the minimum tax rate legislation by December 31, 2023 in all EU member states. Several other countries including Australia, Canada, Colombia, Japan, New Zealand, Norway, Singapore, South Korea, and the United Kingdom have also committed to implement similar legislation within the same timeframe. This agreement, commonly referred to as Pillar Two, could result in future additional taxes that could materially adversely affect our results of operations and financial condition. The European Commission has conducted investigations in multiple countries focusing on whether local country tax rulings or tax law provide preferential tax treatment that violates EU state aid rules and concluded that certain countries, including Ireland, have provided illegal state aid in certain cases. These investigations may result in changes to the tax treatment of our foreign operations. Due to the large and increasing scale of our international business activities, many of these types of changes to the taxation of our activities described above and in our risk factor titled "Uncertainty in the application of taxes to our Hosts, guests, or platform could increase our tax liabilities and may discourage Hosts and guests from conducting business on our platform" could increase our worldwide effective tax rate, increase the amount of non-income taxes (including indirect taxes) imposed on our business, and materially adversely affect our business, results of operations, and financial condition. Such changes may also apply retroactively to our historical operations and result in taxes greater than the amounts estimated and recorded in our financial statements. --- ## Modified: We could face liability for information or content on or accessible through our platform. **Key changes:** - Reworded sentence: "While we rely on a variety of statutory and common-law frameworks and defenses, including those provided by the DMCA, the CDA, the fair-use doctrine and various tort law defenses in the United States and the E-Commerce Directive and the DSA in the European Union and other regulations, differences between statutes, limitations on immunity or responsibility, requirements to maintain immunity or proportionate responsibility, and moderation efforts in the many jurisdictions in which we operate may affect our ability to rely on these frameworks and defenses, or create uncertainty regarding liability for information or content uploaded by Hosts and guests or otherwise contributed by third-parties to our platform." - Reworded sentence: "There may be proposed U.S." - Reworded sentence: "The European Union has also enhanced the regulation of digital services, and in November 2022, the DSA came into force with the majority of the substantive provisions taking effect in 2023 and 2024." - Reworded sentence: "In countries in Asia and Latin America, new regulations covering e-commerce or digital platforms have been passed or are being drafted, and cover consumer protection, online safety, services provided, privacy and tax." - Added sentence: "Directive (EU) 2019/2161 ("Omnibus Directive") also introduced stricter penalties (including fines) for breaches of consumer protection law, as well as additional specific information requirements for contracts concluded on online marketplaces." **Prior (2023):** We could face claims relating to information or content that is made available on our platform. Our platform relies upon content that is created and posted by Hosts, guests, or other third parties. Although content on our platform is typically generated by third parties, and not by us, claims of defamation, disparagement, negligence, warranty, personal harm, intellectual property infringement, or other alleged damages could be asserted against us, in addition to our Hosts and guests. While we rely on a variety of statutory and common-law frameworks and defenses, including those provided by the DMCA, the CDA, the fair-use doctrine and various tort law defenses in the United States and the E-Commerce Directive in the European Union and other regulations, differences between statutes, limitations on immunity or responsibility, requirements to maintain immunity or proportionate responsibility, and moderation efforts in the many jurisdictions in which we operate may affect our ability to rely on these frameworks and defenses, or create uncertainty regarding liability for information or content uploaded by Hosts and guests or otherwise contributed by third-parties to our platform. Moreover, regulators in the United States and in other countries may introduce new regulatory regimes that increase potential liability for information or content available on our platform. For example, in the United States, laws such as the CDA, which have previously been interpreted to provide substantial protection to interactive computer service providers, may change and become less predictable or unfavorable by legislative action or juridical interpretation. Additionally, there have been various federal legislative efforts to restrict the scope of the protections available to online platforms under the CDA, and current protections from liability for third-party content in the United States could decrease or change. There is proposed U.S. federal legislation seeking to hold platforms liable for user-generated content, including content related to short-term or long-term rentals. We could incur significant costs investigating and defending such claims and, if we are found liable, significant damages. The European Union is also reviewing the regulation of digital services. In November 2022, the DSA came into force. The majority of the substantive provisions of the DSA will begin to take effect between 2023 and 2024. The DSA will govern, among other things, potential liability for illegal content on platforms, traceability of traders, and transparency reporting obligations. Some European jurisdictions have also proposed or intend to pass legislation that imposes new obligations and liabilities on platforms with respect to certain types of harmful content. While the scope and timing of these proposals are currently evolving, if enacted and applied to our platform, the new rules may adversely affect our business. In countries in Asia and Latin America, generally there are not similar statutes as the CDA or E-Commerce Directive. The laws of countries in Asia and Latin America generally provide for direct liability if a platform is involved in creating such content or has actual knowledge of the content without taking action to take it down. Further, laws in some Asian countries also provide for primary or secondary liability, which can include criminal liability, if a platform failed to take sufficient steps to prevent such content from being uploaded. Because liability often flows from information or content on our platform and/or services accessed through our platform, as we continue to expand our offerings, tiers, and scope of business, both in terms of the range of offerings and services and geographical operations, we may face or become subject to additional or different laws and regulations. Our potential liability for information or content created by third parties and posted to our platform could require us to implement additional measures to reduce our exposure to such liability, may require us to expend significant resources, may limit the desirability of our platform to Hosts and guests, may cause damage to our brand or reputation, and may cause us to incur time and costs defending such claims in litigation, thereby materially adversely affecting our business, results of operations, and financial condition. In the European Union, the Consumer Rights Directive and the Unfair Commercial Practices Directive harmonized consumer rights across the EU member states. In 2018, the European Commission and a group of European consumer protection authorities (through the Consumer Protection Cooperation Network) investigated our customer terms and price display practices, which required us to make certain changes to our terms and price display practices. If Consumer Protection Regulators find that we are in breach of consumer protection laws, we may be fined or required to change our terms and processes, which may result in increased operational costs. Consumers and certain Consumer Protection Associations may also bring individual claims against us if they believe that our terms and/or business practices are not in compliance with local consumer protection laws. Currently, class actions may also be brought in certain countries in the European Union, and the Collective Redress Directive extends the right to collective redress across the European Union. **Current (2024):** We could face claims relating to information or content that is made available on our platform. Our platform relies upon content that is created and posted by Hosts, guests, or other third parties. Although content on our platform is typically generated by third parties, and not by us, claims of defamation, disparagement, negligence, warranty, personal harm, intellectual property infringement, or other alleged damages could be asserted against us, in addition to our Hosts and guests. While we rely on a variety of statutory and common-law frameworks and defenses, including those provided by the DMCA, the CDA, the fair-use doctrine and various tort law defenses in the United States and the E-Commerce Directive and the DSA in the European Union and other regulations, differences between statutes, limitations on immunity or responsibility, requirements to maintain immunity or proportionate responsibility, and moderation efforts in the many jurisdictions in which we operate may affect our ability to rely on these frameworks and defenses, or create uncertainty regarding liability for information or content uploaded by Hosts and guests or otherwise contributed by third-parties to our platform. Moreover, regulators in the United States and in other countries may introduce new regulatory regimes that increase potential liability for information or content available on our platform. For example, in the United States, laws such as the CDA, which have previously been interpreted to provide substantial protection to interactive computer service providers, may change and become less predictable or unfavorable by legislative action or juridical interpretation. Additionally, there have been various federal legislative efforts to restrict the scope of the protections available to online platforms under the CDA, and current protections from liability for third-party content in the United States could decrease or change. There may be proposed U.S. federal legislation seeking to hold platforms liable for user-generated content, including content related to short-term or long-term rentals. We could incur significant costs investigating and defending such claims and, if we are found liable, significant damages. The European Union has also enhanced the regulation of digital services, and in November 2022, the DSA came into force with the majority of the substantive provisions taking effect in 2023 and 2024. The DSA governs, among other things, potential liability for illegal content on platforms, traceability of traders, and transparency reporting obligations, including information on "monthly active recipients" in the European Union. The DSA may increase compliance costs and require additional resources as well as changes to our processes and operations. Failure to comply with the DSA can result in fines of up to 6% of total annual worldwide turnover (revenue) and recipients of services have the right to seek compensation from providers in respect of damage or loss suffered due to infringement by the provider. In parallel, the Digital Markets Act (the "DMA") came into force in November 2022 and introduced ex ante regulation of certain large online platforms. Airbnb has not been designated a gatekeeper platform for the purposes of the DMA although this could change at some point in the future. Some European jurisdictions (such as Germany) have also introduced at the national level new competition rules in relation to digital platforms that are similar in their effects to the DMA. These laws may contain certain regulatory requirements and/or obligations that could negatively impact our business. Furthermore, some of our Hosts or some of our offerings may now or in the future be subject to the European Package Travel Directive, which imposes various obligations upon package providers and upon marketers of travel packages, such as disclosure obligations to consumers and liability to consumers. Some European jurisdictions have also proposed or intend to pass legislation that imposes new obligations and liabilities on platforms with respect to certain types of harmful content. While the scope and timing of these proposals are currently evolving, if enacted and applied to our platform, the new rules may adversely affect our business. In countries in Asia and Latin America, new regulations covering e-commerce or digital platforms have been passed or are being drafted, and cover consumer protection, online safety, services provided, privacy and tax. Complying with these regulations may impact our supply, corporate structure, licensing and registration requirements, data sharing requirements, compliance costs and tax exposure. Further, the laws of countries in Asia and Latin America already generally provide for direct liability if a platform is involved in creating such content or has actual knowledge of the content without taking action to take it down. Additionally, laws in some Asian countries also provide for primary or secondary liability, which can include criminal liability, if a platform fails to take sufficient steps to prevent such content from being uploaded. Because liability often flows from information or content on our platform and/or services accessed through our platform, as we continue to expand our offerings and scope of business, both in terms of the range of offerings and services and geographical operations, we may face or become subject to additional or different laws and regulations. Our potential liability for information or content created by third parties and posted to our platform could require us to implement additional measures to reduce our exposure to such liability, may require us to expend significant resources, may limit the desirability of our platform to Hosts and guests, may cause damage to our brand or reputation, and may cause us to incur time and costs defending such claims in litigation, thereby materially adversely affecting our business, results of operations, and financial condition. In the European Union, the Consumer Rights Directive and the Unfair Commercial Practices Directive harmonized consumer rights across the EU member states. Directive (EU) 2019/2161 ("Omnibus Directive") also introduced stricter penalties (including fines) for breaches of consumer protection law, as well as additional specific information requirements for contracts concluded on online marketplaces. In 2018, the European Commission and a group of European consumer protection authorities (through the Consumer Protection Cooperation Network) investigated our customer terms and price display practices, which required us to make certain changes to our terms and price display practices. If Consumer Protection Regulators find that we are in breach of consumer protection laws, we may be fined or required to change our terms and processes, which may result in increased operational costs. Consumers and certain Consumer Protection Associations may also bring individual claims against us if they believe that our terms and/or business practices are not in compliance with local consumer protection laws. Currently, class actions may also be brought in certain countries in the European Union, and the Collective Redress Directive extends the right to collective redress across the European Union. The Collective Redress Directive replaced its predecessor in November 2020. This relatively new Directive allows for the recovery of monetary compensation by qualified entities on behalf of large classes of consumers, and greatly extends the scope to new areas, including for example misleading and comparative advertising, data privacy and data security. 20 20 20 Table of Contents Table of Contents --- ## Modified: Future sales and issuances of our Class A common stock or rights to purchase our Class A common stock, including pursuant to our equity incentive plans, or other equity securities or securities convertible into our Class A common stock, could result in additional dilution of the percentage ownership of our stockholders and could cause the stock price of our Class A common stock to decline. **Key changes:** - Reworded sentence: "Sales or issuances of a substantial number of shares of our Class A common stock, other series of common stock, convertible securities, or other equity securities, including preferred securities, in the public market, or the perception that these sales or issuances might occur in large quantities, could cause the market price of our Class A common stock to decline, could materially dilute investors, and could impair our ability to raise capital through the sale of additional equity securities." - Reworded sentence: "Moreover, new investors in subsequent transactions could gain rights, preferences, and privileges senior to those of holders of our Class A common stock." - Reworded sentence: "In addition, we have filed and may in the future file registration statements covering shares of our common stock issued pursuant to our equity incentive plans permitting the resale of such shares by non-affiliates in the public market without restriction under the Securities Act and the sale by affiliates in the public market subject to compliance with the resale provisions of Rule 144." - Removed sentence: "See also our risk factor titled " - Future sales and issuances of our Class A common stock or rights to purchase our Class A common stock, including pursuant to our equity incentive plans, or other equity securities or securities convertible into our Class A common stock, could result in additional dilution of the percentage ownership of our stockholders and could cause the stock price of our Class A common stock to decline."" **Prior (2023):** Sales of a substantial number of shares of our common stock in the public market, or the perception that these sales might occur in large quantities, could cause the market price of our Class A common stock to decline and could impair our ability to raise capital through the sale of additional equity securities. As of December 31, 2022, we had 408,288,511 shares of Class A common stock outstanding, 222,694,817 shares of Class B common stock outstanding, no shares of Class C common stock outstanding, and 9,200,000 shares of Class H common stock outstanding. Certain holders of shares of our common stock, options to purchase shares of our common stock, and warrants to purchase shares of our common stock have rights, subject to some conditions, to require us to file registration statements for the public resale of the Class A common stock issuable upon conversion of such shares or to include such shares in registration statements that we may file for us or other stockholders. Any registration statement we file to register additional shares, whether as a result of registration rights or otherwise, could cause the market price of our Class A common stock to decline or be volatile. Further, as of December 31, 2022, we had 22.0 million options outstanding and 34.4 million shares of Class A common stock issuable upon vesting of outstanding RSUs, which have been registered on Form S-8 under the Securities Act. These shares can be freely sold in the public market upon issuance, subject to applicable vesting requirements, compliance by affiliates with Rule 144, and other restrictions provided under the terms of the applicable plan and/or the award agreements entered into with participants. In addition, we filed a registration statement and may in the future file registration statements covering shares of our common stock issued pursuant to our equity incentive plans permitting the resale of such shares by non-affiliates in the public market without restriction under the Securities Act and the sale by affiliates in the public market subject to compliance with the resale provisions of Rule 144. 