Meta Platforms Inc.: 10-K Risk Factor Changes

Companies in the internet, technology, and media industries own large numbers of patents, copyrights, trademarks, and trade secrets, and frequently enter into litigation based on allegations of infringement, misappropriation, or other violations of intellectual property or other rights. In addition, various "non-practicing entities" that own patents and other intellectual property rights often attempt to aggressively assert their rights in order to extract value from technology companies. Furthermore, from time to time we may introduce or acquire new products, including in areas where we historically have not competed, or introduce new features for existing products, which could increase our exposure to intellectual property claims from competitors, non-practicing entities, and other rights holders. From time to time, we receive notice from patent, copyright, and trademark holders and other parties alleging that certain of our products and services, trademarks, or user content, infringe their intellectual property rights. We presently are involved in a number of intellectual property lawsuits, and as we face increasing competition and develop new products and services, we expect the number of intellectual property claims against us to grow. Defending intellectual property litigation is often costly and can impose a significant burden on management and employees, and there can be no assurances that favorable final outcomes will be obtained in all cases. In addition, plaintiffs may seek, and we may become subject to, preliminary or provisional rulings in the course of any such litigation, including potential preliminary injunctions requiring us to change or cease some or all of our operations. We may decide to settle such lawsuits and disputes on terms that are unfavorable to us. Similarly, if any litigation to which we are a party is resolved adversely, we may be subject to an unfavorable judgment that may not be reversed upon appeal. The terms of such a settlement or judgment may require us to change or cease some or all of our operations or pay substantial amounts to the other party. In addition, we may have to seek a license to continue practices found to be in violation of a third party's rights, which may not be available on reasonable terms, or at all, and may significantly increase our operating costs and expenses. As a result, we may also be required to develop alternative non-infringing technology or practices, or branding or discontinue the practices or branding. The development of alternative non-infringing technology, branding or practices could require significant effort and expense, could result in less effective technology, branding or practices or otherwise negatively affect the user experience, or may not be feasible. We have experienced unfavorable outcomes in such disputes and litigation in the past, and our business, financial condition, and results of operations could be adversely affected as a result of an unfavorable resolution of the disputes and litigation referred to above.

Companies in the internet, technology, and media industries own large numbers of patents, copyrights, trademarks, and trade secrets, and frequently enter into litigation based on allegations of infringement, misappropriation, or other violations of intellectual property or other rights. In addition, various "non-practicing entities" that own patents and other intellectual property rights often attempt to aggressively assert their rights in order to extract value from technology companies. Furthermore, from time to time we may introduce or acquire new products, including in areas where we historically have not competed, which could increase our exposure to patent and other intellectual property claims from competitors and non-practicing entities. From time to time, we receive notice from patent holders and other parties alleging that certain of our products and services, or user content, infringe their intellectual property rights. We presently are involved in a number of intellectual property lawsuits, and as we face increasing competition and develop new products and services, we expect the number of patent and other intellectual property claims against us to grow. Defending patent and other intellectual property litigation is costly and can impose a significant burden on management and employees, and there can be no assurances that favorable final outcomes will be obtained in all cases. In addition, plaintiffs may seek, and we may become subject to, preliminary or provisional rulings in the course of any such litigation, including potential preliminary injunctions requiring us to cease some or all of our operations. We may decide to settle such lawsuits and disputes on terms that are unfavorable to us. Similarly, if any litigation to which we are a party is resolved adversely, we may be subject to an unfavorable judgment that may not be reversed upon appeal. The terms of such a settlement or judgment may require us to cease some or all of our operations or pay substantial amounts to the other party. In addition, we may have to seek a license to continue practices found to be in violation of a third party's rights, which may not be available on reasonable terms, or at all, and may significantly increase our operating costs and expenses. As a result, we may also be required to develop alternative non-infringing technology or practices or discontinue the practices. The development of alternative non-infringing technology or practices could require significant effort and expense, could result in less effective technology or practices or otherwise negatively affect the user experience, or may not be feasible. We have experienced unfavorable outcomes in such disputes and litigation in the past, and our business, financial condition, and results of operations could be adversely affected as a result of an unfavorable resolution of the disputes and litigation referred to above. 44 44 44 Table of Contents Table of Contents

We are engaged in ongoing privacy compliance and oversight efforts, including in connection with our modified consent order with the FTC, requirements of the GDPR, and other current and anticipated regulatory and legislative requirements around the world, such as the CCPA, as amended by the CPRA, ePrivacy Directive, DMA, DSA, the Korean Personal Information Protection Act, and the Indian Digital Personal Data Protection Act. In particular, we are maintaining a comprehensive privacy program in connection with the FTC consent order that includes substantial management and board of directors oversight, stringent operational requirements and reporting obligations, prohibitions against making misrepresentations relating to user data, a process to regularly certify our compliance with the privacy program to the FTC, and regular assessments of our privacy program by an independent third-party assessor, which has been and will continue to be challenging and costly to maintain and enhance. These compliance and oversight efforts are increasing demand on our systems and resources, and require significant new and ongoing investments, including investments in compliance processes, personnel, and technical infrastructure. We continually reallocate resources internally to assist with these efforts, and this has had, and will continue to have, an adverse impact on our other business initiatives. In addition, these efforts require substantial modifications to our business practices and make some practices such as product and ads development more difficult, time-consuming, and costly. As a result, we believe our ability to develop and launch new features, products, and services in a timely manner has been and will continue to be adversely affected. Further, our privacy compliance and oversight efforts have required, and we expect will continue to require, significant time and attention from our management and board of directors. The requirements of the FTC consent order and other privacy-related laws and regulations are complex and apply broadly to our business, and from time to time we notify relevant authorities of instances where we are not in full compliance with these requirements or otherwise discover privacy issues, and we expect to continue to do so as any such issues arise in the future. In addition, regulatory and legislative privacy requirements are constantly evolving and can be subject to significant change and uncertain interpretation. For example, we are subject to restrictions and requirements under the DMA, including in areas such as the combination of data across services and product design, which will likely be subject to further interpretation and regulatory engagement. The FTC initiated an administrative proceeding against us alleging, among other things, deficient compliance with the FTC consent order and seeking substantial modifications to the requirements of the consent order, including a prohibition on our use of minors' data for any commercial purposes, changes to the composition of our board of directors, and significant limitations on our ability to modify and launch new products. We are challenging the FTC's administrative proceeding. If the challenge is unsuccessful and the FTC is able to impose the proposed order in its current form, it would limit our ability to provide certain features and services, engage in certain business practices, require us to further increase the time, resources, and costs we spend on compliance and oversight efforts, and would adversely affect our business and financial results. If we are unable to successfully implement and comply with the mandates of the FTC consent order (including any future modifications to the order), GDPR, U.S. state privacy laws, including the CCPA, ePrivacy Directive, DMA, DSA, or other regulatory or legislative requirements, or if any relevant authority believes that we are in violation of the consent order or other applicable requirements, we may be subject to regulatory or governmental investigations or lawsuits, which may result in significant monetary fines, judgments, penalties, or other remedies, and we may also be required to make additional changes to our business practices. Any of these events could have a material adverse effect on our business, reputation, and financial results. 43 43 43 Table of Contents Table of Contents

We are engaged in ongoing privacy compliance and oversight efforts, including in connection with our modified consent order with the FTC, requirements of the GDPR, and other current and anticipated regulatory and legislative requirements around the world, such as the CPRA, ePrivacy Directive, DMA, and DSA. In particular, we are maintaining a comprehensive privacy program in connection with the FTC consent order that includes substantial management and board of directors oversight, stringent operational requirements and reporting obligations, prohibitions against making misrepresentations relating to user data, a process to regularly certify our compliance with the privacy program to the FTC, and regular assessments of our privacy program by an independent third-party assessor, which has been and will continue to be challenging and costly to maintain and enhance. These compliance and oversight efforts are increasing demand on our systems and resources, and require significant new and ongoing investments, including investments in compliance processes, personnel, and technical infrastructure. We are reallocating resources internally to assist with these efforts, and this has had, and will continue to have, an adverse impact on our other business initiatives. In addition, these efforts require substantial modifications to our business practices and make some practices such as product and ads development more difficult, time-consuming, and costly. As a result, we believe our ability to develop and launch new features, products, and services in a timely manner has been and will continue to be adversely affected. We also expect that our privacy compliance and oversight efforts will require significant time and attention from our management and board of directors. The requirements of the FTC consent order and other privacy-related laws and regulations are complex and apply broadly to our business, and from time to time we notify relevant authorities of instances where we are not in full compliance with these requirements or otherwise discover privacy issues, and we expect to continue to do so as any such issues arise in the future. In addition, regulatory and legislative privacy requirements are constantly evolving and can be subject to significant change and uncertain interpretation. For example, we will be subject to new restrictions and requirements under the DMA, including in areas such as the combination of data across services and product design, which will likely be subject to further interpretation and regulatory engagement. If we are unable to successfully implement and comply with the mandates of the FTC consent order, GDPR, CPRA, ePrivacy Directive, DMA, DSA, or other regulatory or legislative requirements, or if we are found to be in violation of the consent order or other applicable requirements, we may be subject to regulatory or governmental investigations or lawsuits, which may result in significant monetary fines, judgments, or other penalties, and we may also be required to make additional changes to our business practices. Any of these events could have a material adverse effect on our business, reputation, and financial results.

