---
ticker: ABNB
company: ABNB
filing_type: 10-K
year_current: 2026
year_prior: 2025
risks_added: 0
risks_removed: 0
risks_modified: 7
risks_unchanged: 46
source: SEC EDGAR
url: https://riskdiff.com/abnb/2026-vs-2025/
markdown_url: https://riskdiff.com/abnb/2026-vs-2025/index.md
generated: 2026-06-01
---

# ABNB: 10-K Risk Factor Changes 2026 vs 2025

> Source: U.S. Securities and Exchange Commission (EDGAR)  
> Generated: 2026-06-01  
> All data extracted directly from official filings. No hallucinated content.

## Summary

| Status | Count |
|--------|-------|
| New risks added | 0 |
| Risks removed | 0 |
| Risks modified | 7 |
| Unchanged | 46 |

---

## Modified: We may experience significant fluctuations in our results of operations, which make it difficult to forecast our future results.

**Key changes:**

- Reworded sentence: "Our business is seasonal, reflecting typical global travel patterns, with the peak travel season occurring in the third quarter across North America and EMEA."

**Prior (2025):**

Our results of operations can vary significantly and are not necessarily indicative of future performance due to seasonal fluctuations and other factors. We experience seasonality in our Nights and Experiences Booked and GBV, and seasonality in Adjusted Earnings Before Interest, Taxes, Depreciation, and Amortization ("EBITDA") that is consistent with seasonality of our revenue, which has historically been, and is expected to continue to be, highest in the third quarter when we have the most check-ins as it is the peak travel season for North America and EMEA. Revenue is recognized upon check-in, and as our business evolves, seasonal trends may change. In addition, our results of operations may fluctuate as a result of a variety of other factors, some of which are beyond our control, including:

- reduced travel and cancellations due to events such as health concerns, including epidemics and pandemics, natural disasters, wars, political instability, regional hostilities or law enforcement demands, and other regulatory actions;
- global macroeconomic conditions;
- periods with increased investments in our platform for existing offerings, new offerings and initiatives, marketing, and the accompanying growth in headcount;
- our ability to maintain growth and effectively manage that growth;
- increased competition;
- our ability to expand our operations in new and existing regions;
- changes in governmental or other regulations affecting our business;
- changes to our internal policies or strategies;
- harm to our brand or reputation; and
- other risks described in these Risk Factors and elsewhere in this Annual Report on Form 10-K.

In addition, we may not accurately forecast our results of operations due to timing differences between when bookings are made and revenue recognition, which occurs at check-in.
For example, the effect of significant downturns in bookings in a particular quarter may not be fully reflected in our financial results until future periods due to this timing difference. Our expense levels are based on revenue estimates that may be inaccurate, and fixed expenses may lead to greater-than-expected losses if revenue falls short. Incorrect assumptions or failure to address risks could materially affect our business, results of operations, and financial condition.

**Current (2026):**

Our results of operations can vary significantly and are not necessarily indicative of future performance due to seasonal fluctuations and other factors. Our business is seasonal, reflecting typical global travel patterns, with the peak travel season occurring in the third quarter across North America and EMEA. We experience seasonality in our Nights and Seats Booked, GBV, Adjusted EBITDA and FCF. Holiday timing and other events can also shift quarterly performance. As our business evolves, seasonal trends may change. In addition, our results of operations may fluctuate as a result of a variety of other factors, some of which are beyond our control, including:

- reduced travel and cancellations due to events such as health concerns, including epidemics and pandemics, natural disasters, wars, political instability, regional hostilities or law enforcement demands, and other regulatory actions;
- global macroeconomic conditions;
- periods with increased investments in our platform for existing offerings, new offerings and initiatives, marketing, and the accompanying growth in headcount;
- our ability to maintain growth and effectively manage that growth;
- increased competition;
- our ability to expand our operations in new and existing regions;
- changes in governmental or other regulations affecting our business;
- changes to our internal policies or strategies;
- harm to our brand or reputation; and
- other risks described in these Risk Factors and elsewhere in this Annual Report on Form 10-K.

In addition, we may not accurately forecast our results of operations due to timing differences between when bookings are made and revenue recognition, which occurs at check-in. For example, the effect of significant downturns in bookings in a particular quarter may not be fully reflected in our financial results until future periods due to this timing difference.
Our expense levels are based on revenue estimates that may be inaccurate, and fixed expenses may lead to greater-than-expected losses if revenue falls short. Incorrect assumptions or failure to address risks could materially affect our business, results of operations, and financial condition.

---

## Modified: Our use of artificial intelligence and machine learning gives rise to legal, business, and operational risks, which may result in diminished performance, regulatory scrutiny, social impacts, reputational harm, and liability arising from the use of this technology.

**Key changes:**

- Reworded sentence: "We currently use AI and machine learning technologies ("AI and ML Technologies") in our offerings, for example with respect to fraud detection, search, enabling customized features and enhancing community support."
- Reworded sentence: "Our ability to continue to adopt, integrate, and use such technologies at the scale we may need may be dependent on access to specific third-party software, and infrastructure, such as processing hardware or third-party AI models, and we cannot control the quality, availability, or pricing of such third-party software and infrastructure, especially in a highly competitive environment."
- Reworded sentence: "The regulatory and intellectual property frameworks governing the use and protection of AI and ML Technologies and its outputs are rapidly evolving, and we cannot predict how future legislation and regulation will impact our ability to offer and protect products or services that we develop which leverage AI and ML Technologies."

