DXCM: 10-K Risk Factor Changes

Our business exposes us to the risk of product liability claims that is inherent in the testing, manufacturing and marketing of medical devices, including those which may arise from the misuse (including system hacking or other unauthorized access by third parties to our systems) or malfunction of, or design flaws in, our products. This liability may vary based on the FDA classification associated with our devices. Notably, the classification of our G6 and G7 systems as Class II medical devices is likely to weaken our ability to rely on federal preemption of state law claims that assert liability against us for harms arising from use of those systems. We may be subject to product liability claims if our products cause, or merely appear to have caused, an injury. Claims may be made by customers, healthcare providers or others selling our products. The risk of product liability claims may increase given that G6 and G7 do not require confirmatory finger sticks when making treatment decisions or finger stick tests each day for calibration, although it does require finger stick tests when symptoms do not match readings and when readings are unavailable. The risk of claims may also increase if our products are subject to a product recall or seizure. An example of the difficulty of complying with the regulatory requirements associated with the manufacture of our products, we issued notifications to our customers regarding the audible alarms and alerts associated with our receivers. 52 52 52 Although we have insurance at levels that we believe is appropriate, this insurance is subject to deductibles and coverage limitations. Our current product liability insurance may not continue to be available to us on acceptable terms, if at all, and, if available, the coverage may not be adequate to protect us against any future product liability claims. Further, if additional products are approved for marketing, we may seek additional insurance coverage. If we are unable to obtain insurance at an acceptable cost or on acceptable terms with adequate coverage or otherwise protect against potential product liability claims, we will be exposed to significant liabilities, which may harm our business. A product liability claim, recall or other claims with respect to uninsured liabilities or for amounts in excess of insured liabilities could result in significant costs and significant harm to our business. We may be subject to claims against us even if the apparent injury is due to the actions of others or misuse of the device or a partner device. Our customers, either on their own or following the advice of their physicians, may use our products in a manner not described in the products’ labeling and that differs from the manner in which it was used in clinical studies and approved by the FDA. For example, our current systems are designed to be used by an individual continuously for up to 10 days for our G6 and G7 systems, but the individual might be able to circumvent the safeguards designed into the systems and use the products for longer than 10 days. Off-label use of products by customers is common, and any such off-label use of our products could subject us to additional liability, or require design changes to limit this potential off-label use once discovered. In addition, other regulatory agencies may in the future approve similar diabetes treatment indications. We expect that such diabetes treatment indications could expose us to additional liability. These liabilities could prevent or interfere with our product commercialization efforts. Defending a suit, regardless of merit, could be costly, could divert management attention and might result in adverse publicity, which could result in the withdrawal of, or inability to recruit, clinical trial volunteers or result in reduced acceptance of our products in the market.

Our business exposes us to the risk of product liability claims that is inherent in the testing, manufacturing and marketing of medical devices, including those which may arise from the misuse (including system hacking or other unauthorized access by third parties to our systems) or malfunction of, or design flaws in, our products. This liability may vary based on the FDA classification associated with our devices. Notably, the classification of our G6 and G7 systems as Class II medical devices is likely to weaken our ability to rely on federal preemption of state law claims that assert liability against us for harms arising from use of those systems. We may be subject to product liability claims if our products cause, or merely appear to have caused, an injury. Claims may be made by customers, healthcare providers or others selling our products. The risk of product liability claims may increase given that G6 and G7 do not require confirmatory finger sticks when making treatment decisions or finger stick tests each day for calibration, although it does require finger stick tests when symptoms do not match readings and when readings are unavailable. The risk of claims may also increase if our products are subject to a product recall or seizure. An example of the difficulty of complying with the regulatory requirements associated with the manufacture of our products, we issued notifications to our customers regarding the audible alarms and alerts associated with our receivers. Although we have insurance at levels that we believe is appropriate, this insurance is subject to deductibles and coverage limitations. Our current product liability insurance may not continue to be available to us on acceptable terms, if at all, and, if available, the coverage may not be adequate to protect us against any future product liability claims. Further, if additional products are approved for marketing, we may seek additional insurance coverage. If we are unable to obtain insurance at an acceptable cost or on acceptable terms with adequate coverage or otherwise protect against potential product liability claims, we will be exposed to significant liabilities, which may harm our business. A product liability claim, recall or other claims with respect to uninsured liabilities or for amounts in excess of insured liabilities could result in significant costs and significant harm to our business. We may be subject to claims against us even if the apparent injury is due to the actions of others or misuse of the device or a partner device. Our customers, either on their own or following the advice of their physicians, may use our products in a manner not described in the products’ labeling and that differs from the manner in which it was used in clinical studies and approved by the FDA. For example, our current systems are designed to be used by an individual continuously for up to 10 days for our G6 and G7 systems, but the individual might be able to circumvent the safeguards designed into the systems and use the products for longer than 10 days. Off-label use of products by customers is common, and any such off-label use of our products could subject us to additional liability, or require design changes to limit this potential off-label use once discovered. In addition, other regulatory agencies may in the future approve similar diabetes treatment indications. We expect that such diabetes treatment indications 55 55 55 could expose us to additional liability. These liabilities could prevent or interfere with our product commercialization efforts. Defending a suit, regardless of merit, could be costly, could divert management attention and might result in adverse publicity, which could result in the withdrawal of, or inability to recruit, clinical trial volunteers or result in reduced acceptance of our products in the market. As a result of the ongoing COVID-19 pandemic, we have received and continue to receive, numerous requests from hospitals and healthcare facilities around the country regarding the use of our CGM devices to remotely monitor COVID-19 patients admitted into the hospital. As noted above, in 2020, the FDA informed us that they intend to exercise enforcement discretion and will not object to our provision of G6 CGM systems to such facilities for use in the inpatient setting during the pandemic. However, our CGM devices are currently approved only for in-home use by patients for the purpose of personal diabetes management and have not otherwise been cleared or approved by the FDA for hospital use. Given that the G6 CGM has not yet been fully evaluated or tested (by us or by the FDA) to the extent that would be required in standard circumstances for product development and marketing authorization, there could be unknown or unanticipated risks presented by use in this environment. To the extent that inpatient use of our CGM systems causes or contributes to an adverse event, we may be subjected to additional product liability lawsuits. Defending a suit, regardless of merit, could be costly, could divert management attention and might result in adverse publicity, which could result in reduced acceptance of our products in the market.