We receive formal and informal inquiries from government authorities and regulators regarding our compliance with laws and regulations, many of which are evolving and subject to interpretation. We are and expect to continue to be the subject of investigations, inquiries, data requests, requests for information, actions, and audits in the United States, Europe, and around the world, particularly in the areas of privacy, data use and data protection, including with respect to processing of sensitive data, data from third parties, data for advertising purposes, data security, minors, safety, law enforcement, consumer protection, civil rights, content moderation, use of our platform for illegal, illicit, or otherwise objectionable activity, competition, AI, and machine learning. In addition, we are currently, and may in the future be, subject to regulatory orders or consent decrees. For example, data protection, competition, and consumer protection authorities in the European Union, United States, and other jurisdictions have initiated actions, investigations, or administrative orders seeking to restrict the ways in which we collect and use information, or impose sanctions, and other authorities may do the same. In addition, we have been and continue to be the subject of litigation and investigations related to the ways in which we collect and use information, including where advertisers are subject to additional regulation such as housing, employment, credit, and financial services. In addition, beginning in March 2018, we became subject to FTC, state attorneys general, and other government inquiries in the United States, Europe, and other jurisdictions in connection with our platform and user data practices as well as the misuse of certain data by a developer that shared such data with third parties in violation of our terms and policies. In July 2019, we entered into a settlement and modified consent order to resolve the FTC inquiry, which took effect in April 2020 and, among other things, required us to significantly enhance our practices and processes for privacy compliance and oversight. The state attorneys general inquiry and certain government inquiries in other jurisdictions remain ongoing. The FTC also continues to monitor us and our compliance with the modified consent order and initiated an administrative proceeding against us, which we are challenging, that alleges deficient compliance and violations of the Children's Online Privacy Protection Act (COPPA), the COPPA Rule, and Section 5 of the Federal Trade Commission Act and seeks changes to our business. If we are unsuccessful in our challenge to the FTC's action and the agency imposes its proposed order in its current form, we would be subject to significant limitations, including on our ability to launch new and modified products or use data of users under 18 years old. We also notify the IDPC, our lead European Union privacy regulator under the GDPR, and other regulators of certain other personal data breaches and privacy issues, and are subject to inquiries and investigations by the IDPC and other regulators regarding various aspects of our regulatory compliance. We have been, and may in the future be, subject to penalties, fines, and requirements to change our business practices as a result of such inquiries and investigations. In addition, we are subject to a lawsuit by the state of Texas in connection with the "tag suggestions" feature and other uses of facial recognition technology. We are also subject to various litigation and formal and informal inquiries and investigations by competition authorities in the United States, Europe, and other jurisdictions, which relate to many aspects of our business, including with respect to users and advertisers. Such inquiries, investigations, and lawsuits concern, among other things, our business practices in the areas of social networking or social media services, messaging services, digital advertising, and/or mobile or online applications, as well as our acquisitions. For example, beginning in 2019, we became the subject of antitrust inquiries and investigations by the FTC and the U.S. Department of Justice. Beginning in 2020, we became subject to a lawsuit by the FTC alleging that we violated antitrust laws, including by acquiring Instagram in 2012 and WhatsApp in 2014. The complaint seeks a permanent injunction against our company's alleged violations of the antitrust laws, and other equitable relief, including divestiture or reconstruction of Instagram and WhatsApp. In addition, in December 2022, the European Commission issued a Statement of Objections alleging that we tie Facebook Marketplace to Facebook and use data in a manner that infringes European Union competition rules. We are also subject to other government inquiries and investigations relating to our business activities and disclosure practices. For example, beginning in September 2021, we became subject to government investigations and requests relating to allegations and the release of internal company documents by a former employee. 42 42 42 Table of Contents Table of Contents Orders issued by, or inquiries or enforcement actions initiated by, government or regulatory authorities could cause us to incur substantial costs, expose us to civil and criminal liability (including liability for our personnel) or penalties (including substantial monetary remedies), interrupt or require us to change our business practices in a manner materially adverse to our business (including changes to our products or user data practices), result in negative publicity and reputational harm, divert resources and the time and attention of management from our business, or subject us to other structural or behavioral remedies that adversely affect our business, and we have experienced some of these adverse effects to varying degrees from time to time.

We receive formal and informal inquiries from government authorities and regulators regarding our compliance with laws and regulations, many of which are evolving and subject to interpretation. We are and expect to continue to be the subject of investigations, inquiries, data requests, requests for information, actions, and audits in the United States, Europe, and around the world, particularly in the areas of privacy and data protection, including with respect to minors, law enforcement, consumer protection, civil rights, content moderation, and competition. In addition, we are currently, and may in the future be, subject to regulatory orders or consent decrees. For example, data protection, competition, and consumer protection authorities in the European Union and other jurisdictions have initiated actions, investigations, or administrative orders seeking to restrict the ways in which we collect and use information, or impose sanctions, and other authorities may do the same. In addition, beginning in March 2018, we became subject to FTC, state attorneys general, and other government inquiries in the United States, Europe, and other jurisdictions in connection with our platform and user data practices as well as the misuse of certain data by a developer that shared such data with third parties in violation of our terms and policies. In July 2019, we entered into a settlement and modified consent order to resolve the FTC inquiry, which was approved by the federal court and took effect in April 2020. Among other matters, our settlement with the FTC required us to pay a penalty of $5.0 billion and to significantly enhance our practices and processes for privacy compliance and oversight. The state attorneys general inquiry and certain government inquiries in other jurisdictions remain ongoing. We also notify the IDPC, our lead European Union privacy regulator under the GDPR, and other regulators of certain other personal data breaches and privacy issues, and are subject to inquiries and investigations by the IDPC and other regulators regarding various aspects of our regulatory compliance. We have in the past been, and may in the future be, subject to fines and requirements to changes to our business practices as a result of such inquiries and investigations. In addition, we are subject to a lawsuit by the state of Texas in connection with the “tag suggestions” and other facial recognition features on our products. We are also subject to various litigation and formal and informal inquiries and investigations by competition authorities in the United States, Europe, and other jurisdictions, which relate to many aspects of our business, including with respect to users and advertisers, as well as our industry. Such inquiries, investigations, and lawsuits concern, among other things, our business practices in the areas of social networking or social media services, digital advertising, and/or mobile or online applications, as well as our acquisitions. For example, in June 2019 we were informed by the FTC that it had opened an antitrust investigation of our company. In addition, beginning in the third quarter of 2019, we became the subject of antitrust inquiries and investigations by the U.S. Department of Justice and state attorneys general. Beginning in December 2020, we also became subject to lawsuits by the FTC and the attorneys general from 46 states, the territory of Guam, and the District of Columbia in the U.S. District Court for the District of Columbia alleging that we violated antitrust laws, including by acquiring Instagram in 2012 and WhatsApp in 2014 and by maintaining conditions on access to our platform, among other things. The complaints of the FTC and attorneys general both sought a permanent injunction against our company's alleged violations of the antitrust laws, and other equitable relief, including divestiture or reconstruction of Instagram and WhatsApp. In addition, in December 2022, the European Commission issued a Statement of Objections alleging that we tie Facebook Marketplace to Facebook and use data in a manner that infringes European Union competition rules. We are also subject to other government inquiries and investigations relating to our business activities and disclosure practices. For example, 39 39 39 Table of Contents Table of Contents beginning in September 2021, we became subject to government investigations and requests relating to allegations and the release of internal company documents by a former employee. Orders issued by, or inquiries or enforcement actions initiated by, government or regulatory authorities could cause us to incur substantial costs, expose us to civil and criminal liability (including liability for our personnel) or penalties (including substantial monetary remedies), interrupt or require us to change our business practices in a manner materially adverse to our business (including changes to our products or user data practices), result in negative publicity and reputational harm, divert resources and the time and attention of management from our business, or subject us to other structural or behavioral remedies that adversely affect our business, and we have experienced some of these adverse effects to varying degrees from time to time.