44 44 44 Table of Contents Table of Contents Sales, short sales, or hedging transactions involving our equity securities, whether or not we believe them to be prohibited, could adversely affect the price of our Class A common stock. In November 2020, we issued 9,200,000 shares of our Class H common stock to our Host Endowment Fund and we have announced our intention to donate 400,000 shares of our Class A common stock to a charitable foundation, each of which has resulted or will result in substantial dilution to our existing stockholders. We may issue our shares of common stock or securities convertible into our common stock from time to time in connection with financings, acquisitions, investments, or otherwise. Any such issuance and any issuance of Class A common stock upon the conversion of Class B or Class H common stock could result in substantial dilution to our existing stockholders and cause the trading price of our Class A common stock to decline. See also our risk factor titled " - Future sales and issuances of our Class A common stock or rights to purchase our Class A common stock, including pursuant to our equity incentive plans, or other equity securities or securities convertible into our Class A common stock, could result in additional dilution of the percentage ownership of our stockholders and could cause the stock price of our Class A common stock to decline." **Current (2024):** Sales or issuances of a substantial number of shares of our Class A common stock, other series of common stock, convertible securities, or other equity securities, including preferred securities, in the public market, or the perception that these sales or issuances might occur in large quantities, could cause the market price of our Class A common stock to decline, could materially dilute investors, and could impair our ability to raise capital through the sale of additional equity securities. As of December 31, 2023, we had 437.8 million shares of Class A common stock issued and outstanding, 199.8 million shares of Class B common stock Issued and outstanding, no shares of Class C common stock issued or outstanding, and 9.2 million shares of Class H common stock issued and none outstanding. Certain holders of shares of our common stock, options to purchase shares of our common stock, and warrants to purchase shares of our common stock have rights, subject to some conditions, to require us to file registration statements for the public resale of the Class A common stock issuable upon conversion of such shares or to include such shares in registration statements that we may file for us or other stockholders. Any registration statement we file to register additional shares, whether as a result of registration rights or otherwise, could cause the market price of our Class A common stock to decline or be volatile. Moreover, new investors in subsequent transactions could gain rights, preferences, and privileges senior to those of holders of our Class A common stock. Stock-based compensation expense related to restricted stock units ("RSUs") and other equity awards will continue to be a significant expense in future periods. In addition, in the first quarter of 2022, we began using corporate cash to make required tax withholding payments associated with the vesting of employee RSUs and withhold a corresponding number of shares from employees. We anticipate that we will spend substantial funds to satisfy tax withholding and remittance obligations when employee RSUs vest and settle. Further, as of December 31, 2023, we had 7.2 million options outstanding and 30.3 million shares of Class A common stock issuable upon vesting of outstanding RSUs, which have been registered on Form S-8 under the Securities Act. These shares can be freely sold in the public market upon issuance, subject to applicable vesting requirements, compliance by affiliates with Rule 144, and other restrictions provided under the terms of the applicable plan and/or the award agreements entered into with participants. In addition, we have filed and may in the future file registration statements covering shares of our common stock issued pursuant to our equity incentive plans permitting the resale of such shares by non-affiliates in the public market without restriction under the Securities Act and the sale by affiliates in the public market subject to compliance with the resale provisions of Rule 144. Sales, short sales, or hedging transactions involving our equity securities, whether or not we believe them to be prohibited, could adversely affect the price of our Class A common stock. In November 2020, we issued 9.2 million shares of our Class H common stock to our Host Endowment Fund and we have announced our intention to donate 400,000 shares of our Class A common stock to a charitable foundation, each of which has resulted or will result in substantial dilution to our existing stockholders. We may issue our shares of common stock or securities convertible into our common stock from time to time in connection with financings, acquisitions, investments, or otherwise. Any such issuance and any issuance of Class A common stock upon the conversion of Class B or Class H common stock could result in substantial dilution to our existing stockholders and cause the trading price of our Class A common stock to decline. --- ## Modified: The multi-series structure of our common stock has the effect of concentrating voting control with certain holders of our common stock, including our directors, executive officers, and 5% stockholders, and their respective affiliates. This ownership will limit or preclude other stockholders' ability to influence corporate matters, including the election of directors, amendments of our organizational documents, and any merger, consolidation, sale of all or substantially all of our assets, or other major corporate transaction requiring stockholder approval. **Key changes:** - Reworded sentence: "Our Class A common stock has one vote per share, our Class B common stock has 20 votes per share, our Class C common stock has no votes per share, and our Class H common stock has no votes per share." - Reworded sentence: "Furthermore, our founders, who collectively hold a majority of the voting power of our outstanding capital stock, are party to a Voting Agreement under which each founder and his affiliates and certain other entities agree to vote their shares for the election of each individual founder to our board of directors." **Prior (2023):** The market price of our Class A common stock has been, and may continue to be, volatile and could be subject to wide fluctuations in response to the risk factors described in this Annual Report on Form 10-K, and others beyond our control, including: •actual or anticipated fluctuations in our revenue or other operating metrics; •our actual or anticipated operating performance and the operating performance of our competitors; •changes in the financial projections we provide to the public or our failure to meet these projections; •failure of securities analysts to initiate or maintain coverage of us, changes in financial estimates by any securities analysts who follow our company, or our failure to meet the estimates or the expectations of investors; •any major change in our board of directors, management, or key personnel; •the economy as a whole and market conditions in our industry; •rumors and market speculation involving us or other companies in our industry; •announcements by us or our competitors of significant innovations, new products, services, features, integrations, or capabilities, acquisitions, strategic investments, partnerships, joint ventures, or capital commitments; •the legal and regulatory landscape and changes in the application of existing laws or adoption of new laws that impact our business, Hosts, and/or guests, including changes in short-term occupancy and tax laws; •legal and regulatory claims, litigation, or pre-litigation disputes and other proceedings; •the COVID-19 pandemic and its impact on the travel and accommodations industries; •other events or factors, including those resulting from war, incidents of terrorism, or responses to these events; and •sales or expected sales of our Class A common stock by us, our officers, directors, principal stockholders, and employees. In addition, stock markets, and the trading of travel companies' and technology companies' stocks in particular, have experienced significant price and volume fluctuations that have affected and continue to affect the market prices of equity securities of many companies. Stock prices of many companies, including travel companies and technology companies, have fluctuated in a manner often unrelated to the operating performance of those companies. These fluctuations may be even more pronounced in the trading market for our Class A common stock following our recent initial public offering as a result of the supply and demand forces for newly public companies. In the past, stockholders have instituted securities class action litigation following periods of stock volatility. If we were to become involved in securities litigation, it could subject us to substantial costs, divert resources and the attention of management from our business, and materially adversely affect our business, results of operations, and financial condition. The multi-series structure of our common stock has the effect of concentrating voting control with certain holders of our common stock, including our directors, executive officers, and 5% stockholders, and their respective affiliates, who held in the aggregate 92.1% of the voting power of our capital stock as of December 31, 2022. This ownership will limit or preclude other stockholders' ability to influence corporate matters, including the election of directors, amendments of our organizational documents, and any merger, consolidation, sale of all or substantially all of our assets, or other major corporate transaction requiring stockholder approval. 43 43 43 Table of Contents Table of Contents Our Class A common stock has one vote per share, our Class B common stock has 20 votes per share, our Class C common stock has no votes per share, and our Class H common stock has no votes per share. As of December 31, 2022, the holders of our outstanding Class B common stock beneficially owned 34.8% of our outstanding capital stock and held 91.6% of the voting power of our outstanding capital stock, with our directors, executive officers, and holders of more than 5% of our common stock, and their respective affiliates, beneficially owning 38.5% of our outstanding capital stock and holding 92.1% of the voting power of our outstanding capital stock. Because of the 20-to-one voting ratio between our Class B and Class A common stock, the holders of our Class B common stock collectively continue to control a significant percentage of the combined voting power of our common stock and therefore are able to control all matters submitted to our stockholders for approval until all such outstanding shares of Class B common stock have converted into shares of our Class A common stock. Furthermore, our founders, who collectively held 73.9% of the voting power of our outstanding capital stock as of December 31, 2022, are party to a Voting Agreement under which each founder and his affiliates and certain other entities agree to vote their shares for the election of each individual founder to our board of directors. We and each of our founders are party to a Nominating Agreement under which we and the founders are required to take certain actions to include the founders in the slate of nominees nominated by our board of directors for the applicable class of directors, include them in our proxy statement, and solicit proxies or consents in favor of electing each founder to our board of directors. This concentrated control will limit or preclude your ability to influence corporate matters for the foreseeable future, including the election of directors, amendments of our organizational documents, and any merger, consolidation, sale of all or substantially all of our assets, or other major corporate transaction requiring stockholder approval. In addition, this may prevent or discourage unsolicited acquisition proposals or offers for our capital stock that stockholders may believe are in their best interest. Future transfers by holders of Class B common stock will generally result in those shares converting to Class A common stock, subject to limited exceptions, such as certain transfers effected for estate planning purposes or transfers among our founders, if all of our founders agree to such transfers. Each share of our Class B common stock is convertible at any time at the option of the Class B holder into one share of Class A common stock. The conversion of Class B common stock to Class A common stock will have the effect, over time, of increasing the relative voting power of those holders of Class B common stock who retain their shares in the long term. As a result, it is possible that one or more of the persons or entities holding our Class B common stock could gain significant voting control as other holders of Class B common stock sell or otherwise convert their shares into Class A common stock. In addition, the conversion of Class B common stock to Class A common stock would dilute holders of Class A common stock in terms of voting power within the Class A common stock. In addition, any future issuances of common stock would be dilutive to holders of Class A common stock. For example, because our Class C common stock carries no voting rights (except as otherwise required by law), if we issue Class C common stock in the future, the holders of Class B common stock may be able to elect all of our directors and to determine the outcome of most matters submitted to a vote of our stockholders for a longer period of time than would be the case if we issued Class A common stock rather than Class C common stock in such transactions. Further, each outstanding share of Class H common stock will convert into a share of Class A common stock on a share-for-share basis upon the sale of such share of Class H common stock to any person or entity that is not our subsidiary, which would dilute holders of Class A common stock in terms of voting power within the Class A common stock. **Current (2024):** Our Class A common stock has one vote per share, our Class B common stock has 20 votes per share, our Class C common stock has no votes per share, and our Class H common stock has no votes per share. Because of the 20-to-one voting ratio between our Class B and Class A common stock, the holders of our Class B common stock collectively continue to control a significant percentage of the combined voting power of our common stock and therefore are able to control all matters submitted to our stockholders for approval until all such outstanding shares of Class B common stock have converted into shares of our Class A common stock. Furthermore, our founders, who collectively hold a majority of the voting power of our outstanding capital stock, are party to a Voting Agreement under which each founder and his affiliates and certain other entities agree to vote their shares for the election of each individual founder to our board of directors. We and each of our founders are party to a Nominating Agreement under which we and the founders are required to take certain actions to include the founders in the slate of nominees nominated by our board of directors for the applicable class of directors, include them in our proxy statement, and solicit proxies or consents in favor of electing each founder to our board of directors. This concentrated control will limit or preclude your ability to influence corporate matters for the foreseeable future, including the election of directors, amendments of our organizational documents, and any merger, consolidation, sale of all or substantially all of our assets, or other major corporate transaction requiring stockholder approval. In addition, this may prevent or discourage unsolicited acquisition proposals or offers for our capital stock that stockholders may believe are in their best interest. Future transfers by holders of Class B common stock will generally result in those shares converting to Class A common stock, subject to limited exceptions, such as certain transfers effected for estate planning purposes or transfers among our founders, if all of our founders agree to such transfers. Each share of our Class B common stock is convertible at any time at the option of the Class B holder into one share of Class A common stock. The conversion of Class B common stock to Class A common stock will have the effect, over time, of increasing the relative voting power of those holders of Class B common stock who retain their shares in the long term. As a result, it is possible that one or more of the persons or entities holding our Class B common stock could gain significant voting control as other holders of Class B common stock sell or otherwise convert their shares into Class A common stock. In addition, the conversion of Class B common stock to Class A common stock would dilute holders of Class A common stock in terms of voting power within the Class A common stock. In addition, any future issuances of common stock would be dilutive to holders of Class A common stock. For example, because our Class C common stock carries no voting rights (except as otherwise required by law), if we issue Class C common stock in the future, the holders of Class B common stock may be able to elect all of our directors and to determine the outcome of most matters submitted to a vote of our stockholders for a longer period of time than would be the case if we issued Class A common stock rather than Class C common stock in such transactions. Further, each outstanding share of Class H common stock will convert into a share of Class A common stock on a share-for-share basis upon the sale of such share of Class H common stock to any person or entity that is not our subsidiary, which would dilute holders of Class A common stock in terms of voting power within the Class A common stock. --- ## Modified: If our new offerings and initiatives are unsuccessful, we may fail to grow, and our business, results of operations, and financial condition would be materially adversely affected. **Key changes:** - Reworded sentence: "We continue to invest in the development of new offerings and initiatives, including innovations focused on improving our Host and guest experiences." - Reworded sentence: "There can be no assurance that our Hosts and guests will adopt or respond positively to such offerings and initiatives, that we will be able to successfully manage the development and delivery of such offerings and initiatives, or that any of these offerings or initiatives will help attract and retain users on our platform and gain sufficient market acceptance to generate sufficient revenue to offset associated expenses or liabilities." - Reworded sentence: "If we do not realize the expected benefits of our investments in new offerings and initiatives, we may fail to grow and our business, results of operations, and financial condition would be materially adversely affected." **Prior (2023):** 23 23 23 Table of Contents Table of Contents We need to continue to invest in the development of new offerings and initiatives that differentiate us from our competitors, such as Airbnb Experiences. Developing and delivering these new offerings and initiatives increase our expenses and our organizational complexity, and we may experience difficulties in developing and implementing these new offerings and initiatives. Our new offerings and initiatives have a high degree of risk, as they may involve unproven businesses with which we have limited or no prior development or operating experience. There can be no assurance that consumer demand for such offerings and initiatives will exist or be sustained at the levels that we anticipate, that we will be able to successfully manage the development and delivery of such offerings and initiatives, or that any of these offerings or initiatives will gain sufficient market acceptance to generate sufficient revenue to offset associated expenses or liabilities. It is also possible that offerings developed by others will render our offerings