Crypto and Web3 Under Consumer Protection Control | Wiley Rein LLP
In the crypto and Web3 world, a lot of attention has focused on WHO is responsible for regulation and any sector-specific regulations that will follow: Are tokens securities, commodities, currencies or something else, and if so, what laws apply? But innovators should not lose track of consumer protection laws that apply as a backstop and require no sector-specific regulations at all. As the technology becomes increasingly mainstream, agencies such as the Federal Trade Commission (FTC) and potentially the Consumer Financial Protection Bureau (CFPB), as well as state attorneys general, may enforce consumer protection laws in areas such as security, privacy, marketing and consumer. financial losses.
Businesses that must deal with an uncertain patchwork of regulation – including those involving non-fungible tokens (NFTs) – must still navigate these consumer protection laws. In particular, interest in NFTs has increased over the past year, raising a number of legal and intellectual property issues. Unlike cryptocurrencies, NFTs are not fungible – for example, while one bitcoin can be exchanged for another bitcoin, an NFT is unique. However, even though it is not a digital currency, consumers still engage NFTs on a blockchain, which is a new frontier for many consumers and an area of interest for regulators and enforcers.
In particular, digital assets have some unique features that are sure to raise the interest of regulators. A key concern is that consumers will lose the value of their digital assets through a hack, fraud or otherwise. And where there is a risk of consumer confusion or loss, there will be government interests. Below we outline some areas where regulatory scrutiny may arise.
First, there is one risk of loss of digital assets from hacks and security flaws in platforms that store or control digital assets. Regulators have increasingly sought to mandate cybersecurity safeguards and have been active in cybersecurity enforcement, so this is an area where interest will continue to grow. For example, the FTC recently disclosed that it was investigating the data security practices of a company that operates a cryptocurrency exchange. The company experienced a data breach in December 2021 that led to estimated consumer losses of $150 million and $200 million in crypto equivalents.
Specifically, the FTC indicated that the investigation was under both Section 5 of the FTC Act (15 USC § 45), and the Gramm-Leach-Bliley Act (GLBA), under which the FTC enforces its safeguards rule. This rule imposes certain data security measures on “financial institutions” outside the banking system (eg, fintechs) and is enforceable by the FTC and CFPB. And in December 2022, new security rule changes will impose a number of specific requirements on covered companies. At the same time, the CFPB has weighed in on the data security obligations of fintechs to protect customers’ personal data. While these rules focus on safeguards to protect the consumer datamay many of the security measures involved apply equally to the protection of the customer assets. Companies should pay close attention to the extent to which the FTC, CFPB and others will use existing data security enforcement and regulatory tools to scrutinize the cybersecurity of digital assets.
Second, there is a tension between ownership of digital assets and privacy. Digital assets such as bitcoin and most cryptocurrencies involve transactions posted to a public blockchain – meaning there is limited transaction privacy if anyone has the ability to track transactions. In fact, in cases where users have sought additional privacy by using protocols such as Tornado Cash, regulators have tried to stop their use due to concerns related to sanctions and money laundering. However, consumers may not understand the trade-offs involved and may inadvertently assume a measure of privacy with transactions. Although the privacy features of crypto transactions have not been a high-profile topic to date (outside of the consideration of potential central bank digital currencies), given all the regulatory interest in privacy at both the federal and state levels and the inclusion of privacy concerns in the President’s recent Executive Order on Digital Assets, should be the question on the mind of any crypto bet.
Third, advertising and marketing rules apply even if a digital asset is not a security. The US Securities and Exchange Commission (SEC) has made headlines by alleging that celebrities like Kim Kardashian and others touted securities without adequate disclosures, but the FTC has taken enforcement actions and signaled an interest in scrutinizing undisclosed celebrity influencer endorsements, including on social media. The FTC has filed enforcement actions under the FTC Act against businesses involving crypto and has repeatedly warned about crypto businesses promising large returns that cannot be delivered. In a sector filled with hype, even ambitious claims of potential success can look like a misleading claim to a regulator, without adequate backing or disclosures.
Fourthly volatility in the value of many digital assets is likely to raise concern around consumer losses. Rapid fluctuations involving the value of bitcoin and other digital assets have left consumers shortchanged in many cases. Here too, companies dealing in digital assets will be held to account for representations they make under laws against deceptive practices. Do consumers understand the potential risks of valuation or loss of digital assets? Do consumers understand any restrictions on withdrawal of digital assets stored with intermediaries? When a company freezes consumers’ ability to withdraw money from their accounts or otherwise restricts access, it should be ready for questions from federal and state consumer protection regulators.
Ultimately, in the world of consumer protection, the classification of digital assets matters less than the behavior. Regulators and enforcers will look at the behavior of companies dealing with digital assets and, if they perceive a problem with security, privacy, marketing or loss of consumers, decide whether laws involving deceptive or unfair practices should apply.
[View source.]