Historically, the market price of our common stock, like the securities of many other medical products companies, fluctuates and could continue to be volatile in the future, especially as our business continues to grow and our business plan continues to evolve. From January 1, 2023 through December 31, 2023, the closing price of our common stock on the Nasdaq Global Select Market was as high as $137.93 per share and as low as $75.49 per share. The market price of our common stock is influenced by many factors that are beyond our control, including the following: •securities analyst coverage or lack of coverage of our common stock or changes in their estimates of our financial performance; •actual or anticipated variations in financial condition and operating results; •future sales of our common stock by our stockholders; •investor perception of us and our industry; •announcements by us or our competitors of significant agreements, acquisitions, or capital commitments or product launches or discontinuations; •changes in market valuation or earnings of our competitors; 58 58 58 •material business or financial announcements regarding our partners; •general economic conditions; •regulatory actions; •legislation and political conditions; •global health pandemics, such as the recent COVID-19 pandemic; •the consummation of, and anticipated benefits of, our share repurchase programs; and •other events or factors, including the ongoing international conflicts, recessions, rising interest rates, inflation, local and national elections, international currency fluctuations, corruption, political instability and acts of war or terrorism. Please also refer to the factors described elsewhere in this “Risk Factors” section. In addition, the stock market in general has experienced extreme price and volume fluctuations that have often been unrelated and disproportionate to the operating performance of companies in our industry. These broad market and industry factors may materially reduce the market price of our common stock, regardless of our operating performance. Securities class action litigation has often been brought against public companies that experience periods of volatility in the market prices of their securities. Securities class action litigation could result in substantial costs and a diversion of our management’s attention and resources, which could seriously harm our business.

Historically, the market price of our common stock, like the securities of many other medical products companies, fluctuates and could continue to be volatile in the future, especially as our business continues to grow and our business plan continues to evolve. From January 1, 2022 through December 31, 2022, the closing price of our common stock on the Nasdaq Global Select Market was as high as $132.89 per share and as low as $67.99 per share. In addition, the trading prices for our common stock and other medical device companies have been highly volatile as a result of the ongoing COVID-19 pandemic. The market price of our common stock is influenced by many factors that are beyond our control, including the following: •securities analyst coverage or lack of coverage of our common stock or changes in their estimates of our financial performance; •variations in quarterly operating results; •future sales of our common stock by our stockholders; •investor perception of us and our industry; •announcements by us or our competitors of significant agreements, acquisitions, or capital commitments or product launches or discontinuations; •changes in market valuation or earnings of our competitors; •negative business or financial announcements regarding our partners; •general economic conditions; •regulatory actions; •legislation and political conditions; 61 61 61 •global health pandemics, such as the ongoing COVID-19 pandemic; •the consummation, and the anticipated benefits, of our Share Repurchase Program; and •other events or factors, including the impact or perceived impact of our four-for-one forward stock split of our common stock, ongoing conflict in Ukraine, recessions, interest rates, local and national elections, international currency fluctuations, corruption, political instability and acts of war or terrorism. Please also refer to the factors described elsewhere in this “Risk Factors” section. In addition, the stock market in general has experienced extreme price and volume fluctuations that have often been unrelated and disproportionate to the operating performance of companies in our industry. These broad market and industry factors may materially reduce the market price of our common stock, regardless of our operating performance. Securities class action litigation has often been brought against public companies that experience periods of volatility in the market prices of their securities. Securities class action litigation could result in substantial costs and a diversion of our management’s attention and resources.