and initiatives noncompetitive or obsolete. Further, these efforts entail investments in our systems and infrastructure, payments platform, and increased legal and regulatory compliance expenses, could distract management from current operations, and will divert capital and other resources from our more established offerings and geographies. Even if we are successful in developing new offerings and initiatives, regulatory authorities may subject us or our Hosts and guests to new rules, taxes, or restrictions or more aggressively enforce existing rules, taxes, or restrictions, that could increase our expenses or prevent us from successfully commercializing these initiatives. If we do not realize the expected benefits of our investments, we may fail to grow and our business, results of operations, and financial condition would be materially adversely affected. **Current (2024):** We continue to invest in the development of new offerings and initiatives, including innovations focused on improving our Host and guest experiences. Developing and delivering these new offerings and initiatives increase our expenses and our organizational complexity, and we may experience difficulties in developing and implementing these new offerings and initiatives. Our new offerings and initiatives have a high degree of risk, as they may involve unproven businesses with which we have limited or no prior development or operating experience. There can be no assurance that our Hosts and guests will adopt or respond positively to such offerings and initiatives, that we will be able to successfully manage the development and delivery of such offerings and initiatives, or that any of these offerings or initiatives will help attract and retain users on our platform and gain sufficient market acceptance to generate sufficient revenue to offset associated expenses or liabilities. It is also possible that offerings developed by others will render our offerings 9 9 9 Table of Contents Table of Contents and initiatives noncompetitive or obsolete. Further, these efforts entail investments in our systems and infrastructure, payments platform, and increased legal and regulatory compliance expenses, could distract management from current operations, and will divert capital and other resources from our more established offerings and initiatives. Even if we are successful in developing new offerings and initiatives, regulatory authorities may subject us or our Hosts and guests to new rules, taxes, or restrictions or more aggressively enforce existing rules, taxes, or restrictions, that could increase our expenses or prevent us from successfully commercializing these initiatives. If we do not realize the expected benefits of our investments in new offerings and initiatives, we may fail to grow and our business, results of operations, and financial condition would be materially adversely affected. --- ## Modified: Compliance with federal, state, and foreign laws relating to data privacy and data security involves significant expenditure and resources, and any failure by us or our vendors to comply may result in significant liability, negative publicity, an erosion of trust, and/or increased regulation and could materially adversely affect our business, results of operations, and financial condition. **Key changes:** - Reworded sentence: "We collect, store, handle, transmit, use, and otherwise process personal data, such as names, dates of birth, email addresses, phone numbers, and identity verification information (for example, government issued identification or passport), as well as credit card or other financial information, from and about Hosts and guests, as well as our employees, job applicants, contractors and representatives of our third-party vendors, and other companies we do business with." - Reworded sentence: "Since we are subject to the supervision of relevant data protection authorities under both the EU GDPR and the UK GDPR, we could be fined under each of those regimes independently in respect of the same breach." - Reworded sentence: "Further, the UK framework may in the future start to diverge from the EU framework, and these changes may lead to additional costs and increase our overall risk exposure." - Reworded sentence: "For example, the California Consumer Privacy Act ("CCPA") took effect in January 2020." - Reworded sentence: "The CCPA provided new and enhanced data privacy rights to California residents, such as affording consumers the right to access and delete their information and to opt out of certain sharing and sales of personal information." **Prior (2023):** Data privacy and data security laws, rules, and regulations are complex, and their interpretation is rapidly evolving, making implementation and enforcement, and thus compliance requirements, ambiguous, uncertain, and potentially inconsistent. Compliance with such laws may require changes to our data collection, use, transfer, disclosure, other processing, and certain other related business practices and may thereby increase compliance costs or have other material adverse effects on our business. As part of Host and guest registration and business processes, we collect and use personal data, such as names, dates of birth, email addresses, phone numbers, and identity verification information (for example, government issued identification or passport), as well as credit card or other financial information that Hosts and guests provide to us. The laws of many states and countries require businesses that maintain such personal data to implement reasonable measures to keep such information secure and otherwise restrict the ways in which such information can be collected and used. For example, the GDPR, which became effective on May 25, 2018, has resulted and will continue to result in significantly greater compliance burdens and costs for companies like ours. The GDPR regulates our collection, control, processing, sharing, disclosure, and other use of data that can directly or indirectly identify a living individual ("personal data"), and imposes stringent data protection requirements with significant penalties, and the risk of civil litigation, for noncompliance. Failure to comply with the GDPR may result in fines of up to 20 million Euros or up to 4% of the annual global revenue of the infringer, whichever is greater. It may also lead to civil litigation, with the risks of damages or injunctive relief, or regulatory orders adversely impacting the ways in which our business can use personal data. Many large geographies in which we operate, including Australia, Brazil, Canada, China, and India, have passed or are in the process of passing comparable or other robust data privacy and security legislation or regulation, which may lead to additional costs and increase our overall risk exposure. In addition, from January 1, 2021 (when the transitional period following Brexit expired), we are also subject to the GDPR, which, together with the amended UK Data Protection Act of 2018, retains the GDPR in UK national law. Both regimes have the ability to fine up to the greater of 20 million Euros (17 million British Pounds) or 4% of global turnover, respectively. The UK framework may in the future start to diverge from the EU framework, and these changes may lead to additional costs and increase our overall risk exposure. Additionally, we are subject to laws, rules, and regulations regarding cross-border transfers of personal data, including laws relating to transfer of personal data outside the European Economic Area ("EEA"). Recent legal developments in Europe have created complexity and uncertainty regarding transfers of personal data from the EEA and United Kingdom to the United States and other jurisdictions. On July 16, 2020, the CJEU invalidated the EU-US Privacy Shield Framework ("Privacy Shield") under which personal data could be transferred from the EEA to US entities that had self-certified under the Privacy Shield scheme. While the CJEU upheld the adequacy of the standard contractual clauses (a standard form of contract approved by the European Commission as an adequate personal data transfer mechanism, and potential alternative to the Privacy Shield), it noted that reliance on them alone may not necessarily be sufficient in all circumstances; this has created uncertainty and increased the risk around our international operations. Following the CJEU's ruling, there has been increased regulatory action in this area and several decisions by EU Data Protection Authorities that transfer to the United States, including transfer to well-known U.S. service providers, are unlawful. As the enforcement landscape further develops, and supervisory authorities issue further decisions and guidance on personal data export mechanisms, including circumstances where the standard contractual clauses cannot be used or if our use of certain products and vendors is the subject of investigation, we could suffer additional costs, complaints, or fines, have to stop using certain tools and vendors and make other operational changes, and/or if we are otherwise unable to transfer personal data between and among countries and regions in which we operate, it could affect the manner in which we provide our services, the geographical location or segregation of our relevant systems and operations, and could materially adversely affect our business, results of operations and financial condition. In addition to other mechanisms (particularly standard contractual clauses), we previously relied on our own Privacy Shield certification and, in limited instances, the Privacy Shield certifications of third parties (for example, vendors and partners) for the purposes of transferring personal data from the EEA and United Kingdom to the United States. We continue to rely on the standard contractual clauses to transfer personal data outside the EEA and United Kingdom, including to the United States. Additionally, in certain circumstances, we rely on derogations provided for by law. These recent developments may require us to review and amend the legal mechanisms by which we make and/ or receive personal data transfers to the United States and other jurisdictions. As our lead supervisory authority, the European Data Protection Board, and other data protection regulators issue further guidance on personal data export mechanisms, including 24 24 24 Table of Contents Table of Contents circumstances where the standard contractual clauses cannot be used, and/or take further or start taking enforcement action, we could suffer additional costs, have to stop using certain tools and vendors and make operational changes, suffer complaints and/or regulatory investigations or fines, and/or if we are otherwise unable to transfer personal data between and among countries and regions in which we operate, it could affect the manner in which we provide our services and our ability to provide our services, the geographical location or segregation of our relevant systems and operations, and could materially adversely affect our business, results of operations, and financial condition. In the United States, there are numerous federal and state data privacy and security laws, rules, and regulations governing the collection, use, storage, sharing, transmission, and other processing of personal information, including federal and state data privacy laws, data breach notification laws, and consumer protection laws. One such federal law is the Gramm-Leach-Bliley Act of 1999 ("GLBA") and its implementing regulations, which restricts certain collection, processing, storage, use, and disclosure of personal information, requires notice to individuals of privacy practices, and provides individuals with certain rights to prevent the use and disclosure of certain nonpublic or otherwise legally protected information. These rules also impose requirements for the safeguarding and proper destruction of personal information through the issuance of data security standards or guidelines. The U.S. government, including Congress, the Federal Trade Commission and the Department of Commerce, has announced that it is reviewing the need for greater regulation for the collection of information concerning consumer behavior on the Internet, including regulation aimed at restricting certain targeted advertising practices. In addition, numerous states have enacted or are in the process of enacting state level data privacy laws and regulations governing the collection, use, and processing of state residents' personal data. For example, the CCPA took effect on January 1, 2020. The CCPA established a new privacy framework for covered businesses such as ours, and may continue to require us to modify our data processing practices and policies and incur compliance related costs and expenses. The CCPA provides new and enhanced data privacy rights to California residents, such as affording consumers the right to access and delete their information and to opt out of certain sharing and sales of personal information. The CCPA also prohibits covered businesses from discriminating against consumers (for example, charging more for services) for exercising any of their CCPA rights. The CCPA imposes severe statutory damages as well as a private right of action for certain data breaches of specific categories of personal information. This private right of action has increased the risks associated with data breach litigation. In November 2020, California voters passed the California Privacy Rights and Enforcement Act of 2020 ("CPRA"). The CPRA went into effect on January 1, 2023. The CPRA modifies and expands the CCPA with additional data privacy compliance requirements that may impact our business, and establishes a regulatory agency dedicated to enforcing those requirements. In addition, Virginia, Colorado, Utah, and Connecticut recently passed comprehensive privacy laws that take effect in 2023 and will impose obligations similar to or more stringent than those we may face under other data privacy and security laws. Together, these laws will add additional complexity, variation in requirements, restrictions and potential legal risk, require additional investment in resources to compliance programs, could impact strategies and availability of previously useful data, and could result in increased compliance costs and/or changes in business practices and policies. Various other governments and consumer agencies around the world have also called for new regulation and changes in industry practices and many have enacted different and often contradictory requirements for protecting personal information collected and maintained electronically. Compliance with numerous and contradictory requirements of different jurisdictions is particularly difficult and costly for an online business such as ours, which collects personal information from Hosts, guests, and other individuals in multiple jurisdictions. If any jurisdiction in which we operate adopts news laws or changes its interpretation of its laws, rules, or regulations relating to data residency or localization such that we are unable to comply in a timely manner or at all, we could risk losing our rights to operate in such jurisdictions. While we have invested and continue to invest significant resources to comply with privacy regulations around the world, many of these regulations expose us to the possibility of material penalties, significant legal liability, changes in how we operate or offer our products, and interruptions or cessation of our ability to operate in key geographies, any of which could materially adversely affect our business, results of operations, and financial condition. Furthermore, to improve the trust and safety on our platform, we conduct certain verification procedures aimed at our Hosts, guests, and listings in certain jurisdictions. Such verification procedures may include utilizing public information on the Internet, accessing public databases such as court records, utilizing third-party vendors to analyze Host or guest data, or physical inspection. These types of activities may expose us to the risk of regulatory enforcement from privacy regulators, consumer protection agencies, consumer credit reporting agencies, and civil litigation. When we are required to disclose personal data pursuant to demands from, or give data access to, government agencies, including tax authorities, state and city regulators, law enforcement agencies, and intelligence agencies, our Hosts, guests, and data privacy and security regulators could perceive such disclosure as a failure by us to comply with data privacy and data security policies, notices, and laws, which could result in proceedings or actions against us in the same or other jurisdictions. Conversely, if we do not provide the requested information to government agencies due to a disagreement, such as on the interpretation of the law, we are likely to face enforcement action from such government, engage in litigation, face increased regulatory scrutiny, and experience an adverse impact on our relationship with governments or our ability to offer our services within certain jurisdictions. Any of the foregoing could materially adversely affect our brand, reputation, business, results of operations, and financial condition. Our business also increasingly relies on machine learning, artificial intelligence, and automated decision making to improve our services and tailor our interactions with our customers. However, in recent years use of these methods has come under increased regulatory scrutiny. New laws, guidance, and/or decisions in this area may limit our ability to use our machine learning and artificial intelligence, or require us to make changes to our platform or operations that may decrease our operational efficiency, result in an increase to operating costs and/or hinder our ability to improve our services. For example, there are specific rules on the use of automated decision making under global privacy laws that require the existence of automated decision making to be disclosed to the data subject with a meaningful explanation of the logic used in such decision making in certain circumstances, and safeguards must be implemented to safeguard individual rights, including the right to obtain human intervention and to contest any decision. Further, California recently introduced a law requiring disclosure of chatbot functionality and more US states are contemplating similar laws. Any failure or perceived failure by us to comply with consumer protection, data privacy or data security laws, rules, and regulations; policies; or enforcement notices and/or assessment notices (for a compulsory audit) could result in proceedings or actions against us by individuals, 25 25 25 Table of Contents Table of Contents consumer rights groups, government agencies, or others. We may also face civil claims including representative actions and other class action type litigation (where individuals have suffered harm), potentially amounting to significant compensation or damages liabilities, as well as associated costs, and diversion of internal resources. We could incur significant costs in investigating and defending such claims and, if found liable, pay significant damages or fines or be required to make changes to our business. Further, these proceedings and any subsequent adverse outcomes may subject us to significant negative publicity, and an erosion of trust. If any of these events were to occur, our business, results of operations, and financial condition could be materially adversely affected. **Current (2024):** Data privacy and data security laws, rules, and regulations are complex, and their interpretation is rapidly evolving, making implementation and enforcement, and thus compliance requirements, ambiguous, uncertain, and potentially inconsistent. Compliance with such laws may require changes to our data collection, use, transfer, disclosure, other processing, and certain other related business practices and may thereby increase compliance costs or have other material adverse effects on our business. We collect, store, handle, transmit, use, and otherwise process personal data, such as names, dates of birth, email addresses, phone numbers, and identity verification information (for example, government issued identification or passport), as well as credit card or other financial information, from and about Hosts and guests, as