Prepared Remarks of Colorado Attorney General Phil Weiser at Technology Policy Institute (TPI) Aspen Forum
The influence of Internet platforms in our lives is profound. Given the impact of these platforms on competition, data privacy, and data security, to take just a few examples, consumers are increasingly concerned about how they are being treated. And companies are increasingly uncomfortable with the lack of governmental oversight and guidance, too, with even major corporations like Facebook now calling for legislation on data privacy.
Unfortunately, in a world where our federal government is often dysfunctional and unable to develop effective policy solutions, it is up to the states to work on developing an adaptive framework that can both facilitate and oversee emerging technologies as well as build confidence on behalf of consumers that they will be protected.
The role of the states in developing technology policy solutions reflects “one of the happy incidents of the federal system . . .[that a state can serve] as a laboratory” of democracy, as Justice Brandeis put it. As I recently commented, in encouraging Colorado’s passage of a law protecting network neutrality:
Until Congress is able to function appropriately, we can take some encouragement from the fact that the states, including their executive and legislative branches, are demonstrating the capacity to advance effective policy solutions. They are working hard on substantive issues, listening to different points of view, crafting thoughtful solutions, and developing approaches that are legally sound and can be enforced effectively. [Colorado’s network neutrality law] is one important example of leadership by the States. By crafting such approaches in Colorado, we can both protect our citizens and provide a model for how our federal government should operate—and hopefully will once again.
The ability of the states to act, even without federal government partnership, applies in a range of contexts. In the antitrust context, for example, Colorado took action in a recent health care merger, imposing a series of pro-competitive conditions on a merger between DaVita Medical Group and UnitedHealth. These conditions protected competition in the Medicare Advantage marketplace by preventing the merged firm from gaining control of competitive significant assets that it could use to re-establish the prior dominance of UnitedHealth in the Colorado Springs market. As the joint statement of two Federal Trade Commissioners recognized, it was fortunate that Colorado acted to address the harmful competitive effects that could have resulted from this merger and other states should be prepared to do the same in the future.
On the data privacy and security front, it is clear that states are taking a leading role in crafting solutions that protect consumers and ensure that businesses act responsibly. To be clear, a world where states alone act in this area is, as economists would put it, a second-best solution. But, as I have explained previously, developing no protections for consumers is worse. Ultimately, if there is a federal comprehensive law, it will be important that such a law provide a meaningful role for states, such as is the case under the Dodd-Frank law, which allows for enforcement by State AGs.
In closing, I want to recognize that, in technologically advanced fields, we need to develop more adaptive and entrepreneurial models of regulation. First, any legal framework in dynamic areas needs to provide flexibility for new learning and an ability to adapt. In that sense, a framework that is more principles-based is preferable to one that is highly prescriptive. Second, to the extent that regulators empower and rely on private actors, such as standard setting bodies, it is important that such private bodies be established to operate in credible and effective ways. If consumers cannot trust that such bodies operate in the public interest, for example, such bodies will fail to deliver on their promise of enabling adaptive regulation.
Finally, it is important to recognize that one form of effective government action, such as in the data security area, will be catalyzing compliance with best practice. In taking on Equifax, for example, a number of states and the FTC made plain that Equifax had failed to do just that, thereby calling attention to the importance of basic security precautions. In Colorado, we will be working on spreading the word to businesses on how they can adopt and implement reasonable security precautions to protect consumers and their own businesses.
In short, the work we have to do in this area will require all of us, working together, to develop new solutions. At the Colorado Attorney General’s Office, we are committed to doing our part and believe that Colorado’s ethos—which prizes collaborative problem solving—will be a critical part of making progress and demonstrating how our government can protect consumers and foster innovation and inclusive economic growth.