The tax effects of the accounting for share-based compensation have in the past impacted, and may in the future impact, our effective tax rate, sometimes significantly, from period to period. In periods in which our stock price varies from the grant price of the share-based compensation vesting in that period, we will recognize excess tax benefits or shortfalls that will impact our effective tax rate. For example, in 2023, excess tax benefits recognized from share-based compensation decreased our provision for income taxes by $708 million and our effective income tax rate by one percentage point as compared to the tax rate without such benefits. In future periods in which our stock price varies in comparison to the grant price of the share-based compensation vesting in that period, our effective tax rate may be inversely impacted. The amount and value of share-based compensation issued relative to our earnings in a particular period will also affect the magnitude of the impact of share-based compensation on our effective tax rate. These tax effects are dependent on our stock price, which we do not control, and a decline in our stock price could significantly increase our effective tax rate and adversely affect our financial results. 37 37 37 Table of Contents Table of Contents

The tax effects of the accounting for share-based compensation may significantly impact our effective tax rate from period to period. In periods in which our stock price varies from the grant price of the share-based compensation vesting in that period, we will recognize excess tax benefits or shortfalls that will impact our effective tax rate. For example, in 2022, tax shortfalls recognized from share-based compensation increased our provision for income taxes by $471 million and our effective tax rate by two percentage points as compared to the tax rate without such shortfalls. In future periods in which our stock price varies in comparison to the grant price of the share-based compensation vesting in that period, our effective tax rate may be inversely impacted. The amount and value of share-based compensation issued relative to our earnings in a particular period will also affect the magnitude of the impact of share-based compensation on our effective tax rate. These tax effects are dependent on our stock price, which we do not control, and a decline in our stock price could significantly increase our effective tax rate and adversely affect our financial results.

We currently depend on the continued services and performance of our key personnel, including Mark Zuckerberg. Mr. Zuckerberg and certain other members of management participate in various high-risk activities, such as combat sports, extreme sports, and recreational aviation, which carry the risk of serious injury and death. If Mr. Zuckerberg were to become unavailable for any reason, there could be a material adverse impact on our operations. The loss of other key personnel, including members of management as well as key engineering, product development, marketing, and sales personnel, could also disrupt our operations and have an adverse effect on our business. In addition, we cannot guarantee we will continue to attract and retain the personnel we need to maintain our competitive position. In particular, we expect to continue to face significant challenges in hiring specialized technical personnel, particularly senior engineering talent, whether as a result of competition with other companies or other factors. As we continue to mature, the incentives to attract, retain, and motivate employees provided by our equity awards or by future arrangements may not be as effective as in the past, and if we issue significant equity to attract additional employees or to retain our existing employees, we would incur substantial additional share-based compensation expense and the ownership of our existing stockholders would be further diluted. Our ability to attract, retain, and motivate employees may also be adversely affected by stock price volatility. In addition, restrictive immigration policies or legal or regulatory developments relating to immigration may negatively affect our efforts to attract and hire new personnel as well as retain our existing personnel. If we do not succeed in attracting, hiring, and integrating excellent personnel, or retaining and motivating existing personnel, we may be unable to grow effectively.

We currently depend on the continued services and performance of our key personnel, including Mark Zuckerberg. Although we have entered into an employment agreement with Mr. Zuckerberg, the agreement has no specific duration and constitutes at-will employment. In addition, many of our key technologies and systems are custom-made for our business by our personnel. The loss of key personnel, including members of management as well as key engineering, product development, marketing, and sales personnel, could disrupt our operations and have an adverse effect on our business. 35 35 35 Table of Contents Table of Contents In addition, we cannot guarantee we will continue to attract and retain the personnel we need to maintain our competitive position. In particular, we expect to continue to face significant challenges in hiring technical personnel, particularly for engineering talent, whether as a result of competition with other companies or other factors. As we continue to mature, the incentives to attract, retain, and motivate employees provided by our equity awards or by future arrangements may not be as effective as in the past, and if we issue significant equity to attract additional employees or to retain our existing employees, we would incur substantial additional share-based compensation expense and the ownership of our existing stockholders would be further diluted. Our ability to attract, retain, and motivate employees may also be adversely affected by stock price volatility. In addition, restrictive immigration policies or legal or regulatory developments relating to immigration may negatively affect our efforts to attract and hire new personnel as well as retain our existing personnel. If we do not succeed in attracting, hiring, and integrating excellent personnel, or retaining and motivating existing personnel, we may be unable to grow effectively.

Our employee headcount and the scale and complexity of our business have increased significantly over time. The scale of our business and breadth of our products create significant challenges for our management, operational, and financial resources, including managing multiple relationships with users, marketers, developers, and other third parties, and maintaining information technology systems and internal controls and procedures that support the scale and complexity of our business. In addition, some members of our management do not have significant experience managing a large global business operation, so our management may not be able to manage our scale effectively. To effectively manage our scale, we must maintain, and continue to adapt, our operational, financial, and management processes and systems, manage our headcount and facilities, and effectively train and manage our personnel. Many of our personnel work remotely, which may lead to challenges in productivity and collaboration. In addition, from time to time, we implement organizational changes to pursue greater efficiency and realign our business and strategic priorities. For example, in 2022 and 2023, we announced several initiatives, including restructurings, employee layoffs, and measures to scale down our office facilities, but we cannot guarantee that they will achieve our intended results. These efforts also subject us to risks such as greater than anticipated costs, adverse effects on employee retention, and increased difficulty managing the scale and complexity of our business. For example, we could face delays or challenges with product development, other business and strategic initiatives, or legal and regulatory compliance, as well as other disruptions to our operations. As our organization continues to evolve, and we are required to implement and adapt complex organizational management structures, we may find it difficult to maintain the benefits of our corporate culture, including our ability to quickly develop and launch new and innovative products. Any of these developments could negatively affect our business, reputation, or financial results.

Our employee headcount and the scale and complexity of our business have increased significantly over time. The scale of our business and breadth of our products create significant challenges for our management, operational, and financial resources, including managing multiple relationships with users, marketers, developers, and other third parties, and maintaining information technology systems and internal controls and procedures that support the scale and complexity of our business. In addition, some members of our management do not have significant experience managing a large global business operation, so our management may not be able to manage our scale effectively. To effectively manage our scale, we must maintain, and continue to adapt, our operational, financial, and management processes and systems, manage our headcount and facilities, and effectively train and manage our personnel. Many of our personnel work remotely, which may lead to challenges in productivity and collaboration. In addition, from time to time, we implement organizational changes to pursue greater efficiency and realign our business and strategic priorities. For example, in 2022, we announced a layoff of approximately 11,000 employees and initiated several measures to scale down our office facilities. As our organization continues to evolve, and we are required to implement and adapt complex organizational management structures, we may find it difficult to maintain the benefits of our corporate culture, including our ability to quickly develop and launch new and innovative products. This could negatively affect our business performance.

