---
ticker: IDXX
company: IDEXX Laboratories Inc.
filing_type: 10-K
year_current: 2024
year_prior: 2023
risks_added: 1
risks_removed: 1
risks_modified: 1
risks_unchanged: 22
source: SEC EDGAR
url: https://riskdiff.com/idxx/2024-vs-2023/
markdown_url: https://riskdiff.com/idxx/2024-vs-2023/index.md
generated: 2026-05-10
---

# IDEXX Laboratories Inc.: 10-K Risk Factor Changes 2024 vs 2023

> Source: U.S. Securities and Exchange Commission (EDGAR)  
> Generated: 2026-05-10  
> All data extracted directly from official filings. No hallucinated content.

> **[AI-Generated Summary]** The paragraph below was produced by a language
> model and may contain errors. All other content on this page is deterministically
> extracted from the original SEC filing.

> IDEXX Laboratories' risk disclosures shifted focus from human diagnostics expansion challenges to artificial intelligence governance, with the company removing its risk related to limited human point-of-care experience while adding a new risk concerning AI use in product offerings. The company substantively enhanced its data privacy and protection risk disclosure, reflecting heightened regulatory scrutiny in this area. These changes represent a strategic recalibration toward emerging technology risks while de-emphasizing a previously identified market entry challenge.

---

## Summary

| Status | Count |
|--------|-------|
| New risks added | 1 |
| Risks removed | 1 |
| Risks modified | 1 |
| Unchanged | 22 |

---

## New in Current Filing: Issues in the use of AI in our product offerings may result in reputational harm or liability

We have built, and expect to continue to build, AI into many of our product and service offerings, and we expect this element of our business to grow. We envision a future in which responsible AI operating in our devices, applications, and the cloud, helps our customers be more productive in their business activities and interactions with consumers. As with many disruptive innovations, AI presents risks and challenges that could affect its adoption, and therefore our business. AI algorithms and models may be flawed. Datasets may be insufficient or contain information that is non-representative, infringing, or otherwise subject to legal challenge. Potential government regulation related to AI use may also foreclose certain areas of AI use, cause us to modify how we use AI, and increase the burden and cost of research and development in this area, and failure to properly remediate AI usage issues may cause public confidence in AI to be undermined, which could slow adoption of AI in our offerings. The rapid evolution of AI will require the application of resources to develop, test, and maintain our products and services to help ensure that AI is implemented in a manner to minimize unintended, harmful impact and to comply with applicable law. Furthermore, over the last year, there have been multiple class action lawsuits filed against large language model developers in the Northern District of California, the Southern District of New York, and the Middle District of Tennessee concerning alleged copyright and other intellectual property violations with respect to the information used to train AI models. The outcomes of these litigations may impair our ability to provide our AI technologies.

---

## No Match in Current: Our limited experience and small scale in the human point-of-care and related human laboratory diagnostics sector could inhibit our success in this sector

*This section from the 2023 filing does not have a high-confidence textual match in 2024. It may have been removed, merged, or substantially reworded.*

We have limited experience in the human point-of-care and related human laboratory medical diagnostics sector, and we operate at a small scale in this area. This sector differs in many respects from the veterinary diagnostic sector. Significant differences include the impact of third-party reimbursement on diagnostic testing, more extensive regulation, greater product liability risks, larger competitors, a more segmented customer base, and more rapid technological innovation. Our limited experience and small scale in the human point-of-care and laboratory medical diagnostics sector could negatively affect our ability to successfully manage the risks and features of this sector that differ from the veterinary diagnostic sector. There can be no assurance that we will be successful in achieving growth and profitability in the human point-of-care and laboratory medical diagnostics sector comparable to the results we have achieved in the veterinary diagnostic sector.

---

## Modified: Our operations and reputation may be impaired if we, our products, or our services do not comply with our global privacy policy or evolving laws and regulations regarding data privacy and protection

**Key changes:**

- Reworded sentence: "Some of these products and services rely on third-party providers for cloud computing and storage."
- Reworded sentence: "While we maintain a program to monitor, assess, and comply with applicable global data privacy laws, compliance with these evolving requirements can be costly, require us to change our business practices in a manner adverse to our business or delay or impede the development and offering of innovative products and services."
- Reworded sentence: "Examples of laws and regulations that have impacted and could, in the future, impact our business include (but are not limited to): •The California Consumer Privacy Act, as amended by the California Privacy Rights Act ("CPRA"), as well as other similar U.S."
- Reworded sentence: "•The European Union's General Data Protection Regulation ("GDPR") and similar requirements adopted by the United Kingdom ("UK") following the UK's withdrawal from the European Union ("EU") and the European Economic Area ("EEA"), which impose stringent operational requirements for controllers and processors of personal data of individuals in the EEA and UK."
- Reworded sentence: "For example, in July 2020 the Court of Justice of the European Union ("CJEU") invalidated the EU-U.S."

