Overview

Whilst there has been commentary on many legal aspects of non-fungible tokens (“NFTs”), relatively little has been said about the privacy law aspects. A common view is that privacy risks do not arise with blockchain and cryptoassets because they are not directly associated with individuals’ personal identities. This differs from traditional assets and transactions in the “real world”, which typically involve payment in fiat currency and may have ownership recorded in a public register (e.g., for shares, real estate and certain art/cultural assets) or non-public records (e.g., a retailer’s customer database). In contrast, NFTs are typically acquired with cryptocurrency and stored on a decentralized network, held via a personal but typically anonymous wallet.

This anonymity is always not as depersonalized and private as some may believe. In many cases, ownership of, and transactions relating to, NFTs can be linked to the identity of individuals who own, purchase and sell them.

NFTs – An Introduction

“NFT” was introduced in Collins Dictionary as the word of the year for 2021, defined as (1) “a unique digital certificate, registered in a blockchain, that is used to record ownership of an asset such as an artwork or a collectible” and (2) “an asset whose ownership is recorded by means of a non-fungible token”.

NFTs are digital tokens linked to a blockchain to represent and provide public evidence of the ownership of unique items. Whilst they are cryptoassets that can be traded, they differ from cryptocurrency in an important way. Cryptocurrency such as Bitcoin and Ethereum are fungible, so one Bitcoin may be traded for another Bitcoin. NFTs, in contrast, are non-fungible and non-interchangeable, meaning that no NFT is the same as any other NFT.

Almost overnight in 2021, NFT trading developed into a booming marketplace, with nearly $11 billion in sales in the third-quarter of 2021 alone. Media stories of record-smashing sales include a $69.3 million sale of a collection of digital art by the digital artist Beeple and more recently in December a $91.8 million collection sold by Pak. NFTs have a wide variety of uses beyond digital artwork and collectibles, such as ticketing, gaming, legal documents and tokenized invoices. At the core of an NFT is a smart contract that can assign ownership and manage the transferability of the relevant asset. In many cases, the smart contract itself (comprising a bundle of rights and obligations vested in the holder) is the asset.

The popularity of NFTs sits alongside the emergence of the so-called Web 3.0. This is the name given to the emerging internet infrastructure based on decentralized networks, in which individual ownership of content is a key feature (in contrast to Web 2.0, in which web users typically create content without owning it).^[1]

Privacy Legislation and Cryptoassets

Current privacy legislation was not drafted with blockchain and Web 3.0 in mind. Any attempts to apply the existing legal framework to Web 3.0 technology and cryptoassets result in unsatisfactory outcomes. For instance, the fact that data cannot be deleted from the blockchain runs contrary to basic data subject rights under California Consumer Privacy Act (“CCPA”) and EU General Data Protection Regulation (“GDPR”) (which has effect in the UK through the Data Protection Act 2018 (“DPA 2018”)).

NFTs – A Solution for Privacy

As noted, traditional transactions involve varying degrees of information about the parties being shared with intermediaries and/or made public. In contrast, blockchain transactions avoid the need to share personal information with intermediaries, thus reducing the risk of exposure of personal information. Moreover, some have proposed that NFTs could contain tokenized information to be used in conjunction with smart contracts such that smart contracts could use the NFTs to “verify necessary information without ever exposing it to a third party."^[2] This would allow the use of a tokenized identity to enter into a smart contract without sharing personal information with intermediaries or others. However, as is considered further below, a new, tokenized identity that is distinct from an individual’s real life identity may not be an effective solution to privacy issues.

NFTs – Risks to Privacy

If it is accepted that Web 3.0 is about individual ownership of online content (including cryptoassets on the blockchain), the notion of identity in this new age risks becoming heavily intertwined with the assets held by individuals.

There are several ways in which owning, acquiring and disposing of NFTs could give rise to privacy risks in the Web 3.0 era including:

• Online identifiers and avatars
• Blockchain addresses
• Transaction activity
• Location data

Online identifiers and avatars

Uniqueness and identifiability are inherent characteristics of NFTs – this is precisely what makes them non-fungible and desirable to certain web users. A trend in Web 3.0 and the so-called emerging “metaverse” is for people to create online avatars or profile pictures (commonly referred to as “PFPs”) and devise a digital identity that is either based on, or entirely separate to, their real life entities. For example, users of Twitter, Instagram or online messaging applications may use a PFP in their online presence.

Privacy legislation tends to define personal information or personal data rather broadly. For example:

• Section 1798.140 CCPA defines personal information as:
  • “information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household” and includes “(A) Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers.” (emphasis added.)
• Article 4(1) of the GDPR (which also has effect in the UK by virtue of the DPA 2018) states that:
  • “an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier […]” ^[3] (emphasis added.)

If a PFP or avatar can function to identify a person, then it is arguably personal information/data. But in many cases, a PFP or avatar will only identify a pseudonymous identity that has been deliberately created to exist online independently from – and incapable of being associated with – the natural person sitting behind that online identity. As to this, two issues arise:

• First, few users can be sure that there is no trail of digital breadcrumbs which allows the online identifier (and therefore that individuals’ entire pseudonymous online existence) to be associated with their real life identity.
• Second, the notion of personal information being linked to a natural person may become outdated in the very near future if (or when) millions of individuals have sophisticated online identities which hold social and economic value. This is an existential issue which lawmakers and policymakers will need to grapple with in due course, but it should not be assumed that existing privacy legislation does not apply to online identities, including those which are based on NFTs.

