INFORMATION LAW JOURNAL - A Publication of the Information Security & Internet of Things Committees ABA Section of Science & Technology Law ...

Page created by Anthony Lloyd
 
CONTINUE READING
INFORMATION LAW JOURNAL - A Publication of the Information Security & Internet of Things Committees ABA Section of Science & Technology Law ...
INFORMATION LAW JOURNAL
           PAGE 3                                                                                                                                EDDE JOURNAL

   A Publication of the Information Security & Internet of Things Committees
                  ABA Section of Science & Technology Law

WINTER 2019                   VOLUME 10                  ISSUE 1                            EDITOR/FOUNDER: THOMAS J. SHAW, ESQ.

                               California Consumer Privacy Act: A Comprehensive Review
By Steve Vieux, Al Saikali and Camila Tobón
On June 28, 2018, Governor Jerry Brown signed into law the California Consumer Privacy Act (CCPA or the
Act). The Act, with an effective date of January 1, 2020, grants extensive rights to consumers regarding their
personal information maintained by businesses. Given the size of the state economy, and the Read more

                       State Smart-Contract Laws: Will They Escape Federal Preemption?
By Charles Adjovu
Blockchain, cryptocurrencies, and smart-contracts are no longer simply buzzwords but are now hitting the
mainstream with attention focusing on their real-world applications. Bitcoin, the first cryptocurrency and
blockchain application in the financial sector, opened the world to the technology, and now many Read more

     Cloud Services Negotiation: Tips for Reducing Data Privacy and Cybersecurity Risks
By Leslie Spasser and Allison Trimble
The adoption of cloud computing (the process of using a network of remote servers to store, manage and
process information via the Internet) has grown significantly over the past few years due to the realization of the
many benefits cloud services have to offer. These benefits include the ability to save capital and Read more

                                       Cryptocurrencies, Moving at the Speed of Business
By JoHanna Cox
The cryptocurrency world is evolving and is the new medium for which business and commerce will operate
internationally. While I am not purporting to be a technical expert in the area, I think some basic understanding
of how the currencies work is important for THE context of this article. Crypto currencies, or cyber Read more

                               New Contract on the Block: Smart, Swift and Self-executing
By Renato Opice Blum and Camila Rioja Arantes
The concept of smart contract as a self-executing contract permeates discussions in some law firms and
companies, a significant number of colleges and dozens (if not hundreds) of groups and communities on
platforms like WhatsApp and Telegram. The subject is also a very hot topic in both national and Read more

                                                                     ****Editor’s Message****
We are starting the tenth year of publishing the Information Law Journal each quarter, continuing to welcome authors
and readers from across the ABA. This issue again presents articles focusing on various aspects of leading-edge
domestic and international practice in information, Internet, and emerging technologies law. More than 200 authors
have written for the Information Law Journal and antecedents. Seven authors are writing here for the first time.
Our next issue (Spring 2019) is scheduled to be published in March 2019. All readers of the Information Law Journal
may share their experiences and knowledge with their fellow professionals by writing an article. Every qualified
submission within the scope and requirements as explained in the Author Guidelines will be published. The issue
following the next issue (Summer 2019) is scheduled to be published in June 2019.
 © 2018 American Bar Association. All rights reserved. Editorial policy: The Information Law Journal (formerly published separately as the Information Security and Privacy News
 and the EDDE Journal) provides information about current legal and technology developments in information security, privacy, cloud computing, big data, mobile computing, e-
 discovery, digital evidence, computer crime, cybersecurity, e-commerce, and the Internet of Things that are of professional interest to members of the ABA. Material published
 in the Information Law Journal reflects the views of the authors and does not necessarily reflect the position of the ABA, the Section of Science & Technology Law or the editor.
INFORMATION LAW JOURNAL - A Publication of the Information Security & Internet of Things Committees ABA Section of Science & Technology Law ...
PAGE 2                                                                        INFORMATION LAW JOURNAL

California Consumer Privacy Act: A Comprehensive Review

By Steve Vieux, Al Saikali and Camila Tobón

                                                                    On June 28, 2018, Governor Jerry
                                                                    Brown signed into law the
                                                                    California Consumer Privacy Act
                                                                    (CCPA or the Act). The Act, with an
                                                                    effective date of January 1, 2020,
                                                                    grants     extensive    rights   to
                                                                    consumers       regarding      their
                                                                    personal information maintained
by businesses. Given the size of the state economy, and the wide breadth of entities subject to the Act,
many rightly feel that the CCPA may turn into a de facto national privacy law. This article summarizes
the rights given to consumers under the Act, the requirements imposed on businesses, and the Act’s
provisions for enforcement by both the California Attorney General (Attorney General or the agency)
and private individuals.

Who does it apply to?

The CCPA impacts a wide range of entities that interact with Californians. Many businesses will fall
under the CCPA’s inclusive definition of a “business” subject to CCPA enforcement. The CCPA defines a
subject business as basically a for-profit business doing business in California that collects either
consumer personal information, or on whose behalf personal information is collected.1 To be subject
to the CCPA, the business must also fit one of the following characteristics:

      •    Has annual gross revenues in excess of $25 million adjusted according to the Consumer Price
           Index every odd-numbered year;

      •    Purchases, receives, sells or shares the personal information of 50,000 or more consumers,
           households or devices for commercial purposes2 (no apparent limitation to how many of
           those consumers, households, etc. must be Californian); or

      •    Derives 50% or more of its annual revenue from selling personal information (no apparent
           limitation to revenue amassed in California or from Californian consumers). 3

1
  Cal. Civ. Code § 1798.140(c)(1).
2
  The Act defines “commercial purpose” as “means to advance a person’s commercial or economic interests … by inducing
another person to buy, rent, lease …or exchange products, goods, property…or enabling or effecting, directly or indirectly, a
commercial transaction.” Cal. Civ. Code § 1798.140(f).
3
  Cal. Civ. Code § 1798.140(c)(1).
INFORMATION LAW JOURNAL - A Publication of the Information Security & Internet of Things Committees ABA Section of Science & Technology Law ...
PAGE 3                                                                            INFORMATION LAW JOURNAL

The definition of a business also includes an entity controlled by a business, as described above, that
shares common branding with the latter. Such control is defined as owning 50% of the shares of voting
securities, controlling the election of a majority of the directors, or having the power to exercise
controlling influence over the management of an entity.4 “’Common branding’ means a shared name,
servicemark, or trademark.”5

Service providers, not fitting the above description of a business, may also be subject to the CCPA’s
“right to be forgotten” provisions described below.6

What does it apply to?

