Ad Law Access
Updates on advertising law and privacy law trends, issues, and developments
Thu, 29 Feb 2024 21:49:35 -0500

State AGs and Consumer Protection: What We Learned from . . . Colorado
Thu, 03 Aug 2023 15:45:00 -0400

We continue our State AG webinar series traveling farther west past the Great Plains to the Rocky Mountains in Colorado. Last week, we spoke with Colorado Attorney General Phil Weiser and Deputy Attorney General for Consumer Protection, Nathan Blake, and covered a wide range of topics from the office’s structure, to the Colorado Privacy Act, to artificial intelligence (AI), and teen mental health. We recap highlights of what we learned below.

Background and Priorities of the Office

Given Colorado’s larger size and what AG Weiser called a “range of inputs” including from the legislature and the public, the Consumer Protection Section is comprised of many specialized teams including an opioids unit, a utilities consumer advocate unit, a consumer credit codes unit (where the office plays a supervisory role in non-bank lending), and a civil rights and corporate fraud unit. The section also encompasses traditional consumer protection issues such as consumer fraud and antitrust. For example, in response to public outcry and legislative concerns, the office is actively reviewing student loans, fees, and student loan servicing as potential areas of deception and consumer harm.

Like most states, the office also uses consumer complaints filed with the office to inform its priorities. While Colorado’s complaints were historically not public, the office started a pilot program about a year and a half ago to forward complaints to some businesses for resolution. An expansion of this program should increase businesses’ awareness of potential issues as they arise.

Collaboration with States

Colorado has a robust history of participating in multistate consumer investigations. AG Weiser touted the multistate’s ability to create a comparative advantage and leverage the distinct strengths and resources of each state. “We’re better together,” he said. Moreover, states may provide a more efficient and streamlined settlement for businesses that are involved in nationwide investigations.

Price Gouging & Auto-Renewals

AG Weiser noted that in addition to its general UDAP law, the Colorado Consumer Protection Act, the office enforces specific consumer protection laws related to topics such as price gouging and auto-renewal charges. Under Colorado’s price gouging statute, it is an “unfair and unconscionable act” when “a person charges a price so excessive as to amount to price gouging.” AG Weiser emphasized that the statute relies on a reasonableness standard which is based on comparison with the market. AG Weiser hypothesized that if there is a fire in Boulder County and people are looking for a place to stay that night, it’s understandable that the average will go up a little for the hotels. However, if one hotel charges $2,000 extra because they know they can take advantage of a family’s dire situation, AG Weiser identified that actor as an “opportunistic seller” who is violating Colorado’s price gouging laws. He said it is important to note that, like with many states, there has to be a declared state of emergency to trigger price gouging laws.

Auto-renewals have also been a hot topic in Colorado (as with many state and federal enforcers) as a specific Colorado law took effect in 2022. Mr. Blake emphasized the state’s commitment to enforce the recent statute and noted some of the more unique aspects, such as requirements for monthly subscriptions to provide annual reminder notices to consumers.

Colorado Privacy Act

AG Weiser stressed “if you’re a business today, and you’re not thinking about data, you need to wake up.” Colorado was the third state to pass a comprehensive privacy law. With the law now in effect, the office is paying particular attention to how businesses are reacting and adapting. AG Weiser provided some historical context to the law and noted that the CPA was intended to be “principle based” and not “prescriptive” with the knowledge that “technology changes and we need to have an adaptable regime.” Importantly, the office wants to focus its attention on businesses committing “flagrant fouls and not ticky tack fouls. If you’re trying and make a mistake, that’s okay, but if you’re deliberately thumbing your nose at the law? Not okay.”

Mr. Blake discussed Colorado’s thoughtful approach to regulatory process and rulemaking, describing it as an extensive, collaborative, and transparent process to develop the rules that went into effect July 1. Blake said Colorado’s commitment is to continue in the spirit of collaborative rulemaking for consumers, members of industry, and sister states. AG Weiser added that the rulemaking process was critical to the CPA. The office started with an informal stakeholder process, then issued model rules, received comments, and by the end of the process evaluated the comments and made adjustments prior to issuing final rules.

The office has conducted significant outreach to the business community to maintain the transparent approach to implementing the CPA. Mr. Blake discussed how the office sent a series of letters to businesses informing them of their duties under the CPA after the bulk of the rulemaking process was finished, the purpose of which he explained was to inform them that the law was in effect and what they can anticipate.