**Prior (2025):**

We currently use AI and ML Technologies in our offerings, for example with respect to fraud detection, search, enabling customized features and enhancing community support. The rapid evolution of AI and ML Technologies will continue to require the application of significant resources to adopt, develop, test, integrate, and maintain AI and ML Technologies included in our offerings in order to remain competitive and to help implement these technologies responsibly and minimize unintended or harmful impacts. There are significant risks involved in adopting, developing, maintaining, and deploying these technologies, and there can be no assurance that the usage of such technologies will enhance our products or services or be beneficial to our business, including our efficiency or profitability. In particular, AI and ML Technologies may be incorrectly designed or implemented; may be trained or reliant on incomplete, inadequate, inaccurate, biased, or otherwise poor quality data or on data to which we or third parties do not have sufficient rights; and/or may be adversely impacted by unforeseen defects, technical challenges, cybersecurity threats, third-party litigation or regulatory action, or material performance issues. Any of the above could negatively impact the performance of our products, services and business, as well as our reputation, and we could incur liability and costs resulting from the actual or perceived violation of laws or contracts to which we are a party or civil claims. In addition, AI and ML Technologies, including generative AI, may be vulnerable to adversarial user behavior or create inaccurate or misleading content or other discriminatory or unexpected results or behaviors, such as hallucinatory behavior that can generate irrelevant, unintended, nonsensical, or factually incorrect results.
Our hosts, guests or others may rely on or use this flawed content or information to their detriment, which may expose us to brand or reputational harm, competitive harm, consumer complaints, legal liability, and other adverse consequences, any of which could materially adversely affect our business, results of operations, and financial condition. The use of AI and ML Technologies presents emerging ethical and social issues, and if we enable or offer solutions that draw scrutiny or controversy due to their perceived or actual impact on our customers or on society as a whole, we may experience brand or reputational harm, competitive harm, consumer complaints, legal liability, and other adverse consequences, any of which could materially adversely affect our business, results of operations, and financial condition. Development, maintenance and operation of AI and ML Technologies requires additional investment in the development of proprietary datasets, machine learning models, and systems to monitor and test for accuracy, bias, and other variables, which are complex, costly, and could impact our profit margin as we expand the use of AI and ML Technologies in our offerings. Developing, testing, and deploying AI and ML Technologies also increase associated computing costs. In addition to our proprietary technologies, we use AI and ML Technologies licensed from third parties. Our ability to continue to adopt, integrate and use such technologies at the scale we may need may be dependent on access to specific third-party software and infrastructure, such as processing hardware or third-party AI models, and we cannot control the quality, availability or pricing of such third-party software and infrastructure, especially in a highly competitive environment. 
If any such third-party AI and ML Technologies become incompatible with our offerings or unavailable for use or have degradations in performance, or if the providers of such models unfavorably change the terms on which their AI and ML Technologies are offered or terminate their relationship with us, our solutions may become less appealing to our customers. In addition, to the extent any third-party AI and ML Technologies are used as a vendor hosted service, any disruption, outage, or loss of information through such hosted services could disrupt our operations or solutions, damage our reputation, cause a loss of confidence in our solutions, or result in legal claims or proceedings, for which we may be unable to recover damages from the affected provider. We face competition from other companies in our industry with respect to the development and deployment of AI and ML Technologies to enhance our competitive offerings. Those other companies may develop AI and ML Technologies that are similar or superior to ours and/or are more cost-effective and/or quicker to develop, deploy and maintain. Any inability to develop, offer or deploy new AI and ML Technologies as effectively, quickly and/or as cost-efficiently as our competitors could have a materially adverse impact on our operating results, customer relationships and growth. The regulatory and intellectual property frameworks governing the use and protection of AI and ML Technologies and of its outputs are rapidly evolving, and we cannot predict how future legislation and regulation will impact our ability to offer and protect products or services that we develop which leverage AI and ML Technologies. Many federal, state and foreign government bodies and agencies have introduced or proposed additional laws and regulations. Additionally, existing laws and regulations may be interpreted in ways that would affect the operation of and availability of IP protection for our AI and ML Technologies. 
As a result, implementation standards, enforcement practices, and available scope of protection are likely to remain uncertain for the foreseeable future, and we cannot yet determine the impact future laws, regulations, or standards may have on our business (including our positioning with respect to our competition) and may not always be able to anticipate how to respond to these laws or regulations. Already, certain existing legal regimes (e.g., relating to data privacy) regulate certain aspects of AI and ML Technologies, and new laws regulating AI and ML Technologies are expected to continue to be proposed and enacted in the United States and globally. For further information related to AI laws and regulations that may affect our business, see the risk factor titled "Compliance with federal, state, and foreign laws relating to data privacy, data security, artificial intelligence, marketing and consumer protection involves significant expenditure and resources, and any actual or perceived failure by us or our vendors to comply may result in significant liability, litigation or other legal action against us, negative publicity, an erosion of trust, and/or result in regulatory scrutiny, fines and penalties and could materially adversely affect our business, results of operations, and financial condition." It is also possible that new laws and regulations will be adopted in the United States and in other non-U.S. jurisdictions, or that existing laws and regulations, including data privacy, consumer protection, competition laws, may be interpreted in ways that would limit our ability to use AI and ML Technologies for our business, or require us to change the way we use AI and ML Technologies in a manner that negatively affects the performance of our products, services, and business and requires us to expend resources and adjust our products or services in certain jurisdictions. 
Further, the cost to comply with such laws, regulations, or decisions and/or guidance interpreting existing laws, could be significant and would increase our operating expenses (such as by imposing additional reporting obligations regarding our use of AI and ML Technologies). Such an increase in operating expenses, as well as any actual or perceived failure to comply with such laws and regulations, could adversely affect our business, financial condition and results of operations.

**Current (2026):**

We currently use AI and machine learning technologies ("AI and ML Technologies") in our offerings, for example with respect to fraud detection, search, enabling customized features and enhancing community support. The rapid evolution of AI and ML Technologies will continue to require the application of significant resources to adopt, develop, test, integrate, and maintain AI and ML Technologies included in our offerings in order to remain competitive and to help implement these technologies responsibly and minimize unintended or harmful impacts. There are significant risks involved in adopting, developing, maintaining, and deploying these technologies, and no assurance that such technologies will enhance our products or services or be beneficial to our business, including our efficiency or profitability. In particular, AI and ML Technologies may be incorrectly designed or implemented; may be trained or reliant on incomplete, inadequate, inaccurate, biased, or otherwise poor quality data or on data to which we or third parties do not have sufficient rights; and/or may be adversely impacted by unforeseen defects, technical challenges, cybersecurity threats, third-party litigation, regulatory action, or material performance issues. Any of the above could negatively impact the performance of our products and services, as well as our reputation, and we could incur liability and costs resulting from the actual or perceived violation of laws or contracts to which we are a party or civil claims. In addition, AI and ML Technologies, including generative AI, may be vulnerable to adversarial user behavior or create inaccurate or misleading content or other discriminatory or unexpected results or behaviors, such as hallucinatory behavior, output, or results that are irrelevant, unintended, nonsensical, or factually incorrect. 
Our hosts, guests, or others may rely on or use this flawed output or results or information to their detriment, which may expose us to brand or reputational harm, competitive harm, consumer complaints, legal liability, and other adverse consequences, any of which could materially adversely affect our business, results of operations, and financial condition. In addition to our proprietary technologies, we use AI and ML Technologies licensed from third parties. Our ability to continue to adopt, integrate, and use such technologies at the scale we may need may be dependent on access to specific third-party software, and infrastructure, such as processing hardware or third-party AI models, and we cannot control the quality, availability, or pricing of such third-party software and infrastructure, especially in a highly competitive environment. If any such third-party models, software, or infrastructure becomes incompatible with our offerings or unavailable for use or has degradations in performance, or if the providers of such services unfavorably change the terms on which their services are offered or terminate their relationship with us, our offerings may become less appealing to our customers. In addition, to the extent any third-party infrastructure or software is used as a vendor hosted service, any disruption, outage, or loss of information through such hosted services could disrupt our operations or offerings, damage our reputation, cause a loss of confidence in our offerings, or result in legal claims or proceedings, for which we may be unable to recover damages from the affected provider. We face competition from other companies in our industry with respect to the development and deployment of AI and ML Technologies to enhance our competitive offerings. Those other companies may develop AI and ML Technologies that are similar or superior to ours and/or are more cost-effective and/or quicker to develop, deploy and maintain. 
Any inability to develop, offer or deploy new AI and ML Technologies as effectively, quickly and/or as cost-efficiently as our competitors could have a materially adverse impact on our operating results, customer relationships and growth. The regulatory and intellectual property frameworks governing the use and protection of AI and ML Technologies and its outputs are rapidly evolving, and we cannot predict how future legislation and regulation will impact our ability to offer and protect products or services that we develop which leverage AI and ML Technologies. Regulators (including data protection regulators) have taken, and are expected to continue to take, an increased interest in issues, such as how we and our vendors collect, maintain, process, and provide transparency on the use of personal data in this context. The increased use of AI and ML Technologies means that regulators are increasingly seeking advance engagement with businesses like ours in respect of certain types of data processing, including our lead EU data protection regulator, the Irish Data Protection Commission. In addition, certain existing legal regimes including those related to data privacy, competition, and consumer protection, may also regulate certain aspects of AI and ML Technologies, and new laws may be adopted and interpreted in ways that would limit our ability to use AI and ML Technologies. This may affect our use of AI and ML Technologies and our ability to provide, improve or commercialize our services effectively and efficiently and result in increased costs. For example, in the United States, legislation related to AI and ML Technologies has been introduced at the federal level and enacted by various states.
Several states - such as California, Colorado, Connecticut, and Texas - have enacted or proposed laws governing the development and deployment of AI and ML Technologies at varying degrees, typically focused on high-risk uses of AI. Many U.S. states continue to advance various AI regulatory frameworks, including requirements around transparency, risk management, and accountability for AI and ML Technologies. Further, the California Privacy Protection Agency has finalized regulations under the CCPA regarding the use of automated decision-making technology. Collectively, these developments signal an emerging trend towards a patchwork of state-level governance of AI in the United States. Further, the EU Artificial Intelligence Act (the "EU AI Act") entered into force in August 2024 (with the majority of substantive requirements applying from August 2026), and establishes a broad, risk-based governance framework for AI use, development, or provision in the EU market. Applicable requirements depend on the risk level of each AI use case, and actual or perceived contraventions could expose us to material penalties, significant legal liability, and may materially adversely affect our business, results of operations, and financial condition. With regard to China, the regulatory requirements on AI and ML Technologies, export controls and other relevant regulations are still evolving and have ongoing complexity and uncertainty. The positions and interpretation of these regulations by the authorities may not align with our interpretation or may not be consistent across jurisdictions, which may impact our ability, or require additional resources (which may be substantial), to develop and/or maintain related product features. Finally, existing laws and regulations and their interpretations are inconsistent across jurisdictions, and may be interpreted in ways that would affect the operation and availability of IP protection for our AI and ML Technologies. 
As a result, implementation standards, enforcement practices, and available scope of protection are likely to remain uncertain for the foreseeable future, and we cannot yet determine the impact future laws, regulations, or standards may have on our business (including our positioning with respect to our competition) and may not be able to anticipate how to respond to these laws or regulations.