The goal of the CCPA is to protect a consumer’s personal information. The CCPA’s definitions of
“consumer” and “personal information” again make the impact of the law seem limitless. Consumer is
defined in the Act as any natural person who is a California resident “however identified, including by
any unique identifier.”7 And the term resident applies to anyone in California “for other than a
temporary or transitory purpose” and anyone who is domiciled in California but out of state for a
temporary or transitory purpose.8

Personal information is defined as information that “identifies, relates to, describes, is capable of being
associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or
household.”9 Besides obvious identifiers such as a real name, postal address or online identifier, the
Act goes on to list examples of the wide variety of information that could be included in this definition,
such as name, geolocation data, internet browsing history, employment-related information,
purchasing history, education history, biometric data (defined more broadly than any existing
biometric privacy law), the way a person smells or sounds, and any inferences that can be drawn from
such information.10

Exemptions

Despite the breadth of its impact, there are important exemptions and exclusions to the CCPA that
businesses should keep in mind. The CCPA should not restrict a business’s ability to:

      •    comply with any other federal, state or local laws;

4
  Cal. Civ. Code § 1798.140(c)(2).
5
  Id.
6
  Cal. Civ. Code § 1798.105(c).
7
  Cal. Civ. Code § 1798.140(g).
8
  Id. (referring to the definition of California resident in Section 17014 of Title 18 of the California Code of Regulations as
read on September 1, 2017).
9
  Cal. Civ. Code § 1798.140(o)(1).
10
   Id. at (A)-(K).
INFORMATION LAW JOURNAL - A Publication of the Information Security & Internet of Things Committees ABA Section of Science & Technology Law ...
PAGE 4                                                            INFORMATION LAW JOURNAL

      •    comply with any civil, criminal or regulatory investigation, subpoena, or summons by a federal,
           state or local authority;

      •    cooperate with law enforcement agencies;

      •    exercise or defend any legal claims; and

      •    collect, use, retain, sell or disclose “deidentified” or “aggregate” consumer information.11

The CCPA also does not apply to the collection or sale of personal information occurring entirely
outside of California.12 Looking closely at this exemption, however, even an out of state business may
find it hard to apply it to many of its transactions. For it to apply, not only must no part of the sale of
personal information occur in California, but none of the personal information sold should include data
collected while the consumer was inside the state. The Act also states that a business cannot simply
store a consumer’s personal information while they’re in California and then wait to collect it once the
consumer leaves California to avail itself of this exemption.13

The CCPA also provides a carve-out for information protected and/or collected pursuant to other
federal and state laws.14 It will not apply to protected health information collected by a “covered entity
or business associate” governed by HIPAA and medical information governed by the California
Confidentiality of Medical Information Act.15 A health care provider governed by the Confidentiality of
Medical Information Act and a “covered entity” governed by the data security rules of HIPAA are
further exempt with respect to patient information, if they maintain patient information in the same
manner as required subject to those laws.16

In a positive development for the life sciences industry, the CCPA exempts certain information
collected as part of clinical trials subject to the Federal Policy for the Protection of Human Subjects.17
The CCPA also exempts the sale of information “to or from a consumer reporting agency” in
connection with a credit report.18

Finally, the Act exempts information collected, processed, sold, or disclosed pursuant to the Gramm-
Leach-Bliley Act or the California Financial Information Privacy Act, 19 and information collected,

11
   Cal. Civ. Code § 1798.145(a)(1)-(5).
12
   Cal. Civ. Code § 1798.145(a)(6).
13
   Id.
14
   Cal. Civ. Code § 1798.145(c).
15
   Cal. Civ. Code § 1798.145(c)(1)(A).
16
   Cal. Civ. Code § 1798.145(c)(1)(B).
17
   Cal. Civ. Code § 1798.145(c)(1)(C).
18
   Cal. Civ. Code § 1798.145(d).
19
   Cal. Civ. Code § 1798.145(e).
INFORMATION LAW JOURNAL - A Publication of the Information Security & Internet of Things Committees ABA Section of Science & Technology Law ...
PAGE 5                                                           INFORMATION LAW JOURNAL

processed, sold, or disclosed under the Driver’s Privacy Protection Act.20 However, neither of these two
exemptions apply to a consumer’s private right of action under the Act.

Right to access

The first section of the CCPA gives Californians the right to request their personal information collected
by a business from that business. Upon receipt of a verifiable consumer request,21 a business that
collects personal information must disclose the categories and specific pieces of personal information
collected about that consumer.22 Section 1798.100 also requires that prior to or at the time of
collection, the business must inform the consumer as to the categories of personal information it will
collect and the purposes for collecting the personal information. If the business later collects additional
categories of personal information or uses the personal information for different purposes, it must first
provide notice to the consumer.23

A business must respond to a consumer’s request under this section “promptly”.24 The information
should be delivered via mail or electronically. If the latter, it should be in a portable and readily usable
format that “allows the consumer to transmit this information to another entity without hindrance.”25
A business is not required to provide such information to a consumer more than twice in a 12-month
period.26

The CCPA can appear repetitive as to the disclosure requirements for businesses. Section 1798.110
requires businesses that collect personal information to disclose the following to a consumer upon a
verifiable request:

      •    categories of personal information collected about that consumer;

      •    categories of sources from which the personal information is collected;

      •    the business or commercial purpose for collecting or selling the personal information;

      •    categories of third parties with whom the business shares personal information; and

      •    the specific pieces of personal information it has collected about that consumer.27

20
   Cal. Civ. Code § 1798.145(f).
21
   Cal. Civ. Code § 1798.100(c).
22
   Cal. Civ. Code § 1798.100(a).
23
   Cal. Civ. Code § 1798.100(b).
24
   Cal. Civ. Code § 1798.100(d).
25
   Id.
26
   Id.
27
   Cal. Civ. Code § 1798.110(a) & (b).
INFORMATION LAW JOURNAL - A Publication of the Information Security & Internet of Things Committees ABA Section of Science & Technology Law ...
PAGE 6                                                                        INFORMATION LAW JOURNAL

Under Section 1798.115, businesses that sell personal information, or disclose it for a business
purpose,28 must disclose to a consumer upon receipt of a verifiable request the:

      •    categories of personal information collected about the consumer;

      •    categories of personal information about the consumer sold and the categories of third
           parties to whom it was sold; and

      •    categories of personal information disclosed about the consumer for a business purpose. 29

For consumer requests pursuant to Sections 1798.110 and 1798,115 above, Section 1798.130 of the
act requires businesses to make two or more methods available for submitting verifiable requests for
information, including (at a minimum) a toll-free number and web site (if the business maintains
one).30 Within 45 days of receiving the verifiable consumer request, the business must disclose the
required information, free of charge.31 The 45-day time period may be extended once by an additional
45 days when reasonably necessary, as long as the consumer is notified of the extension within the
first 45-day period.32 The business’s disclosure only has to cover the preceding 12 months before
receipt of the consumer request.33 The disclosure shall be made in writing and delivered through the
consumer’s account with the business, or if the consumer does not maintain an account with the
business, by mail or electronically.34

Businesses should also pay special attention to whether Section 1798.115’s disclosure requirements
apply to them due to the Act’s expansive definition of “sell[ing]”.35 Sell “means selling, renting,
releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally,
in writing, or by electronic or other means, a consumer’s personal information by the business to
another business or a third party for monetary or other valuable consideration.”36 The CCPA does not
provide guidance on what could be included as “valuable consideration”.37 The CCPA does clarify,
however, that a business does not sell personal information when:

28
   Business purpose is defined as “use of personal information for the business’s or service provider’s operational purposes,
or other notified purposes, provided that the use of personal information is reasonably necessary and proportionate to
achieve the operational purpose for which the personal information was collected or processed or for another operational
purpose that is compatible with the context in which the personal information was collected.”
29
   Cal. Civ. Code § 1798.115(a) & (b).
30
   Cal. Civ. Code § 1798.130(a)(1).
31
   Cal. Civ. Code § 1798.130(a)(2).
32
   Id.
33
   Id.
34
   Id. A business cannot require a consumer to create an account just in order to respond to the request. Id.
35
   Cal. Civ. Code § 1798.140(t)(1).
36
   Id.
37
   Id.
INFORMATION LAW JOURNAL - A Publication of the Information Security & Internet of Things Committees ABA Section of Science & Technology Law ...
PAGE 7                                                            INFORMATION LAW JOURNAL

      •    a consumer directs the business to intentionally disclose personal information or uses the
           business to interact with a third party;

      •    a business uses or shares an identifier for a consumer that has opted out of the sale of his or
           her information for purposes of alerting a third party;

      •    the business uses or shares with a service provider personal information of a consumer that is
           specifically necessary to perform a business purpose if it gave prior notice that it would use or
           share the information; or

      •    the business transfers consumer personal to a third party as an asset that is part of a merger,
           acquisition, bankruptcy, or other transaction in which the third party assumes control of all or
           part of the business.38

Right to be forgotten

A consumer will now have the right to request that a business delete any personal information about
the consumer that the business has collected from the consumer. 39 A business that receives a
verifiable consumer request to delete personal information must delete the personal information and
direct any service providers to delete the personal information from their records.40 Businesses and
service providers are not required to comply if maintaining the personal information is necessary to
perform one of certain activities described in the Act, including but not limited to, detecting security
incidents, complying with a legal obligation, otherwise using the consumer’s personal information
legally and compatible with the context in which the consumer provided the information, etc. 41

Right to Opt-Out and Right to Opt-In

A consumer can direct a business that sells personal information not to sell their personal information
under the Act.42 Businesses that sell personal information to third parties must provide an online
notice on its website to consumers that the personal information may be sold and that consumers
have the “right to opt-out” of the sale of their personal information.43 A business must also ensure
that there is a link on its homepage titled, “Do Not Sell My Personal Information,” that directs the
consumer to a web page where they could choose to opt out of the sale of their personal

38
   Cal. Civ. Code § 1798.140(t)(2).
39
   Cal. Civ. Code § 1798.105(a).
40
   Cal. Civ. Code § 1798.105(c).
41
   Cal. Civ. Code § 1798.105(d).
42
   Cal. Civ. Code § 1798.120(a).
43
   Cal. Civ. Code § 1798.120(b).
PAGE 8                                                                         INFORMATION LAW JOURNAL

information.44 The business must respect a consumer’s decision to opt out for at least 12 months
before again requesting that the consumer authorize the sale of personal information. 45

The Act also forbids businesses from selling the personal information of a consumer the business
knows is less than 16 years old unless that consumer is either (1) above 13 years old and has provided
affirmative consent, or (2) is less than 13, but their parent or guardian has consented. 46 This is referred
to as a right to opt-in. This provision is a bit odd in that it assumes a 13-year-old is going to read the
privacy disclosures and make a well-reasoned decision on opting out (or in) of the sale of their personal
information.

Right against discrimination

The CCPA also prohibits a business from discriminating against a consumer that exercises their CCPA
rights. The Act refers to the following as examples of such discrimination:

      •    Denial of goods or services;

      •    Charging different prices;

      •    Provision of a different level or quality of goods or services; or

      •    Suggesting that the consumer will receive a different price or rate or a different level or
           quality of goods or services.47

However, a business can charge different prices or provide a different level of quality if the difference
is related to the value provided to the consumer by the consumer’s data.48 Somewhat relatedly, a
business can also offer financial inducements to consumers for the collection, sale, or deletion of
personal information to consumers, including different prices or quality of service related to the value
of the data to the consumer.49 The business must notify consumers of such financial incentives in its
online privacy notice.50 Furthermore, the business may only enroll a consumer in its financial incentive
program if the consumer does not exercise their right to opt-out as described above after being given

44
   Cal. Civ. Code § 1798.135(a)(1).
45
   Cal. Civ. Code § 1798.135(a)(5).
46
   Cal. Civ. Code § 1798.120(c). Willful disregard of a consumer’s age will be taken to mean that a business has actual
knowledge of the consumer’s age. Id.
47
   Cal. Civ. Code § 1798.125(a)(1).
48
   Cal. Civ. Code § 1798.125(a)(2).
49
   Cal. Civ. Code § 1798.125(b)(1).
50
   Cal. Civ. Code § 1798.125(b)(2).
PAGE 9                                                             INFORMATION LAW JOURNAL

the material terms of the program.51 That consent can be revoked any time. Lastly, the incentives must
not be “unjust, unreasonable, coercive, or usurious in nature.”52

Online privacy notice

The CCPA also requires that governed businesses must provide an online privacy notice that lists the
following information it collected about consumers in the preceding 12 months:

      •    categories of personal information it has collected;

      •    categories of sources from which the personal information is collected;

      •    the business or commercial purpose for collecting or selling personal information;

      •    categories of third parties with whom the business shares consumer personal information;
           and

      •    specific pieces of personal information it has collected.53

Businesses that sell or disclose personal information for a business purpose, must also provide via an
online privacy notice, information on the categories of personal information they have sold or
disclosed for a business purpose, or if they have not sold or disclosed personal information, state
that.54

If it sells personal information, a business’s online privacy notice should include two separate similar
listings for personal information it has sold and disclosed for a business purpose.55 It must also include
in its online privacy notice a description of a consumer’s rights to opt out of having their information
sold along with a link to a web page that allows consumers to exercise their opt-out rights.56

A business is instructed to update its online privacy notice at least once every 12 months, and it must
also include the following:

      •    Description of consumer’s rights to request that a business disclose information on the
           personal information it collects;

      •    Disclose the right to request deletion of personal information;

51
   Cal. Civ. Code § 1798.125(b)(3).
52
   Cal. Civ. Code § 1798.125(b)(4).
53
   Cal. Civ. Code § 1798.110(c).
54
   Cal. Civ. Code § 1798.115(c).
55
   Cal. Civ. Code § 1798.130(a)(5)(C).
56
   Cal. Civ. Code § 1798.135(a)(2).
PAGE 10                                                                     INFORMATION LAW JOURNAL

