Prepared Remarks: Attorney General Phil Weiser on The Way Forward on Data Privacy (May 4, 2023)
It’s great to join you today to talk about our department’s work on data privacy. Several years ago, I joined the Federal Communications Bar Association and International Association of Privacy Professionals to talk about the state of data privacy. In those remarks, I related that, when I worked for President Obama, he committed the federal government to “do what we have done throughout history: apply our timeless privacy values to the new technologies and circumstances of our times.” Sadly, the federal government, in the past decade, has failed to do so. But, happily, states like Colorado are taking the lead to do just that.
For consumers, data privacy is increasingly on their minds. Consumers are aware, for example, that lots of information about them and their habits is being collected, analyzed, and monetized without their knowledge or consent. In some cases, moreover, incorrect or fragmented information about consumers can lead to adverse outcomes in a range of contexts from eligibility for credit to job opportunities. Like a consumer’s right to access their credit histories, as granted by the Fair Credit Reporting Act, the ability of consumers to know what information is collected about them—and correct inaccuracies—is a matter of fundamental fairness. And for businesses, it is critical that they not manage important consumer personal data irresponsibly and leave consumers open to harms like identity theft.
For consumers, the landscape is both potentially threatening and dizzying. After all, personal data can now be collected automatically through a range of tracking technologies and analyzed automatically through artificial intelligence. To be sure, the opportunity for innovations that benefit consumers is considerable, but if consumers do not trust that they are being treated fairly or if they learn that their personal data is being used or sold against their wishes, they are going to view these technological and economic changes with hostility.
Over my career at the intersection of law, technology, and entrepreneurship, I have worked to encourage collaborative problem solving and what I have called entrepreneurial administration. This means that I start by analyzing the underlying principles and proceed to evaluate the best governance strategies to advance them. Over the last few decades, we can find examples of both public and private successes in catalyzing technological change in ways that advanced public policy concerns and enabled innovation. Consider, for example, how the LEED building standard or the Energy Star concept have helped the marketplace advance energy efficiency goals. And there are disappointments, too, such as the continued challenges in enabling access to electronic health records.
After members of the Colorado General Assembly approached me about developing a Colorado Privacy Act (CPA), I welcomed the opportunity to put into practice my commitment to collaborative problem solving. Both in the legislative process, and in the rulemaking that followed, we honored a commitment towards good faith dialogue, deep listening, and humility. We also sought to avoid taking an unduly prescriptive approach and instead focused on articulating the critical principles we believed in, providing private firms leeway to determine how best to advance them.
In 2021, Colorado followed California and Virginia as the third state to adopt a state data privacy law. In enacting this law, we not only followed the model outlined above, but we also adopted very strong privacy protections that provide consumers with transparency around how their personal data is used. The law also provides consumers with a number of critical rights, including the ability to opt out of the use of their personal data for sale, targeted advertising, and profiling that has a significant impact on them. And in July 2024, Colorado consumers will have the right to use a universal opt-out mechanism to opt out of the sale of their personal data and the processing of their data for targeted advertising. Moreover, as I adverted to above, consumers will also have the right to access and delete personal data that businesses collect on them and to correct data that is inaccurate. Finally, consumers will also have a right to access data collected about them in a portable form.
For businesses, the Colorado Privacy Act institutes a series of responsibilities. First, the CPA requires businesses to provide meaningful privacy notices to consumers and to specify the express purpose for which data is collected and processed. Moreover, the law imposes a data minimization requirement, specifying that businesses can only collect personal data that’s reasonably necessary in relation to a specified purpose. The law also requires that businesses use sound practices in storing personal data, avoid processing personal data in ways that would violate antidiscrimination laws, and obtain affirmative consent before processing sensitive data. Finally, the law requires businesses to conduct data protection assessments before conducting data processing activities that present a heightened risk of harm to consumers (which includes the use of personal data for targeted advertising, selling data, or processing sensitive data).
When we started the process of developing the Colorado Privacy Act rules, I committed in my remarks to IAPP to a transparent, inclusive, and engaged process. I am proud of how our team—and it is truly an A Team—has accomplished just this goal. By all accounts, we conducted an extensive, transparent, and collaborative rulemaking. We finalized the rules in March 2023 after receiving and considering over 200 comments through our comment portal, listening sessions, and public hearing. In these rules are some national firsts, including guidance on data protection assessments, where we emphasize the principle-based approach I mentioned above and work to discourage “check the box compliance” activities.
Consumers and businesses can analyze our rules for themselves. And, like any regulatory system, we expect to revisit and revise aspects over time. Given the novelty of some of the rules, we know that we are going to learn a fair amount as they go into effect. Consider, for example, that the concept of a universal opt-out mechanism is a new one. To drive this effort forward, we are taking on the responsibility of maintaining a list of recognized mechanisms. We are also interested to see how our requirements on privacy notices and purpose specification play out in practice and give consumers more insight into how data is used. Finally, we are going to keep a close eye on so-called “dark patterns,” with rules now in place to guide when such patterns are in play.
For Colorado businesses and non-profits required to comply with the law, there are a few things to know about this law, which goes into effect on July 1, 2023. The foundational point to keep in mind is that companies need to understand what personal data they are collecting and keep track of what they are doing with that data. Companies that do collect and use personal data will have to compile privacy notices, make required disclosures, have a method for consumers to exercise data rights, have data processing agreements ready, and be prepared to comply with the CPA controller obligations.
I have received a lot of questions about how we will approach enforcement under the new law. My overall philosophy is that we are focusing on willful noncompliance. For those that try to comply, but make mistakes, our focus will be on enabling compliance. Indeed, for the first year and a half of the law, there is a required 60-day cure period, which means that, in cases where a cure is possible, our office will issue a notice of violation and the business will have 60 days to cure that violation. (That requirement sunsets in January of 2025 and we will need to determine whether to extend it by rulemaking.)
In terms of how we will educate companies and consumers about the law, we are building an education program. That will include expanding upon the list of frequently asked questions and answers that is currently on our website at coag.gov/CPA. If you have questions that you would like us to consider for our “FAQs”, please email your questions to us at COPrivacy@coag.gov. Over the weeks and months ahead, we are putting together additional materials to provide to the public, which will also be available through our website at coag.gov/CPA.
Under the law, we plan on providing interpretive guidance and opinion letters. In particular, the CPA gives our office the authority to promulgate rules governing a process of issuing opinion letters and interpretive guidance. We are thinking deeply about how to approach those rules to provide the best, most relevant guidance to effectively implement our privacy law, and expect to offer a framework for such guidance in the coming months.
* * *
In Colorado, we are proud of our work on data privacy and Internet policy more generally. For me, the most rewarding part of this work is the incredible team in our office. I recognize that hard decisions lie ahead, including the question of what different universal opt-out mechanisms will be recognized and used by consumers. I also recognize that we are now driving and encouraging a culture change already underway—just because you can collect or process data does not mean that you should do so. And I am excited to see how the data protection assessment process works in practice. As we do this work, your feedback and engagement will be critical.