For Info on NFTs: Consumer Protection and Privacy Considerations

Thinking of creating a non-fungible token (NFT) market? You’re not alone. Global NFT transactions have grown from $40.96 million in 2018 at about $25 billion in 2021. Organizations from the NBA to Taco Bell have begun implementing NFT strategies. As native blockchain artifacts, the immutability, digital scarcity, and transferability of NFTs have catalyzed growing consumer and business interest, prompting companies of all sizes to explore potential use cases ranging from autonomous works of art, NFTs related to physical products, NFT with real or virtual components.

The unique technical characteristics of NFTs, and the business models these characteristics enable, pose distinct and difficult legal questions arising from laws that were not made for, or did not anticipate, their advent. (See related Wilson Sonsini notices discussing the potential application of securities law, intellectual property law, tax law and anti-money laundering regulations to certain NFTs.) This notice focuses on consumer protection and privacy regulation. The following tips can help companies offering NFTs avoid regulatory scrutiny in these areas:

  • Implement measures to preserve the authenticity of NFTs. By all accounts, fraud is rampant in the NFT space, with stolen images proliferate on the most popular exchanges. If your NFT Marketplace is infused with fraudulent or inauthentic NFTs, NFTs that include illegal or offensive content, or NFTs that have not obtained proper clearances, this could weaken user confidence in your marketplace, harm the reputation and encourage users to seek other markets. . And without proper controls and contractual protections, you can be exposed to legal risk. In effect, the chairman of the Federal Trade Commission said its intention to scrutinize the “gatekeepers” and the “dominant intermediaries” and to “watch[] upstream” in companies enabling and profiting from illegal behavior. Rather than enforcing a “mole swipe” law against fraudulent NFT providers, his remarks suggest that the FTC would be more interested in prosecuting platforms via which NFTs are offered.

    Although Section 230 of the Communications Decency Act of 1996 may provide some level of legal protection for marketplaces that host or sell user-generated content, this law is in the crosshairs of Congress and, in any event, would not solve the damage to reputation and competition that could arise from fraudulent offers. Accordingly, you must at least clearly and expressly prohibit illegal behavior related to the sale of NFTs, and put in place measures to prevent such behavior (for example, setting up a team to handle complaints). Also, be careful not to make any inaccurate statements regarding NFTs or the extent to which you control NFTs.

  • Pay attention to tax returns. In an effort to attract business, you might be tempted to make statements about how much sellers of NFTs could earn in your market or how much buyers could earn by investing in NFTs. But you should think twice. The FTC has initiated a rule-making process to prohibit misleading tax returns, including investment or money-making opportunities. Although the FTC can already prosecute misleading or false tax returns under Section 5 of the FTC Act, the new rule in this area would allow the Commission to seek stiff penalties against non-compliant companies. And the proposed rule may not be limited to prohibiting outright deception. For example, the FTC is considering whether tax returns should be accompanied by additional disclosures of specific income information.
  • Clearly state your privacy practices. When you create an NFT marketplace, you will likely collect personal information from buyers and sellers, such as username, email address, and blockchain address. It’s a good idea to set out your personal information practices in a privacy policy. In addition to ensuring statements are accurate in privacy policies, ensure that all of your public statements (e.g., user interfaces, blog posts, press releases) about how you collect, use and share this data is accurate, not only at the time you launch your marketplace, but also over time. The FTC has taken enforcement action against many companies whose privacy claims have not kept pace with their data practices. Periodically review your data practices and disclosures to ensure they continue to be accurate.
  • Have a compliance strategy to implement consumer data rights. In some cases, such as under the upcoming amendment to the California State Privacy Act (CCPA), the New Virginia Privacy Act, and the New Colorado Privacy Act, you may not have to worry about obligations to access, correct, or delete data attached to a public blockchain because these laws exclude “public” information from the definition of personal information. However, other laws that provide data subjects with these same rights do not have a similar exclusion. Make sure you have a process in place to enforce consumer rights under applicable laws and are clear about any limitations. For example, you may not be able to comply with a request to delete data posted on the blockchain.
  • Pay special attention if your market is appealing to children. Among the variety of use cases for which NFTs are being considered, some, such as certain video games, may appeal to minors, including children under 13. Consider enforcing the Children’s Online Privacy Protection Act (COPPA) if your NFT platform, or certain content on that platform, is likely to attract a significant audience under the age of 13. If so, in many circumstances you cannot simply comply by requiring users to certify that they are over 13 or blocking child users from the site. Instead, you should follow the FTC’s guidance for providing a COPPA-compliant experience to users who indicate they are under 13. What is a COPPA Compliant Experience? There are different approaches, but this may include obtaining verifiable parental consent before collecting, using or disclosing a child’s personal information, or limiting the type of personal information you collect and the how you use this information. Failure to comply with these obligations can result in substantial fines.

For additional assistance regarding regulatory compliance regarding privacy, security and consumer protection laws, please contact Wilson Sonsini’s attorneys Dan Chase, Maneesha Mithal, Chris Olsen, Tracy Shapiro, or Libby Weingarten.