      •    Disclose anti-discrimination rights.57

Enforcement

The California Attorney General has been entrusted with enforcing and regulatory implementation of
the CCPA. The CCPA not only gives the Attorney General’s office civil enforcement powers, but also
authority to issue final regulations implementing the law. The Attorney General’s Privacy Enforcement
& Protection Unit already has extensive enforcement experience in the area, successfully bringing
several enforcement actions under other laws concerning privacy and data security.58 While the
effective date for the CCPA is January 1, 2020, the legislature amended the Act to delay enforcement
until the earlier of July 1, 2020 or six months after the issuance of the final regulations. 59

Penalties for violations

The Attorney General can only bring an action under the CCPA against a business if it does not cure an
alleged violation within thirty days after notification of the alleged violations by the Attorney
General.60 An offending business is subject to an injunction and a civil penalty of $2,500 for an
unintentional violation and $7,500 for an intentional violation, per violation. 61 The CCPA does not
provide any further explanation on how the Attorney General will specifically differentiate between an
“intentional” and “unintentional” violation. The civil penalties secured by the Attorney General are to
be deposited into the state’s Consumer Privacy Fund where they can assist the Attorney General’s
enforcement efforts.62

As previously discussed, the CCPA exposes a wide range of businesses, both based in California and
outside, to legal liability. Judging from the targets of the Attorney General’s previous privacy
enforcement actions under other privacy and data security laws,63 and the realities of prosecutorial
discretion mixed with limited resources, the Attorney General may prioritize targeting alleged
violations by recognizable consumer bands. Especially brands in the retail and consumer product
spaces that interface directly with much more ordinary consumers on a daily basis. Such prioritization
not only focuses the finite human and physical resources of the agency on alleged violations that affect
a larger number of California consumers, but it also assists in consumer and business education efforts
due to the media attention such legal actions will bring.

57
   Cal. Civ. Code § 1798.130(a)(5)(A).
58
   “Privacy Enforcement Actions,” State of California Department of Justice website, https://oag.ca.gov/privacy/privacy-
enforcement-actions .
59
   Cal. Civ. Code §1798.185(c).
60
   Cal. Civ. Code §1798.155(b).
61
   Id.
62
   Cal. Civ. Code §1798.155(c).
63
   Privacy Enforcement Actions,” supra at 1 (listing privacy enforcement actions against big-name brands such as Comcast,
Uber, Target and Lenova).
PAGE 11                                                                      INFORMATION LAW JOURNAL

Guidance and Rulemaking

The CCPA also allows businesses “to seek the opinion of the Attorney General” for guidance on
compliance.64 While businesses will no doubt find this to be helpful, and should take advantage of the
opportunity, the Attorney General objected to the inclusion of this provision in the CCPA. 65 The
Attorney General expressed worry over the burden on his office of potentially “provid[ing] legal
counsel” to “all inquiring businesses” at the taxpayers’ expense.66 Despite that objection, the provision
remained in the CCPA after the latest amendments on August 31.

The legislature did take into account the request from the Attorney General for extension on its
deadline for issuing final regulations. The legislature amended the Act to delay the deadline for the
Attorney General’s issuance of final regulations six months from the effective date until July 1, 2020. 67
The amended act, however, whether done intentionally or due to oversight, still requires that the
Attorney General issue regulations within one year of passage in three specific areas, which would be
by June 2019.68 Those regulations deal with (1) establishing exceptions “necessary to comply with state
or federal law”, (2) accessibility and clarity to the “average consumer” of the notices and information
businesses are required to provide, and (3) rules and procedures related to requirements in the
previously discussed disclosure provisions of Sections 1798.110, 1798.115 and 1798.130 of the Act.69
Unfortunately, those provisions, especially the last two, appear to be the most complex in the act, and
appear to pose the most burden on the business community.

Private enforcement

The CCPA creates a private right of action only as to a breach of nonencrypted or nonredacted personal
information where the business lacked reasonable security procedures and practices, but not for
violations of the rest of the CCPA.70 The elements of a claim under a CCPA private action are the
following: (1) A consumer’s personal information is nonencrypted or nonredacted; (2) is subjected to
an unauthorized access and exfiltration, theft, or disclosure; (3) a business violated a duty to
implement and maintain reasonable security procedures and practices appropriate to the nature of the
information to protect personal information; and (5) such violation caused a breach. 71 Importantly, the
definition of personal information under California’s data security law, which governs for creating a
private right of action under the CCPA, is narrower than the CCPA’s general definition.72 It is limited to

64
   Cal. Civ. Code §1798.155(a).
65
   Letter from Hon. Xavier Becerra to the Hon. Ed Chau and the Hon. Robert M. Hertzberg, RE: California Consumer Privacy
Act of 2018, August 22, 2018.
66
   Id.
67
   Cal. Civ. Code §1798.185(a).
68
   Id. at (3), (6) and (7).
69
   Id.
70
   Cal. Civ. Code §1798.150(c).
71
   Cal. Civ. Code §1798.150(a).
72
   Cal. Civ. Code §1798.150(a)(1).
PAGE 12                                                                           INFORMATION LAW JOURNAL

a consumer’s name in combination with a social security number, driver’s license number, certain
financial information, medical information, or health insurance information.73

Before initiating an action, the private litigant must give the business a thirty-day notice to business
and opportunity to cure before filing a suit.74 How a notice to cure would work in a situation where a
business has already suffered a breach is unclear. No notice is needed for a consumer to recover
actual pecuniary damages. Plaintiffs can claim injunctive relief, damages between $100 and $750 per
consumer per incident or actual damages, whichever is greater, and other relief the court deems
proper.75 Interestingly, the CCPA does not require an actual showing of harm or injury for a private
action.76

Conclusion

We can expect further amendments to the Act before it becomes effective in 2020. Given the broad
nature and depth of the Act’s application, as well as need for greater clarity in some of the provisions,
businesses should pay special attention to the legislative process. Since the main requirements and
goals of the Act are not anticipated to change much in the way of reducing the burden of compliance,
businesses should also use this period before actual enforcement to work with privacy counsel in
getting ready. Entities that feel they may be subject to the CCPA should ready themselves now by
identifying and categorizing the type of personal information from consumers they collect and disclose,
and creating systems that will allow them to provide notice, obtain consent, and respond to the
extensive disclosures (and requests for deletion) under the Act.

Steve Vieux is Of Counsel at Shook, Hardy & Bacon, where he practices commercial and product liability
litigation in the firm’s San Francisco office, as well as counsels clients on antitrust and consumer
protection matters. Prior to joining Shook, Steve was an attorney at the Federal Trade Commission in
Washington, DC. svieux@shb.com

Al Saikali is a Partner with Shook, Hardy & Bacon, where he chairs the firm’s Privacy and Data Security
Practice. asaikali@shb.com

Camila Tobón is the Director of Shook, Hardy & Bacon’s International Data Privacy Task
Force. mtobon@shb.com

73
   The Act refers to the definition of personal information under preexisting state law governing data security in Cal. Civ.
Code §1798.81.5(d)(1)(A). Id.
74
   Cal. Civ. Code §1798.150(b).
75
   Id.
76
   See Lothar Determann, California Privacy Law, 2-15:3.2 (3d. ed. 2018).
PAGE 13                                                                       INFORMATION LAW JOURNAL

State Smart-Contract Laws: Will They Escape Federal Preemption?

