Prepared remarks: Making Progress on Data Privacy: A Colorado Perspective (March 5, 2024)
Thanks for joining us to celebrate Consumer Protection Week. Our Department started our work on data privacy and data security at the outset of my administration. We have come a long way. In my remarks, I want to discuss that journey briefly and take some time to look ahead.
The Second Best World of State Privacy Law
For starters, let me acknowledge that we are living in a second-best world.[1] In the first best world, Congress would have the ability to act on the bipartisan support and strong public support and enact a comprehensive data privacy law as strong as Colorado’s law and that provides for State AG enforcement of it. Indeed, the United States is one of the very few nations that lacks such a law. In the absence of such a law, we made the decision to pursue state legislation and, after unanimous support in our State Senate, we were the third state to pass comprehensive data privacy legislation. As of today, a total of 12 states have done so and more such laws are expected to be passed this year.
In Colorado, we are proud that our law provides some of the strongest protections for consumers. In particular, our consumer privacy law requires opt-in consent before the use of sensitive data. This includes the personal data of children under 13, biometric data, mental and physical health data, and protected data related to race, religion, and sexuality. Consumers may not be aware when this type of information is collected or, in the case of some health data, may assume it is protected by federal health laws when it is not. The Colorado Privacy Act helps ensure consumers are informed and in control when it comes to their most sensitive personal data.
With a burgeoning number of state privacy laws now enacted, we are committed to a promise I made earlier about state legislation—we all must do our very best to ensure that businesses have the ability to comply with multiple state privacy laws. Put differently, the states with such laws must work together to ensure that our legal systems are interoperable with one another and that compliance with all such systems is feasible. To advance this work, our team is now working with colleagues in other states on a special privacy law conference this year to discuss critical privacy law and policy issues.
With Colorado’s privacy law now in effect, our team is working hard to communicate what it requires and on the lookout for those willful violators of it. As I explained when we were starting our regulatory process, we are looking for those who are engaging in willful violation of the law—as opposed to those who are operating in good faith and making modest mistakes.[2] And if you have questions about what our law requires, we are getting ready to implement a process for providing guidance from those engaged in good faith compliance. Stay tuned for more information on that front.
An Innovative Mindset and User Controls
When Colorado adopted a state privacy law, one of the innovations we adopted is the requirement that those collecting data respect a “universal opt out mechanism,” or “UOOM.” The idea of an UOOM is that consumers would prefer to use a single system for communicating their preferences on how data collected about them can be used. The challenge, of course, is how can companies collecting data know what technologies marketed as UOOMs are legitimate and worthy of respect. To ensure that consumers and companies know which UOOMs will be enforced in Colorado, we committed to maintain a list of valid UOOMs. To that end, our department recently conducted a process where we asked proposed UOOMs to provide information on how they operate and we invited public comment on the potential impact and viability of the proposed UOOMs.
After the process conducted last fall, we recognized the Global Privacy Control (“GPC”) as the first UOOM that companies would be required to respect and follow. As commenters recognized, GPC is the most promising and significant technology that enables consumers to opt out of data processing.[3] We recognize that the adoption of this technology is still a work in progress and that our action to recognize this technology is only one further step in advancing its use. We will, as part of our consumer education, talk about this technology (and other approved UOOMs) and we will also work with fellow states that recognize the role of an UOOM to encourage its use.