well as our employees, job applicants, contractors and representatives of our third-party vendors, and other companies we do business with. We also depend on third-party vendors to operate our business, a number of which process data on our behalf. We and our vendors are subject to a variety of state, federal, and foreign data privacy laws, rules, regulations, industry standards and other requirements, including those that generally require that we implement reasonable measures to keep such information secure and otherwise restrict the ways in which such information can be collected and used. These requirements, and their application, interpretation, and amendment are constantly evolving and developing. For example, in the European Union and the UK, we are subject to the European Union General Data Protection Regulation (the "EU GDPR") and to the United Kingdom General Data Protection Regulation and Data Protection Act 2018 (the "UK GDPR"), respectively (the EU GDPR and UK GDPR together referred to as the "GDPR"), both of which have resulted, and will continue to result in significantly greater compliance burdens and costs for companies like ours. The GDPR regulates our collection, control, processing, sharing, disclosure, and other use of data that can directly or indirectly identify a living individual ("personal data"), and imposes stringent data protection requirements with significant penalties, and the risk of civil litigation, for noncompliance. Since we are subject to the supervision of relevant data protection authorities under both the EU GDPR and the UK GDPR, we could be fined under each of those regimes independently in respect of the same breach. Penalties for certain breaches are up to the greater of 20 million Euro or GBP 17.5 million, or up to 4% of the annual global revenue of the infringer, whichever is greater. It may also lead to civil litigation, with the risks of damages or injunctive relief, or regulatory orders adversely impacting the ways in which our business can use personal data. Further, the UK framework may in the future start to diverge from the EU framework, and these changes may lead to additional costs and increase our overall risk exposure. From time to time we receive correspondence from regulators including the Data Protection Commission, our lead EU data protection regulator, regarding our personal data processing activities. We have been and are currently subject to a small number of statutory inquiries in respect of data processing under the GDPR, although we do not consider this particularly unusual for a business of our size and the level of personal data processed. To date, we have not received any fines in respect of such inquiries and have in place an internal process to review and process such inquiries to ensure we respond appropriately and update our privacy compliance with any findings. Additionally, we are subject to laws, rules, and regulations regarding cross-border transfers of personal data, including laws relating to transfer of personal data outside the European Economic Area ("EEA") and the UK. Case law from the Court of Justice of the European Union ("CJEU") states that reliance on the standard contractual clauses (a standard form of contract approved by the European Commission as an adequate personal data transfer mechanism) alone may not necessarily be sufficient in all circumstances and that transfers must be assessed on a case-by-case basis. In October 2022, President Biden signed an Executive Order on 'Enhancing Safeguards for United States Intelligence Activities' which introduced new redress mechanisms and binding safeguards to address the concerns raised by the CJEU in relation to data transfers from the EEA to the United States under the standard contractual clauses, and which formed the basis of the new EU-US Data Privacy Framework ("DPF"), as released in December 2022. The European Commission adopted its Adequacy Decision in relation to the DPF in July 2023 rendering the DPF effective as an EU GDPR transfer mechanism to U.S. entities self-certified under the DPF. In October 2023, the UK Extension to the DPF came into effect (as approved by the UK Government) as a UK GDPR data transfer mechanism to U.S. entities self-certified under the UK Extension to the DPF. 25 25 25 Table of Contents Table of Contents We currently rely on the EU standard contractual and the UK Addendum to the EU clauses standard contractual clauses and the UK International Data Transfer Agreement as relevant to transfer personal data outside the EEA and the UK with respect to both intragroup and third-party transfer. We expect the existing legal complexity and uncertainty regarding international personal data transfers to continue. In particular, we expect the DPF Adequacy Decision to be challenged and international transfers to the United States and to other jurisdictions more generally to continue to be subject to enhanced scrutiny by regulators. As the regulatory guidance and enforcement landscape in relation to data transfers continue to develop, we could suffer additional costs, complaints, and/or regulatory investigations or fines, we may have to stop using certain tools and vendors and make other operational changes, including updating agreements or implementing additional safeguards which could otherwise affect the manner in which we provide our services and our ability to provide our services; and could adversely affect our business, results of operations, and financial condition. Many large geographies in which we operate, including Australia, Brazil, Canada, China, India, and South Korea, have passed or are in the process of passing comparable or other robust data privacy and security legislation or regulation, which may lead to additional costs and increase our overall risk exposure. Additionally, we note that as the use of AI continues to grow, data protection regulators may take an increased interest in how we process personal data of our users and/ or hosts. This may mean that regulators seek advance engagement with businesses like ours in respect of certain types of data processing. This may affect our use of AI and our ability to provide, improve or commercialize our services effectively and efficiently and result in increased costs. In the United States, there are numerous federal and state data privacy and security laws, rules, and regulations governing the collection, use, storage, sharing, transmission, and other processing of personal information, including federal and state data privacy laws, data breach notification laws, electronic communications laws, and marketing and consumer protection laws. For example, the Federal Trade Commission and state regulators enforce a variety of data privacy issues, such as misrepresentations in privacy policies or failures to appropriately protect information about individuals, as unfair or deceptive acts or practices in or affecting commerce in violation of the Federal Trade Commission Act or similar state laws. Additionally, the Gramm-Leach-Bliley Act of 1999 ("GLBA") and its implementing regulations, which restrict certain collection, processing, storage, use, and disclosure of personal information, require notice to individuals of privacy practices, and provides individuals with certain rights to prevent the use and disclosure of certain nonpublic or otherwise legally protected information. These rules also impose requirements for the safeguarding and proper destruction of personal information through the issuance of data security standards or guidelines. The U.S. government, including Congress, the Federal Trade Commission and the Department of Commerce, has announced that it is reviewing the need for greater regulation for the collection of information concerning consumer behavior on the Internet, including regulation aimed at restricting certain targeted advertising practices. In addition, numerous states have enacted or are in the process of enacting state level data privacy laws and regulations governing the collection, use, and processing of state residents' personal data. For example, the California Consumer Privacy Act ("CCPA") took effect in January 2020. The CCPA established a new privacy framework for covered businesses such as ours, and may continue to require us to modify our data processing practices and policies and incur compliance related costs and expenses. The CCPA provided new and enhanced data privacy rights to California residents, such as affording consumers the right to access and delete their information and to opt out of certain sharing and sales of personal information. The CCPA also prohibits covered businesses from discriminating against consumers (for example, charging more for services) for exercising any of their CCPA rights. The CCPA imposes severe statutory damages and could lead to injunctive relief or agreed settlements providing for ongoing audit and reporting requirements, as well as a private right of action, for certain data breaches. This private right of action has increased the risks associated with data breach litigation. In November 2020, California voters passed the California Privacy Rights and Enforcement Act of 2020 ("CPRA"). The CPRA went into effect in January 2023. The CPRA modifies and expands the CCPA with additional data privacy compliance requirements that may impact our business, and establishes a regulatory agency dedicated to enforcing those requirements. In addition, the enactment of the CCPA is prompting a wave of similar legislative developments in other states, which creates the potential for a patchwork of overlapping but different state laws. For example, since the CCPA went into effect, comprehensive privacy statutes that share similarities with the CCPA are now in effect and enforceable in Virginia, Colorado, Utah, and Connecticut, and will be taking effect in other U.S. states in 2024 and beyond. Many other states are currently reviewing or proposing the need for greater regulation of the collection, sharing, use and other processing of information related to individuals for advertising purposes or otherwise, and there remains increased interest at the federal level as well. Together, these laws will add additional complexity, variation in requirements, restrictions and potential legal risk, require additional investment in resources to compliance programs and cyber security, could impact strategies and availability of previously useful data, and could result in increased compliance costs and/or changes in business practices and policies. Various other governments and consumer agencies around the world have also called for new regulation and changes in industry practices and many have enacted different and often contradictory requirements for protecting personal information collected and maintained electronically. Compliance with numerous and contradictory requirements of different jurisdictions is particularly difficult and costly for an online business such as ours, which collects personal information from Hosts, guests, and other individuals in multiple jurisdictions. If any jurisdiction in which we operate adopts new laws or changes its interpretation of its laws, rules, or regulations relating to data residency or localization such that we are unable to comply in a timely manner or at all, we could risk losing our rights to operate in such jurisdictions. As in many cases these laws are relatively new and the interpretation and application of these laws is uncertain there may be litigation, claims and enforcement relating to data privacy and the processing of personal data may involve new interpretations of privacy laws. For example, there has been a noticeable increase in class actions in the U.S. where plaintiffs have utilized a variety of laws, including state wiretapping laws, in relation to the use of tracking technologies, such as cookies and pixels. Any failure or perceived failure by us to comply with data privacy and data security laws, rules, or regulations could expose us to material penalties, significant legal liability, changes in how we operate or offer our products, and interruptions or cessation of our ability to operate in key geographies, any of which could materially adversely affect our business, results of operations, and financial condition. Furthermore, to improve the trust and safety on our platform, we conduct certain verification procedures aimed at our Hosts, guests, and listings in certain jurisdictions. Such verification procedures may include utilizing public information on the Internet, accessing public 26 26 26 Table of Contents Table of Contents databases such as court records, utilizing third-party vendors to analyze Host or guest data, or physical inspection. These types of activities may expose us to the risk of regulatory enforcement from privacy regulators, consumer protection agencies, consumer credit reporting agencies, and civil litigation. When we are required to disclose personal data pursuant to demands from, or give data access to, government agencies, including tax authorities, state and city regulators, law enforcement agencies, and intelligence agencies, our Hosts, guests, and data privacy and security regulators could perceive such disclosure as a failure by us to comply with data privacy and data security policies, notices, and laws, which could result in proceedings or actions against us in the same or other jurisdictions. Conversely, if we do not provide the requested information to government agencies due to a disagreement, such as on the interpretation of the law, we are likely to face enforcement action from such government, engage in litigation, face increased regulatory scrutiny, and experience an adverse impact on our relationship with governments or our ability to offer our services within certain jurisdictions. Any of the foregoing could materially adversely affect our brand, reputation, business, results of operations, and financial condition. Any failure or perceived failure by us to comply with consumer protection, data privacy or data security laws, rules, and regulations; policies; industry standards; or enforcement notices and/or assessment notices (for a compulsory audit) could result in proceedings or actions against us by individuals, consumer rights groups, government agencies, or others. We may also face civil claims including representative actions and other class action type litigation (where individuals have suffered harm), potentially amounting to significant compensation or damages liabilities, as well as associated costs, and diversion of internal resources. We could incur significant costs in investigating and defending such claims and, if found liable, pay significant damages or fines or be required to make changes to our business. Further, these proceedings and any subsequent adverse outcomes may subject us to significant negative publicity, and an erosion of trust. If any of these events were to occur, our business, results of operations, and financial condition could be materially adversely affected. --- ## Modified: Our IT Systems are highly complex, and any undetected errors could materially adversely affect our business, results of operations, and financial condition. **Key changes:** - Reworded sentence: "Our platform is a complex system composed of many interoperating components and software, including algorithms that incorporate machine learning and exhibit characteristics of AI." - Reworded sentence: "Our (or our suppliers' or services providers') IT Systems, including open source software that is incorporated into the code, may now or in the future contain a range of cybersecurity risks and threats, including bugs, vulnerabilities, or backdoors." - Reworded sentence: "Any errors, bugs, vulnerabilities, or backdoors discovered in our IT Systems released to production or found in third-party software, including open source software, that is incorporated into our code, any misconfigurations of our IT Systems, or any unintended interactions between IT Systems could result in poor system performance, an interruption in the availability of our platform, incorrect payments, incorrect calculations, search ranking problems, Host account takeovers, fraudulent listings, issues with chatbot behavior, inadvertent failure to effectively comply with legal, tax, or regulatory requirements, negative publicity, damage to our reputation, loss of existing and potential Hosts and guests, loss of revenue, liability for damages, a failure to comply with certain legal or tax reporting obligations, and regulatory inquiries or other proceedings, any of which could materially adversely affect our business, results of operations, and financial condition." **Prior (2023):** Our platform is a complex system composed of many interoperating components and software, including algorithms that incorporate machine learning and exhibit characteristics of artificial intelligence. Our business is dependent upon our ability to prevent system interruption on our platform, to effectively implement updates to our systems and to appropriately monitor and maintain our systems. Our software, including open source software that is incorporated into our code, may now or in the future contain undetected errors, bugs, vulnerabilities, or backdoors. Some errors, bugs, vulnerabilities, or backdoors in our software code have not been and may not be discovered until after the code has been released. We have, from time to time, found defects or errors in our system and software limitations that have resulted in, and may discover additional issues in the future that could result in, platform unavailability or system disruption, or the inability of our systems to implement timely updates that are required for regulatory compliance. For example, defects or errors have resulted in and could result in the delay in making payments to Hosts or overpaying or underpaying Hosts, which would impact our cash position and may cause Hosts to lose trust in our payment operations. Any errors, bugs, vulnerabilities, or backdoors discovered in our code or systems released to production or found in third-party software, including open source software, that is incorporated into our code, any misconfigurations of our systems, or any unintended interactions between systems could result in poor system performance, an interruption in the availability of our platform, incorrect payments, incorrect calculations, search ranking problems, Host account takeovers, fraudulent listings, issues with chatbot behavior, inadvertent failure to effectively comply with legal, tax, or regulatory requirements, negative publicity, damage to our reputation, loss of existing and potential Hosts and guests, loss of revenue, liability for damages, a failure to comply with certain legal or tax reporting obligations, and regulatory inquiries or other proceedings, any of which could materially adversely affect our business, results of operations, and financial condition. **Current (2024):** Our platform is a complex system composed of many interoperating components and software, including algorithms that incorporate machine learning and exhibit characteristics of AI. Our business is dependent upon our ability to prevent system interruption on our platform, to effectively implement updates to our systems and to appropriately monitor and maintain our systems. Our (or our suppliers' or services providers') IT Systems, including open source software that is incorporated into the code, may now or in the future contain a range of cybersecurity risks and threats, including bugs, vulnerabilities, or backdoors. Some errors, bugs, vulnerabilities, or backdoors in our IT Systems have not been and may not be discovered until after the code has been released. We have, from time to time, found defects or errors in our IT Systems and software limitations that have resulted in, and may discover additional issues in the future that could result in, platform unavailability or system disruption, or the inability of our systems to implement timely updates that are required for regulatory compliance. For example, defects or errors have resulted in and could result in the delay in making payments to Hosts or overpaying or underpaying Hosts, which would impact our cash position and may cause Hosts to lose trust in our payment operations. Any errors, bugs, vulnerabilities, or backdoors discovered in our IT Systems released to production or found in third-party software, including open source software, that is incorporated into our code, any misconfigurations of our IT Systems, or any unintended interactions between IT Systems could result in poor system performance, an interruption in the availability of our platform, incorrect payments, incorrect calculations, search ranking problems, Host account takeovers, fraudulent listings, issues with chatbot behavior, inadvertent failure to effectively comply with legal, tax, or regulatory requirements, negative publicity, damage to our reputation, loss of existing and potential Hosts and guests, loss of revenue, liability for damages, a failure to comply with certain legal or tax reporting obligations, and regulatory inquiries or other proceedings, any of which could materially adversely affect our business, results of operations, and financial condition. 