By Charles Adjovu

                            Blockchain1, cryptocurrencies, and smart-contracts are no longer simply
                            buzzwords but are now hitting the mainstream with attention focusing on
                            their real-world applications. 2 Bitcoin, the first cryptocurrency and
                            blockchain application in the financial sector, opened the world to the
                            technology, and now many are seeking to utilize blockchain technology in
                            a variety of non-financial applications such as healthcare, energy,
                            cybersecurity, and music. 3 One specific application of blockchain
                            technology is the unfortunately named “smart-contract”, which is
executable code “stored, verified, and executed” on a blockchain that will run as coded, with no fear of
downtime or censorship.4 Nick Szabo is often attributed as one of the first computer scientist and
cryptographer to conceptualize smart-contracts.5

Smart-contract applications were initially conceived by computer scientist and cryptographer, Nick
Szabo, in the 1990s but really started gaining headway in the blockchain space in 2013 with the
development of Mastercoin/Omni coin in 2013 and Ethereum in 2015.6

Smart-contracts bring blockchain’s potential to the fore regarding its uses in commerce, especially in
business-to-consumer (B2C) and business-to-business (B2B) transactions.7 Many even tout the ability
of smart-contracts to become part of the next generation of digital legal contracts (some even go so far

1
  Blockchain is used interchangeably with distributed ledger throughout the article.
2
  Mattha Busby, Blockchain is this year's buzzword – but can it outlive the hype?, The Guardian (Jan. 30, 2018, 3:00 EST),
https://www.theguardian.com/technology/2018/jan/30/blockchain-buzzword-hype-open-source-ledger-bitcoin.
3
  Abhimanyu Krishnan, 24 Industries That Blockchain Will Radically Transform, Invest in Blockchain (Feb. 27, 2018),
https://www.investinblockchain.com/blockchain-transform-industries/; Arjun Kharpal, Beyond bitcoin: How the world is
experimenting with the blockchain, CNBC (Aug. 29, 2018, 1:27 AM EDT), https://www.cnbc.com/2018/08/29/bitcoin-
world-is-experimenting-with-blockchain.html.
4
  Mark, Youtube Went Offline for 30 Minutes, NullTX (Oct. 16, 2018), https://nulltx.com/youtube-down-30-minutes/; Alyssa
Hertig, How Do Ethereum Smart Contracts Work?
, Coindesk https://www.coindesk.com/information/ethereum-smart-contracts-work (last visited, Nov. 14, 2018) ; Josh Stark,
Making Sense of Blockchain Smart Contracts, Coindesk (Jun. 4, 2016, 18:39 UTC),
https://www.coindesk.com/making-sense-smart-contracts; Allen Scott, Vitalik Buterin: I Quite Regret Adopting the Term
‘Smart Contracts’ for Ethereum, Bitcoinist (Oct. 14, 2018, 5:00 AM), https://bitcoinist.com/vitalik-buterin-ethereum-regret-
smart-contracts/ .
5
  Alyssa Hertig, How Do Ethereum Smart Contracts Work?, Coindesk https://www.coindesk.com/information/ethereum-
smart-contracts-work (last visited, Nov. 14, 2018).
6
  Hertig, supra note 5; Vitalik Buterin, Mastercoin: A Second-Generation Protocol on the Bitcoin Blockchain, Bitcoin
Magazine (Nov. 4, 2013, 5:15 PM EST), https://bitcoinmagazine.com/articles/mastercoin-a-second-generation-protocol-on-
the-bitcoin-blockchain-1383603310/.
7
  Tim Sandle, Smart contract technology set to transform commerce, Digital Journal: Business (Jan. 1, 2018),
http://www.digitaljournal.com/business/smart-contract-technology-set-to-transform-commerce/article/511177.
PAGE 14                                                                         INFORMATION LAW JOURNAL

as saying they will completely replace them, but that is unlikely to happen).8 For example, the Accord
project is creating a legal smart-contract open source software stack to help the transition and
adoption of legal smart-contracts. 9 Bitcoin and blockchain technology entered the American
mainstream media in 2017 with project after project raising millions of dollars through Initial Coin
Offerings (ICOs) and Bitcoin rapidly racing to an all-time-high of $20,000.00 dollars.10

To pounce on the potential held by smart-contracts and blockchain technology, and most importantly,
to bring these new and exciting (investor-funded) blockchain projects within their borders, many State
Legislatures have passed laws related to blockchain technology, ICOs, cryptocurrencies, and smart-
contracts.11 Further, some States have now enacted blockchain working groups to develop legal and
regulatory frameworks for this new technology and its various applications. 12 Tennessee and Arizona,
have specifically passed bills defining the contours of smart-contracts in their state.13

There are three major issues that may arise from a State smart-contract law: 1) inconsistency with
other state smart-contract laws; 2) federal preemption; and 3) incompatibility with underlying
functions of smart-contracts and blockchain technology.14 In this article, I will discuss the above issues
and why state smart-contract regulation at the state level is not absurd as it seems. In Part I, I shall
compare Arizona and Tennessee’s smart-contract laws. In Part II, I shall provide a brief overview of
blockchain technology and discuss whether Arizona and Tennessee’s smart-contract laws make sense
considering blockchain’s underlying functioning. In Part III, I shall discuss why Arizona, Tennessee, and
any other state that passes smart-contract laws will face preemption issues and whether there are any
workarounds. Lastly, I shall provide a short conclusion.

8
  Mary Juetten, Legal Technology and Smart Contracts: Blockchain & Smart Contracts (Part IV), Forbes (Sept. 6, 2017, 8:00
AM), https://www.forbes.com/sites/maryjuetten/2017/09/06/legal-technology-and-smart-contracts-blockchain-smart-
contracts-part-iv/#3d8d24666a5f; Stark, supra note 4.
9
  Accord, Accord, https://www.accordproject.org/ (last visited Nov. 14, 2018).
10
   William Suberg, Bitcoin Hits $20,000 Per Coin, Capping Year of Enormous Growth, Coindesk (Dec. 17, 2017),
https://cointelegraph.com/news/bitcoin-hits-20000-per-coin-capping-year-of-enormous-growth; John Patrick Mullin, ICOs
In 2017: From Two Geeks And A Whitepaper To Professional Fundraising Machines, Forbes (Dec. 18, 2017, 11:29 PM),
https://www.forbes.com/sites/outofasia/2017/12/18/icos-in-2017-from-two-geeks-and-a-whitepaper-to-professional-
fundraising-machines/#66a1b532139e.
11
   See Sagewise, Smart Contracts State Legislation, Sagewise, https://www.sagewise.io/smart-contracts-state-legislation/
(last visited Nov. 14, 2018).
12
   See Arizona Blockchain Initiative, Arizona Blockchain Initiative, https://azblockchain.org/ (last visited Nov. 14, 2018).
13
   H.B. 2417, 53rd Leg., 1st Reg. Sess. (Ariz. 2017); S.B. 1662, 110th Gen. Assemb. (Tenn. 2018).
14
   H.B. 2417, 53rd Leg., 1st Reg. Sess. (Ariz. 2017); S.B. 1662, 110th Gen. Assemb. (Tenn. 2018); Stark, supra note 4; Mark
Giancaspro, Is a ‘smart contract’ really a smart idea? Insights from a legal perspective, 33 Computer Law & Security Review
825 (2017); Mauricio Sevilla, Should smart contracts be legally enforceable?, Brandcrypt ( May 7, 2018),
https://brandcrypt.com/en/should-smart-contracts-be-legally-enforceable/.
PAGE 15                                                                           INFORMATION LAW JOURNAL

