Prepared remarks: Attorney General Phil Weiser at the International Association of Privacy Professionals (April 12, 2022)
Data Privacy Protection: A Colorado Perspective
April 12, 2022
It’s an honor to join such a distinguished group of privacy leaders to discuss our work in Colorado to protect data privacy. Before discussing our work in Colorado and our upcoming rulemaking, let me start with three important back stories.
I. Three Back Stories
My first back story is the story of a lack of federal government legislative leadership. Just over a decade ago, I was working for President Barack Obama on a concept that is familiar to many of you—a Privacy Bill of Rights. My White House colleagues, Chief Technology Officer Aneesh Chopra and Deputy Chief Technology Officer Danny Weitzner, worked hard to develop and refine this concept. Their proposed legislation—unveiled around a decade ago—remains on the shelf, as Congress has failed to act during that time. I won’t dwell on this failing other than to contrast it with state leadership, which is now where the important action is at in developing privacy law and policy.
The second back story is that, over the last 25 years or so, the Federal Trade Commission has worked hard to develop norms around protecting privacy. In the late 1990s, Federal Trade Commission Chairman Bob Pitofsky championed a basic norm around privacy protection—when companies promise certain protection for data they collect, they are obligated to honor those promises. In 1998, as the FTC pointed out, only two percent of websites had privacy policies. After two years of focus on this issue, calling for transparency on this point, 88% of websites had privacy policies. One scholar even described the FTC as a “norm entrepreneur” based on this work. And the FTC continued its important work in the data privacy area, even building up a set of complementary expectations in the data security realm.
My third back story is that, in the shadow of the FTC actions, Chief Privacy Officers and other leaders in companies, non-profit organizations, and governmental organizations have taken up the mantle of developing privacy practices, policies, and norms. Those actions, which include reflection and engagement with the FTC’s work, have moved the state of the art forward even in the absence of federal legislative action. And in so doing, they also developed cultural norms that were increasingly adopted by responsible companies, non-profit entities, governmental organizations, and others.
II. Laboratories of Democracy
As I noted at the outset, the federal government’s ability to engage in collaborative problem solving and serious legislative policymaking is suspect. By contrast, the states remain laboratories of democracy and are positioned to address a range of cutting-edge technology law and policy issues. In Colorado, moreover, we pride ourselves on being collaborative problem solvers and innovators. That’s the spirit that guided the development of the Colorado Privacy Act, which was led by a bipartisan leadership team in our State Assembly.
Under the Colorado Privacy Act, our department is charged with developing regulations to implement the law. In the Pre-Rulemaking Considerations for the Colorado Privacy Act we just released, we outline our approach to the upcoming rulemaking. In short, we are holding a series of conversations on a range of topics to help us prepare for the formal rulemaking process we will conduct this fall. In my talk today, I would like to highlight a few points about this process and how we are approaching it.
Our department is focusing on five principles to guide our work. Let me discuss each principle in turn. First, we are committed to protecting consumers, recognizing that if consumers cannot exercise the rights granted to them, the law’s promise will not be realized. Second, we view the rulemaking as an opportunity to clarify ambiguities and provide guidance on how firms can comply with the law. Third, we want to make compliance as efficient and expeditious as possible, with requirements that are simple and comprehensible. Fourth, we want to make Colorado’s requirements harmonious and interoperable with requirements adopted by other jurisdictions. Finally, we want to enable innovation and not unduly burden anybody from developing creative, adaptive solutions that can emerge from advances in technology.
III. Cutting Edge Challenges for our Rulemaking Process
As we approach the rulemaking, we recognize that we will be taking on a set of challenging questions for which there may well not be readily obvious answers. In the Pre-Rulemaking Considerations for the Colorado Privacy Act, we outline a few such topics, inviting suggestions and input on how we might approach them. In my talk today, let me discuss a few such topics.
First off, as a number of commentators have noted, the Colorado Privacy Act provides for universal opt-out mechanisms (UOOMs). The idea behind this concept is that consumers should have the right to use technical measures that would enable consumers to have the “right to opt out of the processing of personal data . . . for purposes of targeted advertising or the sale of personal data.” To enable such a mechanism, our department is required to “adopt rules that detail the technical specification for one or more” UOOMs.
As we develop rules around the concept of one or more UOOMs, we will welcome feedback from all corners. To the extent, for example, that a UOOM will involve certain technical specifications, we are soliciting feedback during our pre-rulemaking process about the strategies we might use to develop protocols or templates for such mechanisms. Additionally, under the statute, a UOOM must “clearly represent the consumer’s affirmative, freely given, and unambiguous choice to opt out of the process of personal data.” As we work to implement that requirement, we will also seek to provide “a mechanism that is as consistent as possible with any other similar mechanism required by law or regulation in the United States.” In this respect, the law both encourages the development of new technologies and follows the principle of harmonization and interoperability outlined above. If you would like to provide feedback on these or other issues, please do so. The Pre-Rulemaking Considerations document available on our website lays out the process in detail.
Second, in what is getting increased attention, the Colorado Privacy Act is committed to ensuring that consent to share personally identifiable information must not be obtained using “dark patterns.” As defined in the law, dark patterns are defined as “a user interface designed or manipulated with the substantial effect of subverting or impairing user autonomy, decision-making, or choice.” In our regulatory process, we will solicit feedback to help us identify the principles used to determine what constitutes a dark pattern.
Third, in a continuation of the trend towards encouraging responsible cultural norms, the Colorado Privacy Act calls on companies to engage in data protection assessments. Under the law, a firm controlling sensitive data must “conduct and document a data protection assessment of each of its processing activities that involve personal data acquired on or after the effective date of [the CPA] that present a heightened risk of harm to a consumer.” Activities that present a “heightened risk of harm to a consumer” include processing for the purpose of targeted advertising, selling personal data, processing sensitive data, and processing for the purpose of profiling that creates a reasonably foreseeable risk of unfairness, injury, or offensive intrusion of privacy. Our department will need to provide guidance on what constitutes an appropriate assessment, from both a substantive and procedural standpoint. And we will need to make sure that our oversight of assessments remains effective over time and can take advantage of technological changes.
It is an important time for privacy law and policy. In Colorado, we are honored to be at the forefront of this work and have put together a tremendous team to take on this work. Many of the leaders of this work are here at IAPP and we look forward to learning from other professionals and preparing for what we know will be a critical project. Thanks for your feedback and engagement in this work.