28 28 28 Table of Contents Table of Contents --- ## Modified: Growing focus on evolving environmental, social, and governance issues by shareholders, customers, regulators, politicians, employees, and other stakeholders may impose additional risks and costs on our business. **Key changes:** - Reworded sentence: "In particular, companies, including Airbnb, face heightened expectations with respect to their practices, disclosures, and performance in relation to environmental sustainability, climate change, biodiversity, diversity, equity and inclusion, human rights, energy and water consumption, human capital management, data privacy and security, and supply chains (including human rights issues), among other topics." - Reworded sentence: "Notwithstanding our commitments to stakeholders and intentions with respect to other constituencies, if we fail to meet rapidly evolving investor, regulator, and other stakeholder expectations on ESG matters, if we are perceived not to have responded appropriately or in a timely manner to ESG issues that are material, or perceived to be material, to our business (including failing to pursue or achieve our stated goals, targets and objectives within the timelines we announce, failing to satisfy reporting and disclosure expectations or requirements, or if there are real or perceived inaccuracies in the data and information we report or if we are exposed to greenwashing initiatives), if we fail to accurately report ESG-related data or fail to accurately report the challenges associated with our ESG initiatives or the degree to which we will or will not be able to meet our ESG-related commitments, or if we fail to fully understand, reflect, disclose, mitigate or manage risks associated with environmental or social matters, we may experience harm to our brand and reputation, adverse press coverage, a reduction in our attractiveness as an investment, greater regulatory scrutiny and potential legal claims, greater difficulties in attracting and retaining customers and talent, increased costs associated with our legal compliance, insurance, or access to capital, and as a consequence, our business, results of operations, financial condition, and/or stock price could be materially adversely affected." - Added sentence: "Certain market participants, including major institutional investors and capital providers, use third-party benchmarks and scores to assess companies' ESG profiles in making investment or voting decisions, and unfavorable such scores could negatively impact us." - Added sentence: "Some external parties oppose companies' efforts on certain ESG-related matters." - Added sentence: "Both advocates and opponents to certain ESG matters are increasingly resorting to a range of activism forms, including media campaigns and litigation, to advance their perspectives." **Prior (2023):** ESG matters have become an area of growing and evolving focus among our shareholders and other stakeholders, including among customers, employees, regulators, politicians, and the general public in the United States and abroad. In particular, companies, including Airbnb, face heightened expectations with respect to their practices, disclosures, and performance in relation to climate change, diversity, equity and inclusion, human rights, energy and water consumption, human capital management, data privacy and security, and supply chains (including human rights issues), among other topics. We are committed to maintaining strong relationships with all of our key stakeholders, including our Hosts, guests, the communities within which we operate in, employees, and shareholders and we have taken and continue to take steps to serve each of our stakeholder groups. We also endeavor to maintain productive relationships with regulators and other constituencies with whom we engage. Notwithstanding our commitments to stakeholders and intentions with respect to other constituencies, if we fail to meet evolving investor, regulator, and other stakeholder expectations on ESG matters, if we are perceived not to have responded appropriately or in a timely manner to ESG issues that are material, or perceived to be material, to our business (including failing to pursue or achieve our stated goals, targets and objectives within the timelines we announce, failing to satisfy reporting and disclosure expectations or requirements, or if there are real or perceived inaccuracies in the data and information we report), if we fail to accurately report ESG-related data, or if we fail to fully understand, reflect, disclose, mitigate or manage risks associated with environmental or social matters, we may experience harm to our brand and reputation, adverse press coverage, a reduction in our attractiveness as an investment, greater regulatory scrutiny and potential legal claims, greater difficulties in attracting and retaining customers and talent, increased costs associated with our legal compliance, insurance, or access to capital, and as a consequence, our business, results of operations, financial condition, and/or stock price could be materially adversely affected. We also expect to incur additional costs and require additional resources to monitor, report, and comply with our various ESG commitments and reporting obligations. **Current (2024):** ESG matters have become an area of growing and evolving focus among our shareholders and other stakeholders, including among customers, employees, regulators, politicians, and the general public in the United States and abroad. In particular, companies, including Airbnb, face heightened expectations with respect to their practices, disclosures, and performance in relation to environmental sustainability, climate change, biodiversity, diversity, equity and inclusion, human rights, energy and water consumption, human capital management, data privacy and security, and supply chains (including human rights issues), among other topics. The current regulatory landscape regarding climate change and other ESG-related matters, both within the United States and in many other locations where we operate worldwide, is evolving at a pace, and is likely to continue to develop in ways, that require our business to adapt and require us to make certain disclosures regarding our operations and our commitments. Many U.S. states, either individually or through multi-state regional initiatives, have begun to address greenhouse gas emissions, including disclosure requirements relating thereto, and some U.S. states, for example, California, have also adopted various ESG-related efforts, initiatives and requirements. As a result, governments are, and may continue to, enact new laws and regulations and/or view matters or interpret laws and regulations differently than they have in the past, including laws and regulations which are responsive to ESG trends or otherwise seek to reduce the carbon emissions relating to travel and set minimum energy efficiency requirements, which could materially adversely affect our business, results of operations, and financial condition. The legislative landscape continues to be in a state of constant change as well as legal challenge with respect to these laws and regulations, making it difficult to predict with certainty the ultimate impact they will have on our business in the aggregate. We incur significant expenses and commit significant resources so that our platform can comply with applicable laws and regulations; however, there is no assurance that we will be able to fully implement technical upgrades and other system implementations in a timely manner since implementations often involve building new infrastructure and tools, which contain the inherent risk of unplanned errors and defects, and in certain instances we may be unable to respond to legislation or regulation in a way that fully mitigates any negative impacts our business. We are committed to maintaining strong relationships with all of our key stakeholders, including our Hosts, guests, the communities within which we operate in, employees, and shareholders and we have taken and continue to take steps to serve each of our stakeholder groups. We also endeavor to maintain productive relationships with regulators and other constituencies with whom we engage. Notwithstanding our commitments to stakeholders and intentions with respect to other constituencies, if we fail to meet rapidly evolving investor, regulator, and other stakeholder expectations on ESG matters, if we are perceived not to have responded appropriately or in a timely manner to ESG issues that are material, or perceived to be material, to our business (including failing to pursue or achieve our stated goals, targets and objectives within the timelines we announce, failing to satisfy reporting and disclosure expectations or requirements, or if there are real or perceived inaccuracies in the data and information we report or if we are exposed to greenwashing initiatives), if we fail to accurately report ESG-related data or fail to accurately report the challenges associated with our ESG initiatives or the degree to which we will or will not be able to meet our ESG-related commitments, or if we fail to fully understand, reflect, disclose, mitigate or manage risks associated with environmental or social matters, we may experience harm to our brand and reputation, adverse press coverage, a reduction in our attractiveness as an investment, greater regulatory scrutiny and potential legal claims, greater difficulties in attracting and retaining customers and talent, increased costs associated with our legal compliance, insurance, or access to capital, and as a consequence, our business, results of operations, financial condition, and/or stock price could be materially adversely affected. We also expect to incur additional costs and require additional resources to monitor, report, and comply with our various ESG commitments and reporting obligations. Certain market participants, including major institutional investors and capital providers, use third-party benchmarks and scores to assess companies' ESG profiles in making investment or voting decisions, and unfavorable such scores could negatively impact us. Some external parties oppose companies' efforts on certain ESG-related matters. Both advocates and opponents to certain ESG matters are increasingly resorting to a range of activism forms, including media campaigns and litigation, to advance their perspectives. To the extent we are subject to such activism, it may require us to incur costs or otherwise adversely impact our business. This and other stakeholder expectations will likely lead to increased costs as well as scrutiny that could heighten all of the risks identified in this risk factor. --- ## Modified: The business and industry in which we participate are highly competitive, and we may be unable to compete successfully with our current or future competitors. **Key changes:** - Reworded sentence: "We operate in a highly competitive environment and we face significant competition in attracting Hosts and guests." - Removed sentence: "The complexity of our platform and changes required to comply with the large number of disparate requirements can lead to compliance gaps if our internal resources cannot keep up with the pace of regulatory change and new requirements imposed on our platform, or if our platform does not work as intended or has errors or bugs." - Reworded sentence: "The complexity of our 11 11 11 Table of Contents Table of Contents platform and changes required to comply with the large number of disparate requirements can lead to compliance gaps if our internal resources cannot keep up with the pace of regulatory change and new requirements imposed on our platform, or if our platform does not work as intended or has errors or bugs." - Reworded sentence: "See our risk factor titled "We could face liability for information or content on or accessible through our platform." There are laws that apply to us, and there are laws that apply to our Hosts and/or guests." - Reworded sentence: "See our risk factor titled "Changes in tax laws or tax rulings could materially affect our results of operations and financial condition." With respect to online payment services, in June 2023 the European Commission proposed replacing the current Payment Services Directive ("PSD2") with a new directive on the same topic ("PSD3") and a new regulation on the same ("PSR")." **Prior (2023):** Hosts list, and guests search for, stays and experiences on our platform in more than 220 countries and regions, and in over 100,000 cities and towns throughout the world. There are national, state, local, and foreign laws and regulations in jurisdictions that relate to or affect our business. Moreover, the laws and regulations of each jurisdiction in which we operate are distinct and may result in inconsistent or ambiguous interpretations among local, regional, or national laws or regulations applicable to our business. Compliance with laws and regulations of different jurisdictions imposing varying standards and requirements is burdensome for businesses like ours, imposes added cost and increases potential liability to our business, and makes it difficult to realize business efficiencies and economies of scale. For example, we incur significant operational costs to comply with requirements of jurisdictions and cities that have disparate requirements around tax collection, tax reporting, Host registration, limits on lengths of stays, and other regulations, each of which require us to dedicate significant resources to provide the infrastructure and tools needed on our platform for our Hosts to meet these legal requirements and for us to fulfill any obligations we may have. The complexity of our platform and changes required to comply with the large number of disparate requirements can lead to compliance gaps if our internal resources cannot keep up with the pace of regulatory change and new requirements imposed on our platform, or if our platform does not work as intended or has errors or bugs. Environmental, health, and safety requirements have also become increasingly stringent, and our costs, and our Hosts' costs, to comply with such requirements may increase as a result. New or revised laws and regulations or new interpretations of existing laws and regulations, such as those related to climate change, could affect the operation of our Hosts' properties or result in significant additional expense and operating restrictions on us. It may be difficult or impossible for us to investigate or evaluate laws or regulations in all cities, countries, and regions. The application of existing laws and regulations to our business and platform can be unclear and may be difficult for Hosts, guests, and us to understand and apply, and are subject to change, as governments or government agencies seek to apply legacy systems of laws or adopt new laws to new online business models in the travel and accommodations industries, including ours. Uncertain and unclear application of such laws and regulations to Host and guest activity and our platform could cause and has caused some Hosts and guests to leave or choose not to use our platform, reduce supply and demand for our platform and services, increase the costs of compliance with such laws and regulations, and increase the threat of litigation or enforcement actions related to our platform, all of which would materially adversely affect our business, results of operations, and financial condition. See also our risk factor titled " - We could face liability for information or content on or accessible through our platform." There are laws that apply to us, and there are laws that apply to our Hosts and/or guests. While we require our Hosts and guests to comply with their own independent legal obligations under our terms of service, we have limited means of enforcing or ensuring the compliance of our Hosts and guests with all applicable legal requirements. Sometimes governments try to hold us responsible for laws that apply to our Hosts and/or guests. Whether applicable to us, our Hosts, and/or our guests, the related consequences arising out of such laws and regulations, including penalties for violations of and costs to maintain compliance with such laws and regulations, have had and could continue to have a material adverse effect on our reputation, business, results of operations, and financial condition. We take certain measures to comply, and to help Hosts comply, with laws and regulations, such as requiring registration numbers to be displayed on a listing profile for listings in some jurisdictions where such registration is required. These measures, changes to them, and any future measures we adopt could increase friction on our platform, and reduce the number of listings available on our platform from Hosts and bookings by guests, and could reduce the activity of Hosts and guests on our platform. We may be subject to additional laws and regulations which could require significant changes to our platform that discourage Hosts and guests from using our platform. Our newer offerings, such as Airbnb Experiences, are subject to similar or other laws, regulations, and regulatory actions. In particular, if we become more involved in Hosts' listings and conduct related to bookings, then we are more likely to draw scrutiny and additional regulations from governments and undercut various defenses we may have to claims or attempts to regulate us, which further constrain our business and impose additional liability on us as a platform. In addition to laws and regulations directly applicable to the short-term rental, long-term rental, and home sharing business as discussed in our risk factor titled " - Laws, regulations, and rules that affect the short-term rental, long-term rental, and home sharing business have limited and may continue to limit the ability or willingness of Hosts to share their spaces over our platform and expose our Hosts or us to significant penalties, which could have a material adverse effect on our business, results of operations, and financial condition," we are subject to laws and regulations governing our business practices, the Internet, e-commerce, and electronic devices, including those relating to taxation, data privacy, data security, pricing, content, advertising, discrimination, consumer protection, protection of minors, copyrights, 13 13 13 Table of Contents Table of Contents distribution, messaging, mobile communications, electronic device certification, electronic waste, electronic contracts, communications, Internet access, competition, and unfair commercial practices. We are also subject to laws and regulations governing the provision of online payment services and insurance services, the design and operation of our platform, and the operations, characteristics, and quality of our platform and services. We are also subject to federal, state, local, and foreign laws regulating employment, employee working conditions, including wage and hour laws, employment dispute and employee bargaining processes, collective and representative actions, employment classification, and other employment compliance requirements. As a result of the COVID-19 pandemic, many jurisdictions have adopted and may continue to adopt or modify laws, rules, regulations, and/or decrees intended to address the COVID-19 pandemic, including implementing travel restrictions, such as vaccination requirements for travel to and/or from certain regions. In addition, many jurisdictions have