As we’ve previously reported, the CPA provides Colorado residents with the right to opt out of use of personal data for sale and targeted profiling, and next year they will have the right to use a universal opt out mechanism. The CPA also imposes a data minimization requirement and mandates covered businesses conduct data protection impact assessments before conducting data processing activities that present a heightened risk to consumers.

Mr. Blake stated that the office welcomes questions. Though the AG office does not answer individual questions, the office considers the questions for FAQs or future rulemaking. The office intends on releasing an FAQ in the coming months, with additional guidance on the universal opt out requirement going into effect July 1, 2024.

Artificial Intelligence

As AG Weiser’s office has discussed before, AI is a hot topic for state and federal agencies. AG Weiser stressed that not having the rules of the road for AI poses some potentially significant risks for our whole society. He stated that one of the most important functions of consumer protection law is to build trust with consumers. If bad actors are not held accountable for harming consumers, then the overall trust environment is undermined for everyone. As such, AG Weiser worked with other states to issue a letter to the National Telecommunications and Information Administration (NTIA) and also gave a speech in front of the Federal Circuit Bar Association addressing his concerns for AI and its potential harms. Colorado has some tools available to curb potential harms from AI such as requirements for risk assessments and transparency under the CPA.

Mr. Blake added that AI could pose a risk of accelerating discriminatory practices. However, even without specifically tailored AI statutes, UDAP (unfair deceptive acts and practices) laws provide flexibility to law enforcement to deal with AI and other new technologies that create consumer harm.

Teen Mental Health

AG Weiser, like many of his AG colleagues, has made teen mental health a priority. He described concerns that social media increases engagement with dark content that negatively impacts teen mental health. AG Weiser said that the office evaluated its tools available such as the Children’s Online Privacy Protection Act (COPPA), but noted it falls short in only protecting children under 13 years of age, leaving teenagers unprotected. Mr. Blake added that the challenge is to assess whether these companies broke the law when it came to this teen mental health crisis. As Colorado’s investigation proceeds, the office will consider potential avenues for justice and rectification.

Join Kelley Drye’s State Attorneys General Ad Law Team for the next program in the 2023 State Attorneys General Webinar Series featuring Illinois Attorney General Kwame Raoul and his Consumer Protection Chief Susan Ellis on August 29 at 2:00 ET. Register here.

Kids’ Privacy and Safety Redux: Amended KOSA and COPPA 2.0 Advance By Voice Vote
Tue, 01 Aug 2023 00:00:00 -0400

Last year, the Senate Commerce Committee marked up two bipartisan bills to protect kids’ privacy and safety – the Kids Online Safety Act (KOSA), and the Children and Teens’ Online Privacy Protection Act (COPPA 2.0) – amidst high hopes that the bills would get a vote on the Senate floor. With comprehensive privacy legislation still tripped up over preemption and private rights of action, policymakers thought that legislation to protect kids would have the best chance of passage. The bills never made it to the floor, however, and they died in the 117th Congress.

This year, the bills’ sponsors are trying again and, on July 27, the Committee marked up amended versions of both bills. (The markups came on the heels of President Biden’s once again urging passage of these bills in public remarks.) The amendments to the bills address policy concerns that various groups have continued to raise since the bills were introduced last year. We watched the July 27 hearing to see what we might learn about the prospects for the bills’ passage in 2023.

Brief Background on the Bills, as Amended

For those in need of a reminder, KOSA (sponsored by Senators Blumenthal (D-CT) and Blackburn (R-TN)) is a kids and teen safety bill, designed to reduce harmful content on social media and to give minors and parents more tools and controls to block or filter such content. The bill has strong support from members of the child safety, medical, and consumer advocacy communities. At the same time, however, other consumer advocates, as well as the tech community, have criticized features of the bill that they believe would block minors’ access to content (including about LGBTQ+ and abortion issues) and/or potentially require the collection of more data from or about minors to determine their age. To address these concerns, the new version of the bill amends various definitions, as well as the standard governing when companies are expected to know who is a minor, among other changes.

COPPA 2.0 (sponsored by Senators Markey (D-MA) and Cassidy (R-LA)), by contrast, is a privacy bill, the primary purpose of which is to extend privacy protections to teens 13 through 16 and change COPPA’s “actual knowledge” standard so that websites and apps have greater obligations to know when they are dealing with minors. Like KOSA, various groups have expressed concern about whether the proposal would lead to restrictions on content available to minors. Also like KOSA, the new version of the bill includes various changes, including revisions to the knowledge standard proposed in last year’s version.