I. State Smart-Contract Bills

Arizona, New York, Ohio, Tennessee and Vermont are states that have deliberated smart-contract bills
in their legislative sessions.15 In this paper, only Arizona and Tennessee (possibly VT) smart-contract
laws will be compared because they explicitly define smart-contracts and blockchain or distributed
ledger technology.16

Arizona passed its smart-contract law, House Bill No. 2417 (HB2417), in 2017.17 HB2417 amends Title
44, Chapter 26 in the Arizona Revised Statutes to define smart-contract and blockchain technology.18
HB2417 defines a smart-contract as “an event-driven program, with state, that runs on a distributed,
decentralized, shared and replicated ledger and that can take custody over and instruct transfer of
assets on that ledger.”19 HB2417 also defines blockchain technology as “distributed ledger technology
that uses a distributed, decentralized, shared and replicated ledger, which may be public or private,
permissioned or permissionless, or driven by tokenized crypto economics or tokenless. The data on
the ledger is protected with cryptography, is immutable and auditable and provides an uncensored
truth.”20 HB2417 recognizes smart-contract use in commerce and provides that “[a] contract relating to
a transaction may not be denied legal effect, validity or enforceability solely because that contract
contains a smart contract term.”21

Tennessee passed a smart-contract law, Senate Bill No. 1662 (SB1662), in March 2018.22 SB1662
amends Tennessee Code Annotated, Title 47, Chapter 10 to add language explicitly defining distributed
ledger technology and smart-contracts. 23 SB1662 defines distributed ledger technology as “any
distributed ledger protocol and supporting infrastructure, including blockchain, that uses a distributed,
decentralized, shared, and replicated ledger, whether it be public or private, permissioned or
permissionless, and which may include the use of electronic currencies or electronic tokens as a
medium of electronic exchange.”24 SB1662 defines a smart-contract as “an event-driven computer
program, that executes on an electronic, distributed, decentralized, shared, and replicated ledger that
is used to automate transactions.”25

15
   Sagewise, supra note 11.
16
   Id.
17
   H.B. 2417, 53rd Leg., 1st Reg. Sess. (Ariz. 2017).
18
   Id.
19
   Id.
20
   Id.
21
   Id.
22
   S.B. 1662, 110th Gen. Assemb. (Tenn. 2018).
23
   Id (as opposed to implicitly defining or simply staying silent on the matter, such as stating a working group should
examine smart-contracts, without further defining smart-contracts.).
24
   Id.
25
   Id.
PAGE 16                                                                          INFORMATION LAW JOURNAL

SB1662 also includes an example of smart-contract transactions:

        “(A) Take custody over and instruct transfer of assets on that ledger;

         (B) Create and distribute electronic assets;

         (C) Synchronize information; or

         (D) Manage identity and user access to software applications.”26

SB1662 recognizes smart-contract use in commerce and provides that “[a] contract relating to a
transaction may not be denied legal effect, validity or enforceability solely because that contract
contains a smart contract term.”27

I.A. Comparing Arizona and Tennessee’s Smart-Contract Laws

Arizona and Tennessee's smart contract bills share many similarities. 28 Arizona and Tennessee's
definitions of blockchain technology and smart-contracts are nearly identical except for a few
discrepancies. 29 Most notably, these discrepancies make Tennessee’s smart-contract bill more
amenable than Arizona’s smart-contract bill as a model for other states in defining blockchain
technology and smart-contracts.30

I.A.I. Blockchain Definitions

Arizona’s definition does not include blockchain as a type of distributed ledger technology, rather
defining all distributed ledger technologies as blockchain.31 Tennessee’s definition includes blockchain
technology as a type of distributed ledger technology.32 Arizona explicitly requires a blockchain to be
secured by cryptography, while Tennessee leaves it up to the creators of the distributed ledger
protocol to decide whether to use cryptography or not.33

Arizona’s definition also takes it a step further than Tennessee's by including “immutable and auditable
and provides an uncensored truth” in its definition.34 Arizona’s definition is more explicit, but also

26
   Id.
27
   Id.
28
   S.B. 1662, 110th Gen. Assemb. (Tenn. 2018); H.B. 2417, 53rd Leg., 1st Reg. Sess. (Ariz. 2017).
29
   S.B. 1662, 110th Gen. Assemb. (Tenn. 2018); H.B. 2417, 53rd Leg., 1st Reg. Sess. (Ariz. 2017).
30
   S.B. 1662, 110th Gen. Assemb. (Tenn. 2018); H.B. 2417, 53rd Leg., 1st Reg. Sess. (Ariz. 2017).
31
   H.B. 2417, 53rd Leg., 1st Reg. Sess. (Ariz. 2017).
32
   S.B. 1662, 110th Gen. Assemb. (Tenn. 2018).
33
   S.B. 1662, 110th Gen. Assemb. (Tenn. 2018); H.B. 2417, 53rd Leg., 1st Reg. Sess. (Ariz. 2017) (however, in a practical sense,
you will be required to use cryptography).
34
   S.B. 1662, 110th Gen. Assemb. (Tenn. 2018); H.B. 2417, 53rd Leg., 1st Reg. Sess. (Ariz. 2017).
PAGE 17                                                                     INFORMATION LAW JOURNAL

more restrictive because of 51% attacks on a blockchain network.35 A 51% attack occurs when a user or
set of users, who may be malicious or non-malicious, have more than fifty percent of the network’s
hashing power.36 A user implementing a 51% attack can censor transactions from being added to the
blockchain, which will lead that blockchain to no longer fall under Arizona’s HB2417. 37 Further, a
malicious individual may then double spend cryptocurrency, thereby removing the immutability of
records on the blockchain.38 On the other hand, Tennessee’s SB1662 would still consider a blockchain
that has suffered a 51% attack to fall under its blockchain definition. 39

Other than this difference, the bills are pretty much the same.40 Arizona and Tennessee generally
define a blockchain by using language containing “distributed, decentralized, shared and replicated
ledger,” that includes public and private blockchains that are permissioned or permissionless, which
may or may not have cryptocurrencies or tokens. 41 Arizona and Tennessee’s broad definition
encapsulates nearly all blockchain projects currently in existence.42