limited social mobility and gatherings. As the COVID-19 pandemic or related restrictions continue, governments, corporations, and other authorities may continue to implement restrictions or policies that could further restrict the ability of our Hosts and guests to participate on our platform. There is increased governmental interest in regulating technology companies in areas including platform content, data privacy, data security, intellectual property protection, ethical marketing, tax, data localization and data access, artificial intelligence or algorithm-based bias or discrimination, competition, and real estate broker related activities. In addition, increasing governmental interest in, and public awareness of, the impacts and effects of climate change and greater emphasis on sustainability by federal, state, and international governments could lead to further regulatory efforts to address the carbon impact of housing and travel. In particular, the current regulatory landscape regarding climate change (including disclosure requirements and requirements regarding energy and water use and efficiency), both within the United States and in many other locations where we operate worldwide, is evolving at a pace, and is likely to continue to develop in ways, that require our business to adapt. Many U.S. states, either individually or through multi-state regional initiatives, have begun to address greenhouse gas emissions, including disclosure requirements relating thereto, and some U.S. states have also adopted various environmental, social and governance ("ESG")-related efforts, initiatives and requirements. As a result, governments may enact new laws and regulations and/or view matters or interpret laws and regulations differently than they have in the past, including laws and regulations which are responsive to ESG trends or otherwise seek to reduce the carbon emissions relating to travel and set minimum energy efficiency requirements, which could materially adversely affect our business, results of operations, and financial condition. In particular, stricter regulation in relation to energy and water use and efficiency requirements could lead to a reduced number of listings in affected jurisdictions. The legislative landscape continues to be in a state of constant change as well as legal challenge with respect to these laws and regulations, making it difficult to predict with certainty the ultimate impact they will have on our business in the aggregate. We incur significant expenses and commit significant resources so that our platform can comply with applicable laws and regulations; however, there is no assurance that we will be able to fully implement technical upgrades and other system implementations in a timely manner since implementations often involve building new infrastructure and tools, which contain the inherent risk of unplanned errors and defects, and in certain instances we may be unable to respond to legislation or regulation in a way that fully mitigates any negative impacts our business. Any new or existing laws and regulations applicable to existing or future business areas, including amendments to or repeal of existing laws and regulations, or new interpretations, applications, or enforcement of existing laws and regulations, could expose us to substantial liability, including significant expenses necessary to comply with such laws and regulations, and materially adversely impact bookings on our platform, thereby materially adversely affecting our business, results of operations, and financial condition. For example, the UK laws and regulations that impact our UK and EU operations, including those relating to payment processing, data privacy and data security, legal protection for platforms, workers' rights, and intellectual property changed or may change following the United Kingdom's departure from the European Union. The Omnibus Directive also introduces stricter penalties for breaches of consumer protection law. This includes an introduction of fines as a mandatory element of penalties in some situations and higher amounts, as well as additional information requirements. The Collective Redress Directive replaced its predecessor in November 2020. This relatively new Directive allows for the recovery of monetary compensation on behalf of large classes of consumers, and greatly extends the scope to new areas, including for example misleading and comparative advertising, data privacy and data security. The European Union is also enhancing the regulation of digital services, and in November 2022, the DSA came into force. The majority of the substantive provisions of the DSA will begin to take effect between 2023 and 2024. The DSA will govern, among other things, potential liability for illegal content on platforms, traceability of traders, and transparency reporting obligations, including information on "monthly active recipients" in the European Union. The DSA may increase compliance costs and require additional resources as well as changes to our processes and operations. In parallel, the Digital Markets Act (the "DMA") came into force in November 2022 and introduces ex ante regulation of certain large online platforms. We do not anticipate being designated a regulated gatekeeper platform for the purposes of the DMA although this could change at some point in the future. Some European jurisdictions (such as Germany) have also introduced new competition rules in relation to digital platforms similar to the DMA at the national level. These laws may contain certain regulatory requirements and/or obligations that could negatively impact the business of companies like ours. Furthermore, some of our Hosts or some of our offerings may now or in the future be subject to the European Package Travel Directive, which imposes various obligations upon package providers and upon marketers of travel packages, such as disclosure obligations to consumers and liability to consumers. Our efforts to influence legislative and regulatory proposals have an uncertain chance of success, could be limited by laws regulating lobbying or advocacy activity in certain jurisdictions, and even if successful, could be expensive and time consuming, and could divert the attention of management from operations. **Current (2024):** We operate in a highly competitive environment and we face significant competition in attracting Hosts and guests. •Hosts. We compete to attract, engage, and retain Hosts on our platform to list their spaces and experiences. Hosts have a range of options for listing their spaces and experiences, both online and offline. It is also common for Hosts to cross-list their offerings. We compete for Hosts based on many factors, including the volume of bookings generated by our guests; ease of use of our platform (including onboarding, community support, and payments); the service fees we charge; Host protections, such as our Host Liability Insurance, Experiences Liability Insurance, and Host Damage Protection program; and our brand. •Guests. We compete to attract, engage, and retain guests on our platform. Guests have a range of options to find and book spaces, hotel rooms, serviced apartments, and other accommodations and experiences, both online and offline. We compete for guests based on many factors, including unique inventory and availability of listings, the value and all-in cost of our offerings relative to other options, our brand, ease of use of our platform, the relevance and personalization of search results, the trust and safety of our platform, and community support. We believe that our competitors include: •OTAs such as Booking Holdings (including the brands Booking.com, KAYAK, Priceline.com, and Agoda.com), Expedia Group (including the brands Expedia, Vrbo, HomeAway, Hotels.com, Orbitz, and Travelocity), Trip.com Group (including the brands Ctrip.com, Trip.com, Qunar, Tongcheng-eLong, and SkyScanner), Hopper, Fliggy (a subsidiary of Alibaba), Despegar, MakeMyTrip, and other regional OTAs; 10 10 10 Table of Contents Table of Contents •Internet search engines, such as Google, including its travel search products, Baidu, and other regional search engines; •Listing and meta search websites, such as TripAdvisor, Trivago, Mafengwo, AllTheRooms.com, Hometogo, Holidu, and Craigslist; •Hotel chains, such as Marriott, Hilton, Accor, Wyndham, InterContinental, OYO, and Huazhu, as well as boutique hotel chains and independent hotels; •Property management companies, such as Vacasa, Sonder, Inspirato, Evolve, Awaze, and other regional property management companies; and •Online platforms offering experiences, such as Viator, GetYourGuide, Klook, Traveloka, TUI Musement, and KKDay. Our competitors are adopting aspects of our business model, which could affect our ability to differentiate our offerings from competitors. Increased competition could result in reduced demand for our platform from Hosts and guests, slow our growth, and materially adversely affect our business, results of operations, and financial condition. Many of our current and potential competitors enjoy substantial competitive advantages over us, such as greater name and brand recognition, longer operating histories, larger marketing budgets, and loyalty programs, as well as substantially greater financial, technical, and other resources. In addition, our current or potential competitors have access to larger user bases and/or inventory for accommodations, and may provide multiple travel products, including flights. As a result, our competitors may be able to provide consumers with a better or more complete product experience and respond more quickly and effectively than we can to new or changing opportunities, technologies, standards, or Host and guest requirements or preferences. The global travel industry has experienced significant consolidation, and we expect this trend may continue as companies attempt to strengthen or hold their market positions in a highly competitive industry. Consolidation amongst our competitors will give them increased scale and may enhance their capacity, abilities, and resources, and lower their cost structures. In addition, emerging start-ups may be able to innovate and focus on developing a new product or service faster than we can or may foresee consumer need for new offerings or technologies before we do. There are now numerous competing companies that offer homes for booking, which may be cross-listed on our platform, listed on competing platforms, and/or available through direct booking sites. Some of these competitors also aggregate property listings obtained through various sources, including the websites of property managers. Some of our Hosts have chosen to cross-list their properties, which reduces the availability of such properties on our platform. When properties are cross-listed, the price paid by guests on our platform may be or may appear to be less competitive for a number of reasons, including differences in fee structure and policies, which may cause guests to book through other services, which could materially adversely affect our business, results of operations, and financial condition. Certain property managers reach out to our Hosts and guests to incentivize them to list or book directly with them and bypass our platform, and certain Hosts may encourage transactions outside of our platform, which reduces the use of our platform and services. Some of our competitors or potential competitors have more established or varied relationships with consumers than we do, and they could use these advantages in ways that could affect our competitive position, including by entering the travel and accommodations businesses. For example, some competitors or potential competitors are creating "super-apps" where consumers can use many online services without leaving that company's app, e.g., in particular regions, such as Asia, where e-commerce transactions are conducted primarily through apps on mobile devices. If any of these platforms are successful in offering services similar to ours to consumers, or if we are unable to offer our services to consumers within these super-apps, our customer acquisition efforts could be less effective and our customer acquisition costs, including our brand and performance marketing expenses, could increase, any of which could materially adversely affect our business, results of operations, and financial condition. We also face increasing competition from search engines including Google. How Google presents travel search results, and its promotion of its own travel meta-search services, such as Google Travel and Google Vacation Rental Ads, or similar actions from other search engines, and their practices concerning search rankings, could decrease our search traffic, increase traffic acquisition costs, and/or disintermediate our platform. These parties can also offer their own comprehensive travel planning and booking tools, or refer leads directly to suppliers, other favored partners, or themselves, which could also disintermediate our platform. In addition, if Google or Apple use their own mobile operating systems or app distribution channels to favor their own or other preferred travel service offerings, or impose policies that effectively disallow us to continue our full product offerings in those channels, it could materially adversely affect our ability to engage with Hosts and guests who access our platform via mobile apps or search. We are subject to a wide variety of laws, regulations and rules applicable to short-term rental and home sharing businesses, or that govern our business practices, including among others, e-commerce, data privacy, advertising, consumer protection, employment law, and commercial practices. Such laws and regulations are complex, evolving, and sometimes inconsistent and have limited and may continue to limit the ability or willingness of Hosts to share their spaces through our platform and expose our users or us to regulatory inquiries, litigation or other disputes and to significant liabilities, including taxes, compliance costs, fines, and criminal or other penalties, which have had and could continue to have a material adverse effect on our business, results of operations, and financial condition. Hosts list, and guests search for, stays and experiences on our platform in more than 220 countries and regions across the globe. There are national, state, local, and foreign laws and regulations in jurisdictions that relate to or affect our business and, since we began our operations in 2008, there have been and continue to be legal and regulatory developments and inconsistent or ambiguous interpretations among local, regional, or national laws or regulations that affect the short-term rental, long-term rental, and home sharing business. Compliance Costs Compliance with laws and regulations of different jurisdictions imposing varying standards and requirements is burdensome for businesses like ours, imposes added cost and increases potential liability to our business, and makes it difficult to realize business efficiencies and economies of scale. For example, we incur significant operational costs to comply with requirements of jurisdictions and cities that have disparate requirements around tax collection, tax reporting, Host registration, limits on lengths of stays, and other regulations, each of which require us to dedicate significant resources to provide the infrastructure and tools needed on our platform for our Hosts to meet these legal requirements and for us to fulfill any obligations we may have. Environmental, health, and safety requirements have also become increasingly stringent, and our costs, and our Hosts' costs, to comply with such requirements may increase as a result. The complexity of our 11 11 11 Table of Contents Table of Contents platform and changes required to comply with the large number of disparate requirements can lead to compliance gaps if our internal resources cannot keep up with the pace of regulatory change and new requirements imposed on our platform, or if our platform does not work as intended or has errors or bugs. Additionally, new or revised laws and regulations or new interpretations of existing laws and regulations, could further affect the operation of our Hosts' properties or result in significant additional expense and operating restrictions on us. It may be difficult or impossible for us to investigate or evaluate laws or regulations in all cities, countries, and regions. The application of existing laws and regulations to our business and platform can be unclear and may be difficult for Hosts, guests, and us to understand and apply, and are subject to change, as governments or government agencies seek to apply legacy systems of laws or adopt new laws to new online business models in the travel and accommodations industries, including ours. Uncertain and unclear application of such laws and regulations to Host and guest activity and our platform could cause and has caused some Hosts and guests to leave or choose not to use our platform, reduce supply and demand for our platform and services, increase the costs of compliance with such laws and regulations, and increase the threat of litigation or enforcement actions related to our platform, all of which would materially adversely affect our business, results of operations, and financial condition. See our risk factor titled "We could face liability for information or content on or accessible through our platform." There are laws that apply to us, and there are laws that apply to our Hosts and/or guests. While we require our Hosts and guests to comply with their own independent legal obligations under our terms of service, we have limited means of enforcing or ensuring the compliance of our Hosts and guests with all applicable legal requirements. Sometimes governments try to hold us responsible for laws that apply to our Hosts and/or guests. Whether applicable to us, our Hosts, and/or our guests, the related consequences arising out of such laws and regulations, including penalties for violations of and costs to maintain compliance with such laws and regulations, have had and could continue to have a material adverse effect on our reputation, business, results of operations, and financial condition. See our risk factor titled "Changes in tax laws or tax rulings could materially affect our results of operations and financial condition." With respect to online payment services, in June 2023 the European Commission proposed replacing the current Payment Services Directive ("PSD2") with a new directive on the same topic ("PSD3") and a new regulation on the same ("PSR"). The European Commission in parallel proposed a Financial Data Access Regulation ("FIDA"). PSD3 and the PSR will include amendments to strong customer authentication and anti-fraud obligations amongst other day to day requirements, and FIDA requires data holders (including payment institutions and EMIs) to provide customer data, including both personal and non-personal data to other data holders. PSD3, the PSR and FIDA are still in draft, however when finalized and in-force, they may increase our compliance costs and require additional resources as well as changes to our processes and operations. In addition, in January 2023, the UK HM Treasury published a review of the UK Payment Services Regulations 2017 ("UK PSR") and call for evidence. The review and call for evidence contained minimal information on areas of reform, other than a handful of areas including strong customer authentication requirements, information requirements regarding currency conversion charges, and notice provisions for the termination of customer contracts. Should the UK decide to reform the UK PSR, this may increase our compliance costs and require additional resources as well as changes to our processes and operations. We take certain measures to comply, and to help Hosts comply with laws and regulations, such as requiring registration numbers to be displayed on a listing profile for listings in some jurisdictions where such registration is required. These measures, changes to them, and any future measures we adopt could increase friction on our platform, and reduce the number of listings available on our platform from Hosts and bookings by guests, and could reduce the activity of Hosts and guests on our platform. We may be subject to additional laws and regulations