The Markup

The markup this year was part of a full Committee Executive Session considering multiple bills on a range of topics. At the session, the Committee approved both of the amended kids’ bills, as well as several additional amendments to each of them (most of which were relatively minor). While there wasn’t extensive discussion surrounding these bills, Committee Members took the opportunity to highlight the importance of kids’ privacy and safety, as well as future actions that they’re contemplating in this area. Here’s our rundown of notable moments from the hearing:

Chair Cantwell (D-WA) led the session, addressing the multiple bills being considered (including, e.g., legislation on the topics of satellite waste in space and AM radio capabilities in cars). With regard to children’s privacy, she described COPPA 2.0 as a “vital upgrade” to protect minors, closing loopholes and protecting teens 13 through 16. KOSA, she explained, is also long overdue, as there is an ongoing mental health crisis related to social media’s impact on children. Cantwell acknowledged, however, that there are still outstanding concerns among groups who would be affected by the legislation (including members of the LGBTQ+ community), requiring additional work before the bills reach the floor. She added that these bills are “not the last” of the privacy issues that the Committee will consider and that she hopes, when the Committee returns in September, that it will consider other privacy issues as well.

Ranking Member Cruz (R-TX) offered support for both bills advancing out of the Committee. The Internet hasn’t come without cost, he said, especially for children. He further chided Big Tech companies for failing to protect children or give parents the safeguards and controls they need to protect their kids. Finally, he suggested adding a potential preemption clause to KOSA, as multiple states have passed laws that may be inconsistent with parts of the bill.

Senator Schatz (D-HI) gave an impassioned speech about protecting children, stating that we are in a crisis – an epidemic of teen mental illness due to the algorithmic boosting of harmful content online. He cited a study from the CDC showing that two thirds of high-school girls feel persistently sad or hopeless, and that 22% of all high-school students have seriously considered suicide. Due to his concerns about these issues, Schatz initially offered an amendment to KOSA – his Protecting Kids on Social Media Act – which would prohibit users under the age of 13 from accessing social media platforms, require parental consent for children 13 through 17, and ban the recommendation of content using algorithms to all minors under 18. However, he later withdrew his amendment, noting “productive conversations” he’d had with Cantwell and Cruz. For their part, Cantwell and Cruz expressed eagerness to work with Schatz on these issues in the fall.

Senator Thune (R-SD) offered an amendment to KOSA that would require platforms to notify users if they are using an algorithm, which passed by voice vote. Senators Blackburn (R-TN) and Klobuchar (D-MN) both expressed frustration about how long it has taken to address kids’ privacy and safety issues and said now is the time for action. Other Members, such as Senators Sullivan (R-AK) and Welch (D-VT), expressed support for the bills and their commitment to protecting children’s safety. Finally, Senator Markey (D-MA) confirmed his commitment to address concerns raised by the LGBTQ+ community and others, but expressed confidence that he would be able to resolve them.

* * *

Bottom line: While the Committee approved both bills, there will likely be more changes before either bill reaches the Senate floor. Further, while President Biden and Senate Majority Leader Schumer (D-NY) have both stated (at times) that these bills are a priority, the clock in the 118th Congress is ticking.

Join Kelley Drye for a Webinar with the Colorado Attorney General’s Office: Colorado Privacy Act, AI, and Teen Mental Health
Sun, 23 Jul 2023 00:00:00 -0400

Join Kelley Drye’s State Attorneys General Ad Law Team on Monday, July 24, 2023 at 3 pm ET for the next program in the 2023 State Attorneys General Webinar Series: Colorado Attorney General’s Office – Colorado Privacy Act, AI, and Teen Mental Health.

Special guest speakers Colorado Attorney General Phil Weiser and Nathan Blake, Deputy Attorney General for Consumer Protection, will join Kelley Drye State Attorneys General practice Co-Chair Paul Singer, Special Counsel Abby Stempson, and Senior Associate Beth Chun for a discussion on a variety of important consumer protection topics, including teen mental health and the increased use of artificial intelligence. AG Weiser has been a national leader on these important topics and will discuss how AGs are using their existing and new consumer protection authority to examine emerging issues.

In addition, the Colorado Privacy Act went into effect on July 1. AG Weiser marked the occasion with a series of letters sent to businesses announcing the office’s intent to enforce the new law. Join us to learn more about the Act, and the office’s enforcement plans.


Spotlight on Data Sales and the Fourth Amendment: Two Bipartisan Bills in the House
Fri, 21 Jul 2023 00:00:00 -0400

With so much going on in the privacy space, it can be hard to keep track of everything. For example, while you were struggling to keep pace with rapidly advancing state privacy laws, FTC and EU privacy developments, market and technological changes, and various proposals to protect children’s privacy, you might have missed some eye-opening developments regarding the government’s purchase of consumer data from data brokers and other third party data sellers.