With respect to the role of whether users adopt UOOMs and exercise their control over data, we recognize that there is an important experiment that we will be a part of. Giving consumers meaningful choice in the face of complicated new technology can be difficult. In the case of Google’s agreements calling for its search to be the featured technology, for example, it has maintained a dominant market position because of them and, as we have argued in federal district court, violated the antitrust laws as a result.[4] Other examples abound. As one commentator put it:
The bigger problem is not the sometimes ridiculous difficulty of opting out, it’s that consumers often aren’t even aware of what their settings allow, or what it all means. If they were truly informed and actively choosing among the available options, the default setting would matter little, and be of little to no value.[5]
Making it easier for consumers to control their personal data is a big deal, and requiring GPC is a first step to meet that goal. I recognize that the proof will be in the pudding on whether GPC as a UOOM provides consumers with a real world opportunity to control their digital footprint. In a different context, the use of parental controls by social media platforms, there is real cause for concern that the potential benefit of such controls is illusory. After we led a multistate lawsuit against Meta for its actions that harmed teen mental health, they pointed to these parental controls as a reason parents should not be concerned about the negative impacts from its platform. What they did not acknowledge, however, is that the very limited use of such controls means that Meta’s decisions—the default settings as it were—largely control. That means young people are affected by a blizzard of notifications, algorithms that can lead towards greater consumption of content discussing and suggesting self-harm, and were marketed to in violation of federal law—by enticing and retaining 11 and 12 year old kids on its platforms.
Looking Ahead
The important challenge in data privacy and security law is that we cannot—and we will not—sit still. This legal regime continues to develop and new obligations are now upon companies and non-profit organizations. Take, for example, the use of a data protection assessment. This concept is a common sense step that companies should have adopted years ago. Now, it’s the law. We look forward to efforts to drive and improve such assessments, helping companies make better decisions about what data to collect, how long to store it, and who has access to it.
The looming impact of artificial intelligence, or AI, is one that we are aware will intersect with data privacy. After all, AIs will only be as capable as the data sets that they can use. The use of AI presents new and evolving data privacy and consumer protection questions. Did consumers knowingly consent to the use of their personal data to develop an AI system or algorithm? Is there bias in the data sets used, and does an AI system treat all consumers equally? When and where is it appropriate to deploy AI systems or algorithms? What choice should consumers have between a product or service enabled by AI vs a real person? To be sure there is a huge innovative upside to making some products more efficient and even better. But there are also huge risks, suggesting that a risk assessment approach to when AI is used is well advised.[6]
Colorado’s privacy act took one step regarding AI by giving consumers control over the use of their personal data for automated profiling in certain situations and requiring businesses to assess the risk in using automated systems. One of the questions that we are already fielding is what new legislation might come down the pike related to AI, biometrics, and other emerging technologies. Similar to consumer data privacy, we are already seeing state legislatures pass laws in these areas before Congress acts. As we answer those questions in Colorado, I would come back to the first principles I discussed when we considered how to develop a data privacy law—we need a system that protects consumers; that provides a level of certainty to consumers and companies; that enables efficient compliance; that is interoperable with the law of other states; and that allows for ongoing innovation.[7]
* * *
In closing, let me acknowledge the extraordinary team in Colorado who is working on these issues. Both the process of our work and the quality of people doing it are exemplifying how government should work. Our department remains committed to being accessible, transparent, and innovative in how we continue to protect consumer privacy. Thank you all for being a part of this community and helping us continue to set a bar for other states to meet.
[1] That was how I framed the issue in the spring of 2019. https://coag.gov/press-releases/04-11-19.
[2] This was one theme of my remarks to the International Association of Privacy Professionals in 2022. https://coag.gov/blog-post/prepared-remarks-attorney-general-phil-weiser-at-the-international-association-of-privacy-professionals-april-12-2022. I elaborated on that point last spring. https://coag.gov/blog-post/prepared-remarks-attorney-general-phil-weiser-on-the-way-forward-on-data-privacy-may-4-2023.
[3] See, for example, the Future of Privacy Forum’s comment (page 1).
[4] https://coag.gov/app/uploads/2024/03/2023.02.16-PUBLIC-Redacted-SJ-Opposition-Brief.pdf
[5] https://www.nytimes.com/2023/11/20/opinion/apple-google-privacy.html
[6] We led a coalition of State AGs in commenting to the Department of Commerce on this front. https://coag.gov/app/uploads/2023/06/NTIA-AI-Comment.pdf
[7] I discuss those values at https://coag.gov/blog-post/prepared-remarks-attorney-general-phil-weiser-at-the-international-association-of-privacy-professionals-april-12-2022/.