Crypto and Web3 Under Consumer Protection Scrutiny
In the world of crypto and Web3, a great deal of attention has focused on who is responsible for regulation and any sector-specific regulations that would follow: Are tokens securities, commodities, currencies, or something else, and what laws apply if so? But innovators should not lose track of consumer protection laws that apply as a backstop and don’t require any sector-specific regulations at all. As the technology becomes increasingly mainstream, agencies like the Federal Trade Commission (FTC) and potentially the Consumer Financial Protection Bureau (CFPB), as well as State Attorneys General, can enforce consumer protection laws in areas like security, privacy, marketing, and consumer financial losses.
Ventures that must deal with an uncertain patchwork of regulation – including those involving non-fungible tokens (NFTs) – still must navigate these consumer protection laws. In particular, interest in NFTs has surged in the last year, raising a number of legal and intellectual property questions. Unlike cryptocurrencies, NFTs are not interchangeable – for example, while one bitcoin can be exchanged for another bitcoin, an NFT is unique. But even if not a digital currency, consumers still engage with NFTs on a blockchain, which is a new frontier for many consumers and an area of interest for regulators and enforcers.
Notably, digital assets have some unique features that are bound to raise the interest of regulators. A key concern is that consumers will lose the value of their digital assets through a hack, a scam, or otherwise. And where there is risk of consumer confusion or loss, there will be government interest. Below we outline a few areas in which regulatory scrutiny can arise.
First, there is a risk of loss of digital assets from hacks and security deficiencies of platforms that store or control digital assets. Regulators have increasingly sought to mandate cybersecurity safeguards and have been active in cybersecurity enforcement, so this is an area where interest will continue to grow. For example, the FTC recently revealed that it was investigating the data security practices of a company operating a cryptocurrency exchange. The company experienced a data breach in December 2021 that led to estimated consumer losses in the range of $150 million and $200 million in crypto equivalents.
Notably, the FTC indicated that its investigation was under both Section 5 of the FTC Act (15 U.S.C. § 45), and the Gramm-Leach-Bliley Act (GLBA), under which the FTC enforces its Safeguards Rule. That Rule mandates certain data security safeguards for “financial institutions” outside the banking system (e.g., fintechs) and can be enforced by the FTC and CFPB. And in December 2022, new Safeguards Rule changes will mandate a range of specific requirements on covered companies. At the same time, the CFPB has weighed in on the data security obligations of fintechs to protect their customers’ personal data. While these rules focus on safeguards to protect consumer data, many of the security measures involved could apply equally to protection of customer assets. Companies should closely watch the extent to which the FTC, CFPB, and others will apply existing data security enforcement and regulatory tools to scrutinize digital asset cybersecurity.
Second, there is a tension between ownership of digital assets and privacy. Digital assets like bitcoin and most cryptocurrencies involve transactions posted to a public blockchain – meaning there is limited transactional privacy if someone has the means of tracking transactions. Indeed, in cases where users have sought additional privacy using protocols like Tornado Cash, regulators have sought to stop their use out of concerns related to sanctions and money laundering. However, consumers may not understand what tradeoffs are involved and may inadvertently assume a measure of privacy with transactions. While the privacy features of crypto transactions have not been a high-profile issue to date (outside of the consideration of potential central bank digital currencies), given all the regulatory interest in privacy at both the federal and state level and inclusion of privacy considerations in the President’s recent Executive Order on Digital Assets, the issue should be top of mind for any crypto ventures.
Third, advertising and marketing rules apply even if a digital asset is not a security. The U.S. Securities and Exchange Commission (SEC) has made headlines by alleging that celebrities like Kim Kardashian and others touted securities without adequate disclosures, but the FTC has brought enforcement actions and signaled interest in scrutinizing undisclosed celebrity influencer endorsements, including on social media. The FTC has brought enforcement actions under the FTC Act against ventures involving crypto and repeatedly warned about crypto ventures promising outsized returns that cannot be delivered. In a sector filled with hype, even aspirational claims of potential success can look like a deceptive claim to a regulator, without adequate support or disclosures.
Fourth, the volatility in value of many digital assets is likely to raise concerns around consumer loss. Rapid fluctuations involving the value of bitcoin and other digital assets have left consumers short in many cases. Here too, companies that deal with digital assets will be held to representations they make under laws against deceptive practices. Do consumers understand the potential risks in terms of valuation or loss of digital assets? Do consumers understand any restrictions placed on withdrawal of digital assets stored with intermediaries? When a company freezes the ability of consumers to withdraw funds from their accounts or otherwise restricts access, it should be ready for questions from federal and state consumer protection regulators.
Ultimately, in the world of consumer protection, the classification of digital assets matters less than the conduct. Regulators and enforcers will look at the conduct of companies dealing with digital assets and, if they perceive an issue with security, privacy, marketing, or any consumer loss, determine if laws involving deceptive or unfair practices should apply.
Wiley’s Digital Assets, Cryptocurrencies, and Blockchain team helps entities implement compliant digital asset products, services, and strategies, including in the area of NFTs, and engage with regulators. Please reach out to any of the authors with additional questions.