**Prior (2023):**

The nature of our business involves the receipt, storage and use of information, including personal data, about our customers, pet owners, suppliers, and employees. We collect and use personal data in a variety of ways. We offer products and services that collect and use personal data, including veterinary practice management systems, online customer communication tools and services, VetConnect PLUS, and two-way integration technology. Some of these products and services rely on third-party providers for cloud storage. We also engage in e-commerce through various websites and collect contact and other personal data from our customers and website visitors. In addition, we transfer information, including personal data, among IDEXX, our subsidiaries and third parties with which we have commercial relations for business purposes. Our collection, transfer, protection, security, retention, storage, disclosure, sharing and use of personal data described above are subject to expanding and increasingly complex laws and regulations in the U.S. and abroad. In addition, these laws and regulations continue to develop and are subject to frequent revisions (and generally have become more stringent over time), are subject to differing interpretations, may be applied inconsistently from jurisdiction to jurisdiction and could be deemed to be inconsistent with our current global privacy policy and data protection practices. While we maintain a program to monitor, assess, and comply with applicable global data privacy laws, compliance with these evolving requirements can be costly, require us to change our business practices in a manner adverse to our business or delay or impede the development and offering of innovative products and services. Additionally, public perception and standards related to the privacy of personal data can shift rapidly, in ways that may affect our reputation or influence regulators in the U.S. and abroad to expand or adopt more stringent regulations and laws. Examples of laws and regulations that have impacted and could, in the future, impact our business include:

- The California Consumer Privacy Act, as amended by the California Privacy Rights Act ("CPRA"), as well as any similar U.S. state laws that may apply to our business operations within a respective state and/or a U.S. federal privacy law that may be passed in the future, all of which may have conflicting requirements that would make compliance challenging. The CCPA contained certain exemptions for personal information of employees and job applicants, and personal information collected in a "business-to-business" context, each of which expired as of January 1, 2023, expanding compliance obligations under to the CCPA.
- The European Union's General Data Protection Regulation ("GDPR") and similar requirements adopted by the United Kingdom ("UK") following the UK's withdrawal from the European Union ("EU") and the European Economic Area ("EEA") impose stringent operational requirements for controllers and processors of personal data of individuals in the EEA and UK. Noncompliance could result in regulatory enforcement actions resulting in monetary penalties of up to the greater of €20 million or 4% of global annual revenues, private litigation, a suspension or termination of processing activities, reputational damage, and loss of customers.
- The China Personal Information Protection Law, the Brazilian General Data Protection Law, the South African Protection of Personal Information Act, the Amendments to the Japanese Act on the Protection of Personal Information, and the New Zealand Privacy Act are examples of other non-U.S. personal data protection laws to which we are subject. Additional countries in which we operate are considering adopting or expanding laws and regulations regarding personal data.

An additional area of complexity concerns the restrictions on transfers of personal data from certain countries to others. For example, in July 2020 the Court of Justice of the European Union invalidated the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks, calling into question data transfers carried out under the European Commission's Standard Contractual Clauses ("SCCs"), which has created challenges for our transfer of personal data from the EEA, EU, and/or Switzerland to the U.S. and other third countries. Any transfers by us or our vendors of personal data are subject to potential regulatory scrutiny and may increase our exposure under the GDPR and similar laws which contain cross-border personal data transfer heightened requirements and restrictions. Any failure or perceived failure by us, the third parties with whom we work or our products and services to comply with all applicable privacy-related laws and regulations, as well as our contractual obligations, could result in damage to our reputation or legal proceedings or actions against us by governmental entities or others, any of which could have an adverse effect on our business. In addition, concerns about our practices with regard to the collection, use, retention, disclosure, or security of personal data or other privacy-related matters, even if unfounded and even if we are in compliance with applicable laws and regulations, could damage our reputation and harm our business.