Blockchain address

Cryptoassets are stored on the blockchain at a specific address and can be accessed by their owners through a “wallet” interface, which provides users with the ability to send and receive assets to/from their address. The contents of cryptoasset wallets are public.

Each blockchain address is unique. In the case of the Ethereum network, on which most NFTs are stored and traded, the address is typically a string of 42 randomly generated letters and numbers in hexadecimal format. However, an increasing number of cryptoasset owners have a “.eth” domain associated with their wallet, known as an Ethereum Naming Service (“ENS”) domain.^[4]

Whilst cryptowallets are typically associated with anonymity, many wallets with an ENS domain will deliberately identify the individual (or their online pseudonymous persona) associated with that wallet. This can be as simple as the ENS address containing their personal name (e.g. johnsmith.eth) or indirectly, through a reference to their Web 3.0 identity (e.g. punk1234.eth), which may or may not in turn reveal the individual’s real life identity.

Furthermore, it is possible to view all assets in (and transactions effected via) an individual’s wallet regardless of whether it uses an ENS domain. This may yield clues as to the identity of the individual wallet owner, by reference to certain information that exists in the public domain. If there is any public record of the individual owning or trading a single NFT, or otherwise having revealed their wallet address publicly, that wallet and its contents become inextricably linked with the individual and their cryptoasset holdings will be known to the world at large.

Transaction activity

By using a blockchain explorer (such as Etherscan for the Ethereum blockchain), it is possible to see a complete list of the assets which are held in any given wallet, as well as the transactions in and out of that wallet since the wallet address was created – much like a bank statement that is visible to the world at large.

By way of comparison to existing privacy law frameworks, the CCPA includes within the definition of personal information “Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an internet website application, or advertisement.” This would arguably be broad enough to capture transaction activity on the blockchain if that legislation were applicable to such matters. The language in GDPR is not as prescriptive as CCPA in this regard. However, there is a school of thought that individuals’ web browsing activity constitutes personal data under EU/UK law, so it is would not be too large a leap to assume that transaction activity on the blockchain could also constitute personal data.

Individuals with assets on the blockchain may want to ensure that they take steps to preserve their anonymity (if so desired) and implement appropriate cybersecurity measures.^[5] Likewise, organizations processing individuals’ personal information and effecting transactions on the blockchain (even if it relates to seemingly anonymous wallet addresses) should not automatically assume that data privacy law does not apply.

Location data

Many would assume that NFTs have nothing to do with an individual’s location. However, one type of NFT – a POAP (which states for Proof of Attendance Protocol) – is directly or indirectly linked to location. POAP is an emerging form of NFT which is essentially a digital badge proving that an individual attended an event (either virtually or in the real world). It can be thought of as the digital equivalent to a ticket stub or wristband.^[6]

Because POAPs are stored on the blockchain and are therefore public, it is possible to ascertain an individual’s location history by looking at the contents of their wallet if they have one or more relevant POAPs. For now, these are generally novelty items used by a modest proportion of Web 3.0 users. But if or when the technology becomes more mainstream, the blockchain may contain a rich location history of any given user. Individuals and organisations would need to consider the privacy implications of this location data being permanently recorded and/or made public.

Conclusion

Whilst NFTs may be an exciting medium for those who wish to inhabit a seemingly anonymous and private life online, it is clear that there are several inherent potential threats to privacy. It remains to be seen how NFTs and blockchain technology will adapt with more widespread use and technological advances. However, as Web 3.0 continues to grow, it is likely that we will see an increasing tension between true anonymity and privacy on one hand, and the public aspects of NFTs and blockchain technology on the other.

It will be equally important as the space develops to ensure that any privacy law frameworks are adhered to (to the extent they may already apply) and monitored (in case the law is updated to specifically address privacy in the Web 3.0 age).

_______________

^{[1] Web 2.0 is generally viewed as the successor to Web 1.0, i.e. the era of read-only web pages created solely by website publishers during the early days of the internet before social media and other user-generated content.
[2] https://blog.orchid.com/what-do-nfts-mean-for-privacy-/
[3] Recital 30 of GDPR gives examples of online identifiers, including “internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags”. This list is non-exhaustive which was evidently drafted before the growth of Web 3.0.
[4] These serve a similar function to “.com” domain address in the traditional internet world, which are used to avoid internet users having to type in long strings of characters of a website’s full IP address (e.g. typing in google.com rather than http://142.250.178.4/), thereby allowing funds or assets to be sent to a wallet without having to type out the full 42-character address. 
[5] For example, having a “cold wallet” or “hardware wallet” with a private key (i.e. storage that is not always connected to the web) will be more secure than using a “hot wallet” that is permanently connected online. Further detail can be read here: https://101blockchains.com/hot-wallet-vs-cold-wallet/
[6] In practice, POAPs might be distributed at an event might involve handing out unique QR codes that allow the recipient to visit a website and create/redeem their POAP token, which will be stored in their wallet.}