We are subject to a variety of laws and regulations in the United States and abroad that involve matters central to our business, including privacy, data use, data protection and personal information, the provision of our services to younger users, biometrics, encryption, rights of publicity, content, integrity, intellectual property, advertising, marketing, distribution, data security, data retention and deletion, data localization and storage, data disclosure, AI and machine learning, electronic contracts and other communications, competition, protection of minors, consumer protection, civil rights, accessibility, telecommunications, product liability, e-commerce, taxation, economic or other trade controls including sanctions, anti-corruption and political law compliance, securities law compliance, and online payment services. The introduction of new products, expansion of our activities in certain jurisdictions, or other actions that we may take may subject us to additional laws, regulations, or other government scrutiny. In addition, foreign data protection, privacy, content, competition, consumer protection, and other laws and regulations can impose different obligations or be more restrictive than those in the United States, and create the potential for significant fines to be imposed. These U.S. federal and state, EU, and other international laws and regulations, which in some cases can be enforced by private parties in addition to government entities, are constantly evolving and can be subject to significant change. As a result, the application, interpretation, and enforcement of these laws and regulations are often uncertain, particularly in the new and rapidly evolving industry in which we operate, and may be interpreted and applied inconsistently from jurisdiction to jurisdiction and inconsistently with our current policies and practices. For example, regulatory or legislative actions or litigation concerning the manner in which we display content to our users, moderate content, provide our services to younger users, or are able to use data in various ways, including for advertising, could adversely affect user growth and engagement. Such actions could affect the manner in which we provide our services or adversely affect our financial results, including by imposing significant fines that increasingly may be calculated based on global revenue. We are also subject to evolving laws and regulations that dictate whether, how, and under what circumstances we can transfer, process or receive certain data that is critical to our operations, including data shared between countries or regions in which we operate and data shared among our products and services. For example, in 2016, the European Union and United States agreed to a transfer framework for data transferred from the European Union to the United States, called the Privacy Shield, but the Privacy Shield was invalidated in July 2020 by the Court of Justice of the European Union (CJEU). In addition, the other bases upon which Meta relies to transfer such data, such as Standard Contractual Clauses (SCCs), have been subjected to regulatory and judicial scrutiny. For example, the CJEU considered the validity of SCCs as a basis to transfer user data from the European Union to the United States following a challenge brought by the Irish Data Protection Commission (IDPC). Although the CJEU upheld the validity of SCCs in July 2020, on May 12, 2023, the IDPC issued a Final Decision concluding that Meta Platforms Ireland's reliance on SCCs in respect of certain transfers of European Economic Area (EEA) Facebook user data was not in compliance with the GDPR. The IDPC issued an administrative fine of EUR €1.2 billion as well as corrective orders requiring Meta Platforms Ireland to suspend the relevant transfers and to bring its processing operations into compliance with Chapter V GDPR by ceasing the unlawful processing, including storage, of such data in the United States. We are appealing this decision and the corrective orders are currently subject to an interim stay from the Irish High Court. On March 25, 2022, the European Union and United States announced that they had reached an agreement in principle on a new EU-U.S. Data Privacy Framework (EU-U.S. DPF). On October 7, 2022, President Biden signed the Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities (E.O.), and on June 30, 2023, the European Union and the three additional countries making up the EEA were designated by the United States Attorney General as a "qualifying state" under Section 3(f) of the E.O. On July 10, 2023, the European Commission adopted an adequacy decision in relation to the United States. The adequacy decision concludes that the United States ensures an adequate level of protection for personal data transferred from the European Union to organizations in the United States that are included in the "Data Privacy Framework List," maintained and made publicly available by the United States Department of Commerce pursuant to the EU-U.S. DPF. The implementation of the EU-U.S. DPF and the adequacy decision are important and welcome milestones, and we are implementing steps to comply with the above corrective orders following engagement with the IDPC. If we are required to take additional steps to comply with the corrective orders, this could increase the cost and complexity of delivering our products and services in Europe. Furthermore, the EU-U.S. DPF replaces two prior adequacy frameworks which were invalidated by the CJEU. A further invalidation of the EU-U.S. DPF by the CJEU could create 40 40 40 Table of Contents Table of Contents considerable uncertainty and lead to us being unable to offer a number of our most significant products and services, including Facebook and Instagram, in Europe, which would materially and adversely affect our business, financial condition, and results of operations. We have been subject to other significant legislative and regulatory developments, which together with proposed or new legislation and regulations could significantly affect our business in the future. For example, we have implemented a number of product changes and controls as a result of requirements under the European General Data Protection Regulation (GDPR), and may implement additional changes in the future. The GDPR also requires submission of personal data breach notifications to our lead European Union privacy regulator, the IDPC, and includes significant penalties for non-compliance with the notification obligation as well as other requirements of the regulation. The interpretation of the GDPR is still evolving, including through decisions of the CJEU, and draft decisions in investigations by the IDPC are subject to review by other European privacy regulators as part of the GDPR's consistency mechanism, which may lead to significant changes in the final outcome of such investigations. As a result, the interpretation and enforcement of the GDPR, as well as the imposition and amount of penalties for non-compliance, are subject to significant uncertainty, and as it evolves, could potentially have a negative impact on our business and/or our operations. In addition, Brazil, the United Kingdom, and other countries have enacted similar data protection regulations imposing data privacy-related requirements on products and services offered to users in their respective jurisdictions. The California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), also establishes certain transparency rules and creates certain data privacy rights for users, including limitations on our use of certain sensitive personal information and more ability for users to control the purposes for which their data is shared with third parties. Other states have proposed or enacted similar comprehensive privacy laws that afford users with similar data privacy rights and controls. These laws and regulations are evolving and subject to interpretation, and resulting limitations on our advertising services, or reductions of advertising by marketers, have to some extent adversely affected, and will continue to adversely affect, our advertising business. Some states have also proposed or enacted laws specifically focused on the privacy rights and controls for users under 18 years old and their parents or guardians. Like comprehensive privacy laws, these laws are evolving and subject to interpretation, and may restrict our ability to offer certain products and services provided to all or certain cohorts of users in those states, adversely affecting our advertising business. In Europe, regulators continue to enforce guidance concerning the ePrivacy Directive's requirements regarding the use of cookies and similar technologies, and may impose specific measures in the future which could directly impact our use of such technologies. In addition, the ePrivacy Directive and national implementation laws impose additional limitations on the use of data across messaging products and include significant penalties for non-compliance. Changes to our products or business practices as a result of these or similar developments have adversely affected, and may in the future adversely affect, our advertising business. For example, in response to regulatory developments in Europe, we announced plans to change the legal basis for behavioral advertising on Facebook and Instagram in the EU, EEA, and Switzerland from "legitimate interests" to "consent," and in November 2023 we began offering users in the region a "subscription for no ads" alternative. We are continuing to engage with regulators on our new consent model, including regarding compliance with requirements under the GDPR, DMA, and EU consumer laws. These or any similar developments in the future may negatively impact our user growth and engagement, revenue, and financial results. Similarly, there are a number of legislative proposals or recently enacted laws in the European Union, the United States, at both the federal and state level, as well as other jurisdictions that could impose new obligations or limitations in areas affecting our business. For example, the DMA in the European Union imposes restrictions and requirements on companies like ours, including in areas such as the combination of data across services, mergers and acquisitions, and product design. The DMA also includes significant penalties for non-compliance, and its key requirements will be enforceable against designated gatekeeper companies beginning in March 2024. The DMA has caused, and may in the future cause, us to incur significant compliance costs and make changes to our products or business practices. The requirements under the DMA will likely be subject to further interpretation and regulatory engagement. Pending or future proposals to modify competition laws in the United States and other jurisdictions could have similar effects. Further, the Digital Services Act (DSA) in the European Union, which started to apply to our business as of August 2023, imposes certain restrictions and requirements for our products and services and subjects us to increased compliance costs. The DSA also includes significant penalties for non-compliance. In addition, some countries, such as India and Turkey, are considering or have passed legislation implementing data protection requirements, new competition requirements, or requiring local storage and processing of data or similar requirements that could require substantial changes to our products, increase the cost and complexity of delivering our services, cause us to cease the offering of our products and services in certain countries, and/or result in fines or other penalties. New legislation or regulatory decisions that restrict our ability to collect and use information about minors may also result in limitations on our advertising services or our ability to offer products and services to minors in certain jurisdictions. 41 41 41 Table of Contents Table of Contents These laws and regulations, as well as any associated claims, inquiries, or investigations or any government actions, have led to, and may in the future lead to, unfavorable outcomes including increased compliance costs, loss of revenue, delays or impediments in the development of new products, negative publicity and reputational harm, increased operating costs, diversion of management time and attention, and remedies that harm our business, including fines or demands or orders that we modify or cease existing business practices.

