Reconciling Blockchain Technology With California Consumer Privacy Act

The California Consumer Privacy Act of 2018, which goes into effect on Jan. 1, 2020, has signaled a new push in the United States to strengthen and broaden privacy regulations, similar to the trends seen in the European Union through the passage and implementation of the General Data Protection Regulation.

Because of these new obligations, the implementation of the CCPA may bring about drastic challenges for organizations that are utilizing blockchain technology.

Blockchain technology is decentralized in a manner that often means that the way that data is stored, processed or otherwise used does not necessarily depend on a centralized authority or single "Steward" or "Controller." In many ways, blockchain technology upends traditional models of collecting and storing personal data by enabling decentralization - thus removing third-party intermediaries.

Most data privacy laws, including the CCPA, presume the operation of the traditional data model, which makes them difficult to reconcile with a decentralized or distributed data model.

Thus, despite the fact that the CCPA aligns philosophically with many of the goals of blockchain technology, several inherent features of most blockchain technologies can pose compliance challenges - in particular, blockchain's decentralized structure and the immutability of data entered into the blockchain ledgers.

The mere act of hosting information on a blockchain could be considered "Sharing" personal information, particularly when nodes are treated as "Devices" under the second prong of the test.

It appears from the facial language of the statute that blockchain companies could be considered to be "Selling" personal information simply by hosting and operating a blockchain platform through which people and entities can exchange personal information - particularly if the blockchain company charges a fee (whether in tokens operable on the blockchain or some other form of external consideration) to access the blockchain or derives other "Valuable consideration" from the hosting and operating of a platform that facilitates personal information exchange.

How can a blockchain business best address compliance with the CCPA?Businesses that deploy blockchain technology should carefully consider the extent to which personal information is written to blockchain-based ledgers and whether there are ways to mitigate the problems that arise from this appertaining to the demands and requirements of the CCPA. For example, businesses might consider storing personal information off-chain while using the ledger to track and mediate access to the personal information.

Charlyn Ho, counsel at Perkins Coie LLP, advises clients on legal issues related to technology and privacy, including those affecting blockchain platforms, e-commerce sites, mobile devices and applications, artificial intelligence/machine learning, virtual reality and augmented reality platforms, and Internet of Things devices.

When not litigating, Anna has experience counseling clients on GDPR compliance, EU-U.S. and Swiss-U.S. Privacy Shield Frameworks, and the CCPA.Marina Gatto works with clients to build strong privacy programs to ensure compliance with a range of privacy laws as a member of the firm's data security and privacy practice.