**Current (2024):**

The nature of our business involves the receipt, storage and use of information, including personal data, about our customers, pet owners, suppliers, and employees. We collect and use personal data in a variety of ways. We offer products and services that collect and use personal data, including veterinary practice management systems, online customer communication tools and services, VetConnect PLUS, and two-way integration technology. Some of these products and services rely on third-party providers for cloud computing and storage. We also engage in e-commerce through various websites and collect contact and other personal data from our customers and website visitors. In addition, we transfer information, including personal data, among IDEXX, our subsidiaries and third parties with which we have commercial relations for business purposes. Our collection, transfer, protection, security, retention, storage, disclosure, sharing and use of personal data described above are subject to expanding and increasingly complex laws and regulations in the U.S. and abroad. In addition, these laws and regulations continue to develop and are subject to frequent revisions (and generally have become more stringent over time), are subject to differing interpretations, may be applied inconsistently from jurisdiction to jurisdiction and could be deemed to be inconsistent with our current global privacy policy and data protection practices. While we maintain a program to monitor, assess, and comply with applicable global data privacy laws, compliance with these evolving requirements can be costly, require us to change our business practices in a manner adverse to our business or delay or impede the development and offering of innovative products and services. Additionally, public perception and standards related to the privacy of personal data can shift rapidly, in ways that may affect our reputation or influence regulators in the U.S. and abroad to expand or adopt more stringent regulations and laws. Examples of laws and regulations that have impacted and could, in the future, impact our business include (but are not limited to):

- The California Consumer Privacy Act, as amended by the California Privacy Rights Act ("CPRA"), as well as other similar U.S. state laws that may apply to our business operations within a respective state and/or a U.S. federal privacy law that may be passed in the future, all of which may have conflicting requirements that would make compliance challenging.
- The European Union's General Data Protection Regulation ("GDPR") and similar requirements adopted by the United Kingdom ("UK") following the UK's withdrawal from the European Union ("EU") and the European Economic Area ("EEA"), which impose stringent operational requirements for controllers and processors of personal data of individuals in the EEA and UK.
- The China Personal Information Protection Law, the Brazilian General Data Protection Law, the South African Protection of Personal Information Act, the Amendments to the Japanese Act on the Protection of Personal Information, the New Zealand Privacy Act, and the India Digital Personal Data Protection Act.

An additional area of complexity concerns the restrictions on transfers of personal data from certain countries to others. For example, in July 2020 the Court of Justice of the European Union ("CJEU") invalidated the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks, calling into question data transfers carried out under the European Commission's ("EC") Standard Contractual Clauses ("SCCs"), which has created challenges for our transfer of personal data from the EEA, EU, and/or Switzerland to the U.S. and other third countries. Although the EC adopted an adequacy decision for the newly-authorized EU-U.S. Data Privacy Framework ("EU-U.S. DPF") administered by the U.S. Department of Commerce in July 2023 enabling U.S. companies who certify to the EU-U.S. DPF to rely on it as a valid data transfer mechanism, the adequacy decision is likely to face challenge, including at the CJEU. In July 2023, the Swiss-U.S. Data Privacy Framework ("Swiss-U.S. DPF") went into effect, governing transfers of Swiss personal data, and in October 2023, the UK Extension to the EU-U.S. DPF came into force, to facilitate transfers of personal data from the UK to the U.S. We currently rely on a mixture of mechanisms to transfer certain personal data from the EEA, Switzerland, and the UK to the U.S. and other third countries including the EU-U.S. DPF, the Swiss-U.S. DPF, and the UK Extension to the EU-U.S. DPF. We expect the existing legal complexity and uncertainty regarding international personal data transfers to continue. In particular, we expect the EU-U.S. DPF adequacy decision to be challenged and international transfers to the U.S. and to other jurisdictions more generally to continue to be subject to enhanced scrutiny by regulators. Any transfers by us or our vendors of personal data are subject to potential regulatory scrutiny and may increase our exposure under the GDPR, UK GDPR, and similar laws which contain cross-border personal data transfer heightened requirements and restrictions (such as the new Chinese government standard contract for cross-border personal data transfers). Any failure or perceived failure by us, the third parties with whom we work or our products and services to comply with all applicable privacy-related laws and regulations, as well as our contractual obligations, could result in damage to our reputation or legal proceedings or actions against us by governmental entities or others, any of which could have an adverse effect on our business. In addition, concerns about our practices with regard to the collection, use, retention, disclosure, or security of personal data or other privacy-related matters, even if unfounded and even if we are in compliance with applicable laws and regulations, could damage our reputation and harm our business.

---

*Data sourced from SEC EDGAR. Last updated 2026-05-10.*