We are subject to a variety of laws and regulations in the United States and abroad that involve matters central to our business, including privacy, data use, data protection and personal information, biometrics, encryption, rights of publicity, content, integrity, intellectual property, advertising, marketing, distribution, data security, data retention and deletion, data localization and storage, data disclosure, artificial intelligence and machine learning, electronic contracts and other communications, competition, protection of minors, consumer protection, civil rights, accessibility, telecommunications, product liability, e-commerce, taxation, economic or other trade controls including sanctions, anti-corruption and political law compliance, securities law compliance, and online payment services. The introduction of new products, expansion of our activities in certain jurisdictions, or other actions that we may take may subject us to additional laws, regulations, or other government scrutiny. In addition, foreign data protection, privacy, content, competition, consumer protection, and other laws and regulations can impose different obligations or be more restrictive than those in the United States. These U.S. federal, state, and foreign laws and regulations, which in some cases can be enforced by private parties in addition to government entities, are constantly evolving and can be subject to significant change. As a result, the application, interpretation, and enforcement of these laws and regulations are often uncertain, particularly in the new and rapidly evolving industry in which we operate, and may be interpreted and applied inconsistently from jurisdiction to jurisdiction and inconsistently with our current policies and practices. For example, regulatory or legislative actions or litigation affecting the manner in which we display content to our users, moderate content, or obtain consent to various practices could adversely affect user growth and engagement. Such actions could affect the manner in which we provide our services or adversely affect our financial results. We are also subject to evolving laws and regulations that dictate whether, how, and under what circumstances we can transfer, process and/or receive certain data that is critical to our operations, including data shared between countries or regions in which we operate and data shared among our products and services. For example, in 2016, the European Union and United States agreed to a transfer framework for data transferred from the European Union to the United States, called the Privacy Shield, but the Privacy Shield was invalidated in July 2020 by the Court of Justice of the European Union (CJEU). In addition, the other bases upon which Meta relies to transfer such data, such as Standard Contractual Clauses (SCCs), have been subjected to regulatory and judicial scrutiny. For example, the CJEU considered the validity of SCCs as a basis to transfer user data from the European Union to the United States following a challenge brought by the Irish Data Protection Commission (IDPC). Although the CJEU upheld the validity of SCCs in July 2020, our continued reliance on 37 37 37 Table of Contents Table of Contents SCCs will be the subject of future regulatory consideration. In particular, in August 2020, we received a preliminary draft decision from the IDPC that preliminarily concluded that Meta Platforms Ireland's reliance on SCCs in respect of European Union/European Economic Area Facebook user data does not achieve compliance with the GDPR and preliminarily proposed that such transfers should therefore be suspended. In February 2022, we received a revised preliminary draft decision in which the IDPC maintained its preliminary conclusion that these transfers should be suspended. The IDPC's draft decision was then further refined and shared on July 6, 2022 with other European data protection regulators (CSAs) as part of the GDPR's consistency mechanism. Separately, on March 25, 2022, the European Union and United States announced that they had reached an agreement in principle on a new EU-U.S. Data Privacy Framework (EU-U.S. DPF). On October 7, 2022, President Biden signed the Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities (E.O.), and on December 13, 2022, the European Commission published its draft adequacy decision on the proposed new EU-U.S. DPF. On January 19, 2023, the IDPC referred the inquiry to a vote by the European Data Protection Board (EDPB), pursuant to the dispute resolution process under Article 65 GDPR, in respect of elements of the draft decision over which consensus could not be reached between concerned supervisory authorities. We believe a final decision in this inquiry may issue as early as the first quarter of 2023. Although the E.O. is a significant and positive step, if no adequacy decision is adopted by the European Commission and we are unable to continue to rely on SCCs or rely upon other alternative means of data transfers from the European Union to the United States, we will likely be unable to offer a number of our most significant products and services, including Facebook and Instagram, in Europe, which would materially and adversely affect our business, financial condition, and results of operations. In addition, we have been managing investigations and lawsuits in Europe, India, and other jurisdictions regarding the 2016 and 2021 updates to WhatsApp's terms of service and privacy policy and its sharing of certain data with other Meta products and services, including a lawsuit currently pending before the Supreme Court of India. If we are unable to transfer data between and among countries and regions in which we operate, or if we are restricted from sharing data among our products and services, it could affect our ability to provide our services, the manner in which we provide our services or our ability to target ads, which could adversely affect our financial results. We have been subject to other significant legislative and regulatory developments in the past, and proposed or new legislation and regulations could significantly affect our business in the future. For example, we have implemented a number of product changes and controls as a result of requirements under the European General Data Protection Regulation (GDPR), and may implement additional changes in the future. The GDPR also requires submission of personal data breach notifications to our lead European Union privacy regulator, the IDPC, and includes significant penalties for non-compliance with the notification obligation as well as other requirements of the regulation. The interpretation of the GDPR is still evolving and draft decisions in investigations by the IDPC are subject to review by other European privacy regulators as part of the GDPR's consistency mechanism, which may lead to significant changes in the final outcome of such investigations. As a result, the interpretation and enforcement of the GDPR, as well as the imposition and amount of penalties for non-compliance, are subject to significant uncertainty. In addition, Brazil, the United Kingdom, and other countries have enacted similar data protection regulations imposing data privacy-related requirements on products and services offered to users in their respective jurisdictions. The California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), also establishes certain transparency rules and create new data privacy rights for users, including limitations on our use of certain sensitive personal information and more ability for users to control the purposes for which their data is shared with third parties. Other states have proposed or enacted similar comprehensive privacy laws that afford users with similar data privacy rights and controls. These laws and regulations are evolving and subject to interpretation, and resulting limitations on our advertising services, or reductions of advertising by marketers, have to some extent adversely affected, and will continue to adversely affect, our advertising business. For example, state regulators in California and Colorado are considering adopting regulations that could further limit how companies can use personal information for advertising purposes. In Europe, regulators continue to issue guidance concerning the ePrivacy Directive's requirements regarding the use of cookies and similar technologies, and may impose specific measures in the future which could directly impact our use of such technologies. In addition, the ePrivacy Directive and national implementation laws impose additional limitations on the use of data across messaging products and include significant penalties for non-compliance. Changes to our products or business practices as a result of these or similar developments have in the past adversely affected, and may in the future adversely affect, our advertising business. Similarly, there are a number of legislative proposals or recently enacted laws in the European Union, the United States, at both the federal and state level, as well as other jurisdictions that could impose new obligations or limitations in areas affecting our business. For example, the DMA in the European Union imposes new restrictions and requirements on companies like ours, including in areas such as the combination of data across services, mergers and acquisitions, and product design. The DMA also includes significant penalties for non-compliance, and its key requirements will be enforceable against designated gatekeeper companies in early 2024. We expect the DMA will cause us to incur significant compliance costs and make additional changes to our products or business practices. The requirements under the DMA will likely be subject to further interpretation and regulatory engagement. Pending or future proposals to 38 38 38 Table of Contents Table of Contents modify competition laws in the United States and other jurisdictions could have similar effects. Further, the Digital Services Act (DSA) in the European Union, which will apply to our business as early as June 2023, will impose new restrictions and requirements for our products and services and may significantly increase our compliance costs. The DSA also includes significant penalties for non-compliance. In addition, some countries, such as India and Turkey, are considering or have passed legislation implementing data protection requirements or requiring local storage and processing of data or similar requirements that could increase the cost and complexity of delivering our services, cause us to cease the offering of our products and services in certain countries, or result in fines or other penalties. New legislation or regulatory decisions that restrict our ability to collect and use information about minors may also result in limitations on our advertising services or our ability to offer products and services to minors in certain jurisdictions. These laws and regulations, as well as any associated claims, inquiries, or investigations or any other government actions, have in the past led to, and may in the future lead to, unfavorable outcomes including increased compliance costs, loss of revenue, delays or impediments in the development of new products, negative publicity and reputational harm, increased operating costs, diversion of management time and attention, and remedies that harm our business, including fines or demands or orders that we modify or cease existing business practices.

We have significant international operations. We currently make Facebook available in more than 100 different languages, and we have offices or data centers in approximately 40 different countries. We may enter new international regions where we have limited or no experience in marketing, selling, and deploying our products. Our products are generally available globally, but some or all of our products or functionality may not be available in certain regions due to legal and regulatory complexities. For example, several of our products are not generally available in China. We also outsource certain operational functions to third parties globally. If we fail to deploy, manage, or oversee our international operations successfully, our business may suffer. In addition, we are subject to a variety of risks inherent in doing business internationally, including: •political, social, or economic instability; •risks related to legal, regulatory, and other government scrutiny applicable to U.S. companies with sales and operations in foreign jurisdictions, including with respect to privacy, tax, law enforcement, content, trade compliance, supply chain, competition, consumer protection, intellectual property, environmental, health and safety, licensing, and infrastructure matters; •potential damage to our brand and reputation due to compliance with local laws, including potential censorship or requirements to provide user information to local authorities; •enhanced difficulty in reviewing content on our platform and enforcing our community standards across different languages and countries; •fluctuations in currency exchange rates and compliance with currency controls; •foreign exchange controls and tax and other regulations and orders that might prevent us from repatriating cash earned in countries outside the United States or otherwise limit our ability to move cash freely, and impede our ability to invest such cash efficiently; •higher levels of credit risk and payment fraud; •enhanced difficulties of integrating any foreign acquisitions; •burdens of complying with a variety of foreign laws, including laws related to taxation, content removal, content 33 33 33 Table of Contents Table of Contents moderation, data localization, data protection, competition, e-commerce and payments, and regulatory oversight; •reduced protection for intellectual property rights in some countries; •difficulties in staffing, managing, and overseeing global operations and the increased travel, infrastructure, and legal compliance costs associated with multiple international locations, including difficulties arising from personnel working remotely; •compliance with statutory equity requirements and management of tax consequences; and •geopolitical events affecting us, our marketers or our industry, including trade disputes, armed conflicts, and pandemics. In addition, we must manage the potential conflicts between locally accepted business practices in any given jurisdiction and our obligations to comply with laws and regulations, including anti-corruption laws or regulations applicable to us, such as the U.S. Foreign Corrupt Practices Act and the U.K. Bribery Act 2010. We also must manage our obligations to comply with laws and regulations related to import and export controls, trade restrictions, and sanctions, including regulations established by the U.S. Office of Foreign Assets Control. Government agencies and authorities have a broad range of civil and criminal penalties they may seek to impose against companies for violations of anti-corruption laws or regulations, import and export controls, trade restrictions, sanctions, and other laws, rules, and regulations. If we are unable to expand internationally and manage the complexity of our global operations successfully, our financial results could be adversely affected. We also may be required to or elect to cease or modify our operations or the offering of our products and services in certain regions, including as a result of the risks described above, which could adversely affect our business, user growth and engagement, and financial results.