---

## Modified: If we fail to retain or add hosts and guests, if hosts do not provide high-quality stays, experiences, and services, if new offerings and initiatives on our platform are unsuccessful, or if our community support functions are inadequate, our business, results of operations, and financial condition would be materially adversely affected.

**Key changes:**

- Reworded sentence: "Hosts must maintain and enhance their listings by offering a variety of desirable, competitively priced, and high-quality stays, experiences, and services, while providing exceptional hospitality and timely responses to guest inquiries."
- Reworded sentence: "Our ability to attract and retain guests is crucial and can be impacted by external factors such as pandemics, natural disasters, political instability, climate change, and economic downturns, as well as business-specific factors like competition, brand perception, and platform usability."
- Reworded sentence: "We continue to invest in the development of new offerings and initiatives, including innovations focused on improving the experience of our hosts and guests; however, developing and delivering these new offerings and initiatives increase our expenses and our organizational complexity, and we may experience difficulties in developing and implementing these new offerings and initiatives."
- Reworded sentence: "If new offerings and initiatives on our platform are not successful, or if we fail to provide a seamless and satisfactory experience for both hosts and guests, or if our host protection programs, including those provided through AirCover for hosts, become ineffective, our business, results of operations, and financial condition could be materially adversely affected."
- Reworded sentence: "During 2025, we introduced new artificial intelligence ("AI") features to help deliver customer support in certain countries and languages."

**Prior (2025):**

Our business success is heavily reliant on both hosts and guests engaging with our platform. Hosts must maintain and enhance their listings by offering a variety of desirable, competitively priced, and high-quality stays and experiences, while providing exceptional hospitality and timely responses to guest inquiries. These factors are largely outside our direct control, and if hosts fail to meet these expectations, or if they choose to cross-list or list exclusively with competitors, or if we are unable to attract and retain hosts in a cost-effective manner, or at all, our revenue and business operations could be adversely affected. Our ability to attract and retain guests is crucial and can be impacted by external factors such as pandemics, political instability, climate change, and economic downturns, as well as internal factors like competition, brand perception, and platform usability. Additionally, our brand and reputation are critical to our success, as they influence our ability to attract and retain hosts, guests, and employees. Any negative perceptions or incidents related to safety, security, or quality could harm our public image and business operations. Issues such as unreliable reviews, regulatory scrutiny, or negative media coverage can further damage trust within our community, materially adversely affecting our business, results of operations, and financial condition. We continue to invest in the development of new offerings and initiatives, including innovations focused on improving our host and guest experiences; however, developing and delivering these new offerings and initiatives increase our expenses and our organizational complexity, and we may experience difficulties in developing and implementing these new offerings and initiatives. Our new offerings and initiatives have a high degree of risk, as they may involve unproven businesses with which we have limited or no prior development or operating experience. 
There can be no assurance that our hosts and guests will adopt or respond positively to such offerings and initiatives, that we will be able to successfully manage the development and delivery of such offerings and initiatives, or that any of these offerings or initiatives will help attract and retain users on our platform and gain sufficient market acceptance to generate sufficient revenue to offset associated expenses or liabilities. If our new offerings and initiatives are not successful, or if we fail to provide a seamless and satisfactory experience for both hosts and guests, or if our host protection programs, including those provided through AirCover for hosts, become ineffective, our business, results of operations, and financial condition could be materially adversely affected. Furthermore, our growth relies on delivering high-quality support to our community, which requires significant investment in staffing, technology, infrastructure, and training. As our global customer base expands, particularly outside of North America and Europe, we face increased pressure to provide efficient, multilingual support. The vast majority of our community support is performed by third-party service providers, and our reliance on third-party service providers necessitates stringent guidance and quality control to maintain satisfactory service levels. Inadequate support or dispute resolution can harm our reputation and affect retention, leading to potential revenue reductions through refunds or coupons. The cost of maintaining robust community support is expected to rise, and efforts to reduce support requests may not offset these costs, materially adversely affecting our business, results of operations, and financial condition.

**Current (2026):**

Our business success is heavily reliant on both hosts and guests engaging with our platform. Hosts must maintain and enhance their listings by offering a variety of desirable, competitively priced, and high-quality stays, experiences, and services, while providing exceptional hospitality and timely responses to guest inquiries. These factors are largely outside our direct control, and if hosts fail to meet these expectations, or if they choose to cross-list or list exclusively with competitors, or if we are unable to attract and retain hosts in a cost-effective manner, or at all, our revenue and business operations could be adversely affected. Our ability to attract and retain guests is crucial and can be impacted by external factors such as pandemics, natural disasters, political instability, climate change, and economic downturns, as well as business-specific factors like competition, brand perception, and platform usability. Our brand and reputation are critical to our success, as they influence our ability to attract and retain hosts, guests, and employees. Any negative perceptions or incidents related to safety, security, or quality could harm our public image and business operations. Issues such as unreliable reviews, regulatory scrutiny, or negative media coverage can further damage trust within our community, materially adversely affecting our business, results of operations, and financial condition. We continue to invest in the development of new offerings and initiatives, including innovations focused on improving the experience of our hosts and guests; however, developing and delivering these new offerings and initiatives increase our expenses and our organizational complexity, and we may experience difficulties in developing and implementing these new offerings and initiatives. 
New offerings and initiatives on our platform have a high degree of risk, as they may involve unproven businesses with which we have limited or no prior development or operating experience. There can be no assurance that our hosts and guests will adopt or respond positively to such offerings and initiatives, that we will be able to successfully manage the development and delivery of such offerings and initiatives, or that any of these offerings or initiatives will help attract and retain users on our platform and gain sufficient market acceptance to generate sufficient revenue to offset associated expenses or liabilities. If new offerings and initiatives on our platform are not successful, or if we fail to provide a seamless and satisfactory experience for both hosts and guests, or if our host protection programs, including those provided through AirCover for hosts, become ineffective, our business, results of operations, and financial condition could be materially adversely affected. Furthermore, our growth relies on delivering high-quality support to our community, which requires significant investment in staffing, technology, infrastructure, and training. During 2025, we introduced new artificial intelligence ("AI") features to help deliver customer support in certain countries and languages. AI presents risks and challenges that could affect the expansion of these features, and therefore our business; for more information, see our risk factor titled "Our use of artificial intelligence and machine learning gives risk to legal, business, and operational risks, which may result in diminished performance, regulatory scrutiny, social impacts, reputational harm, and liability arising from the use of this technology." In addition, as our global customer base expands, particularly outside of North America and Europe, we face increased pressure to provide efficient, multilingual support. 
The vast majority of our community support is performed by third-party service providers, and our reliance on third-party service providers necessitates stringent guidance and quality control to maintain satisfactory service levels. Inadequate support or dispute resolution can harm our reputation and affect retention, and may also lead to potential revenue reductions through refunds or coupons. The cost of maintaining robust community support is expected to rise, and efforts to reduce support requests may not offset these costs, materially adversely affecting our business, results of operations, and financial condition.