I.A.II. Smart-Contract Definitions

Arizona and Tennessee’s smart-contract definitions are also nearly identical other than a few
discrepancies. 43 Arizona and Tennessee both define smart-contracts as “event-driven computer
programs, that run on a distributed, decentralized, shared, and replicated ledger.”44 A small difference
with major implications arises concerning the use of smart-contracts. 45 Arizona’s smart-contract
defines smart-contracts use as “tak[ing] custody over and instruct[ing] transfer of assets on that
ledger.” 46 This definition constrains smart-contract use because it limits smart-contracts to a
“transfer[or/ee]” or custodian of assets.47 Compare this use limitation with Tennessee’s SB1662 smart-
contract definition, which leaves smart-contract use broad, and includes an exemplary list of smart-
contract usage.48 Tennessee’s SB1662 not only leaves use broad, it provides examples of such usage,
principally, the first usage described is the exact same use limitation found in Arizona’s HB2417 smart-

35
   Jeff John Roberts, Bitcoin Spinoff Hacked in Rare ‘51% Attack’, Fortune (May 29, 2018),
http://fortune.com/2018/05/29/bitcoin-gold-hack/; 51% Attack, Investopedia, https://www.investopedia.com/terms/1/51-
attack.asp (last visited Nov. 12, 2018).
36
   Roberts, supra note 35; Investopedia, supra note 35.
37
   Roberts, supra note 35; Investopedia, supra note 35; H.B. 2417, 53rd Leg., 1st Reg. Sess. (Ariz. 2017).
38
   Roberts, supra note 35; Investopedia, supra note 35; H.B. 2417, 53rd Leg., 1st Reg. Sess. (Ariz. 2017).
39
   S.B. 1662, 110th Gen. Assemb. (Tenn. 2018) (though, it may not qualify anymore because the network is now controlled
by one user, therefore the network is no longer decentralized).
40
   S.B. 1662, 110th Gen. Assemb. (Tenn. 2018); H.B. 2417, 53rd Leg., 1st Reg. Sess. (Ariz. 2017).
41
   S.B. 1662, 110th Gen. Assemb. (Tenn. 2018); H.B. 2417, 53rd Leg., 1st Reg. Sess. (Ariz. 2017).
42
   Blockchains & Distributed Ledger Technologies, BlockchainHub https://blockchainhub.net/blockchains-and-distributed-
ledger-technologies-in-general/ (last visited Nov. 14, 2018).
43
   S.B. 1662, 110th Gen. Assemb. (Tenn. 2018); H.B. 2417, 53rd Leg., 1st Reg. Sess. (Ariz. 2017).
44
   S.B. 1662, 110th Gen. Assemb. (Tenn. 2018); H.B. 2417, 53rd Leg., 1st Reg. Sess. (Ariz. 2017).
45
   S.B. 1662, 110th Gen. Assemb. (Tenn. 2018); H.B. 2417, 53rd Leg., 1st Reg. Sess. (Ariz. 2017).
46
   H.B. 2417, 53rd Leg., 1st Reg. Sess. (Ariz. 2017).
47
   Id.; Asset, Black's Law Dictionary (2nd ed. 1910).
48
   S.B. 1662, 110th Gen. Assemb. (Tenn. 2018); H.B. 2417, 53rd Leg., 1st Reg. Sess. (Ariz. 2017).
PAGE 18                                                                           INFORMATION LAW JOURNAL

contract definition.49 Tennessee’s SB1662 second usage example is informative in describing the
limitations of Arizona’s use limiting language.50 The second usage example contemplates smart-
contracts having the ability to create and distribute assets which goes beyond merely the
transferr[or/ee] or custodian of assets.51 Arizona’s use limitation does not consider a smart-contract
that can create electronic assets, while Tennessee would allow for it.52 Tennessee’s definition is more
forgiving than Arizona’s and includes more smart-contract uses.53

Lastly, both bills recognize the use of smart-contracts in commerce and that smart-contracts will not be
denied legal effect, validity or enforceability solely because a smart contract is used.54 However,
another difference exists here as well.55 In Tennessee, a contract executed as a smart-contract will not
be denied legal cognizance while in Arizona, a smart-contract will not be denied legal cognizance solely
because a contract contains a smart-contract term.56 Though this appears somewhat different, the
effect of either provision should be the same as a contract solely executed as a smart-contract only
contains smart-contract terms, and a contract that includes a smart-contract term can also be
extended to include a contract that is solely comprised of smart-contract terms.57 Overall, Tennessee
and Arizona’s smart-contract definitions are very similar and provide a good basis for other states
considering smart-contact legislation.58

II. Brief Overview of Blockchain Technology and Smart-Contracts

A blockchain is an immutable and irreversible digital public ledger which allows a distributed network
of computers to verify the authenticity of transactions without the need for a central authority. 59 What
truly makes blockchain powerful is how it secures and authenticates data to prevent data tampering
and fraud.60 A blockchain’s cybersecurity comes from its ability to control how data is added to the
blockchain (called mining), how blocks are connected to each other, and how nodes decide on the
correct blockchain.61 Let’s start with how a block gets added to the chain. In mining, there are many

49
   S.B. 1662, 110th Gen. Assemb. (Tenn. 2018); H.B. 2417, 53rd Leg., 1st Reg. Sess. (Ariz. 2017).
50
   S.B. 1662, 110th Gen. Assemb. (Tenn. 2018); H.B. 2417, 53rd Leg., 1st Reg. Sess. (Ariz. 2017).
51
   S.B. 1662, 110th Gen. Assemb. (Tenn. 2018); H.B. 2417, 53rd Leg., 1st Reg. Sess. (Ariz. 2017).
52
   S.B. 1662, 110th Gen. Assemb. (Tenn. 2018); H.B. 2417, 53rd Leg., 1st Reg. Sess. (Ariz. 2017).
53
   S.B. 1662, 110th Gen. Assemb. (Tenn. 2018); H.B. 2417, 53rd Leg., 1st Reg. Sess. (Ariz. 2017).
54
   S.B. 1662, 110th Gen. Assemb. (Tenn. 2018); H.B. 2417, 53rd Leg., 1st Reg. Sess. (Ariz. 2017).
55
   S.B. 1662, 110th Gen. Assemb. (Tenn. 2018); H.B. 2417, 53rd Leg., 1st Reg. Sess. (Ariz. 2017).
56
   S.B. 1662, 110th Gen. Assemb. (Tenn. 2018); H.B. 2417, 53rd Leg., 1st Reg. Sess. (Ariz. 2017).
57
   S.B. 1662, 110th Gen. Assemb. (Tenn. 2018); H.B. 2417, 53rd Leg., 1st Reg. Sess. (Ariz. 2017).
58
   S.B. 1662, 110th Gen. Assemb. (Tenn. 2018); H.B. 2417, 53rd Leg., 1st Reg. Sess. (Ariz. 2017).
59
   Mark E. Burge, Apple Pay, Bitcoin, and Consumers: The ABCs of Future Public Payments Law, 7 Hastings L.J. 1493, 1529
(2016).
60
   Id.; Jennifer Bresnick, Is Blockchain the Answer to Healthcare’s Big Data Problems?, Health IT Analytics (Apr. 27, 2016),
https://healthitanalytics.com/news/is-blockchain-the-answer-to-healthcares-big-data-problems..
61
   Bresnick, supra note 60; Johannes Mueller, Understanding Blockchains by Coding One in R
, Datacamp: Tutorials (Feb. 8, 2018), https://www.datacamp.com/community/tutorials/blockchain-
r?utm_campaign=News&utm_medium=Community&utm_source=DataCamp.com.
PAGE 19                                                                         INFORMATION LAW JOURNAL