We are subject to a number of foreign, federal and state laws and regulations protecting the use, disclosure, and confidentiality of certain patient and consumer health and personal information, including patient records, and restricting the use and disclosure of that protected information, including state breach notification laws. Some of these laws include the Health Insurance Portability and Accountability Act of 1996, as amended by the Health Information Technology for Economic and Clinical Health Act of 2009, or HITECH, the European Union’s General Data Protection Regulation, or GDPR, the UK Data Protection Act and the UK GDPR, and the California Consumer Privacy Act as amended, or CCPA, and the Washington My Health My Data Act, among others. Various U.S. state laws and regulations may also require us to notify affected individuals and state regulators in the event of a data breach involving personal information. Penalties for failure to adequately protect personal information, notify as required, or provide timely notice vary by jurisdiction. In the U.S., most state data breach notification laws consider violations to be unfair or deceptive trade practices and give the relevant state attorneys general (“AGs”) the authority to levy fines or bring enforcement actions. Such AG investigations—which are often time consuming, expensive, and burdensome—may lead to a resolution agreement, whereby certain obligations are performed and reports are made to the AG for a period of time, and/or civil penalties. Class action lawsuits against companies which experience a data breach involving personal information are also common. Additionally, the SEC and many jurisdictions have enacted or may enact laws and regulations requiring companies to disclose or otherwise provide notifications regarding data security breaches. For example, the SEC recently adopted cybersecurity risk management and disclosure rules, which require the disclosure of information pertaining to cybersecurity incidents and cybersecurity risk management, strategy, and governance. As our customer base grows to include U.S. federal government agencies, Dexcom may also need comply with Federal Risk and Authorization Management Program and Cybersecurity Maturity Model Certification requirements. These frameworks, in addition to similar laws being enacted by other states and other jurisdictions, impose stringent cybersecurity standards and potentially significant non-compliance penalties, and involve the expenditure of significant resources and time and effort to comply. As these laws and regulations continue develop in the United States and internationally, we may be required to expend significant time and resources in order to update existing processes or implement additional mechanisms as necessary to ensure compliance with such laws. In addition, foreign data protection, privacy, and other laws and regulations can be more restrictive than those in the United States. For example, data localization laws in some countries generally mandate that certain types of data collected in a particular country be stored and/or processed within that country. We may be subject to inquiries, investigations and audits in Europe and around the world, particularly in the areas of consumer and data protection, 37 37 37 which will arise in the ordinary course of business and may increase in frequency as we continue to grow and expand our operations. Legislators and regulators may make legal and regulatory changes, or interpret and apply existing laws, in ways that make our products less useful to our customers, require us to incur substantial costs, expose us to unanticipated civil or criminal liability, or cause us to change our business practices. These changes or increased costs could negatively impact our business and results of operations in material ways. In the ordinary course of our business, we collect and store sensitive data, such as our proprietary business information and that of our clients, contractors, vendors and others as well as personally identifiable information of our customers, potential customers, vendors and others, which data may include sensitive information, in our data centers and on our networks. Our employees, contractor and vendors may also have access to and may use personal health information in the ordinary course of our business. The secure processing, maintenance and transmission of this information is critical to our operations. Despite our security measures and business controls, our information technology and infrastructure may be vulnerable to attacks by hackers (including nation states or state-sponsored organizations), viruses, malware, breaches due to employee, contractor or vendor error, or malfeasance or other disruptions or subject to the inadvertent or intentional unauthorized release of information. Any such occurrence could compromise our networks and the information stored thereon could be accessed, publicly disclosed, lost or stolen. Any such access, disclosure or other loss of information could result in legal claims or proceedings, and liability under laws that protect the privacy of personal information, including regulatory penalties, disrupt our operations and the services we provide to our clients or damage our reputation, any of which could adversely affect our profitability, revenue and competitive position. As we grow and expand our administrative, customer, or IT support services, we may also utilize the services of personnel and contractors located outside of the United States to perform certain functions. While we make every effort to review our applicable contracts and other payor requirements, a local, state, or federal government agency or one of our customers may find the use of offshore resources to be a violation of a legal or contractual requirement, which could result in termination of the contractual relationship, penalties, or changes in our business operations that could adversely affect our business, financial condition, and results of operations. Additionally, while we have implemented industry standard security measures for offshore access to protected health information and other personal information, unauthorized access or disclosure of such information by offshore personnel could result in legal claims or proceedings, and liability under laws that protect the privacy of personal information and may incur regulatory penalties, disrupt our operations and the services we provide to our clients, damage to our reputation, or result in the termination of contractual relationships, penalties or the loss of coverage, any of which could adversely affect our profitability, revenue and competitive position.