---

## Modified: We could face liability for information or content on or accessible through our platform.

**Key changes:**

- Reworded sentence: "We could face claims relating to information or content that is made available on our platform."
- Reworded sentence: "Although content on our platform is typically generated by hosts and guests, and not by us, claims of defamation, disparagement, negligence, warranty, personal harm, intellectual property infringement, or other alleged damages could be asserted against us, in addition to our hosts and guests."
- Reworded sentence: "In the European Union, the DSA brings additional compliance requirements and potential fines."
- Reworded sentence: "The EU Consumer Rights Directive and the Unfair Commercial Practices Directive, the United Kingdom Digital Market, Competition and Consumers Act 2024 ("DMCCA"), and national consumer laws impose strict consumer protection requirements, with potential fines for non-compliance and in the case of the DMCCA, an increased risk of enforcement by the UK regulator in light of enhanced powers."

**Prior (2025):**

We could face claims relating to information or content that is made available on our platform. Our platform relies upon content that is created and posted by hosts, guests, or other third parties. Although content on our platform is typically generated by third parties, and not by us, claims of defamation, disparagement, negligence, warranty, personal harm, intellectual property infringement, or other alleged damages could be asserted against us, in addition to our hosts and guests. While we rely on legal exemptions and protections like the DMCA and CDA in the United States and the E-Commerce Directive in the European Union, varying laws and interpretations regarding immunity and responsibility across jurisdictions may limit these exemptions or defenses or create uncertainty regarding liability for information or content uploaded by hosts, guests, or other third parties. To the extent that Airbnb creates or is deemed to create or facilitate such content on the platform, these defenses may be less available. New regulations could increase our liability and compliance costs, impacting our business. In the United States, changes to the CDA could reduce protections for online platforms. In the EU, the DSA and Digital Markets Act ("DMA") introduced new compliance requirements and potential fines. Other regions, like Asia and Latin America, have or are developing regulations that could impose direct or secondary liability on platforms for harmful content. These laws may require us to implement costly measures to mitigate liability, affecting our platform's appeal and our brand reputation. The EU's Consumer Rights Directive and the Unfair Commercial Practices Directive impose strict consumer protection requirements, with potential fines for non-compliance. 
Consumers and certain Consumer Protection Associations may bring individual claims against us, and the Collective Redress Directive allows for class actions across the EU, increasing our litigation risk. Compliance with these evolving regulations may increase operational costs and materially adversely affect our business, results of operations, and financial condition.

**Current (2026):**

We could face claims relating to information or content that is made available on our platform. Our platform relies upon content that is created and posted by hosts, guests, or other third parties. Although content on our platform is typically generated by hosts and guests, and not by us, claims of defamation, disparagement, negligence, warranty, personal harm, intellectual property infringement, or other alleged damages could be asserted against us, in addition to our hosts and guests. While we rely on legal exemptions and protections like the DMCA and CDA in the United States and the E-Commerce Directive and the DSA in the European Union, varying laws and interpretations regarding immunity and responsibility across jurisdictions may limit these exemptions or defenses or create uncertainty regarding liability for information or content uploaded by hosts, guests, or other third parties. To the extent that we create or are deemed to create or facilitate such content on the platform, these defenses may be less available. New regulations could increase our liability and compliance costs, impacting our business. In the United States, changes to the CDA could reduce protections for online platforms. In the European Union, the DSA brings additional compliance requirements and potential fines. Other regions, such as Asia and Latin America, have or are developing regulations that could impose direct or secondary liability on platforms for harmful content. These laws may require us to implement costly measures to mitigate liability, affecting our platform's appeal and our brand reputation. The EU Consumer Rights Directive and the Unfair Commercial Practices Directive, the United Kingdom Digital Market, Competition and Consumers Act 2024 ("DMCCA"), and national consumer laws impose strict consumer protection requirements, with potential fines for non-compliance and in the case of the DMCCA, an increased risk of enforcement by the UK regulator in light of enhanced powers. 
Consumers and certain Consumer Protection Associations may bring individual claims against us, and the Collective Redress Directive allows for class actions across the European Union, increasing our litigation risk. Airbnb does not meet the thresholds to be designated as a gatekeeper platform for the purposes of the Digital Markets Act, although this could change in the future. Compliance with these evolving regulations and such designation may increase operational costs and materially adversely affect our business, results of operations, and financial condition.

---

## Modified: Compliance with federal, state, and foreign laws relating to data privacy, data security, marketing, and consumer protection involves significant expenditure and resources, and any actual or perceived failure by us or our vendors to comply may result in significant liability, litigation or other legal action against us, negative publicity, an erosion of trust, and/or result in regulatory scrutiny, fines, and penalties and could materially adversely affect our business, results of operations, and financial condition.

**Key changes:**

- Reworded sentence: "There are numerous federal, state, and foreign data privacy, data security, marketing, and consumer protection laws, rules, and regulations that relate to the collection, maintenance, disclosure, and processing of personal data, data breach notification laws, electronic communications laws, and marketing and consumer protection laws, rules, and regulations."
- Reworded sentence: "We process personal data, such as names, dates of birth, email addresses, nationality, location information, Social Security numbers, phone numbers, and identity verification information (for example, government issued identification or passport), as well as credit card, bank account, or other financial information, from and about hosts and guests, as well as our employees, job applicants, contractors, and representatives of our third-party vendors, and other companies we do business with."
- Reworded sentence: "We and our vendors must comply with various state, federal, and foreign data privacy and security laws, rules, regulations, industry standards, and other requirements, including those that generally require that we implement reasonable measures to keep such information secure and otherwise restrict the ways in which such information can be collected and used."
- Reworded sentence: "In the European Union and the United Kingdom, we are subject to the European Union General Data Protection Regulation (the "EU GDPR") and to the UK General Data Protection Regulation and Data Protection Act 2018 (the "UK GDPR"), respectively (the EU GDPR and UK GDPR together referred to as the "GDPR"), both of which have resulted, and will continue to result, in significantly greater compliance burdens and costs for companies like ours."
- Reworded sentence: "As the regulatory guidance and enforcement landscape in relation to data transfers continue to develop, we could suffer additional costs, complaints, and/or regulatory investigations or fines, we may have to stop using certain tools and vendors and make other operational changes, including updating agreements or implementing additional safeguards which could otherwise affect the manner in which we provide our services, our ability to provide our services, and adversely affect our business, results of operations, and financial condition."

