Thinking of creating a non-fungible token (NFT) marketplace? You're not alone. Global NFT transactions have risen from $40.96 million in 2018 to around $25 billion in 2021. Organizations from the NBA to Taco Bell have begun implementing NFT strategies. As blockchain-native artifacts, NFTs' immutability, digital scarcity, and transferability have catalyzed growing interest among consumers and businesses alike, inspiring companies of all sizes to explore potential use-cases ranging from standalone art pieces, to NFTs tied to physical products, to NFTs with real-world or virtual components.

NFTs' unique technical features, and the business models those features enable, pose distinct and challenging legal questions arising from laws that were not made for, or did not anticipate, their advent. (See related Wilson Sonsini advisories addressing the potential application of securities law, intellectual property law, tax law, and anti-money laundering regulation to certain NFTs.) This advisory focuses on consumer protection and privacy regulation. The following tips can help businesses offering NFTs avoid regulatory scrutiny in these areas:

• Implement measures to preserve authenticity of NFTs. By all accounts, fraud is rampant in the NFT space, with stolen images proliferating on the most popular exchanges. If your NFT marketplace is permeated by fraudulent or inauthentic NFTs, NFTs that include illegal or offensive content, or NFTs that have not secured appropriate permissions, this could weaken user trust in your marketplace, cause reputational harm, and incentivize users to seek out other marketplaces. And without appropriate controls and contractual protections, you may be exposed to legal risk. Indeed, the chair of the Federal Trade Commission has stated her intention to scrutinize "gatekeepers" and "dominant intermediaries," and to "look[] upstream" at firms enabling and profiting from unlawful conduct. Rather than "whack-a-mole" enforcement against fraudulent NFT purveyors, her remarks suggest that the FTC would be more interested in pursuing the platforms through which NFTs are offered.

  Although Section 230 of the Communications Decency Act of 1996 might provide some level of legal protection for marketplaces that host or sell user-generated content, that law is in Congress' crosshairs, and in any event, would not address the reputational and competitive damage that could arise from fraudulent offerings. Accordingly, you should, at the very least, clearly and expressly prohibit illegal behavior in connection with the sale of NFTs, and implement measures to prevent such behavior (e.g., putting in place a team to address complaints). In addition, be careful to ensure you're not making inaccurate claims related to NFTs or the extent to which you police NFTs.

• Be careful about earnings claims. In an effort to attract business, you may be tempted to make claims about how much NFT sellers could earn on your marketplace or how much buyers could earn by investing in NFTs. But you should think twice. The FTC has launched a rulemaking proceeding to bar deceptive earnings claims, including investment or money-making opportunities. While the FTC may already pursue deceptive or false earnings claims under Section 5 of the FTC Act, the new rule in this area would allow the Commission to seek steep penalties against noncompliant companies. And the proposed rule may not be limited to prohibiting outright deception. For example, the FTC is exploring whether any earnings claims should be accompanied by additional disclosures of specific earnings information.
• Accurately state your privacy practices. When you create an NFT marketplace, you will likely collect personal information from buyers and sellers, such as username, email address, and blockchain address. It's a good idea to set forth your practices with respect to personal information in a privacy policy. In addition to making sure claims are accurate within privacy policies, make sure all of your public-facing statements (e.g., user interfaces, blog posts, press releases) about how you collect, use, and share this data are accurate, not only at the point where you launch your marketplace, but also over time. The FTC has taken enforcement action against many companies whose privacy claims have not kept up with their changing data practices. Periodically review your data practices and your disclosures to make sure they continue to be accurate.
• Have a compliance strategy to implement consumer data rights. In certain cases, such as under the coming amendment to California's state privacy law (CCPA), the new Virginia privacy law, and the new Colorado privacy law, you may not need to worry about access, correction, or deletion obligations for data appended to a public blockchain because these laws carve out "publicly available" information from the definition of personal information. However, other laws that offer data subjects those same rights do not have a similar carve-out. Make sure that you have a process in place to effectuate consumer rights under applicable laws, and are clear about any limitations—for example, you may not be able to comply with a request to delete data published to the blockchain.
• Pay special attention if your marketplace is attractive to children. Among the variety of use-cases for which NFTs are being considered, some, such as certain video games, may appeal to minors, including children under 13. Consider the application of the Children's Online Privacy Protection Act (COPPA) if your NFT platform, or certain content on that platform, is likely to attract a significant audience under 13. If so, in many circumstances, you can't simply comply by requiring users to attest that they are over 13 or blocking child users from the site. Rather, you should follow the FTC's guidance for providing a COPPA compliant experience to users who indicate they are under 13. What is a COPPA-compliant experience? There are various approaches, but it may include obtaining verifiable parental consent prior to collecting, using, or disclosing any child's personal information, or limiting the type of personal information you collect and the ways you use that information. Failure to comply with these obligations may result in substantial fines.