which could require significant changes to our platform that discourage Hosts and guests from using our platform. Furthermore, if we become more involved in Hosts' listings and conduct related to bookings, then we are more likely to draw scrutiny and additional regulations from governments and undercut various defenses we may have to claims or attempts to regulate us, which further constrain our business and impose additional liability on us as a platform. Regulatory Developments Hotels and groups affiliated with hotels have engaged and will likely continue to engage in various lobbying and political efforts for stricter regulations governing our business in both local and national jurisdictions. Other private groups, such as homeowners, landlords, and condominium and neighborhood associations, have adopted contracts or regulations that purport to ban or otherwise restrict short-term rentals, and third-party lease agreements between landlords and tenants, home insurance policies, and mortgages may prevent or restrict the ability of Hosts to list their spaces. These groups and others cite concerns around affordable housing and over-tourism in major cities among other issues, and some state and local governments have implemented or considered implementing rules, ordinances, or regulations governing the short-term or long-term rental of properties and/or home sharing. Legislation could have a material impact on the way short-term and long-term rentals are regulated. Such regulations include ordinances that restrict or ban Hosts from short-term rentals or long-term rentals, set annual caps on the number of days Hosts can share their homes, require Hosts to register with the municipality or city, or require Hosts to obtain permission before offering short-term rentals, or impose obligations on us to assist in the enforcement of these regulations. For example, in New York City a law enacted in 2022 limits the properties that can host short-term rentals. It also contains several new obligations for short-term rental hosts and platforms. Existing, and changes to, laws and regulations such as these may limit Hosts' ability and willingness to list on our platform and may result in significant fines, liabilities, and penalties to the Company. In addition, some jurisdictions regard short-term rental or home sharing as "hotel use" and claim that such use constitutes a conversion of a residential property to a commercial property. Macroeconomic pressures and public policy concerns could continue to lead to new laws and regulations, or interpretations of existing laws and regulations, or widespread enforcement actions that limit the ability of Hosts to share their spaces or impose obligations upon us. For example, the European Union's regulation on short-term rentals (the "EU STR Regulation") is expected to enter into force in April 2024 and EU member states will have two years to give effect to the new rules under the regulation. The EU STR Regulation includes steps to enhance the transparency of certain host information on platforms (such as host registration numbers where required locally) and monthly reporting by platforms to local authorities (including, for example, host information, length of stay, and number of guests). The EU STR Regulation could have a material impact on the way short-term rentals are regulated in the European Union and will require us to invest additional resources to assess our compliance and make appropriate 12 12 12 Table of Contents Table of Contents adjustments in order to comply with its requirements. If laws, regulations, rules, or agreements significantly restrict or discourage Hosts in certain jurisdictions from sharing their properties, it would have a material adverse effect on our business, results of operations, and financial condition. While a number of cities and countries have implemented legislation to address short-term rentals, there are many others that are not yet explicitly addressing or enforcing short-term rental or long-term rental laws, and could follow suit and enact regulations with direct requirements on platforms such as Airbnb. New laws, regulations, government policies, or changes in their interpretations entail significant challenges and uncertainties. In the event of any such changes, pre-existing bookings may not be honored and current and future listings and bookings could decline significantly, and our relationship with our Hosts and guests could be negatively impacted, which would have a materially adverse effect on our business, results of operations, and financial condition. For example, if new regulations requiring us to share Host data with governmental organizations or to ensure that Hosts have a registration or permit number before publishing their listings or some other form of regulation are implemented, our revenue from listings there may be substantially reduced due to the departure from our platform of Hosts who do not wish to share their data or to obtain a registration or permit number. A reduction in supply and cancellations could make our platform less attractive to guests, and any reduction in the number of guests could further reduce the number of Hosts on our platform. While we seek to work with governments, we have in the past been, and are likely in the future to become, involved in disputes with government agencies regarding laws and regulations. For example, some governments have attempted to impose fines on us regarding what they contend is illegal offering of short-term accommodations in violation of applicable laws. Certain jurisdictions have adopted laws and regulations that seek to impose various types of taxes, including lodging taxes, often known as transient or occupancy taxes, on our guests, collection and remittance obligations on our Hosts and/or us, and withholding obligations on us, as more fully described in our risk factor titled "Uncertainty in the application of taxes to our Hosts, guests, or platform could increase our tax liabilities and may discourage Hosts and guests from conducting business on our platform" and "Changes in tax laws or tax rulings could materially affect our results of operations and financial condition." In addition, some third parties and regulators have asserted and may in the future assert that we, through our operations, are subject to regulations with respect to short-term rentals, Host registration, licensing, and other requirements for the listing of accommodations and experiences, such as real estate broker or agent licenses, travel agency licenses, e-commerce platform operator, and insurance-related licenses. We could be held liable and incur significant financial and potential criminal penalties if we are found to have violated any of these regulations. In certain jurisdictions, we have resolved disputes concerning the application of these laws and regulations by agreeing, among other things, to remove listings from our platform at the request of government entities, to require Hosts to enter a permit or registration number or take other action before publishing listings on our platform, to share certain data with government agencies to assist in the enforcement of limits on short-term or long-term rentals as well as the enforcement of safety regulations, and to implement measures to confirm to the government that Hosts are operating in compliance with applicable law. When a government agency seeks to apply laws and regulations in a manner that limits or curtails Hosts' or guests' ability or willingness to list and search for accommodations in that particular geography, we have attempted and may continue to attempt through litigation or other means to defend against such application of laws and regulations, but have sometimes been and may continue to be unsuccessful in certain of those efforts. Further, if we or our Hosts and guests were required to comply with laws and regulations, government requests, or agreements with government agencies that adversely impact our relations with Hosts and guests, our business, results of operations, and financial condition could be materially adversely affected. Moreover, if we enter an agreement with a government or governmental agency to resolve a dispute, the terms of such agreement may be publicly available and could create a precedent that may lead to similar disputes in other jurisdictions and may put us in a weaker bargaining position in future disputes with other governments. In addition to laws and regulations directly applicable to the short-term rental, long-term rental, and home sharing business, we are subject to laws and regulations governing the provision of online payment services and insurance services, the design and operation of our platform, and the operations, characteristics, and quality of our platform and services. As a result of such laws and regulations in connection with our insurance services, from time to time we are subject to review, inquiries or examinations by local insurance regulators to ensure compliance with such rules and regulations, including licensing requirements. We are also subject to laws and regulations governing our business practices, the Internet, e-commerce, and electronic devices, including those relating to taxation, data privacy, data security, pricing, content, advertising, discrimination, consumer protection, protection of minors, copyrights, distribution, messaging, mobile communications, electronic device certification, electronic waste, electronic contracts, communications, Internet access, competition, and unfair commercial practices as well as federal, state, local, and foreign laws regulating employment, employee working conditions, including wage and hour laws, employment dispute and employee bargaining processes, collective and representative actions, employment classification, and other employment compliance requirements. Violation of these laws could subject the company to fines and penalties, including in some cases, criminal penalties. There is also increased governmental interest in regulating technology companies in areas including platform content, data privacy, data security, intellectual property protection, ethical marketing, tax, data localization and data access, AI or algorithm-based bias or discrimination, competition, and real estate broker related activities. In addition, increasing governmental interest in, and public awareness of, the impacts and effects of climate change and greater emphasis on sustainability by federal, state, and international governments could lead to further regulatory efforts to address the carbon impact of housing and travel, which risks are more fully described in our risk factor titled "Growing focus on evolving environmental, social, and governance issues ("ESG") by shareholders, customers, regulators, politicians, employees, and other stakeholders may impose additional risks and costs on our business". Any new or existing laws and regulations applicable to existing or future business areas, including amendments to or repeal of existing laws and regulations, or new interpretations, applications, or enforcement of existing laws and regulations, could expose us to substantial liability, including significant expenses necessary to comply with such laws and regulations, and/or civil or criminal penalties, and materially adversely impact bookings on our platform, thereby materially adversely affecting our business, results of operations, and financial condition. Our efforts to influence legislative and regulatory proposals have an uncertain chance of success, could be limited by laws regulating lobbying or advocacy activity in certain jurisdictions, and even if successful, could be expensive and time consuming, and could divert the attention of management from operations. 13 13 13 Table of Contents Table of Contents Regulatory Inquiries, Litigation & Disputes We have been, and expect to continue to be, subject to legal and regulatory claims, litigation or pre-litigation disputes, and proceedings arising in the normal course of business, including various government inquiries, investigations, audits, and proceedings related to legal and regulatory requirements such as compliance with laws related to short-term rentals, long-term rentals, and home sharing, tax, escheatment, insurance services, employee related claims, consumer protection, pricing and currency display, advertising, discrimination, data sharing, payment processing, data privacy, data security, cancellation policies, and competition. In many cases, these inquiries, investigations, and proceedings can be complex, time consuming, costly to investigate, and require significant company and also management attention. For certain matters, we are implementing recommended changes to our products, operations, and compliance practices, including enabling tax collection, tax reporting, display of Host registration numbers, and removal of noncompliant listings. As our Company has grown larger, the number of bookings on our platform and brand awareness has increased, and the scope and complexity of our business have expanded, the number and significance of these claims, disputes, and proceedings have increased and we expect will continue to increase. We are unable to predict the outcomes and implications of such inquiries, investigations, and proceedings on our business, and such inquiries, investigations, and proceedings could result in damages, large fines and penalties, and require changes to our products and operations, and materially adversely affect our brand, reputation, business, results of operations, and financial condition. In some instances, applicable laws and regulations do not yet exist or are being adopted and implemented to address certain aspects of our business, and such adoption or change in their interpretation could further alter or impact our business and subject us to future government inquiries, investigations, and proceedings. We have been involved in litigation with national governments, trade associations and industry bodies, municipalities, and other government authorities, including as a plaintiff and as a defendant, concerning laws seeking to limit or outlaw short-term and long-term rentals and to impose obligations or liability on us as a platform. In the United States, we have been involved in various lawsuits concerning whether our platform is responsible for alleged wrongful conduct by Hosts who engage in short-term rentals. Claims in such cases have alleged illegal hotel conversions, real estate license requirements, violations of municipal law around short-term occupancy or rentals, unlawful evictions, or violations of lease provisions or homeowners' association rules. Legal claims have been asserted for alleged discriminatory conduct undertaken by Hosts against certain guests, and for our own platform policies or business practices. Changes to the interpretation of the applicability of fair housing, civil rights, or other statutes to our business or the conduct of our users could materially adversely impact our business, results of operations, and financial condition. We may also become more vulnerable to third-party claims as U.S. laws such as the Digital Millennium Copyright Act ("DMCA"), the Stored Communications Act, and the Communications Decency Act ("CDA"), and non-U.S. laws such as the Digital Services Act ("DSA"), the EU STR Regulation and the European E-Commerce Directive and their national transpositions are interpreted by the courts or otherwise modified or amended, as our platform and services to our Hosts and guests continue to expand, and as we expand geographically into jurisdictions where the underlying laws with respect to the potential liability of online intermediaries such as ourselves are either unclear or less favorable. In addition, we face claims and litigation relating to fatalities, shootings, other violent acts, illness (including COVID-19), cancellations and refunds, personal injuries, property damage, carbon monoxide incidents, hidden camera incidents, and privacy violations that occurred at listings or experiences during a booking made on our platform. We also have had putative class action litigation and government inquiries, and could face additional litigation and government inquiries and fines relating to our business practices, cancellations, and other consequences due to natural disasters or other unforeseen events beyond our control. Laws and government initiatives within the European Union have been attempting to regulate online platforms, including Airbnb. In several cases, national courts are evaluating whether certain local rules imposing obligations on platforms can be enforced against us. Most recently, the DSA came into force in November 2022, amending certain aspects of the E-Commerce Directive, and imposing on online platforms a number of content moderation and transparency obligations as of February 2024. In addition, in the ordinary course of business, disputes may arise because we are alleged to have infringed third parties' intellectual property or in which we agree to provide indemnification to third parties with respect to certain matters, including losses arising from our breach of such agreements or from intellectual property infringement claims, or where we make other contractual commitments to third parties. We also have indemnification agreements with certain of our directors, executive officers, and certain other employees that require us, among other things, to indemnify them against certain liabilities that may arise by reason of their status or service as directors or officers. We may be subject to litigation stemming from these obligations. We are also subject to unclaimed or abandoned property (escheatment) laws which require us to turn over to government authorities the property of others held by us that has been unclaimed for a period specified by such laws, as well as audits by government authorities regarding our escheatment practices, which may result in additional escheatment of unclaimed property and payment of interest and penalties. The laws governing unclaimed property matters are complex and subject to varying interpretations by companies and government authorities. An unfavorable audit could negatively impact our results of operations and cash flows in future periods. Adverse results in any regulatory inquiry, litigation, legal proceedings, audit, or claims may include awards of potentially significant monetary damages, including statutory damages for certain causes of action in certain jurisdictions, penalties, civil and criminal fines, compensation orders, injunctive relief, royalty or licensing agreements, or orders preventing us from offering certain services. Moreover, many regulatory inquiries, litigation, legal proceedings, or claims are resolved by settlements that can include both monetary and nonmonetary components. Adverse results or settlements may result in changes in our business practices in significant ways, increased operating and compliance costs, and a loss of revenue. In addition, any litigation or pre-litigation claims against us, whether or not meritorious, are time consuming, require substantial expense, and result in the diversion of significant operational resources. Moreover, our insurance may not cover all potential claims to which we are exposed and may not be adequate to indemnify us for all liability that may be imposed. As we continue to grow, regulatory inquiries, litigation, legal proceedings, and other claims will continue to consume significant Company resources and adverse results in future matters could materially adversely affect our business, results of operations, and financial condition. 