We have significant international operations and plan to continue the international expansion of our business operations and the translation of our products. We currently make Facebook available in more than 100 different languages, 31 31 31 Table of Contents Table of Contents and we have offices or data centers in approximately 40 different countries. We may enter new international markets where we have limited or no experience in marketing, selling, and deploying our products. Our products are generally available globally, but some or all of our products or functionality may not be available in certain markets due to legal and regulatory complexities. For example, several of our products are not generally available in China. We also outsource certain operational functions to third parties globally. If we fail to deploy, manage, or oversee our international operations successfully, our business may suffer. In addition, we are subject to a variety of risks inherent in doing business internationally, including: •political, social, or economic instability; •risks related to legal, regulatory, and other government scrutiny applicable to U.S. companies with sales and operations in foreign jurisdictions, including with respect to privacy, tax, law enforcement, content, trade compliance, supply chain, competition, consumer protection, intellectual property, environmental, health and safety, licensing, and infrastructure matters; •potential damage to our brand and reputation due to compliance with local laws, including potential censorship or requirements to provide user information to local authorities; •enhanced difficulty in reviewing content on our platform and enforcing our community standards across different languages and countries; •fluctuations in currency exchange rates and compliance with currency controls; •foreign exchange controls and tax and other regulations and orders that might prevent us from repatriating cash earned in countries outside the United States or otherwise limit our ability to move cash freely, and impede our ability to invest such cash efficiently; •higher levels of credit risk and payment fraud; •enhanced difficulties of integrating any foreign acquisitions; •burdens of complying with a variety of foreign laws, including laws related to taxation, content removal, content moderation, data localization, data protection, e-commerce and payments, and regulatory oversight; •reduced protection for intellectual property rights in some countries; •difficulties in staffing, managing, and overseeing global operations and the increased travel, infrastructure, and legal compliance costs associated with multiple international locations, including difficulties arising from personnel working remotely; •compliance with statutory equity requirements and management of tax consequences; and •geopolitical events affecting us, our marketers or our industry, including trade disputes, armed conflicts, and pandemics. In addition, we must manage the potential conflicts between locally accepted business practices in any given jurisdiction and our obligations to comply with laws and regulations, including anti-corruption laws or regulations applicable to us, such as the U.S. Foreign Corrupt Practices Act and the U.K. Bribery Act 2010. We also must manage our obligations to comply with laws and regulations related to import and export controls, trade restrictions, and sanctions, including regulations established by the U.S. Office of Foreign Assets Control. Government agencies and authorities have a broad range of civil and criminal penalties they may seek to impose against companies for violations of anti-corruption laws or regulations, import and export controls, trade restrictions, sanctions, and other laws, rules, and regulations. If we are unable to expand internationally and manage the complexity of our global operations successfully, our financial results could be adversely affected. We also may be required to or elect to cease or modify our operations or the offering of our products and services in certain regions, including as a result of the risks described above, which could adversely affect our business, user growth and engagement, and financial results. 32 32 32 Table of Contents Table of Contents

•our ability to compete effectively; •fluctuations in our financial results; •unfavorable media coverage and other risks affecting our ability to maintain and enhance our brands; •our ability to build, maintain, and scale our technical infrastructure, and risks associated with disruptions in our service, catastrophic events, and crises; •operating our business in multiple countries around the world; •acquisitions and our ability to successfully integrate our acquisitions; •litigation, including class action lawsuits;

•our ability to compete effectively; •fluctuations in our financial results; •unfavorable media coverage and other risks affecting our ability to maintain and enhance our brands; •the COVID-19 pandemic, including its impact on our advertising business; •acquisitions and our ability to successfully integrate our acquisitions; •our ability to build, maintain, and scale our technical infrastructure, and risks associated with disruptions in our service; •operating our business in multiple countries around the world; •litigation, including class action lawsuits;

Our ability to retain, increase, and engage our user base and to increase our revenue depends heavily on our ability to continue to evolve our existing products and to create successful new products, both independently and in conjunction with developers or other third parties. We may introduce significant changes to our existing products or acquire or introduce new and unproven products, including using technologies with which we have little or no prior development or operating experience. For example, we have relatively limited experience with consumer hardware products and virtual and augmented reality technology, which may adversely affect our ability to successfully develop and market these evolving products and technologies. We are also making significant investments in artificial intelligence (AI) initiatives across our business. For example, we recently launched new AI features on our products, including conversational AIs, stickers, and editing tools. We continue to incur substantial costs, and we may not be successful in generating profits, in connection with these efforts. In addition, we have invested, and expect to continue to invest, significant resources in growing our messaging products to support increasing usage of such products. We have historically monetized messaging in only a limited fashion, and we may not be successful in our efforts to generate meaningful revenue or profits from messaging over the long term. We also recently commenced implementation of end-to-end encryption across our messaging services on Facebook and Instagram, which has been subject to governmental and regulatory scrutiny in multiple jurisdictions. 21 21 21 Table of Contents Table of Contents If our new products or changes to existing products fail to engage users, marketers, or developers, or if our business plans are unsuccessful, we may fail to attract or retain users or to generate sufficient revenue, operating margin, or other value to justify our investments, and our business may be adversely affected.

Our ability to retain, increase, and engage our user base and to increase our revenue depends heavily on our ability to continue to evolve our existing products and to create successful new products, both independently and in conjunction with developers or other third parties. We may introduce significant changes to our existing products or acquire or introduce new and unproven products, including using technologies with which we have little or no prior development or operating experience. For example, we do not have significant experience with consumer hardware products or virtual or augmented reality technology, which may adversely affect our ability to successfully develop and market these products and technologies. We continue to incur substantial costs, and we may not be successful in generating profits, in connection with these efforts. We are also making significant investments in artificial intelligence (AI) initiatives, including to recommend relevant unconnected content across our products, enhance our advertising tools, and develop new product features using generative AI. These efforts, including the introduction of new products or changes to existing products, may result in new or enhanced governmental or regulatory scrutiny, litigation, ethical concerns, or other complications that could adversely affect our business, reputation, or financial results. We have also invested, and expect to continue to invest, significant resources in growing our messaging products to support increasing usage of such products. We have historically monetized messaging in only a limited fashion, and we may not be successful in our efforts to generate meaningful revenue or profits from messaging over the long term. In addition, we are moving forward with plans to implement end-to-end encryption across our messaging services, as well as facilitate cross-app communication between these platforms, which are subject to governmental and regulatory scrutiny in multiple jurisdictions. If our new products or changes to existing products fail to engage users, marketers, or developers, or if our business plans are unsuccessful, we may fail to attract or retain users or to generate sufficient revenue, operating margin, or other value to justify our investments, and our business may be adversely affected.

Several of our products offer Payments functionality, including enabling our users to purchase tangible, virtual, and digital goods from merchants and developers that offer applications using our Payments infrastructure, send money to other users, and make donations to certain charitable organizations, among other activities. We are subject to a variety of laws and regulations in the United States, Europe, and elsewhere, including those governing anti-money laundering and counter-terrorist financing, money transmission, stored value, gift cards and other prepaid access instruments, electronic funds transfer, virtual currency, consumer protection, charitable fundraising, economic sanctions, and import and export restrictions. In addition, we could become subject to new consumer protection laws and regulations that may be adopted or amended, including those related to payments activity as well as sharing, collection, and use of payments-related data. Depending on how our Payments products evolve, we may also be subject to other laws and regulations including those governing gambling, banking, and lending. In some jurisdictions, the application or interpretation of these laws and regulations is not clear. We have received certain payments licenses in the United States, the European Economic Area, and other jurisdictions for our regulated Payments-related products and activities. These licenses increase flexibility in how our use of Payments may evolve, help mitigate regulatory uncertainty, and will generally require us to demonstrate compliance with many domestic and foreign laws in relation to our regulated Payments products and activities. Our efforts to comply with these laws and regulations could be costly and result in diversion of management time and attention and may still not guarantee compliance. In the event that we are found to be in violation of any such legal or regulatory requirements, we may be subject to monetary fines or other penalties such as a cease and desist order, or we may be required to make product changes, any of which could have an adverse effect on our business and financial results. In addition, we are subject to a variety of additional risks as a result of Payments transactions, including: increased costs and diversion of management time and attention and other resources to address bad transactions or customer disputes; potential fraudulent or otherwise illegal activity by users, developers, employees, or third parties; restrictions on the investment of consumer funds used to transact Payments; and additional disclosure and reporting requirements. We have also launched payments functionality on certain of our applications and may in the future undertake additional payments initiatives, including as part of our metaverse efforts, which may subject us to many of the foregoing risks and additional licensing requirements.