**Prior (2025):**

Data privacy, data security, AI, marketing and consumer protection laws, rules, and regulations are complex and rapidly evolving and we could be materially adversely affected by new legal requirements or changes to existing requirements including their interpretations and enforcement practices. Compliance with such laws may require changes to our data processing practices, potentially increasing compliance costs or adversely affecting our business. We process personal data, such as names, dates of birth, email addresses, nationality, location information, Social Security numbers, phone numbers, and identity verification information (for example, government issued identification or passport), as well as credit card, bank account or other financial information, from and about hosts and guests, as well as our employees, job applicants, contractors and representatives of our third-party vendors, and other companies we do business with. We utilize third-party vendors, some of whom process data for us and provide various services, including but not limited to digital storage technology, business technology support, and other support functions. We and our vendors must comply with various state, federal, and foreign data privacy and security laws, rules, regulations, industry standards and other requirements, including those that generally require that we implement reasonable measures to keep such information secure and otherwise restrict the ways in which such information can be collected and used. These requirements, and their application, interpretation, and amendment are constantly evolving. 
Additionally, we note that as the use of AI and machine learning technologies ("AI and ML Technologies") continues to grow, regulators (including data protection regulators) are expected to take an increased interest in issues, such as how we and our vendors collect, maintain and process and provide transparency on the use of personal data of our users and/or hosts in that context. Our technology platform incorporates the use of AI and ML Technologies, for example, for fraud detection, search, enabling customized features and enhancing community support. Enhanced scrutiny of the use of AI and ML Technologies means that regulators may increasingly seek advance engagement with businesses like ours in respect of certain types of data processing. In addition, certain existing legal regimes, including those relating to data privacy and consumer protection, regulate certain aspects of AI and ML Technologies, and new laws regulating AI and ML Technologies have been or may be enacted or have entered into force in jurisdictions that we operate. This may affect our use of AI and ML Technologies and our ability to provide, improve or commercialize our services effectively and efficiently and result in increased costs. For example, in the United States, California enacted seventeen new laws in 2024 that further regulate the use of AI and ML Technologies and provide consumers with additional protections around companies' use of AI and ML Technologies, such as requiring companies to disclose certain uses of generative AI. Other states have also passed AI-focused legislation, such as Colorado's Artificial Intelligence Act, which will require developers and deployers of "high-risk" AI systems to implement certain safeguards against algorithmic discrimination, and Utah's Artificial Intelligence Policy Act, which establishes disclosure requirements and accountability measures for the use of generative AI in certain consumer interactions. 
Other legislation has been introduced or proposed at the federal and state level, and there remains uncertainty at the federal level regarding the regulation of AI and ML Technologies. Further, the EU Artificial Intelligence Act (the "EU AI Act") entered into force in August 2024, and establishes a comprehensive, risk-based governance framework for AI in the EU market. The majority of the substantive requirements will apply from August 2026. The EU AI Act applies to companies that develop, use and/or provide AI in the EU and - depending on the AI use case - includes requirements around transparency, conformity assessments and monitoring, risk assessments, human oversight, security, accuracy, general purpose AI and foundation models, and fines for breach of up to 7% of worldwide annual turnover. These regulations may impact our ability to use, procure and commercialize AI and ML Technologies in the future, and we may need to expend resources to adjust our products or services, including if the laws are not consistent across jurisdictions. In the European Union and the UK, we are subject to the European Union General Data Protection Regulation (the "EU GDPR") and to the UK General Data Protection Regulation and Data Protection Act 2018 (the "UK GDPR"), respectively (the EU GDPR and UK GDPR together referred to as the "GDPR"), both of which have resulted, and will continue to result, in significantly greater compliance burdens and costs for companies like ours. The GDPR comprehensively regulates our use of personal data, including cross-border transfers of personal data out of Europe. Many large geographies in which we operate, including Australia, Brazil, Canada, China, India, and South Korea have passed or are in the process of passing comparable or other robust data privacy and security legislation or regulation, which may lead to additional costs and increase our overall risk exposure. 
In relation to cross-border transfers of personal data outside of Europe, we expect the existing legal complexity and uncertainty regarding international personal data transfers to continue. In particular, the European Commission approval of the current EU-US Data Privacy Framework for data transfers to certified entities in the United States may be challenged, which could also lead to challenges to, or impact the effectiveness of, other data transfer mechanisms such as the standard contractual clauses (a standard form of contract approved by the European Commission as an adequate personal data transfer mechanism). In general, we expect that international transfers to the United States and to other jurisdictions more generally to continue to be subject to enhanced scrutiny by regulators and we cannot guarantee the ongoing efficacy of our data transfer mechanisms. It is also possible that transfers of personal data outside the United States could be restricted or impacted by developments at the federal level. As the regulatory guidance and enforcement landscape in relation to data transfers continue to develop, we could suffer additional costs, complaints, and/or regulatory investigations or fines, we may have to stop using certain tools and vendors and make other operational changes, including updating agreements or implementing additional safeguards which could otherwise affect the manner in which we provide our services, our ability to provide our services and adversely affect our business, results of operations, and financial condition. From time to time, we receive correspondence, and are subject to more formal inquiries, from regulators including the Irish Data Protection Commission, our lead EU data protection regulator, regarding our personal data processing activities. 
To date, we have not received any fines in respect of statutory inquiries and have in place an internal process to review and process such inquiries to ensure we respond appropriately and update our privacy compliance with any findings. In the United States, there are numerous federal and state data privacy and security laws, rules, and regulations governing the collection, maintenance, disclosure and processing of personal data, including federal and state data privacy laws, data breach notification laws, electronic communications laws, and marketing and consumer protection laws. For example, the Federal Trade Commission ("FTC") and state regulators enforce a variety of data privacy issues, such as misrepresentations in privacy policies or failures to appropriately protect information about individuals, as unfair or deceptive acts or practices in or affecting commerce in violation of the FTC Act or similar state laws. Additionally, the GLBA and its implementing regulations, restrict and impose certain requirements on the processing of personal data, including notice to individuals of privacy practices and requirements for the safeguarding and proper destruction of personal data. Moreover, as we send marketing messages via email and short message service, or SMS, text messages, we are subject to the CAN-SPAM Act, which imposes certain obligations regarding the content of emails and providing and honoring opt-outs, and the Telephone Consumer Protection Act, which imposes restrictions on the ability to send text messages without prior consent. The U.S. government, including Congress, the FTC, the CFPB and the Department of Commerce, has announced that it is reviewing the need for greater regulation for the collection of information concerning personal data processing practices and consumer behavior on the Internet, including regulation aimed at restricting certain targeted advertising practices. 