14 14 14 Table of Contents Table of Contents --- ## Modified: If we or our third-party providers fail to protect Confidential Information and/or experience security incidents, there may be damage to our brand and reputation, material financial penalties, and legal liability, along with a decline in use of our platform, which would materially adversely affect our business, results of operations, and financial condition. **Key changes:** - Reworded sentence: "We rely on computer systems, hardware, software, technology infrastructure and online sites and networks for both internal and external operations that are critical to our business (collectively, "IT Systems")." - Reworded sentence: "The techniques used by threat actors to obtain unauthorized access, disable or degrade service, or sabotage systems change frequently and often are unknown until launched against a target." - Added sentence: "Remote and hybrid working arrangements at our Company (and at many third-party providers) also increase cybersecurity risks due to the challenges associated with managing remote computing assets and security vulnerabilities that are present in many non-corporate and home networks." - Reworded sentence: "We and other companies in our industry have dealt with incidents involving such insiders exfiltrating and stealing Confidential Information and illegally diverting funds." - Reworded sentence: "In addition, bad actors have targeted and will continue to target our Hosts and guests directly with attempts to breach the security of their accounts or management systems, such as through social engineering or phishing attacks where a third party attempts to infiltrate our systems or acquire information by posing as a legitimate inquiry or electronic communication, which are fraudulent identity theft schemes designed to appear as legitimate communications from us or from our Hosts or guests, partners, or vendors." **Prior (2023):** There are risks of security breaches both on and off our systems as we increase the types of technology we use to operate our platform, including mobile apps and third-party payment processing providers, and as we collaborate with third parties that may need to process our Host or guest data or have access to our infrastructure. The evolution of technology systems introduces ever more complex security risks that are difficult to predict and defend against. Further, there has been a surge in widespread cyber-attacks during the COVID-19 pandemic. The increase in the frequency and scope of cyber-attacks during the COVID-19 pandemic has exacerbated data security risks. An increasing number of companies, including those with significant online operations, have recently disclosed breaches of their security, some of which involved sophisticated tactics and techniques allegedly attributable to organized criminal enterprises or nation-state actors. While we take measures to guard against the type of activity that can lead to data breaches, the techniques used by bad actors to obtain unauthorized access, disable or degrade service, or sabotage systems change frequently and often are unknown until launched against a target. As such, we may be unable to anticipate these tactics and techniques or to implement adequate preventative measures. Further, with a large geographically disparate employee base, we are not immune from the possibility of a malicious insider compromising our information systems and infrastructure. This risk has grown in light of the greater adoption of remote work. We also have a distributed community support organization including third-party providers that have access to personal information and systems. We and other companies in our industry have dealt with incidents involving such insiders exfiltrating the personal data of customers, stealing corporate trade secrets and key financial metrics, and illegally diverting funds. No series of measures can fully safeguard against a sufficiently determined and skilled insider threat. In addition, bad actors have targeted and will continue to target our Hosts and guests directly with attempts to breach the security of their accounts or management systems, such as through phishing attacks where a third party attempts to infiltrate our systems or acquire information by posing as a legitimate inquiry or electronic communication, which are fraudulent identity theft schemes designed to appear as legitimate communications from us or from our Hosts or guests, partners, or vendors. We have seen many instances of our Hosts and guests falling prey to such schemes, which result in their accounts being taken over by fraudsters intent on perpetrating fraud against them, other users, and our platform. Bad actors may also employ other schemes aimed at defrauding our Hosts or guests in ways that we may not anticipate or be able to adequately guard against. Even if phishing and spamming attacks and other fraud schemes are not carried out through our systems, victims may nevertheless seek recovery from us. Because of our prominence, we believe that we are a particularly attractive target for such attacks. Though it is difficult to determine what, if any, harm may directly result from any specific scheme or attack, any failure to maintain performance, reliability, security, and availability of our offerings, services, and technical infrastructure to the satisfaction of our Hosts and guests may harm our reputation and our ability to retain existing Hosts and guests and attract new Hosts and guests. The ability of fraudsters to directly target our Hosts and guests with fraudulent communications, or cause an account takeover, exposes us to significant financial fraud risk, including costly litigation, which is difficult to fully mitigate. Generally, our practice is to encrypt certain sensitive data when it is in transit and at rest. However, advances in computer capabilities, increasingly sophisticated tools and methods used by hackers and cyber terrorists, new discoveries in the field of cryptography, or other developments may result in our failure or inability to adequately protect sensitive data. Our information technology infrastructure may be vulnerable to computer viruses or physical or electronic intrusions that our security measures may not detect. We have experienced security incidents in the past, and we may face additional attempted security intrusions in the future. Any circumvention of our security measures could result in the misappropriation of confidential or proprietary information, interrupt our operations, result in financial loss, damage our computers or those of our Hosts and guests, or otherwise cause damage to our reputation and business. Further, the ability to bypass our information security controls could degrade our trust and safety programs, which could expose individuals to a risk of physical harm or violence. If there is a breach of our computer systems and we know or suspect that certain personal data has been exfiltrated, accessed, or used inappropriately, we may need to inform privacy regulators across the world, as well as the Hosts or guests whose data was stolen, accessed, or misused. This may subject us to significant regulatory fines and penalties. Further, under certain regulatory schemes, such as the CCPA, we may be liable for statutory damages on a per breached record basis, irrespective of any actual damages or harm to the individual. This means that in the event of a breach we could face government scrutiny or consumer class actions alleging statutory damages amounting to hundreds of millions, and possibly billions of dollars. We rely on third-party service providers, including financial institutions, to process some of our data and that of our Hosts and guests, including payment information, and any failure by such third parties to prevent or mitigate security breaches or improper access to, or disclosure of, such information could have adverse consequences for us similar to an incident directly on our systems. We have acquired and will continue to acquire companies that are vulnerable to security breaches, and we may be responsible for any security breaches of these newly acquired companies. While we conduct due diligence of these companies, we do not have access to the full operating history of the companies and cannot be certain there have not been security breaches prior to our acquisition. We expend, and expect to continue to expend, significant resources to protect against security related incidents and address problems caused by such incidents. Even if we were to expend more resources, regulators and complainants may not deem our efforts sufficient, and 26 26 26 Table of Contents Table of Contents regardless of the expenditure, the risk of security related incidents cannot be fully mitigated. We have a heightened risk of security breaches due to some of our operations being located in certain international jurisdictions. Any actual or alleged security breaches or alleged violations of federal, state, or foreign laws or regulations relating to data privacy and data security could result in mandated user notifications, litigation, government investigations, significant fines, and expenditures; divert management's attention from operations; deter people from using our platform; damage our brand and reputation; force us to cease operations for some length of time; and materially adversely affect our business, results of operations, and financial condition. Defending against claims or litigation based on any security breach or incident, regardless of their merit, will be costly and may cause reputation harm. The successful assertion of one or more large claims against us that exceed available insurance coverage, denial of coverage as to any specific claim, or any change or cessation in our insurance policies and coverages, including premium increases or the imposition of large deductible requirements, could have a material adverse effect on our business, results of operations, and financial condition. **Current (2024):** We rely on computer systems, hardware, software, technology infrastructure and online sites and networks for both internal and external operations that are critical to our business (collectively, "IT Systems"). We own and manage some of these IT Systems but also rely on third parties for a range of IT Systems and related products and services, including cloud computing services. We and certain of our third-party providers collect, maintain and process data about Hosts, guests, employees and others, including personal data (such as email addresses, nationality, location information, Social Security numbers and other government identifiers, payment card information, and bank account information) as well as proprietary information belonging to our business such as trade secrets (collectively with personal data, "Confidential Information"). We face numerous and evolving cybersecurity risks that threaten the confidentiality, integrity, and availability of our and our third-party providers' IT Systems as we increase the types of technology we use to operate our platform, including mobile apps and third-party payment processing providers, and as we collaborate with third parties that may need to process our Host or guest data or have access to our infrastructure. These cybersecurity risks are from diverse threat actors, such as state-sponsored organizations, opportunistic hackers and hacktivists, as well as through diverse attack vectors, such as social engineering/phishing, company insiders, suppliers or providers, and as a result of human or technological error, including misconfigurations, bugs, or other vulnerabilities in software and hardware. The evolution of technology systems introduces ever more complex security risks that are difficult to predict and defend against, including AI. Further, there was a surge in widespread cyber-attacks during the COVID-19 pandemic, and geopolitical conflicts continue to increase and exacerbate our cybersecurity risks and potential for cybersecurity incidents. An increasing number of companies, including those with significant online operations, have recently disclosed breaches of their security, some of which involved sophisticated tactics and techniques allegedly attributable to organized criminal enterprises or nation-state actors. The techniques used by threat actors to obtain unauthorized access, disable or degrade service, or sabotage systems change frequently and often are unknown until launched against a target. As such, we cannot ensure that we will be able to anticipate, investigate, remediate, or recover from future attacks or incidents, or to avoid material impact to our IT Systems, Confidential Information or business. There can also be no assurance that our cybersecurity risk management program and processes, including our policies, controls or procedures, will be fully implemented, complied with or effective in protecting our IT Systems and Confidential Information. Further, with a large geographically disparate employee base, we are not immune from the possibility of a malicious insider compromising our information systems and infrastructure. This risk has grown in light of the greater adoption of remote work. Remote and hybrid working arrangements at our Company (and at many third-party providers) also increase cybersecurity risks due to the challenges associated with managing remote computing assets and security vulnerabilities that are present in many non-corporate and home networks. We also have a distributed community support organization including third-party providers that have access to personal information and systems. We and other companies in our industry have dealt with incidents involving such insiders exfiltrating and stealing Confidential Information and illegally diverting funds. We and other companies in our industry have also dealt with third parties and insiders manipulating information (e.g., reviews). No series of measures can fully safeguard against a sufficiently determined and skilled insider threat. In addition, bad actors have targeted and will continue to target our Hosts and guests directly with attempts to breach the security of their accounts or management systems, such as through social engineering or phishing attacks where a third party attempts to infiltrate our systems or acquire information by posing as a legitimate inquiry or electronic communication, which are fraudulent identity theft schemes designed to appear as legitimate communications from us or from our Hosts or guests, partners, or vendors. We have seen many instances of our Hosts and guests falling prey to such schemes, which result in their accounts being taken over by fraudsters intent on perpetrating fraud against them, other users, and our platform. Bad actors may also employ other schemes aimed at defrauding our Hosts or guests in ways that we may not anticipate or be able to adequately guard against. Even if phishing and spamming attacks and other fraud schemes are not carried out through our IT Systems, victims may nevertheless seek recovery from us. Because of our prominence, we believe that we are a particularly attractive target for such attacks. Though it is difficult to determine what, if any, harm may directly result from any specific scheme or attack, any failure to maintain performance, reliability, security, and availability of our offerings, services, and IT Systems to the satisfaction of our Hosts and guests may harm our reputation and our ability to retain existing Hosts and guests and attract new Hosts and 27 27 27 Table of Contents Table of Contents guests. The ability of fraudsters to directly target our Hosts and guests with fraudulent communications, or cause an account takeover, exposes us to significant fraud risk, including costly litigation, which is difficult to fully mitigate. Generally, our practice is to encrypt certain sensitive data when it is in transit and at rest. However, advances in computer capabilities, increasingly sophisticated tools and methods used by hackers and cyber terrorists, new discoveries in the field of cryptography and AI, or other developments may result in our failure or inability to adequately protect sensitive data. Our IT Systems may be vulnerable to computer viruses or physical or electronic intrusions that our security measures may not detect. We and certain of our third-party service providers have experienced cyberattacks and other security incidents in the past, and we expect such attacks and incidents to continue in varying degrees. Any cyberattack or security incident threatens the confidentiality, integrity, and availability of our IT Systems and Confidential Information and could result in the misappropriation of Confidential Information and could materially adversely affect our operations, financial condition, IT Systems or those of our Hosts and guests, or could otherwise cause damage to our reputation and business. Further, the ability to bypass our information security controls could degrade our trust and safety programs, which could expose individuals to a risk of physical harm or violence. If there is a breach of our IT Systems and we know or suspect that certain Confidential Information has been exfiltrated, accessed, or used inappropriately, we may need to inform privacy regulators across the world, as well as our employees and the Hosts or guests whose data was stolen, accessed, or misused. This may subject us to significant regulatory fines and penalties. Further, under certain regulatory schemes, such as the CCPA, we may be liable for statutory damages on a per breached record basis, irrespective of any actual damages or harm to the individual. This means that in the event of a breach we could face government scrutiny or consumer class actions alleging statutory damages amounting to hundreds of millions, and possibly billions of dollars. We rely on third-party service providers, including financial institutions, to process some of our data and that of our Hosts and guests, including payment information, and successful security incidents that disrupt or result in unauthorized access to third-party IT Systems of data processed therein could have adverse consequences for us similar to an incident directly on our IT Systems, including financially and operationally. We have acquired and will continue to acquire companies whose IT Systems are vulnerable to security incidents and have vulnerabilities, and we may be responsible for any security incidents of these newly acquired companies. While we conduct due diligence of these companies, we do not have access to the full operating history of the companies, including measures implemented to protect their IT Systems and Confidential Information, and cannot be certain there have not been security incidents prior to or vulnerabilities that still exist at the time of our acquisition, which exposes us to significant cybersecurity, operational and financial risk. We expend, and expect to continue to expend, significant resources to protect our IT Systems and Confidential Information and remediate or recover from cyberattacks and security incidents. However, regulators and complainants may not deem our efforts sufficient, and regardless of the expenditure, the risk of security incidents cannot be fully mitigated. We have a heightened risk of cyberattacks and security incidents due to some of our operations being located in certain international jurisdictions. Any actual or alleged security breaches or alleged impact to the availability, integrity, or confidentiality of our IT Systems or Confidential Information or alleged violations of federal, state, or foreign laws or regulations relating to data privacy and data security could result in mandated user notifications, legal claims or proceedings (such as class actions), government investigations and enforcement actions, significant fines, and expenditures; divert management's attention from operations; incur significant incident response, system restoration, or remediation and future compliance costs; deter people from using our platform; damage our brand and reputation; force us to cease operations for some length of time; and materially adversely affect our business, results of operations, and financial condition. Defending against claims or litigation based on any security breach or incident, regardless of their merit, will be costly and may cause reputation harm. We cannot guarantee that any costs and liabilities incurred in relation to an attack or incident will be covered by our existing insurance policies or that applicable insurance will be available to us in the future on economically reasonable terms or at all. Therefore, the successful assertion of one or more large claims against us that exceed available insurance coverage, denial of coverage as to any specific claim, or any change or cessation in our insurance policies and coverages, including premium increases or the imposition of large deductible requirements, could have a material adverse effect on our business, results of operations, and financial condition. --- *Data sourced from SEC EDGAR. Last updated 2026-06-01.*