We are subject to a number of foreign, federal and state laws and regulations protecting the use, disclosure, and confidentiality of certain patient health and personal information, including patient records, and restricting the use and disclosure of that protected information, including state breach notification laws, the Health Insurance Portability and Accountability Act, as amended by the Health Information Technology for Economic and Clinical Health Act of 2009 (HIPAA), the European Union’s General Data Protection Regulation (GDPR), the UK Data Protection Act and the UK GDPR, and the California Consumer Privacy Act (CCPA), among others . As our customer base grows to include U.S. federal government agencies, Dexcom may also need comply with Federal Risk and Authorization Management Program and Cybersecurity Maturity Model Certification requirements. These frameworks, in addition to similar laws being enacted by other states and counties, impose stringent cybersecurity standards and potentially significant non-compliance penalties, involve the expenditure of significant resources, the investment of significant resources and the investment of significant time and effort to comply. As these laws and regulations continue develop in the United States and internationally, we may be required to expend significant time and resources in order to update existing processes or implement additional mechanisms as necessary to ensure compliance with such cybersecurity laws. In addition, foreign data protection, privacy, and other laws and regulations can be more restrictive than those in the United States. For example, data localization laws in some countries generally mandate that certain types of data collected in a particular country be stored and/or processed within that country. We may be subject to inquiries, investigations and audits in Europe and around the world, particularly in the areas of consumer and data protection, which will arise in the ordinary course of business and may increase in frequency as we continue to grow and expand our operations. Legislators and regulators may make legal and regulatory changes, or interpret and apply existing laws, in ways that make our products less useful to our customers, require us to incur substantial costs, expose us to unanticipated civil or criminal liability, or cause us to change our business practices. These changes or increased costs could negatively impact our business and results of operations in material ways. In the ordinary course of our business, we collect and store sensitive data, such as our proprietary business information and that of our clients, contractors, vendors and others as well as personally identifiable information of our customers, vendors and others, which data may include full names, social security numbers, addresses, and birth dates, in our data centers and on our networks. Our employees, contractor and vendors may also have access to and may use personal health information in the ordinary course of our business. The secure processing, maintenance and transmission of this information is critical to our operations. Despite our security measures and business controls, our information technology and infrastructure may be vulnerable to attacks by hackers, breaches due to employee, contractor or vendor error, or malfeasance or other disruptions or subject to the inadvertent or intentional unauthorized release of information. Any such occurrence could compromise our networks and the information stored thereon could be accessed, publicly disclosed, lost or stolen. Any such access, disclosure or other loss of information could result in legal claims or proceedings, and liability under laws that protect the privacy of personal information and regulatory penalties, disrupt our operations and the services we provide to our clients or damage our reputation, any of which could adversely affect our profitability, revenue and competitive position. As we grow and expand our administrative, customer support or IT support services, we may also utilize the services of personnel and contractors located outside of the United States to perform certain functions. While we make every effort to review our applicable contracts and other payor requirements, a local, state, or federal government agency or one of our customers may find the use of offshore resources to be a violation of a legal or contractual requirement, which could result in termination of the contractual relationship, penalties, or changes in our business operations that could adversely affect our business, financial condition, and results of operations. Additionally, while we have implemented industry standard security measures for offshore access to protected health information and other personal information, unauthorized access or disclosure of such information by offshore personnel could result in legal claims or proceedings, and liability under laws that protect the privacy of personal information and regulatory penalties, disrupt our operations and the services we provide to our clients, damage to our reputation or result in the termination of contractual relationships, penalties or the loss of coverage, any of which could adversely affect our profitability, revenue and competitive position.

The U.S. Department of the Treasury’s Office of Foreign Assets Control, and the Bureau of Industry and Security at the U.S. Department of Commerce, administer certain laws and regulations that restrict U.S. persons and, in some 35 35 35 instances, non-U.S. persons, in conducting activities, and transacting business with or making investments in certain countries, governments, entities and individuals subject to U.S. economic sanctions. Due to our international operations, we are subject to such laws and regulations, which are complex, restrict our business dealings with certain countries and individuals, and are constantly changing. Further restrictions may be enacted, amended, enforced or interpreted in a manner that materially impacts our operations. Violations of these regulations are punishable by civil penalties, including fines, denial of export privileges, injunctions, asset seizures, debarment from government contracts and revocations or restrictions of licenses, as well as criminal fines and imprisonment. We have established procedures designed to assist with our compliance with such laws and regulations. However, we have only limited experience dealing with these laws and regulations and we cannot guarantee that our procedures will effectively prevent us from violating these regulations in every transaction in which we may engage. Any such violation could adversely affect our reputation, business, financial condition and results of operations.