In addition, numerous states have enacted or are in the process of enacting state level data privacy laws and regulations governing the processing of state residents' personal data that have and may continue to require us to modify our data processing practices and policies and incur related costs and expenses. For example, the California Consumer Privacy Act ("CCPA") provides enhanced data privacy rights to California residents, such as affording residents the right to access and delete their data and to opt out of certain sharing and sales of personal data. The CCPA imposes a range of other compliance obligations and imposes severe statutory damages, which could lead to injunctive relief or agreed settlements providing for ongoing audit and reporting requirements, as well as a private right of action, for certain data breaches. This private right of action has increased the risks associated with data breach litigation. The enactment of the CCPA prompted a wave of similar legislative developments in other states, which creates a patchwork of overlapping but different state laws. For example, since the CCPA went into effect, comprehensive privacy statutes that share similarities with the CCPA are now in effect and enforceable in other states. Many other states have passed or proposed similar laws and there remains increased interest at the federal level as well. We are also subject to evolving EU and UK privacy laws on cookies, tracking technologies and e-marketing. In the European Union and United Kingdom, informed consent is required for the placement of certain cookies or similar tracking technologies on an individual's device and for direct electronic marketing. Recent European court and regulator decisions are driving increased attention to cookies and similar tracking technologies, which may lead to additional costs and increase our overall risk exposure. Further, the majority of the substantive provisions of the DSA took effect in February 2024. 
The DSA governs, among other things, our potential liability for illegal services/products or content on our platform, obligations around traceability of business users, and requires enhanced transparency measures. In particular our obligations to diligence the services offered on our platform could require significant additional resources. Further, the DSA contains general requirements that user interfaces may not deceive or manipulate users which are yet to be clarified further by guidance. The DSA may increase our compliance costs, require changes to our user interfaces, processes, operations, and business practices which may adversely affect our ability to attract, retain and provide our services to customers, and may otherwise adversely affect our business, operations and financial condition. Failure to comply with the DSA can result in fines of up to 6% of total annual worldwide turnover and recipients of services have the right to seek compensation from providers in respect of damage or loss suffered due to infringement by the provider to comply with the DSA. Similarly, in the United Kingdom, the Online Safety Act 2023, or the OSA, establishes an extensive regulatory framework for certain user-to-user and search services and imposes obligations to protect users from illegal content which, if applicable, may increase compliance costs and may otherwise adversely affect our business, operations and financial condition. Failure to comply with the OSA can result in fines of up to 10% of total annual worldwide turnover or £18 million (whichever is greater). Various other governments and consumer agencies around the world have also called for new regulation and changes in industry practices for protecting personal information collected and maintained electronically. 
Together, these existing and proposed laws add additional complexity, variation in requirements, restrictions and potential legal risk, require additional investment in resources to compliance programs and cybersecurity, which could impact strategies, and could result in increased compliance costs and/or changes in business practices and policies. Compliance with numerous and often contradictory requirements of different jurisdictions is particularly difficult for an online business such as ours, which collects personal information from hosts, guests, and other individuals in multiple jurisdictions. If any jurisdiction in which we operate adopts new laws or changes its interpretation of its laws, rules, or regulations relating to data residency or localization such that we are unable to comply in a timely manner or at all, we could risk losing our rights to operate in such jurisdictions. As in many cases these laws are relatively new and the interpretation and application of these laws is uncertain. There may be litigation, claims and enforcement relating to data privacy, and the processing of personal data may involve new interpretations of privacy laws. For example, there has been a noticeable increase in class actions in the United States where plaintiffs have utilized a variety of laws, including state wiretapping laws, in relation to the use of tracking technologies, such as cookies and pixels. Furthermore, to help improve the trust and safety on our platform, we conduct certain verification procedures aimed at our hosts, guests, and listings in certain jurisdictions. Such verification procedures may include utilizing public information on the Internet, accessing public databases such as court records, utilizing third-party vendors to analyze host or guest data, or physical inspection. 
These types of activities expose us to requirements of other laws and regulations, and to the risk of regulatory engagement and/or enforcement from privacy regulators, consumer protection agencies, consumer credit reporting agencies, and civil litigation. When we are required to disclose personal data to government agencies, such as tax authorities and law enforcement agencies, this could be perceived by third parties as non-compliance with data privacy and security laws, potentially leading to legal proceedings or actions against us. Conversely, if we refuse to provide requested information due to a disagreement, such as on the interpretation of the law, we may face actions, litigation, and increased regulatory scrutiny, which could harm our relationships with governments and limit our ability to operate in certain regions. Any of the foregoing could materially adversely affect our brand, reputation, business, results of operations, and financial condition. Any failure or perceived failure by us and/or our vendors or third-party providers to comply with data privacy and data security laws, rules, or regulations could expose us to material penalties, significant legal liability, changes in how we operate or offer our products, and interruptions or cessation of our ability to operate in key geographies, any of which could materially adversely affect our business, results of operations, and financial condition. For example, as we are subject to both the EU GDPR and the UK GDPR, we could be fined under each regime independently in respect of the same breach. Penalties for certain breaches are up to the greater of €20 million or £17.5 million, or up to 4% of the annual global revenue of the infringer, whichever is greater. 
In addition, any failure or perceived failure to comply with consumer protection, marketing, data privacy or data security laws, rules, and regulations; policies; industry standards; or enforcement notices and/or assessment notices (for a compulsory audit) could lead to legal actions by individuals, consumer rights groups, government agencies, or others. We may also face civil claims including representative actions and other class action type litigation (where individuals have suffered harm), potentially amounting to significant compensation, injunctive relief, or damages liabilities, as well as associated costs, and diversion of internal resources or other regulatory orders adversely impacting the ways our business can use personal data. These proceedings could be costly to litigate, whether or not they have merit, and result in negative publicity and erode trust, potentially requiring us to make costly changes to our business practices. If these events occur, they could materially and adversely impact our business operations, financial condition, and overall results.