ways to do it, but the most dominant method is Proof-of-Work (PoW), created by Satoshi Nakamoto.62
PoW helps restrain spam and fraudulent transactions from being added to the blockchain by requiring
miners (transaction validators) to solve a very hard math problem (the work), which when answered, is
easily verifiable (proof) by any other node on the network.63 Mining is done in a decentralized manner,
as in no single entity is given priority for mining, rather, it is more of a lottery where any person who
solves the PoW problem first can add their block to the chain.64

Once a new block is mined, it will be added to the blockchain.65 A new block primarily holds a set of
transactions, and in the header, it includes two hashes: 1) the previous block’s hash; and 2) its own
hash.66 By requiring the new block to be created based on the hash of the previous block, we obtain an
immutable sequential chain of transactions.67 If someone tried to change the contents of a block, they
would have to change the hashes of all sequential blocks after the altered block.68 This makes it nigh
impossible for one party to commit fraud because the blockchain is replicated among many nodes on
the network.69 Once a new block is created, it gets distributed to the nodes on the network, thereby
providing for a “replicated” authoritative ledger that all other nodes can refer to for data integrity. 70 A
fraudulent individual may change one person’s copy of the ledger, but they are very unlikely to have
the ability to change a majority (50%+) of the copies held by nodes, and when consensus is again
determined, the fraudulent transaction will be removed from the ledger. 71 This goes back to the
blockchain’s inherent redundancy, by constantly re-verifying all transactions/blocks from the first block
(genesis block), you prevent data tampering and provide an authoritative record of transactions. 72 Now,
how is consensus determined about what is the correct chain? It is determined based on the longest-
chain rule (generally for most PoW blockchains), whereby the chain with the most work done, is the
correct chain and should be followed.73

The workings of a blockchain make censorship-resistance and lowtrust possible.74 With the blockchain,
you can achieve lowtrust by each counterparty in a transaction relying on their own personal replicated
copy of the blockchain.75 Additionally, censorship-resistance is achieved by decentralizing the mining

62
   Satoshi Nakamoto, Bitcoin: A peer-to-peer electronic cash system (2008), https://bitcoin.org/bitcoin.pdf; Mueller, supra
note 61.
63
   Mueller, supra note 61.
64
   Bresnick, supra note 60; Mueller, supra note 61.
65
   Mueller, supra note 61.
66
   Id.
67
   Id.
68
   Bresnick, supra note 60; Mueller, supra note 61.
69
   Bresnick, supra note 60; Mueller, supra note 61.
70
   Bresnick, supra note 60; Mueller, supra note 61.
71
   Bresnick, supra note 60; Mueller, supra note 61.
72
   Bresnick, supra note 60; Mueller, supra note 61.
73
   Bresnick, supra note 60; Mueller, supra note 61.
74
   Bresnick, supra note 60; Mueller, supra note 61.
75
   Bresnick, supra note 60; Mueller, supra note 61.
PAGE 20                                                                        INFORMATION LAW JOURNAL

process to a winner-take-all situation, where people compete among each other.76 Further, no one can
stop any user from making a transaction on the bitcoin blockchain.77 A smart-contract, as described by
Nick Szabo, can be thought of as a digital vending machine where users provide some input to the
smart-contract, and the smart contract will provide some output, like a vending machine where a
customer inserts money into the vending machine, and then the vending machine will dispense a drink,
within certain defined rules.78 Arizona and Tennessee have created broad smart-contract bills which
work with the underlying functionality of blockchain and smart-contracts.79

Both laws considered the inherent functioning of a blockchain as creating an immutable and
irreversible record (with Arizona expressly mentioning cryptography), and that smart-contracts are
driven to action when a certain set of conditions are met.80

III. State Smart-Contract Laws and Federal Preemption

State passage of smart-contract laws raises federal preemption concerns, but these concerns are
complicated by the fact smart-contracts can be interpreted as “legal contracts,” which are traditionally
a domain of state legislation, and as an electronic transaction under the Uniform Electronic
Transactions Act. Under American common law, a contract requires three elements: 1) offer; 2)
acceptance; and 3) consideration.81 An offer exists when an offeror is willing to be bound by the terms
of their offer and the offerree need do nothing but accept the terms.82 An acceptance exists when an
offerree accepts the terms as offered.83 Consideration exists when there is a bargained for exchange.84
Lastly, other than these three elements, the contract must not suffer from any formation defects such
as incapacity (age, competence, etc.), unilateral or mutual mistake, lack of consideration,
unconscionability, lapse, misrepresentation, illegal subject matter and fraud.85 A smart-contract can
easily qualify as a contract under the common law requirements because the creator or manager of
the smart-contract offers (e.g., creating the smart-contract and storing it on the blockchain) the terms
to the offeree in a manner a reasonable person would assume only requires acceptance (e.g.,
interacting with one of the functions of the smart-contract by depositing a certain amount of
cryptocurrency or tokens), and the consideration should exist from the deposit of a certain amount of
tokens in the smart-contract.86 Mark Giancaspro discussed how many issues under contract law, such

76
   Bresnick, supra note 60; Mueller, supra note 61.
77
   Bresnick, supra note 60; Mueller, supra note 61.
78
   Hertig, supra note 5.
79
   S.B. 1662, 110th Gen. Assemb. (Tenn. 2018); H.B. 2417, 53rd Leg., 1st Reg. Sess. (Ariz. 2017).
80
   S.B. 1662, 110th Gen. Assemb. (Tenn. 2018); H.B. 2417, 53rd Leg., 1st Reg. Sess. (Ariz. 2017).
81
   Annie Sisk, What Three Elements Are Necessary for a Legal Contract?, bizfluent (Oct. 20, 2018),
https://bizfluent.com/info-8646564-three-elements-necessary-legal-contract.html.
82
   Id.
83
   Id (Mirror image rule will apply under common law, but this will change depending on the body of law, e.g., Uniform
Commercial Code Article 2 acceptance does not require acceptance to be the same as the terms).
84
   Id.
85
   Giancaspro, supra note 14, at 828-33.
86
   Id.; Sisk, supra note 81.
You can also read