The U.S. Department of the Treasury’s Office of Foreign Assets Control, and the Bureau of Industry and Security at the U.S. Department of Commerce, administer certain laws and regulations that restrict U.S. persons and, in some instances, non-U.S. persons, in conducting activities, and transacting business with or making investments in certain countries, governments, entities and individuals subject to U.S. economic sanctions. Due to our international operations, we are subject to such laws and regulations, which are complex, restrict our business dealings with certain countries and individuals, and are constantly changing. Further restrictions may be enacted, amended, enforced or interpreted in a manner that materially impacts our operations. Violations of these regulations are punishable by civil penalties, including fines, denial of export privileges, injunctions, asset seizures, debarment from government contracts and revocations or restrictions of licenses, as well as criminal fines and imprisonment. We have established procedures designed to assist with our compliance with such laws and regulations. However, we have only limited experience dealing with these laws and regulations and we cannot guarantee that our procedures will effectively prevent us from violating these regulations in every transaction in which we may engage. Any such violation could adversely affect our reputation, business, financial condition and results of operations. The outbreak of the SARS-CoV-2 virus and its variants and the COVID-19 disease that it causes have also led to healthcare equipment shortages in the U.S. and around the world. For example, in 2020, certain U.S. federal government orders temporarily limited companies from exporting certain equipment (such as ventilators) to other countries. Though no such orders have been issued with respect to CGMs, if supply chain disruption causes significant shortages in CGMs or other equipment, it is possible that we could face additional barriers to exporting our devices outside of the United States.

The HIPAA Security Rule requires covered entities, including Dexcom, and business associates to implement administrative, physical, and technical safeguards to protect the integrity, confidentiality and availability of protected health information that is electronically created, received, maintained or transmitted. Covered entities are also required to report any unauthorized use or disclosure of protected health information that meets the definition of a breach under the Breach Notification Rule, to affected individuals, OCR and, depending on the number of affected individuals, the media for the affected market. In addition, HIPAA requires that business associates report breaches to their covered entity customers. Violations of HIPAA may result in criminal and civil penalties. The OCR enforces the regulations and performs compliance audits. In addition to enforcement by OCR, HITECH further authorizes state Attorneys General to bring civil actions in response to violations of HIPAA that threaten the privacy of state residents. We have adopted breach notification policies and procedures designed to comply with the applicable requirements set forth in HIPAA. We follow and maintain a HIPAA compliance plan, which we believe complies with the HIPAA privacy and security regulations, but there can be no assurance that OCR or other regulators will agree. The HIPAA Rules have and will continue to impose significant costs on us in order to comply with these standards. HIPAA establishes a federal “floor” with respect to privacy, security, and breach notification requirements and does not supersede any state laws insofar as they are broader or more stringent than HIPAA. Numerous state and certain other federal laws protect the confidentiality of health information and other personal information, including but not limited to state medical privacy laws, state laws protecting personal information, state data breach notification laws, state genetic privacy laws, human subjects research laws and federal and state consumer protection laws. These additional federal and state privacy and security-related laws may be more restrictive than HIPAA and could impose additional penalties. For example, the Federal Trade Commission uses its consumer 38 38 38 protection authority under Section 5 of the Federal Trade Act to initiate enforcement actions in response to alleged privacy violations and data breaches. Additional data protection laws exist at the state level as well. California enacted the CCPA, which came into effect January 1, 2020, was amended and expanded by the CPRA, which came into effect January 1, 2023. The CCPA and CPRA, among other things, create data privacy obligations for covered companies and provide privacy rights to California residents, including the right to opt out of certain disclosures of their information. The CCPA also creates a private right of action with statutory damages for certain data breaches, thereby potentially increasing risks associated with a data breach. In addition, other states have, or may, enact similar legislation. It remains unclear what, if any, additional modifications will be made to this legislation or how it will be interpreted. The effects of the CCPA and CPRA and other state privacy laws are significant and have required us to modify our data processing practices, and may cause us to incur substantial costs and expenses to comply, particularly given our base of operations in California. There are also a number of other legislative proposals worldwide, including in the United States at both the federal and state level, that could impose additional and potentially conflicting obligations in areas affecting our business. We expect to incur additional costs to ensure that our data privacy and security policies, procedures, and activities comply with applicable and evolving legal requirements. We are also subject to laws and regulations in foreign countries covering data privacy and other protection of health and employee information that may be more onerous than corresponding U.S. laws, including in particular the laws of Europe. For instance, in the European Union, increasingly stringent data protection and privacy rules that have and will continue to have substantial impact on the use of patient data across the healthcare industry became effective in May 2018. The GDPR applies across the European Union and includes, among other things, a requirement for prompt notice of data breaches to data subjects and supervisory authorities in certain circumstances and significant fines for non-compliance. The GDPR fine framework can be up to 20 million euros, or up to 4% of the company’s total global turnover of the preceding fiscal year, whichever is higher. The GDPR also requires companies processing personal data of individuals residing in the European Union to comply with EU privacy and data protection rules, even if the company itself does not have a physical presence in the European Union. Noncompliance could result in the imposition of fines, penalties, or orders to stop noncompliant activities. Due to the strong consumer protection aspects of the GDPR, companies subject to its purview are allocating substantial legal costs to the development of necessary policies and procedures and overall compliance efforts. Data transfer risk remains a potential issue as certain Data Protection Authorities continue to raise concerns about the transfer of data to the United States. Though a new framework to permit cross-border transfers - the EU-US Data Privacy Framework - came into effect in 2023, it may be challenged as well. We expect continued costs associated with maintaining compliance with GDPR into the future, and these provisions as interpreted by EU agencies and authorities could negatively impact our business, financial condition and results of operations. In addition to the laws discussed above, we may see more stringent state and federal privacy legislation in the future. We cannot predict where new legislation might arise, the scope of such legislation, or the potential impact to our business and operations.