**Current (2026):**

There are numerous federal, state, and foreign data privacy, data security, marketing, and consumer protection laws, rules, and regulations that relate to the collection, maintenance, disclosure, and processing of personal data, data breach notification laws, electronic communications laws, and marketing and consumer protection laws, rules, and regulations. These laws, rules, and regulations are complex and rapidly evolving, and we could be materially adversely affected by new legal requirements or changes to existing requirements including their interpretations and enforcement practices. Compliance with such laws may require changes to our data processing practices, potentially increasing compliance costs or adversely affecting our business. We process personal data, such as names, dates of birth, email addresses, nationality, location information, Social Security numbers, phone numbers, and identity verification information (for example, government issued identification or passport), as well as credit card, bank account, or other financial information, from and about hosts and guests, as well as our employees, job applicants, contractors, and representatives of our third-party vendors, and other companies we do business with. We utilize third-party vendors, some of whom process data for us and provide various services, including but not limited to digital storage technology, business technology support, and other support functions. We and our vendors must comply with various state, federal, and foreign data privacy and security laws, rules, regulations, industry standards, and other requirements, including those that generally require that we implement reasonable measures to keep such information secure and otherwise restrict the ways in which such information can be collected and used. These requirements, and their application, interpretation, and amendment are constantly evolving. 
In the European Union and the United Kingdom, we are subject to the European Union General Data Protection Regulation (the "EU GDPR") and to the UK General Data Protection Regulation and Data Protection Act 2018 (the "UK GDPR"), respectively (the EU GDPR and UK GDPR together referred to as the "GDPR"), both of which have resulted, and will continue to result, in significantly greater compliance burdens and costs for companies like ours. The GDPR comprehensively regulates our use of personal data, including cross-border transfers of personal data out of the EEA and the United Kingdom. Ongoing legal developments in these regions may further impact our compliance obligations. Many large geographies in which we operate, including Australia, Brazil, Canada, China, India, and South Korea, have passed or are in the process of passing comparable or other robust data privacy and security legislation or regulation, which may lead to additional costs and increase our overall risk exposure. We expect that the ongoing legal complexity and uncertainty surrounding data privacy and security, including international transfers of personal data will continue. Specifically, cross-border transfers outside of the EEA and the United Kingdom, including those to the United States and other jurisdictions, will likely continue to face enhanced scrutiny from regulators. Consequently, we cannot guarantee the ongoing effectiveness of our current data transfer mechanisms. It is also possible that transfers of personal data outside the United States could be restricted or impacted by developments at the federal level. 
As the regulatory guidance and enforcement landscape in relation to data transfers continue to develop, we could suffer additional costs, complaints, and/or regulatory investigations or fines, we may have to stop using certain tools and vendors and make other operational changes, including updating agreements or implementing additional safeguards which could otherwise affect the manner in which we provide our services, our ability to provide our services, and adversely affect our business, results of operations, and financial condition. For example, in 2025 the DOJ issued a new rule, to implement Executive Order 14117 aimed at preventing access to "bulk U.S. sensitive personal data" and "government-related data" by "countries of concern" (including China, Russia, Iran, North Korea, Cuba, and Venezuela). The rule is new, complex, and has yet to be enforced, and as such, there is a risk that our interpretation of its applicability, scope, and requirements is incorrect, incomplete, or misapplied. Compliance with the rule may require us to stop or restrict certain data transfers, alter the geographic scope of our operations, cease doing business with certain third parties or cease using certain tools or vendors, or change how data flows throughout our business, any of which could materially impact our business operations or hinder our ability to grow our business. Non-compliance with the rule could result in significant civil or criminal penalties, which could materially adversely affect our business, results of operations, and financial condition. From time to time, we receive correspondence, and are subject to more formal inquiries, from regulators including the Irish Data Protection Commission, our lead EU data protection regulator, regarding our personal data processing activities. Additionally, required engagement with data regulators may require us to make changes in our product and/or delay product rollouts. 
To date, we have not received any fines in respect of statutory inquiries relating to personal data protection and have in place an internal process to review and process such inquiries to ensure we respond appropriately and update our privacy compliance with any findings. In the United States, the Federal Trade Commission ("FTC") and state regulators enforce a variety of data privacy issues, such as misrepresentations in privacy policies or failures to appropriately protect information about individuals, as unfair or deceptive acts or practices in or affecting commerce in violation of the FTC Act or similar state laws. Additionally, the GLBA and its implementing regulations restrict and impose certain requirements on the processing of personal data, including notice to individuals of privacy practices and requirements for the safeguarding and proper destruction of personal data. Moreover, as we send marketing messages via email and short message service, or SMS, text messages, we are subject to the CAN-SPAM Act, and the Telephone Consumer Protection Act, which impose certain obligations on us. The U.S. government, including Congress, the FTC, the CFPB, and the Department of Commerce, has announced that it is reviewing the need for greater regulation for the collection of information concerning personal data processing practices and consumer behavior on the Internet, including regulation aimed at restricting certain targeted advertising practices. In addition, numerous states have enacted or are in the process of enacting state level data privacy laws and regulations governing the processing of state residents' personal data that have and may continue to require us to modify our data processing practices and policies and incur related costs and expenses.
For example, the California Consumer Privacy Act ("CCPA") provides enhanced data privacy rights to California residents, allows for statutory damages, and provides a private right of action for certain data breaches, increasing the risk of litigation. The enactment of the CCPA prompted a wave of similar legislative developments in over a third of other states, which created a patchwork of overlapping but different state laws. We are also subject to evolving privacy laws on cookies, tracking technologies, and e-marketing. In the European Union and United Kingdom, informed consent is required for the placement of certain cookies or similar tracking technologies on an individual's device and for direct electronic marketing. Recent European court and regulator decisions are driving increased attention to cookies and similar tracking technologies, which may lead to additional costs and increase our overall risk exposure. Further, the DSA governs, among other things, our potential liability for illegal services/products or content on our platform, obligations around traceability of business users, and requires enhanced transparency measures. In particular our obligations to diligence the services offered on our platform could require significant additional resources. Further, the DSA contains general requirements that user interfaces may not deceive or manipulate users. Similarly, in the United Kingdom, the Online Safety Act 2023 (the "OSA") establishes an extensive regulatory framework for certain user-to-user and search services and imposes obligations to protect users from illegal content. 
The DSA, and the OSA may increase our compliance costs, expose us to potential regulatory action and liability, require further changes to our user interfaces, processes, operations, and business practices, which may adversely affect our ability to attract, retain, and provide our services to customers, and may otherwise adversely affect our business, results of operations, and financial condition. Various other governments and consumer agencies around the world have also called for new regulation and changes in industry practices for protecting personal information collected and maintained electronically. Together, these existing and proposed laws add additional complexity, variation in requirements, restrictions, and potential legal risk, and require additional investment in resources to compliance programs and cybersecurity, which could impact strategies, and could result in increased compliance costs and/or changes in business practices and policies. Compliance with numerous and often contradictory requirements of different jurisdictions is particularly difficult for an online business such as ours, which collects personal information from hosts, guests, and other individuals in multiple jurisdictions. If any jurisdiction in which we operate adopts new laws or changes its interpretation of its laws, rules, or regulations relating to data residency or localization such that we are unable to comply in a timely manner or at all, we could risk losing our rights to operate in such jurisdictions. In many cases these laws are relatively new and the interpretation and application of these laws is uncertain. There may be litigation, claims, and enforcement relating to data privacy, and the processing of personal data may involve new interpretations of privacy laws. 
For example, there has been a noticeable increase in class actions in the United States where plaintiffs have attempted to bring claims pursuant to a variety of laws, including state wiretapping laws, in relation to the use of tracking technologies, such as cookies and pixels. Furthermore, to help improve the trust and safety on our platform, we conduct certain verification procedures aimed at our hosts, guests, and listings in certain jurisdictions. Such verification procedures may include utilizing public information on the Internet, accessing public databases such as court records, utilizing third-party vendors to analyze host or guest data, or physical inspection. These types of activities expose us to requirements of other laws and regulations, and to the risk of regulatory engagement and/or enforcement from privacy regulators, consumer protection agencies, consumer credit reporting agencies, and civil litigation. Any failure or perceived failure by us and/or our vendors or third-party providers to comply with data privacy and data security laws, rules, or regulations could expose us to material penalties, significant legal liability, changes in how we operate or offer our products and services, and interruptions or cessation of our ability to operate in key geographies, any of which could materially adversely affect our business, results of operations, and financial condition. In addition, any failure or perceived failure to comply with consumer protection, marketing, data privacy, breach notification, or data security laws, rules, and regulations; policies; industry standards; or enforcement notices and/or assessment notices (for a compulsory audit) could lead to legal actions by individuals, consumer rights groups, government agencies, or others. 
We may also face civil claims including representative actions and other class action type litigation (where individuals have suffered harm), potentially amounting to significant compensation, injunctive relief, or damages liabilities, as well as associated costs, and diversion of internal resources or other regulatory orders adversely impacting the ways our business can use personal data. These proceedings could be costly to litigate, whether or not they have merit, and result in negative publicity and erode trust, potentially requiring us to make costly changes to our business practices. If these events occur, they could materially adversely affect our business, results of operations, and financial condition.

---

## Modified: Changes in tax laws or tax rulings could materially adversely affect our business, results of operations and financial condition.

**Key changes:**

- Added sentence: "For example, the U.S."
- Removed sentence: "In the year ended December 31, 2024, we accrued approximately $95 million of corporate alternative minimum tax, and approximately $20 million of excise tax on stock repurchases."
- Reworded sentence: "For example, Italy passed a law in 2017, purporting to require short-term rental platforms that process payments to withhold and remit host income tax and collect and remit tourist tax, amongst other obligations."
- Reworded sentence: "In December 2024, Airbnb Ireland signed a similar agreement in settlement of the 2022 audit period for an aggregate payment of 139 million Euro ($150 million)."
- Reworded sentence: "federal and state governments, countries in the European Union, and a number of other countries and organizations such as the Organization for Economic Cooperation and Development (the "OECD"), are actively considering changes to existing tax laws that could increase our tax obligations in jurisdictions where we do business."

**Prior (2025):**

We are subject to evolving global tax regimes, which could materially adversely affect our business, results of operations, and financial condition. The U.S. Inflation Reduction Act (the "IRA") introduced a corporate alternative minimum tax and an excise tax on stock repurchases. In the year ended December 31, 2024, we accrued approximately $95 million of corporate alternative minimum tax, and approximately $20 million of excise tax on stock repurchases. Additionally, the U.S. government may implement further changes, such as increasing the corporate income tax rate or altering the taxation of international income. Many countries in Europe, as well as a number of other countries and states, have recently proposed or recommended changes to existing tax laws or have enacted new laws that could significantly increase our tax obligations in many countries and states where we do business or require us to change the manner in which we operate our business. For example, in Italy, a law enacted in 2017 purports to require short-term rental platforms that process payments to withhold and remit host income tax and collect and remit tourist tax, amongst other obligations. In December 2023, without admitting any liability, Airbnb Ireland signed an agreement with the Italian Revenue Agency in settlement of the 2017-2021 audit periods for an aggregate payment of 576 million Euro ($621 million). Additionally, in December 2024, Airbnb Ireland signed a similar agreement in settlement of the 2022 audit period for an aggregate payment of 139 million Euro ($150 million). Such agreements settle a dispute about Airbnb Ireland's obligations to withhold and remit host income tax, including taxes, interest, and penalties, for those relevant periods. Airbnb's subsidiary in Italy and Airbnb Ireland continue to be, or could in the future be, subject to tax audits in Italy, including in relation to permanent establishment, transfer pricing, withholding obligations, and tourist taxes. 
Such audits could result in the imposition of additional potentially significant prior and future tax obligations. The Organization for Economic Cooperation and Development (the "OECD") is coordinating negotiations among more than 140 countries with the goal of achieving consensus around substantial changes to international tax policies, including the implementation of a minimum global effective tax rate of 15%. Our effective tax rate and cash tax payments could increase in future years as a result of these changes. The European Commission is also conducting investigations into preferential tax treatments, which may lead to changes in how our foreign operations are taxed. As our international business expands, these developments could raise our effective tax rate and non-income tax obligations, materially adversely affecting our business, results of operations, and financial conditions. Additionally, some changes may apply retroactively, leading to unexpected tax liabilities beyond our current estimates.