Several of our products offer Payments functionality, including enabling our users to purchase tangible, virtual, and digital goods from merchants and developers that offer applications using our Payments infrastructure, send money to other users, and make donations to certain charitable organizations, among other activities. We are subject to a variety of laws and regulations in the United States, Europe, and elsewhere, including those governing anti-money laundering and counter-terrorist financing, money transmission, stored value, gift cards and other prepaid access instruments, electronic funds transfer, virtual currency, consumer protection, charitable fundraising, trade sanctions, and import and export restrictions. Depending on how our Payments products evolve, we may also be subject to other laws and regulations including those governing gambling, banking, and lending. In some jurisdictions, the application or interpretation of these laws and regulations is not clear. To increase flexibility in how our use of Payments may evolve and to mitigate regulatory uncertainty, we have received certain payments licenses in the United States, the European Economic Area, and other jurisdictions, which will generally require us to demonstrate compliance with many domestic and foreign laws in these areas. Our efforts to comply with these laws and regulations could be costly and result in diversion of management time and effort and may still not guarantee compliance. In the event that we are found to be in violation of any such legal or regulatory requirements, we may be subject to monetary fines or other penalties such as a cease and desist order, or we may be required to make product changes, any of which could have an adverse effect on our business and financial results. In addition, we are subject to a variety of additional risks as a result of Payments transactions, including: increased costs and diversion of management time and effort and other resources to deal with bad transactions or customer disputes; potential fraudulent or otherwise illegal activity by users, developers, employees, or third parties; restrictions on the 41 41 41 Table of Contents Table of Contents investment of consumer funds used to transact Payments; and additional disclosure and reporting requirements. We have also launched payments functionality on certain of our applications and may in the future undertake additional payments initiatives, including as part of our metaverse efforts, which may subject us to many of the foregoing risks and additional licensing requirements.

We have designed and built our own data centers and key portions of our technical infrastructure through which we serve our products, and we plan to continue to significantly expand the size of our infrastructure primarily through data centers, subsea and terrestrial fiber optic cable systems, and other projects. The infrastructure expansion we are undertaking is complex and involves projects in multiple locations around the world, including in developing regions that expose us to increased risks relating to anti-corruption compliance, trade compliance, and political challenges, among others. We have changed, suspended, and terminated certain of these projects as a result of various factors, and may continue to do so in the future. Additional unanticipated delays or disruptions in the completion of these projects, including due to the availability of components, power, or network capacity, or any shortage of labor necessary in building portions of such projects, challenges in obtaining required government or regulatory approvals, or other geopolitical challenges or actions by governments, whether as a result of trade disputes or otherwise, may lead to increased project costs, operational inefficiencies, interruptions in the delivery or degradation of the quality or reliability of our products and services, or impairment of assets on our balance sheet. For example, like others in our industry, we rely on certain third-party equipment and components for our technical infrastructure that are manufactured by a small number of third parties, often with significant operations in a single region such as Asia. Any of the foregoing delays or disruptions, including actions by governments or geopolitical events such as international conflicts, could result in tariffs, sanctions, export controls, and other measures that restrict international trade, could reduce or eliminate the ability of our suppliers, manufacturers, or other third-party providers to continue their operations to manufacture, or limit or eliminate our ability to purchase, key components of our technical infrastructure. In addition, there may be issues related to this infrastructure that are not identified during the testing phases of design and implementation, which may only become evident after we have started to fully utilize the underlying equipment, that could further degrade the user experience or increase our costs. Further, much of our technical infrastructure is located outside the United States, and action by a foreign government, or our response to such government action, has resulted, and may result in the future, in the impairment of a portion of our technical infrastructure, which may interrupt the delivery or degrade the quality or reliability of our products and lead to a negative user experience or increase our costs. Any of these events could adversely affect our business, reputation, or financial results.

We have designed and built our own data centers and key portions of our technical infrastructure through which we serve our products, and we plan to continue to significantly expand the size of our infrastructure primarily through data centers, subsea and terrestrial fiber optic cable systems, and other projects. The infrastructure expansion we are undertaking is complex and involves projects in multiple locations around the world, including in emerging markets that expose us to increased risks relating to anti-corruption compliance and political challenges, among others. We have in the past suspended, and may in the future suspend, certain of these projects as a result of the COVID-19 pandemic or other factors. Additional unanticipated delays or disruptions in the completion of these projects, including due to any shortage of labor necessary in building portions of such projects, or availability of components, challenges in obtaining required government or regulatory approvals, or other geopolitical challenges or actions by governments, whether as a result of the pandemic, trade disputes, or otherwise, may lead to increased project costs, operational inefficiencies, interruptions in the delivery or degradation of the quality or reliability of our products, or impairment of assets on our balance sheet. In addition, there may be issues related to this infrastructure that are not identified during the testing phases of design and implementation, which may only become evident after we have started to fully utilize the underlying equipment, that could further degrade the user experience or increase our costs. Further, much of our technical infrastructure is located outside the United States, and action by a foreign government, or our response to such government action, has resulted in the past, and may result in the future, in the impairment of a portion of our technical infrastructure, which may interrupt the delivery or degrade the quality or reliability of our products and lead to a negative user experience or increase our costs. Any of these events could adversely affect our business, reputation, or financial results.

We incur significant expenses in operating our business, and we expect our expenses to continue to increase in the future as we broaden our user base, as users increase the amount and types of content they consume and the data they share with us, for example with respect to video, as we develop and implement new products, as we market new and existing products and promote our brands, as we continue to expand our technical infrastructure, as we continue to invest in new and unproven technologies, including AI and machine learning, and as we continue our efforts to focus on privacy, safety, security, and content review. We have recently undertaken cost reduction measures in light of a more challenging operating environment, which may adversely affect these or other business initiatives, and some of these measures have involved, and may in the future involve, up-front charges and outlays of cash to reduce certain longer-term expenses. In addition, from time to time we are subject to settlements, judgments, fines, or other monetary penalties in connection with legal and regulatory developments that may be material to our business. We are also continuing to increase our investments in new platforms and technologies, including as part of our efforts related to building the metaverse. Some of these investments, particularly our significant investments in Reality Labs, have generated only limited revenue and reduced our operating margin and profitability, and we expect the adverse financial impact of such investments to continue for the foreseeable future. For example, our investments in Reality Labs reduced our 2023 overall operating profit by approximately $16.12 billion, and we expect our Reality Labs investments and operating losses to increase meaningfully in 2024. If our investments are not successful longer-term, our business and financial performance will be harmed.

Operating our business is costly, and we expect our expenses to continue to increase in the future as we broaden our user base, as users increase the amount and types of content they consume and the data they share with us, for example with respect to video, as we develop and implement new products, as we market new and existing products and promote our brands, as we continue to expand our technical infrastructure, as we continue to invest in new and unproven technologies, including artificial intelligence and machine learning, and as we continue our efforts to focus on privacy, safety, security, and content review. We have recently undertaken cost reduction measures in light of a more challenging operating environment, which may adversely affect these or other business initiatives, and some of these measures have involved, and may in the future involve, up-front charges and outlays of cash to reduce certain longer-term expenses. In addition, from time to time we are subject to settlements, judgments, fines, or other monetary penalties in connection with legal and regulatory developments that may be material to our business. We are also continuing to increase our investments in new platforms and technologies, including as part of our efforts related to building the metaverse. Some of these investments, particularly our significant investments in virtual and augmented reality, have generated only limited revenue and reduced our operating margin and profitability, and we expect the adverse financial impact of such investments to continue for the foreseeable future. For example, our investments in Reality Labs reduced our 2022 overall operating profit by approximately $13.72 billion, and we expect our investments to increase in the future. If our investments are not successful longer-term, our business and financial performance will be harmed.