The Administrative Simplification Provisions of HIPAA extensively regulate the use and disclosure of individually identifiable health information, known as “protected health information,” and require covered entities, including health plans and most health care providers, to implement administrative, physical and technical safeguards to protect the security of such information. Certain provisions of the security and privacy regulations 40 40 40 apply to business associates (entities that handle protected health information on behalf of covered entities), and business associates are subject to direct liability for violation of these provisions. In addition, a covered entity may be subject to penalties as a result of a business associate violating HIPAA, if the business associate is found to be an agent of the covered entity. Dexcom is a covered entity under HIPAA and may also function in a business associate capacity to other covered entities. Covered entities must report breaches of unsecured protected health information to affected individuals without unreasonable delay and notification must also be made to the U.S. Department of Health & Human Services, Office for Civil Rights, or OCR and, in certain situations involving large breaches, to the media. Various U.S. state laws and regulations may also require us to notify affected individuals and state agencies in the event of a data breach involving individually identifiable information. Violations of the HIPAA privacy and security regulations may result in criminal and civil penalties. The OCR enforces the regulations and performs compliance audits. In addition to enforcement by OCR, state attorneys general are authorized to bring civil actions seeking either injunction or damages in response to violations that threaten the privacy of state residents. We follow and maintain a HIPAA compliance plan, which we believe complies with the HIPAA privacy and security regulations, but there can be no assurance that OCR or other regulators will agree. The HIPAA privacy regulations and security regulations have and will continue to impose significant costs on us in order to comply with these standards. There are numerous other laws and legislative and regulatory initiatives at the federal and state levels addressing privacy and security concerns. For example, from time-to-time, the OCR issues bulletins that outline its interpretations of HIPAA as applied to specific use cases. On December 1, 2022, OCR issued a bulletin on the requirements under HIPAA for online tracking technologies (e.g., cookies, pixels) to protect the privacy and security of health information. This bulletin outlined OCR’s position on the use of online tracking technology vendors, when certain information received by such vendors constitutes protected health information under HIPAA, and accordingly, when business associate agreements must be executed between covered entities, like Dexcom, and such vendors. Dexcom is assessing its responsibilities under the bulletin and determining its next steps in order to comply with OCR’s guidance in the bulletin. We also remain subject to federal or state privacy-related laws that are more restrictive than the privacy regulations issued under HIPAA. These laws vary and could impose additional penalties. For example, the Federal Trade Commission uses its consumer protection authority to initiate enforcement actions in response to alleged privacy and data security violations. California enacted the California Consumer Privacy Act, or CCPA, which came into effect January 1, 2020, was amended and expanded by the California Privacy Rights Act, or CPRA, passed on November 3, 2020, which took effect January 1, 2023. The CCPA and CPRA, among other things, create data privacy obligations for covered companies and provide privacy rights to California residents, including the right to opt out of certain disclosures of their information. The CCPA also creates a private right of action with statutory damages for certain data breaches, thereby potentially increasing risks associated with a data breach. In addition, other states have, or may, enact similar legislation. It remains unclear what, if any, additional modifications will be made to this legislation or how it will be interpreted. The effects of the CCPA and CPRA are significant and will likely require us to modify our data processing practices, and may cause us to incur substantial costs and expenses to comply, particularly given our base of operations in California. There are also a number of other legislative proposals worldwide, including in the United States at both the federal and state level, that could impose additional and potentially conflicting obligations in areas affecting our business. We are also subject to laws and regulations in foreign countries covering data privacy and other protection of health and employee information that may be more onerous than corresponding U.S. laws, including in particular the laws of Europe. For instance, in the European Union, increasingly stringent data protection and privacy rules that have and will continue to have substantial impact on the use of patient data across the healthcare industry became effective in May 2018. The EU General Data Protection Regulation, or GDPR, applies across the European Union and includes, among other things, a requirement for prompt notice of data breaches to data subjects and supervisory authorities in certain circumstances and significant fines for non-compliance. The GDPR fine framework can be up to 20 million euros, or up to 4% of the company’s total global turnover of the preceding fiscal year, whichever is higher. The GDPR also requires companies processing personal data of individuals residing in the European Union to comply with EU privacy and data protection rules, even if the company itself does not have a physical presence in the European Union. Noncompliance could result in the imposition of fines, penalties, or orders to stop noncompliant activities. Due to the strong consumer protection aspects of the GDPR, companies subject to its purview are allocating substantial legal costs to the development of necessary policies and procedures and overall compliance efforts. Data transfer risk remains a potential issue as certain Data Protection Authorities continue to raise concerns 41 41 41 about the transfer of data to the United States. Though a new framework may be put in place, it may be challenged as well. We expect continued costs associated with maintaining compliance with GDPR into the future, and these provisions as interpreted by EU agencies, could negatively impact our business, financial condition and results of operations. In addition to the laws discussed above, we may see more stringent state and federal privacy legislation in the future, as the increased cyber-attacks during the ongoing COVID-19 pandemic have once again put a spotlight on data privacy and security in the U.S. and other jurisdictions. We cannot predict where new legislation might arise, the scope of such legislation, or the potential impact to our business and operations.

