The California Consumer Privacy Act of 2018 (CCPA), which goes into effect on Jan. 1, 2020, has signaled a new push in the United States to strengthen and broaden privacy regulations, similar to the trends seen in the European Union through the passage and implementation of the General Data Protection Regulation (GDPR).
The CCPA affords covered consumers new privacy rights not otherwise enjoyed here in the U.S. Under the CCPA, an entity qualifying as a “business” must provide:
- Abbreviated disclosures regarding the personal information that is collected from or about covered consumers (Cal. Civ. Code § 1798.100).
- Certain other expanded disclosures regarding personal information collected from or about covered consumers (id. § 1798.110(a)).
- Disclosures regarding the sale or disclosure of personal information for a business purpose (id. § 1798.115).
- An opt-out from the “sale” of personal information (id. § 1798.120).
- An opt-in requirement before selling a minor’s personal information (id. § 1798.120(c)).
- The ability for covered consumers to access and/or delete personal information collected from or about them (id. §§ 1798.105, 1798.100(d)).
Subjected businesses must also implement measures to prevent discrimination against consumers who exercise their rights under the CCPA (id. § 1798.125). Because of these new obligations, the implementation of the CCPA may bring about drastic challenges for organizations that are utilizing blockchain technology.
What does the CCPA mean for blockchain?
Blockchain technology is being used to develop solutions and tools that provide individuals much greater control over their data. The technology’s often public and immutable ledgers promise to introduce a new level of transparency into how individuals’ data is being used. Blockchain technology (particularly when it is employed in a public/permissionless environment) is decentralized in a manner that often means that the way that data is stored, processed or otherwise used does not necessarily depend on a centralized authority or single “steward” or “controller.” In many ways, blockchain technology upends traditional models of collecting and storing personal data by enabling decentralization — thus removing third-party intermediaries.
However, most data privacy laws, including the CCPA, presume the operation of the traditional data model, which makes them difficult to reconcile with a decentralized or distributed data model. Thus, despite the fact that the CCPA aligns philosophically with many of the goals of blockchain technology (i.e., data integrity, cybersecurity and transparency), several inherent features of most blockchain technologies can pose compliance challenges — in particular, blockchain’s decentralized structure and the immutability of data entered into the blockchain ledgers.
Much of the uncertainty surrounding the CCPA (both generally and as it applies to blockchain technology) stems from the statute’s broad definitions. For example, the definition of personal information encompasses “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” (Id. § 1798.140(o)(1)). Despite calls for the legislature to provide further clarification — including those voiced during the state attorney general’s multiple public forums pending the passage of any additional amendments — the statute, as it is currently written, becomes effective on Jan. 1, 2020.
Notably, enforcement actions by the attorney general may be brought six months after the publication of final regulations or Jul. 1, 2020, whichever is sooner (Id. § 1798.185(c)). Civil penalties include injunctions and fines of up to $2,500 per violation and aggravated fines of up to $7,500 per intentional violation. Note that consumers are afforded a limited private right of action in situations when their personal information is “subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices.”
When are blockchain businesses subject to the CCPA?
The CCPA’s obligations are limited to “businesses,” which are defined as any for-profit company doing business in California that collects personal information and satisfies at least one of the following thresholds:
- Receives an annual gross revenue in excess of $25 million.
- Annually buys, sells, or, for commercial purposes, receives or shares personal information of at least 50,000 California consumers, households or devices.
- Derives 50% or more of its annual revenue from “selling” California consumer personal information.
Note that “doing business” is undefined by the statute and could be construed to encompass a blockchain platform with nodes that operate in California or that collect data from Californian consumers (Id. § 1798.140(c)(1)).
Though the first prong of the CCPA threshold test is fairly self-explanatory, the second and third prongs are less straightforward. The mere act of hosting information on a blockchain could be considered “sharing” personal information, particularly when nodes are treated as “devices” under the second prong of the test. For example, the existence of 500 nodes on a blockchain network that all maintain a copy of the ledger may constitute “sharing” under the statute (although there is currently no regulatory guidance on this topic).
The definition of “selling” is also very broad. It includes “renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means” personal information for “other valuable consideration.” (Cal. Civ. Code § 1798.140(t)(1)). What constitutes “other valuable consideration” remains unspecified.
Therefore, it appears from the facial language of the statute that blockchain companies could be considered to be “selling” personal information simply by hosting and operating a blockchain platform through which people and entities can exchange personal information — particularly if the blockchain company charges a fee (whether in tokens operable on the blockchain or some other form of external consideration) to access the blockchain or derives other “valuable consideration” from the hosting and operating of a platform that facilitates personal information exchange.
Similarly, it is possible that node operators or miners in a blockchain environment who receive tokens or cryptocurrency in exchange for performing transaction validation or ledger confirmation services to the network would be similarly considered to be “selling” because they are “communicating […] by electronic or other means” personal information that is written to the blockchain. If a covered business is found to be “selling” personal information, additional notice, disclosure and other obligations will apply — even if the business has not engaged in what would traditionally be considered a “sale” for monetary consideration.
Moreover, while pseudonymization may help obfuscate data, it does not render the subject data nonpersonal. Because the statute applies to personal information that is “capable of being associated with, or could reasonably be linked, directly or indirectly” with the individual, such techniques may prove insufficient due to the risk of reidentification.
How can a blockchain business best address compliance with the CCPA?
Businesses that deploy blockchain technology should carefully consider the extent to which personal information is written to blockchain-based ledgers and whether there are ways to mitigate the resulting problems in light of the demands and requirements of the CCPA.
For example, businesses might consider storing personal information off-chain (i.e., not on the blockchain) while using the ledger to track and mediate access to the personal information. This type of solution could enable the business to directly reference the off-chain personal information for reporting obligations under the CCPA while maintaining the integrity of its ledger, without putting the data itself on-chain, where the business could not delete it upon request. In this scenario, deletion is simple: By removing the data from the off-chain store, any immutable references on-chain become references to nonexistent data and are rendered meaningless.
However, off-chain workarounds can add unwanted complexity that is at odds with many blockchain platforms’ goals of simplicity and transparency. Furthermore, these workarounds reintroduce parallel data sources, with the security concerns that entails, which is precisely the status quo problem that blockchain-based solutions so elegantly address.
If an off-chain solution is impractical, blockchain businesses could consider taking all data obfuscation steps available to depersonalize the data as much as possible (e.g., applying salting, encryption and hashing techniques to all on-chain data). However, data on the blockchain is almost always associated with a ledger’s public key (i.e., ledger address) and is therefore connected to the person or entity that was adding data to that address. Accordingly, public keys could be deemed “personal information” under the CCPA to the extent that they belong to or can be tied to a California consumer.
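The off-chain pattern and the obfuscation caveat above can be shown together in code. The following is an added example, not code from the article or from any blockchain platform: an append-only ledger stands in for an immutable chain and holds only a writer address, a random record pointer and a keyed commitment (HMAC-SHA256 under a per-consumer secret key), while the personal information itself lives in a mutable off-chain store. Honouring a deletion request erases the record and destroys the key, so the on-chain entry survives but can no longer be resolved or linked to the consumer. The class and function names, the address value `addr_7f3a` and the sample record are all constructed for the example; `plain_hash` shows why an unkeyed hash of a guessable field (an e-mail address) stays linkable, which is the reidentification risk the text describes.

```python
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class LedgerEntry:
    address: str     # writer's ledger address; as noted above, this may itself be personal information
    record_id: str   # random opaque pointer to the off-chain record, carries no personal information
    commitment: str  # HMAC-SHA256 over the record, keyed with a per-consumer secret


class Ledger:
    """Append-only list modelling an immutable chain: entries are never updated or removed."""

    def __init__(self) -> None:
        self._entries: List[LedgerEntry] = []

    def append(self, entry: LedgerEntry) -> int:
        self._entries.append(entry)
        return len(self._entries) - 1

    def get(self, index: int) -> LedgerEntry:
        return self._entries[index]

    def __len__(self) -> int:
        return len(self._entries)


class OffChainStore:
    """Mutable store for the personal information and the per-consumer HMAC keys."""

    def __init__(self) -> None:
        self._records: Dict[str, dict] = {}
        self._owner: Dict[str, str] = {}   # record_id -> consumer_id
        self._keys: Dict[str, bytes] = {}  # consumer_id -> secret key

    def put(self, consumer_id: str, record: dict) -> str:
        self._keys.setdefault(consumer_id, secrets.token_bytes(32))
        record_id = secrets.token_hex(8)
        self._records[record_id] = dict(record)
        self._owner[record_id] = consumer_id
        return record_id

    def get(self, record_id: str) -> Optional[dict]:
        return self._records.get(record_id)

    def owner_of(self, record_id: str) -> Optional[str]:
        return self._owner.get(record_id)

    def key_for(self, consumer_id: Optional[str]) -> Optional[bytes]:
        return self._keys.get(consumer_id) if consumer_id else None

    def delete_consumer(self, consumer_id: str) -> int:
        """Honour a deletion request: erase every record for the consumer and destroy the key."""
        ids = [r for r, c in self._owner.items() if c == consumer_id]
        for record_id in ids:
            del self._records[record_id]
            del self._owner[record_id]
        self._keys.pop(consumer_id, None)
        return len(ids)


def commit(key: bytes, record: dict) -> str:
    """Keyed commitment over a canonical JSON encoding of the record."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def plain_hash(value: str) -> str:
    """Unkeyed SHA-256 of one field: the kind of obfuscation that does not depersonalize data."""
    return hashlib.sha256(value.encode()).hexdigest()


def write_record(store: OffChainStore, ledger: Ledger, address: str, consumer_id: str, record: dict) -> int:
    record_id = store.put(consumer_id, record)
    return ledger.append(LedgerEntry(address, record_id, commit(store.key_for(consumer_id), record)))


def resolve(store: OffChainStore, ledger: Ledger, index: int) -> Optional[dict]:
    """Dereference a ledger entry; None once the off-chain record or its key no longer exists."""
    entry = ledger.get(index)
    record = store.get(entry.record_id)
    key = store.key_for(store.owner_of(entry.record_id))
    if record is None or key is None or not hmac.compare_digest(commit(key, record), entry.commitment):
        return None
    return record


def linkable_by_plain_hash(digest: str, candidates: List[str]) -> bool:
    """An unkeyed hash of a guessable field can be matched by anyone who can enumerate candidates."""
    return any(plain_hash(c) == digest for c in candidates)


def linkable_by_commitment(entry: LedgerEntry, candidates: List[dict], key: Optional[bytes]) -> bool:
    """A keyed commitment is linkable only while the consumer's key still exists."""
    if key is None:
        return False
    return any(hmac.compare_digest(commit(key, c), entry.commitment) for c in candidates)


def demo() -> dict:
    """Constructed walkthrough: write a record, resolve it, delete the consumer, resolve again."""
    store, ledger = OffChainStore(), Ledger()
    record = {"email": "alice@example.com", "tier": "gold"}  # constructed sample, not real data
    idx = write_record(store, ledger, "addr_7f3a", "consumer-1", record)
    entry = ledger.get(idx)
    before = resolve(store, ledger, idx)
    linkable_before = linkable_by_commitment(entry, [record], store.key_for("consumer-1"))
    removed = store.delete_consumer("consumer-1")
    after = resolve(store, ledger, idx)
    linkable_after = linkable_by_commitment(entry, [record], store.key_for("consumer-1"))
    return {"before": before, "linkable_before": linkable_before, "removed": removed,
            "after": after, "linkable_after": linkable_after, "ledger_len": len(ledger)}
```

Running `demo()` shows the ledger keeping its one entry after deletion while `resolve` returns `None` and the commitment is no longer linkable to the consumer's record; the address field remains on-chain, which is why the text's point about ledger addresses still has to be addressed in the design.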
Finally, businesses should begin taking steps to comply with the CCPA as soon as possible: In a 2018 conversation at Perkins Coie LLP, Eleanor Blume, the special assistant to the California Office of the Attorney General, emphasized that companies would be evaluated on their CCPA compliance in part by the preventative measures they took in 2019.