There is no such thing as a GDPR- or CCPA-compliant blockchain today. Any blockchain business that claims to be compliant under the current scope of either regulation does so purely as a marketing ploy to convince naive would-be enterprise customers to pick theirs over another blockchain. This is dishonest and would not hold up to legal scrutiny.
Indeed, the blockchain industry should not seek to delay the inevitable regulatory reckoning. Industry leaders should get ahead of the narrative and drive the agenda by forming a coalition, setting an influence strategy, and defining a path to compliance that serves the spirit of consumer protection while updating the letter of these laws to comport with technical realities.
Our industry has a leadership role to play in bringing coherence to CCPA compliance and paving the way for reconciling similar contradictions within the GDPR. There is no reason to wait, and no one is better placed to guide the strategy than our own experts.
Blockchains currently operate in a regulatory limbo, uncertain of their status but largely ignoring compliance implications. This is in large part because enforcement is impossible and liability is unclear.
Meanwhile, lawmakers are aware of the irreconcilable conflict between the norms and expectations established by these laws and the technical realities of public distributed ledger technology. Unless and until a private right of action or legislative proposal directly challenges a blockchain business and successfully establishes cause, standing, jurisdiction, and responsible party, consumers will remain without clarity on their rights and protections under these laws. Blockchain businesses will likewise operate uncertain of their legal status and obligations, and lawmakers will continue looking the other way and pretending they don’t see the glaring inconsistencies.
Consumers, lawmakers, and the blockchain industry would all benefit from clarity, and it falls to the blockchain industry to lead the charge in recognizing and upholding the spirit of CCPA by bringing the letter of this law into conformity with technical reality.
To keep this manageable, I will not focus on the differences between GDPR and CCPA, and will instead outline the main ways in which both laws diverge from blockchain technologies as currently architected. Addressing these issues in CCPA will, in any case, help lay the groundwork for similar adjustments to the GDPR.
The laws diverge in four areas:
- There is no clear liable party responsible for the control of personal data. Compliance is imposed on the controller that processes personal data. But it is impossible to identify subjects responsible for processing blockchain transactions since they are verified by multiple nodes on a decentralized network. Moreover, it is not clear that a liable entity even exists in the context of a decentralized network. Finally, jurisdiction is impossible to establish and uphold, since validators operate worldwide.
- Purpose cannot be limited. Even if a liable subject could be identified, it would not be possible to ensure that personal information collected for one purpose could not later be used for a different purpose, since this assurance falls outside the scope of what nodes and validators have insight into. They are responsible for establishing consensus about the state of contracts on chain, not for assuring what purpose is derived from those public contracts in perpetuity. Data is maintained on every network node and accessible to anyone to view, irrespective of the original intent for entering transactions into the public ledger.
- The immutability of append-only distributed ledgers contravenes the right to be forgotten. To alter consensus and delete a block would require directing the computational capacity of a majority of nodes on a network to delete the requested block. By extension, this would require full control of the majority of those nodes. This type of control is fundamentally antithetical to the purpose of a decentralized ledger, and introduces security and censorship risk to a technology that is intentionally architected for censorship resistance.
- Blockchains’ function as public commercial registers is incompatible with norms around the treatment of private data established by both laws. Anyone can anonymously access information stored on chain and disseminate this information broadly, posing a significant threat to privacy as it is defined within CCPA and GDPR. The advent of blockchains requires entirely updated conceptions of privacy norms and new scope for what information requires protection.
Both the CCPA and GDPR impose legal norms that cannot be reconciled with the nature of blockchain technology as it is currently architected.
But that is not a reason the technology should be abandoned. Instead, lawmakers require education to devise appropriate laws. Rather than remaining in limbo, the blockchain industry should push for regulatory clarity on all four of the main points of divergence between compliance requirements and technical realities.
- An amendment should establish the business status of miners and validators who operate nodes. Importantly, this amendment should provide definitional clarity on what “doing business” means in the context of blockchains, since the crypto business models are vastly different from traditional businesses as defined in case law. Miners who confirm transactions can potentially be considered controllers, although this is impractical in the case of large public blockchains such as Bitcoin. The most expedient remedy here is to agree that there is no controlling party in the case of blockchains, and that an entirely different mental model should be used to defend consumer interest in the face of a technology that was not encompassed within the construct of CCPA.
- The CCPA’s limiting purpose provision should be removed from applicability to blockchain contexts.
- The CCPA should recognize the fundamental nature of the blockchain’s immutability, and likewise remove this provision from applicability, since honoring the right to be forgotten would put the entire blockchain -- and therefore all of its users -- at information security risk.
- The CCPA can make critical improvements in privacy, which is the aspect of consumer protection most challenged by blockchains. Ironically, while the previous three incompatibilities provide very little useful protection to consumers, the most meaningful opportunity to protect consumers is wholly unaddressed by the CCPA. An appropriate amendment might stipulate that on-chain transactions must not contain any personal data, must be access controlled, and must record only URLs and hash values of the personal information stored off-chain. Doing so could partly satisfy the desire for revocability and deletion, since such requests could be met by deleting personal information from an associated off-chain database or data store while retaining consensus about on-chain transaction history.
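The off-chain data / on-chain hash pattern described above, as an added example that is not part of the original article. It uses a constructed in-memory ledger and store, and goes one step beyond the text: the on-chain value is a keyed hash whose salt lives only off chain, so erasing the off-chain record also removes any way to confirm a guessed e-mail address against the ledger.

```python
import hashlib
import hmac
import json
import secrets

# Constructed stand-in for append-only on-chain state: entries are never removed.
LEDGER = []
# Mutable off-chain store holding the actual personal data plus a per-record secret salt.
OFF_CHAIN = {}


def _canonical(record: dict) -> bytes:
    """Serialize personal data deterministically so the commitment is reproducible."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def _commitment(salt: bytes, record: dict) -> str:
    """Keyed hash (HMAC-SHA256) of the record. The salt never goes on chain, so a
    low-entropy field such as an e-mail address cannot be confirmed from the
    ledger by guessing, the way a plain unsalted SHA-256 of it could be."""
    return hmac.new(salt, _canonical(record), hashlib.sha256).hexdigest()


def register(record_id: str, record: dict, uri: str) -> dict:
    """Keep PII off chain; append only {uri, commitment} to the ledger."""
    salt = secrets.token_bytes(32)
    OFF_CHAIN[record_id] = {"salt": salt, "record": record}
    entry = {"record_id": record_id, "uri": uri, "commitment": _commitment(salt, record)}
    LEDGER.append(entry)
    return entry


def verify(record_id: str) -> bool:
    """Re-derive the commitment from the off-chain copy; False once the PII is gone."""
    stored = OFF_CHAIN.get(record_id)
    if stored is None:
        return False
    expected = next(e["commitment"] for e in LEDGER if e["record_id"] == record_id)
    return hmac.compare_digest(expected, _commitment(stored["salt"], stored["record"]))


def erase(record_id: str) -> bool:
    """Honour a deletion request by dropping the off-chain record and its salt.
    The ledger entry is untouched: consensus history is preserved, and the
    remaining hash is now just an unlinkable random-looking value."""
    return OFF_CHAIN.pop(record_id, None) is not None


def ledger_contains_pii(record: dict) -> bool:
    """Sanity check a reviewer would run: no raw field value appears on the ledger."""
    blob = json.dumps(LEDGER)
    return any(str(v) in blob for v in record.values())
```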
By taking proactive steps to bring privacy law into coherence with technological reality, blockchain industry leaders can work with regulators to play a key role in providing:
- Better protection to consumers by upholding the spirit of the law while updating the letter for technical feasibility.
- Clarity on provisions of the law that are vague, confusing, or unenforceable when applied in the context of blockchains.
By establishing responsibility for data control, consumers would benefit from understanding that there is no real liable subject on a blockchain. This removes an irreconcilable inconsistency and provides clear expectations to users while addressing a major point of legal ambiguity for miners who operate nodes.
There is no reason to wait for regulatory or private right of action to impact how our industry operates. As experts in blockchain technology, responsibility for educating lawmakers and the public falls to blockchain companies themselves.