ICYMI: Momentum Continues with the Colorado Privacy Act
Last week, the Attorney General Alliance hosted a seminar to address the Colorado Privacy Act (CPA)—what it does and how to prepare for its July 1, 2023 effective date. The seminar featured a discussion with the bill’s sponsors, legal experts, practitioners, and the Attorneys General for Colorado and Wyoming. As the third state to enact a comprehensive privacy law in the United States, it looks like Colorado stakeholders have considered the Virginia Consumer Data Protection Act (VCDPA) and the California Consumer Privacy Act (CCPA), and they are paving a new path for tackling privacy and data security issues not addressed by the plain text of the statute.
Here are some of the major takeaways from the panels:
From the bill’s sponsors. Colorado legislators consider the CPA more effective than the VCDPA and CCPA for several reasons, among them that the statute requires the Attorney General to adopt rules detailing a “universal opt-out mechanism[].” State Representative Terri Carver noted that in Colorado, a user will only have to opt out once from the processing of all personal data for the purposes of targeted advertising or the sale of personal data, whereas currently in Virginia and California, a user needs to opt out every time they visit a site. Other legislators addressed the importance of the CPA’s rulemaking provision, which gives the AG flexibility to issue opinion letters and interpretive guidance to develop an operational framework for businesses. However, State Senator Paul Lundeen wanted to see more changes to the CPA, including revisiting the types of exemptions the law provides. While he would like to see more data covered by the protections of the CPA, such as data collected under the “Driver’s Privacy Protection Act of 1994,” he stated the exemptions were necessary for the Legislature to approve the bill.
From privacy attorneys and privacy experts. Privacy experts and attorneys observed that the CPA will impose new obligations on businesses. For example, businesses that process certain data (such as sensitive data) may need to conduct and document data protection assessments, which must be made available to the AG upon request. While the CPA does not create a private right of action, the CPA may be enforced by the AG or a district attorney. The CPA gives businesses a longer cure period of 60 days compared with Virginia and California, both of which give businesses a 30-day cure period.
Professor Paul Ohm gave the keynote address. He spoke in part about the need for businesses to focus on the potential harms to consumers from their data collection practices. Notably, Ohm announced that he’s taking a one-year sabbatical to join the Colorado Office of the Attorney General (OAG) to help implement the CPA.
From the Attorneys General. The Attorneys General of Wyoming, Bridget Hill, and Colorado, Phil Weiser, generally discussed how states serve as bi-partisan leaders on issues like privacy and data security. AG Hill attributed state AGs’ and legislatures’ ability to work collaboratively to the fact that, at the state level, they understand well what their constituencies need. She commented that privacy legislation should not harm businesses, and she echoed comments from speakers earlier in the day in calling on governmental entities to improve their data protection practices.
In his remarks, AG Weiser agreed with AG Hill’s sentiment about the collaborative culture of states. He noted that even though the “first best solution” would be a national data privacy and security framework, the “second best solution” would be to support state leadership in order to protect consumers. Otherwise, he argued, consumers risk having no protection against privacy or data security harms.
AG Weiser gave some initial insights regarding the upcoming rulemaking process and his office’s planned enforcement efforts. As for the rulemaking, AG Weiser anticipates there will be a significant amount of time for the OAG to first engage with the public on the types of rules needed to make the CPA effective. In the next few months, the OAG will begin soliciting informal input regarding targeted CPA issues, anticipating a formal Notice of Proposed Rulemaking to begin this fall. AG Weiser emphasized that he wants to get the rulemaking right on the front end and to begin by establishing very clear rules of the road for businesses.
On enforcement, AG Weiser committed that there will be consequences for businesses that refuse to follow the law, and the OAG will prioritize going after those entities that flagrantly violate the law’s provisions. AG Hill agreed that consumer protection enforcement efforts generally should focus on those that knowingly and intentionally violate the law.
We will continue to monitor updates regarding the CPA and other privacy and data security developments.