•government restrictions on access to Facebook or our other products, or other actions that impair our ability to sell advertising, in their countries; •complex and evolving U.S. and foreign privacy, data use and data protection, content, competition, consumer protection, and other laws and regulations, including the General Data Protection Regulation (GDPR), Digital Markets Act (DMA), and Digital Services Act (DSA); 15 15 15 Table of Contents Table of Contents •the impact of government investigations, enforcement actions, and settlements, including litigation and investigations by privacy, consumer protection, and competition authorities; •our ability to comply with regulatory and legislative privacy requirements, including our consent order with the Federal Trade Commission (FTC);

•government restrictions on access to Facebook or our other products, or other actions that impair our ability to sell advertising, in their countries; •complex and evolving U.S. and foreign privacy, data use and data protection, content, competition, consumer protection, and other laws and regulations; 14 14 14 Table of Contents Table of Contents •the impact of government investigations, enforcement actions, and settlements, including litigation and investigations by privacy and competition authorities; •our ability to comply with regulatory and legislative privacy requirements, including our consent order with the Federal Trade Commission (FTC);

Although our board of directors has authorized a share repurchase program that does not have an expiration date, the program does not obligate us to repurchase any specific dollar amount or to acquire any specific number of shares of our Class A common stock. The specific timing and amount of any share repurchases, and the specific timing and amount of any 38 38 38 Table of Contents Table of Contents dividend payments, will depend on prevailing share prices, general economic and market conditions, company performance, and other considerations. We cannot guarantee that the repurchase program will be fully consummated or that it will enhance long-term stockholder value. The repurchase program and dividend payments could affect the trading price of our stock and increase volatility, and any announcement of a termination of this repurchase program or dividend payments may result in a decrease in the trading price of our stock. In addition, this repurchase program and dividend payments will diminish our cash reserves.

Although our board of directors has authorized a share repurchase program that does not have an expiration date, the program does not obligate us to repurchase any specific dollar amount or to acquire any specific number of shares of our Class A common stock. We cannot guarantee that the program will be fully consummated or that it will enhance long-term stockholder value. The program could affect the trading price of our stock and increase volatility, and any announcement of a termination of this program may result in a decrease in the trading price of our stock. In addition, this program will diminish our cash reserves.

•the occurrence of security breaches, improper access to or disclosure of our data or user data, and other cyber incidents, as well as intentional misuse of our services and other undesirable activity on our platform; •our ability to obtain, maintain, protect, and enforce our intellectual property rights; and

•the occurrence of security breaches, improper access to or disclosure of our data or user data, and other cyber incidents or undesirable activity on our platform; •our ability to obtain, maintain, protect, and enforce our intellectual property rights; and

We have experienced, and expect to continue to experience, intentional misuse of our services and user data by third parties, as well as other undesirable, illicit, or high-risk activity on our platform. We are making significant investments in privacy, safety, security, and content review efforts to combat these activities, including investigations and audits of platform applications, as well as other enforcement efforts. We have discovered and announced, and anticipate that we will continue to discover and announce, additional incidents of misuse of user data or other undesirable or illicit activity by third parties. We will not discover all such incidents or activity, whether as a result of our data or technical limitations, including our lack of visibility over our encrypted services, the scale of activity on our platform, the allocation of resources to other projects, or other factors, and we may be notified of such incidents or activity by the independent privacy assessor required under our modified consent order with the FTC, government authorities, the media, or other third parties. Such incidents and activities include the use of user data or our systems in a manner inconsistent with our terms, contracts or policies, the existence of false or undesirable user accounts, election interference, improper advertising practices, activities that threaten people's safety or well-being on- or offline (such as acts of violence, terrorism, improper promotion or distribution of pharmaceuticals and illicit drugs, human exploitation, child exploitation, and illegal gaming), instances of spamming, surveillance, scraping, data harvesting, unsecured datasets, or spreading misinformation, or other fraudulent or otherwise illegal activity. We may also be unsuccessful in our efforts to enforce our policies or otherwise prevent or remediate any such incidents. Consequences of any of the foregoing developments include negative effects on user trust and engagement, harm to our reputation and brands, changes to our business practices in a manner adverse to our business, and adverse effects on our business and financial results. Such developments have subjected, and may in the future subject, us to additional litigation 46 46 46 Table of Contents Table of Contents and regulatory inquiries, which could subject us to monetary penalties and damages, divert management's time and attention, and lead to enhanced regulatory oversight.

In addition to our efforts to mitigate cybersecurity risks, we are making significant investments in privacy, safety, security, and content review efforts to combat misuse of our services and user data by third parties, including investigations and audits of platform applications, as well as other enforcement efforts. As a result of these efforts we have discovered and announced, and anticipate that we will continue to discover and announce, additional incidents of misuse of user data or other undesirable activity by third parties. We may not discover all such incidents or activity, whether as a result of our data or technical limitations, including our lack of visibility over our encrypted services, the scale of activity on our platform, the allocation of resources to other projects, or other factors, and we may be notified of such incidents or activity by the independent privacy assessor required under our modified consent order with the FTC, the media, or other third parties. Such incidents and activities have in the past, and may in the future, include the use of user data or our systems in a manner inconsistent with our terms, contracts or policies, the existence of false or undesirable user accounts, election interference, improper advertising practices, activities that threaten people's safety on- or offline, or instances of spamming, scraping, data harvesting, unsecured datasets, or spreading misinformation. We may also be unsuccessful in our efforts to enforce our policies or otherwise remediate any such incidents. Consequences of any of the foregoing developments include negative effects on user trust and engagement, harm to our reputation and brands, changes to our business practices in a manner adverse to our business, and adverse effects on our business and financial results. Any such developments may also subject us to additional litigation and regulatory inquiries, which could subject us to monetary penalties and damages, divert management's time and attention, and lead to enhanced regulatory oversight.

We are subject to the risk of public health crises such as pandemics, earthquakes, adverse weather conditions, other natural disasters, terrorism, geopolitical conflict, other physical security threats, power loss, cyber-attacks, and other catastrophic events and crises. For example, the COVID-19 pandemic previously significantly impacted our business and results of operations. In particular, the pandemic resulted in authorities implementing numerous preventative measures from time to time to contain or mitigate the outbreak of the virus, such as travel bans and restrictions, limitations on business activity, quarantines, and shelter-in-place orders, which caused business slowdowns or shutdowns in certain affected countries and regions. These developments led to volatility in the demand for and pricing of our advertising services at various points throughout the pandemic, and we may experience similar effects in the future as a result of the pandemic or other catastrophic events. Such events also expose our business, operations, and workforce to a variety of other risks, including: 28 28 28 Table of Contents Table of Contents •volatility in the size of our user base and user engagement; •delays in product development or releases, or reductions in manufacturing production and sales of consumer hardware, as a result of inventory shortages, supply chain or labor shortages; •significant volatility and disruption of global financial markets, which could cause fluctuations in currency exchange rates or negatively impact our ability to access capital in the future; •illnesses to key employees, or a significant portion of our workforce, which may result in inefficiencies, delays, and disruptions in our business; and •increased volatility and uncertainty in the financial projections we use as the basis for estimates used in our financial statements. Any of these developments may adversely affect our business, harm our reputation, or result in legal or regulatory actions against us.

We are subject to public health crises such as the COVID-19 pandemic, which has previously significantly impacted, and may in the future impact, our business and results of operations. For example, the COVID-19 pandemic resulted in authorities implementing numerous preventative measures from time to time to contain or mitigate the outbreak of the virus, such as travel bans and restrictions, limitations on business activity, quarantines, and shelter-in-place orders, which have previously caused, and may in the future cause, business slowdowns or shutdowns in certain affected countries and regions. These developments led to volatility in the demand for and pricing of our advertising services at various points throughout the pandemic, and we may experience similar effects in the future. In addition to the impact on our advertising business, the pandemic exposes our business, operations, and workforce to a variety of other risks, including: •volatility in the size of our user base and user engagement, particularly for our messaging products, whether as a result of shelter-in-place measures or other factors; •delays in product development or releases, or reductions in manufacturing production and sales of consumer hardware, as a result of inventory shortages, supply chain or labor shortages; •increased misuse of our products and services or user data by third parties, including improper advertising practices or other activity inconsistent with our terms, contracts, or policies, misinformation or other illicit or objectionable material on our platforms, election interference, or other undesirable activity; •significant volatility and disruption of global financial markets, which could cause fluctuations in currency exchange rates or negatively impact our ability to access capital in the future; •illnesses to key employees, or a significant portion of our workforce, which may result in inefficiencies, delays, and disruptions in our business; and 26 26 26 Table of Contents Table of Contents •increased volatility and uncertainty in the financial projections we use as the basis for estimates used in our financial statements. Any of these developments may adversely affect our business, harm our reputation, or result in legal or regulatory actions against us.