If 2022 has been any indication, the innovations of Web3—the developing, largely decentralized, autonomous internet, enabled by technologies such as blockchain, smart contracts, decentralized autonomous organizations (DAOs), and digital assets—will lead to an era of rethinking the ways that privacy, cybersecurity, and consumer protection are regulated for these technologies. Proponents of Web3 argue that Web3 will promote individual data ownership, transparency, and freedom, but over the last few years, lawmakers have struggled to keep up with the rapidly changing nature of the Web3 space and force the new technology to fit within the existing legal framework.
This year, however, authorities have called for a more harmonized approach to Web3 regulation. Several recent developments—including Executive Orders from President Biden and California Governor Gavin Newsom, invocation of a long-dormant statutory provision by the Consumer Financial Protection Bureau (CFPB), and proposed amendments to the Cybersecurity Information Sharing Act—have signaled that lawmakers and regulators are prioritizing new approaches to privacy, cybersecurity, and consumer protection in an attempt to regulate Web3.
President Biden’s Executive Order
On March 9, 2022, President Biden issued an Executive Order on Ensuring Responsible Development of Digital Assets. The opening of Biden’s order places data privacy and cybersecurity first among a list of “profound implications for the protection of consumers, investors, and businesses” that have followed from advances in Web3 technology. The order further lists consumer protection first among its six policy objectives with respect to digital assets, emphasizing both that “firms providing digital asset services may provide inadequate protections for sensitive financial data” and that “[c]ybersecurity and market failures at major digital asset exchanges and trading platforms have resulted in billions of dollars of losses.” Mitigating the risks of cybercrime and ransomware attacks is among the order’s actions to limit illicit finance.
President Biden’s Executive Order has significant implications for the Federal Trade Commission (FTC) and the CFPB, which are both empowered to address a wide range of potentially “unfair or deceptive” practices affecting consumers, including those that emerge with the development of new technologies and business models. The FTC and CFPB are specifically directed by Biden’s Executive Order to focus on how privacy and consumer protection regulation “may be used to protect users of digital assets and whether additional measures may be needed.”
Consumer Financial Protection Bureau
In the wake of the announcement of President Biden’s Executive Order, the CFPB on April 25, 2022 announced that it would begin to invoke a largely unused provision giving the agency authority to oversee nonbank financial institutions posing risks to consumers. The clause, found in 12 U.S.C. 5514(a)(1)(C), empowers the CFPB to oversee nonbank companies if the agency “has reasonable cause to determine” that those companies are “engaging, or ha[ve] engaged, in conduct that poses risks to consumers with regard to the offering or provision of consumer financial products or services.” Although it was implemented through procedural rulemaking in 2013, the CFPB has waited until now to invoke the clause, citing the ability to be “agile and supervise entities that may be fast-growing or are in markets outside the existing nonbank supervision program.” At the same time, the CFPB issued an amendment to the 2013 procedural rule that will allow it to publicly release the results of its determinations under this authority.
The CFPB has authority to protect consumers against “unfair” and “deceptive” practices, and “abusive” acts and practices, and to provide broad relief including restitution and disgorgement. The CFPB has used this authority in the past to seek enforcement against companies that it deems have deceived consumers about the safety or security of their online systems. In 2016, as part of the first data security enforcement action by the CFPB, the agency entered a consent order with payment provider Dwolla, Inc.
There has been some speculation that the CFPB will be stepping in to provide consumers redress where the FTC is limited due to the Supreme Court’s 2021 decision in AMG Capital Management v. FTC, which held that Section 13(b) of the FTC Act does not authorize the FTC to seek equitable monetary relief, such as restitution or disgorgement, in federal court. Indeed, in late 2021, the CFPB ordered large fintech companies to provide access to data about their business practices as part of consumer protection efforts. The CFPB’s recent invocation of its nonbank entity authority appears to be a natural progression toward supervising the more novel fintech structures in the Web3 space—especially given the directives in Biden’s executive order and the rapid increase in Web3-related data breaches, hacks, ransomware attacks, and scams in recent years.
Governor Gavin Newsom’s Executive Order
California Governor Gavin Newsom also signed an Executive Order this year that related to the regulation of Web3 technology. On May 4, 2022, Governor Newsom issued his Executive Order with the stated goal of creating “a transparent and consistent business environment for companies operating in blockchain, including crypto assets and related financial technologies, that harmonizes federal and California laws, balances the benefits and risks to consumers, and incorporates California values such as equity, inclusivity, and environmental protection.” The order directs state agencies to comport with the process outlined in President Biden’s Executive Order. It further directs the California Department of Financial Protection and Innovation (DFPI) to develop a comprehensive regulatory approach, including exercising its authority under the California Consumer Financial Protection Law “to develop guidance, regulatory clarity, and supervision of private entities offering crypto asset-related financial products and services” as well as publish consumer protection principles, initiate enforcement actions, enhance collection and review of consumer complaints, and communicate with law enforcement authorities regarding criminal activity in the Web3 space. In late September, Governor Newsom also vetoed Assembly Bill 2269, which proposed a regulatory framework for cryptocurrency in California, stating that it was too “premature” and “a more flexible approach” to blockchain and crypto is needed. Newsom seems intent on promoting emerging Web3 technologies and providing flexibility while also keeping consumer protection at the forefront of California’s focus.
Proposed Amendments to the Cybersecurity Information Sharing Act
The Cybersecurity Information Sharing Act was passed in 2015 to “improve cybersecurity in the United States through enhanced sharing of information about cybersecurity threats…” Earlier this year, Senators Marsha Blackburn and Cynthia Lummis proposed changes to the act that would encourage companies involved in distributed ledger technologies like cryptocurrency to voluntarily report and share information regarding cyber threats. Senator Blackburn indicated that the proposed amendments are aimed at consumer protection by enabling companies to have more data about bad actors that they can use to protect cryptocurrency from such threats. These proposed changes signal that regulators are thinking critically about consumer protection and cyber threats as Web3 continues to develop.
As Biden’s Executive Order indicated, appropriate consumer protections are needed to address the “unique and varied” aspects of emerging Web3 technologies. In 2023, we expect even more states to follow California’s lead and direct state agencies to take action with respect to Web3-related technologies, and the CFPB seems poised to act in the event nascent Web3 entities pose risks to consumers. Such developments are not surprising given that cyberattacks on cryptocurrencies and Web3 soared to record highs this year, placing consumers at great risk. For the remainder of 2022 and into early 2023, companies should expect more proposed amendments from Congress and regulators that are focused on developing a more robust and harmonized regulatory framework that considers the impact of Web3 on privacy, cybersecurity, and consumer protection concerns.