**Current (2026):**

We are subject to evolving global tax regimes, which could materially adversely affect our business, results of operations, and financial condition. For example, the U.S. Inflation Reduction Act (the "IRA") introduced a corporate alternative minimum tax and an excise tax on stock repurchases. Additionally, the U.S. government may implement further changes, such as increasing the corporate income tax rate or altering the taxation of international income. Many countries in Europe, as well as a number of other countries and states, have recently proposed or recommended changes to existing tax laws or have enacted new laws that could significantly increase our tax obligations in many countries and states where we do business or require us to change the manner in which we operate our business. For example, Italy passed a law in 2017, purporting to require short-term rental platforms that process payments to withhold and remit host income tax and collect and remit tourist tax, amongst other obligations. In December 2023, without admitting any liability, Airbnb Ireland signed an agreement with the Italian Revenue Agency in settlement of the 2017-2021 audit periods for an aggregate payment of 576 million Euro ($621 million). In December 2024, Airbnb Ireland signed a similar agreement in settlement of the 2022 audit period for an aggregate payment of 139 million Euro ($150 million). In January 2025, Airbnb Ireland signed a similar agreement in settlement of the 2023 audit period for an aggregate payment of 179 million Euro ($186 million). Such agreements settled the dispute about Airbnb Ireland's obligations to withhold and remit host income tax, including taxes, interest, and penalties, for those relevant periods. Airbnb Ireland commenced withholding on host payments related to Italian listings in 2024. 
However, Airbnb's subsidiary in Italy and Airbnb Ireland continue to be, or could in the future be, subject to tax audits in Italy, including in relation to permanent establishment, transfer pricing, withholding obligations, and tourist taxes. Such audits could result in the imposition of additional potentially significant prior and future tax obligations. The U.S. federal and state governments, countries in the European Union, and a number of other countries and organizations such as the Organization for Economic Cooperation and Development (the "OECD"), are actively considering changes to existing tax laws that could increase our tax obligations in jurisdictions where we do business. For example, the 15% global minimum tax under Pillar Two of the OECD Base Erosion and Profit Shifting ("BEPS") Project could increase our overall taxes and have a materially adverse impact on our business, results of operations, and financial conditions. The European Commission is also conducting investigations into preferential tax treatments, which may lead to changes in how our foreign operations are taxed. As our international business expands, these developments could raise our effective tax rate and non-income tax obligations, materially adversely affecting our business, results of operations, and financial conditions. Additionally, some changes may apply retroactively, leading to unexpected tax liabilities beyond our current estimates.

---

## Modified: Evolving focus on environmental, social, and governance issues by shareholders, customers, regulators, politicians, employees, and other stakeholders may impose additional risks and costs on our business.

**Key changes:**

- Reworded sentence: "There continues to be scrutiny on climate change, environmental sustainability, human capital, human rights, data privacy and other ESG matters among our shareholders and other stakeholders, including customers, employees, regulators, politicians, and the general public in the United States and abroad."
- Reworded sentence: "For example, many ESG initiatives (including related metrics and targets) are based on methodologies, standards, and data that are still evolving or are subject to variable interpretation; as with other companies, our approach to such matters evolves, including as a result of changes in technology, stakeholder responses, or other factors that may be in or out of our control."
- Reworded sentence: "Responding to such issues involves inherent costs, and any failure to successfully navigate stakeholder expectations could have a material adverse effect on our business, results of operations, and financial condition."
- Reworded sentence: "For example, the EU Corporate Sustainability Reporting Directive ("CSRD") imposes stringent requirements on in scope companies to disclose detailed information."

**Prior (2025):**

ESG matters are an area of growing and evolving focus among our shareholders and other stakeholders, including customers, employees, regulators, politicians, and the general public in the United States and abroad. Companies like Airbnb face heightened expectations regarding matters such as environmental sustainability, diversity, human rights, and data privacy. We engage in various initiatives to serve our stakeholders in these and other areas, and to respond to stakeholder expectations regarding ESG, but such initiatives can be costly and may not have the desired effect. For example, many ESG initiatives (including related metrics and targets) are based on methodologies, standards, and data that are still evolving or are subject to variable interpretation; as with other companies, our approach to such matters evolves, and we cannot guarantee that our approach, either now or in future, will align with the expectations or preferences of any particular stakeholder or that certain disclosures will not be considered erroneous or subject to misinterpretation. Moreover, stakeholders have varying and sometimes conflicting perceptions of ESG matters. Both advocates and opponents of various issues are increasingly resorting to activism (including media campaigns and litigation) to advocate for their positions. Responding to such issues involves inherent costs, and any failure to successfully navigate stakeholder expectations could negatively impact our business, results of operations, financial condition, and stock price. The regulatory landscape for ESG issues is also rapidly evolving, and various policymakers, including the European Union and State of California, among others, have adopted (or are considering adopting) requirements for climate- or other ESG-related disclosures or other actions. We may face risks related to sustainability reporting obligations under the evolving regulatory landscape in the European Union. 
Specifically, the Corporate Sustainability Reporting Directive ("CSRD") and the Corporate Sustainability Due Diligence Directive ("CSDDD") impose stringent requirements on companies to disclose detailed information regarding their ESG practices. Furthermore, the transposition of the CSRD by EU member states will also impact the scope of these requirements. Many member states have not yet transposed the directive, adding another layer of uncertainty to compliance efforts. Additionally, the EU's Omnibus Simplification Package introduces further complexity and uncertainty in the European Union. Compliance involves significant expenses and resources, with risks of errors in implementing necessary changes. These requirements are not uniform, and may not be interpreted or applied uniformly, which may increase the cost and complexity of compliance, as well as any related risks. Various of our suppliers and other stakeholders are subject to similar risks, which may exacerbate, or create additional, risks on such matters.

**Current (2026):**

There continues to be scrutiny on climate change, environmental sustainability, human capital, human rights, data privacy and other ESG matters among our shareholders and other stakeholders, including customers, employees, regulators, politicians, and the general public in the United States and abroad. Companies like Airbnb face heightened expectations regarding such matters due to our size and geographical reach, as well as our brand recognition and public commitments. We engage in various initiatives to serve our stakeholders in these and other areas, and to respond to stakeholder expectations regarding ESG, but such initiatives can be costly and may not have the desired effect. For example, many ESG initiatives (including related metrics and targets) are based on methodologies, standards, and data that are still evolving or are subject to variable interpretation; as with other companies, our approach to such matters evolves, including as a result of changes in technology, stakeholder responses, or other factors that may be in or out of our control. We cannot guarantee that our approach, either now or in future, will align with the expectations or preferences of any particular stakeholder or that certain disclosures will not be considered erroneous or subject to misinterpretation. Moreover, stakeholders have varying and sometimes conflicting perceptions of ESG matters. Both advocates and opponents of various issues are increasingly resorting to activism (including media campaigns and litigation) to advocate for their positions. Responding to such issues involves inherent costs, and any failure to successfully navigate stakeholder expectations could have a material adverse effect on our business, results of operations, and financial condition. 
The regulatory landscape for ESG issues is also rapidly evolving, and various policymakers, including the European Union and State of California, among others, have adopted (or are considering adopting) requirements for climate- or other ESG-related disclosures or other actions, including undertaking value chain due diligence. We may face risks related to sustainability reporting obligations under the evolving regulatory landscape in the European Union. For example, the EU Corporate Sustainability Reporting Directive ("CSRD") imposes stringent requirements on in scope companies to disclose detailed information. We may also face risks as a result of the application of existing and new rules concerning greenwashing, particularly in the EU, where those new rules will amend existing consumer protection laws in relation to environmental claims made by companies. These requirements may not be interpreted or applied uniformly, which may increase the cost and complexity of compliance, as well as any related risks. Various of our suppliers and other stakeholders are subject to similar risks, which may exacerbate, or create additional, risks related to such matters.

---

*Data sourced from SEC EDGAR. Last updated 2026-06-01.*