We are subject to taxes in the United States and numerous foreign jurisdictions, where a number of our subsidiaries are organized. The tax laws in the United States and in other countries in which we and our subsidiaries do business could change on a prospective or retroactive basis, and any such changes could adversely affect our business and financial condition. Further, due to economic and political conditions, tax rates in various jurisdictions may be subject to change. Our effective tax rates could be affected by numerous factors, including changes in the mix of earnings in countries with differing statutory tax rates, changes in the valuation of deferred tax assets and liabilities, and changes in tax laws or their interpretation, both in and outside the United States. There is growing pressure in many jurisdictions, including the United States, and from multinational organizations such as the OECD and the European Union to amend existing international tax rules in order to render them more responsive to current global business practices. For example, the OECD has published a package of measures for reform of the international tax rules as a product of its BEPS initiative, which was endorsed by the G20 finance ministers. Many of the initiatives in the BEPS package require amendments to the domestic tax legislation of various jurisdictions. Separately, the European Union is asserting that a number of country-specific favorable tax regimes and rulings in certain member states may violate, or have violated, European Union law, and may require rebates of some or all of the associated tax benefits to be paid by benefited taxpayers in particular cases. In 2016, the European Union adopted the “Anti-Tax Avoidance Directive,” which requires European Union member states to implement measures to prohibit tax avoidance practices, and Germany published the European Union Anti-Tax Avoidance Directive Implementation Law on June 30, 2021. We have a significant presence in the European Union, as well as significant sales in the European Union, such that any changes in tax laws in the European Union will impact our business. The overall impact of such legislation in European Union member states is uncertain, and our business and financial condition could be adversely affected by any laws impacting our tax rate. The U.S. government has recently enacted comprehensive tax legislation that includes significant changes to the taxation of business entities. These changes include, among others, (I) a permanent reduction to the corporate income tax rate, (ii) a partial limitation on the deductibility of business interest expense, (iii) a shift of the U.S. taxation of multinational corporations from a tax on worldwide income to a territorial system (along with certain rules designed to prevent erosion of the U.S. income tax base) and (iv) a one-time tax on accumulated offshore earnings held in cash and illiquid assets, with the latter taxed at a lower rate. The overall impact of this tax reform is uncertain, and our business and financial condition could be adversely affected. In addition, it is uncertain if and to what extent various states will conform to the newly enacted federal tax law. On October 8, 2021, the OECD announced the OECD/G20 Inclusive Framework on BEPS which agreed to a two-pillar solution to address tax challenges arising from digitalization of the economy. On December 20, 2021, the OECD released Pillar Two Model Rules defining the global minimum tax rules, which contemplate a 15% minimum tax rate. The OECD continues to release additional guidance on these rules and the Framework calls for law enactment by OECD and G20 members to take effect in 2024 or 2025. These changes, when enacted by various countries in which we do business, may increase our taxes in these countries. Changes to these and other areas in relation to international tax reform, including future actions taken by foreign governments, could increase uncertainty and may adversely affect our tax rate and cash flow in future years. 57 57 57 Our tax returns and other tax matters also are subject to examination by the U.S. Internal Revenue Service and other tax authorities and governmental bodies. We regularly assess the likelihood of an adverse outcome resulting from these examinations to determine the adequacy of our provision for taxes. We cannot guarantee the outcome of these examinations. If our effective tax rates were to increase, particularly in the United States, or in other countries implementing legislation to reform existing tax legislation, including the European Union and Germany, or if the ultimate determination of our taxes owed is for an amount in excess of amounts previously accrued, our financial condition, operating results and cash flows could be adversely affected.

We are subject to taxes in the United States and numerous foreign jurisdictions, where a number of our subsidiaries are organized. The tax laws in the United States and in other countries in which we and our subsidiaries do business could change on a prospective or retroactive basis, and any such changes could adversely affect our business and financial condition. Further, due to economic and political conditions, tax rates in various jurisdictions may be subject to change. Our effective tax rates could be affected by numerous factors, including changes in the mix of earnings in countries with differing statutory tax rates, changes in the valuation of deferred tax assets and liabilities, and changes in tax laws or their interpretation, both in and outside the United States. There is growing pressure in many jurisdictions, including the United States, and from multinational organizations such as the OECD and the European Union to amend existing international tax rules in order to render them more responsive to current global business practices. Our tax returns and other tax matters also are subject to examination by the U.S. Internal Revenue Service and other tax authorities and governmental bodies. We regularly assess the likelihood of an adverse outcome resulting from these examinations to determine the adequacy of our provision for taxes. We cannot guarantee the outcome of these examinations. If our effective tax rates were to increase, particularly in the United States, or in other countries implementing legislation to reform existing tax legislation, including the European Union and Germany, or if the ultimate determination of our taxes owed is for an amount in excess of amounts previously accrued, our financial condition, operating results and cash flows could be adversely affected.

In connection with the sale of the 2023 Notes, we entered into warrant transactions with the option counterparties pursuant to which we sold warrants for the purchase of our common stock, or the 2023 Warrants. The 2023 Warrant transactions could separately have a dilutive effect to the extent that the market price per share of our common stock exceeds the exercise price of the 2023 Warrants, which is $49.60. We do not make any representation or prediction as to the direction or magnitude of any potential effect that the 2023 Warrants may have on our common stock. In addition, we do not make any representation that the option counterparties will engage in these transactions or that these transactions, once commenced, will not be discontinued without notice.

In connection with the sale of the 2023 Notes, we entered into convertible note hedge, or the 2023 Note Hedge, transactions with certain financial institutions, or option counterparties. We also entered into warrant transactions with the option counterparties pursuant to which we sold warrants for the purchase of our common stock, or the 2023 Warrants. The 2023 Note Hedge transactions are expected generally to reduce the potential dilution upon any conversion of the 2023 Notes and/or offset any cash payments we are required to make in excess of the principal amount of converted 2023 Notes. The 2023 Warrant transactions could separately have a dilutive effect to the extent that the market price per share of our common stock exceeds the exercise price of the 2023 Warrants, which is $49.60. The option counterparties and/or their respective affiliates may modify their hedge positions by entering into or unwinding various derivatives with respect to our common stock and/or purchasing or selling our common stock in secondary market transactions prior to the maturity of 2023 Notes (and are likely to do so during any observation period related to a conversion of 2023 Notes, or following any repurchase of Notes by us on any fundamental change repurchase date (as defined in the indenture for the 2023 Notes) or otherwise). This activity could also cause or avoid an increase or a decrease in the market price of our common stock or the 2023 Notes, which could affect note holders’ ability to convert the 2023 Notes and, to the extent the activity occurs during any observation period related to a conversion of the 2023 Notes, it could affect the amount and value of the consideration that note holders will receive upon conversion of the 2023 Notes. The potential effect, if any, of these transactions and activities on the market price of our common stock or the 2023 Notes will depend in part on market conditions and cannot be ascertained at this time. Any of these activities could adversely affect the value of our common stock and the value of the 2023 Notes (and as a result, the value of the consideration, the amount of cash and/or the number of shares, if any, that note holders would receive upon the conversion of the 2023 Notes) and, under certain circumstances, the ability of the note holders to convert the 2023 Notes. We do not make any representation or prediction as to the direction or magnitude of any potential effect that the transactions described above may have on the price of the 2023 Notes or our common stock. In addition, we do not make any representation that the option counterparties will engage in these transactions or that these transactions, once commenced, will not be discontinued without notice.

The option counterparties to the 2028 Capped Calls are financial institutions, and we will be subject to the risk that any or all of them may default under the 2028 Capped Calls. Our exposure to the credit risk of these counterparties is not secured by any collateral. Recent global economic conditions have resulted in the actual or perceived failure or financial difficulties of many financial institutions. If a counterparty becomes subject to insolvency proceedings, we will become an unsecured creditor in those proceedings, with a claim equal to our exposure at that time under our transactions with that option counterparty. Our exposure will depend on many factors but, generally, an increase in our exposure will be correlated to an increase in the market price and in the volatility of our common stock. In addition, upon a default by an option counterparty, we may suffer adverse tax consequences and more dilution than we currently anticipate with respect to our common stock. We can provide no assurances as to the financial stability or viability of the counterparties with respect to the 2028 Capped Calls. 62 62 62

The option counterparties are financial institutions, and we will be subject to the risk that any or all of them may default under the 2023 Note Hedge transactions. Our exposure to the credit risk of the option counterparties will not be secured by any collateral. Recent global economic conditions have resulted in the actual or perceived failure or financial difficulties of many financial institutions. If an option counterparty becomes subject to insolvency proceedings, we will become an unsecured creditor in those proceedings, with a claim equal to our exposure at that time under our transactions with that option counterparty. Our exposure will depend on many factors but, generally, an increase in our exposure will be correlated to an increase in the market price and in the volatility of our common stock. In addition, upon a default by an option counterparty, we may suffer adverse tax consequences and more dilution than we currently anticipate with respect to our common stock. We can provide no assurances as to the financial stability or viability of the option counterparties.