Specifically, the House has advanced two bipartisan proposals to limit such purchases. If even one of these proposals were enacted, it would represent one of the more significant privacy actions taken by Congress in a long time. Here are the details:

Privacy Amendment in the House NDAA Bill

Some of the last minute amendments to the National Defense Authorization Act (NDAA) bill passed by the House have generated a lot of controversy and concern. But a privacy amendment offered by Rep. Davidson (R-OH) slipped through largely unnoticed.

The amendment would prohibit the Department of Defense (DOD) from “acquir[ing] location information, web browsing history, Internet search history, and Fourth Amendment protected information” of US persons inside the US for (1) foreign intelligence purposes, except as permitted under the Foreign Intelligence Surveillance Act (FISA), or (2) law enforcement purposes, except with a warrant demonstrating probable cause.

The amendment would further require that, if the interception, compelled production, or physical search and seizure of information would require a warrant, court order, or subpoena under law, DOD may not obtain that information from a third party without obtaining the warrant, court order, or subpoena. There is an exception if the information being sought is aggregated or anonymized so that it “cannot reasonably be de-anonymized or otherwise linked to any individual or groups of individuals” and DOD does not disclose the information to any law enforcement agency or to the intelligence community.

The other sponsors of this amendment (seven of them) included Rep. Jacobs (D-CA). As readers may know, Jacobs is also the lead sponsor of the My Body, My Data Act, a bill that would limit how women’s reproductive and sexual health data may be collected, used, and shared with third parties.

The House’s “The Fourth Amendment is Not for Sale” Act

Just as the NDAA was passing the House, Rep. Davidson also introduced a bill (HR. 4639) to place similar limits on how the government (not just DOD) acquires consumer data from electronic communications providers (e.g., providers of phone and email service). The bill is co-sponsored by House Judiciary Ranking Member Nadler (D-NY), as well as Rep. Jacobs and other supporters of the NDAA amendment. Like the NDAA amendment, the bill provides protections for consumers’ location information, web browsing history, Internet search history, and Fourth Amendment protected information.

In brief, and as summarized here, the bill amends portions of the Electronic Communications Privacy Act of 1986 (ECPA), which restricts how the government can obtain people’s communications from electronic service providers. Among other things, the House bill requires the government to obtain a court order to obtain consumer data from data brokers. It also “closes the loophole” that has allowed the government to purchase data from data brokers and other sellers without obtaining a warrant, court order, or subpoena as required under ECPA and FISA. On July 19, the House Judiciary Committee marked up the bill, with broad support from both sides of the aisle. The next step will be a vote on the House floor.

Rep. Davidson’s bill is similar to a proposal (also called the Fourth Amendment is Not for Sale Act) that Sen. Wyden (D-OR) introduced last year in the Senate, with support from a number of bipartisan co-sponsors. Wyden has told the press (in an article behind a pay wall) that he doesn’t intend to reintroduce that bill this year, but that he plans to incorporate similar protections into a comprehensive surveillance reform bill that he is developing.

Why is this Significant?

The data privacy limits proposed here reflect simmering concerns about the ease with which the government can purchase consumers’ sensitive data from data brokers and other sellers to get around the privacy restrictions imposed under the Constitution and US laws. The repeal of Dobbs has added to these concerns, raising fears that government entities in anti-abortion states will purchase information revealing details about women’s health and location and use it for law enforcement purposes.

As noted above, federal laws (including FISA and ECPA) impose limits on the ability of the government to obtain consumer information from certain entities and/or for certain activities without a warrant, court order, or subpoena. Further, in US v. Carpenter, the Supreme Court held that the government’s acquisition of a person’s cell phone records from a wireless carrier (which can reveal a person’s precise location over time) was a 4th amendment protected search, requiring a warrant supported by probable cause.

However, several years ago, the Wall Street Journal and other news outlets started reporting that the government was getting around these restrictions by purchasing consumer data from data brokers and other sellers, rather than seeking it directly, pursuant to federal laws. This prompted efforts in Congress to close this “loophole” through legislation such as Sen. Wyden’s bill. Now, with these two House proposals, these efforts appear to be gaining bipartisan steam.

It’s far from certain that these proposals will end up becoming law. The House NDAA must now be reconciled with the version passed in the Senate, which doesn’t include Davidson’s amendment language. Further, if Wyden doesn’t re-introduce his bill in the Senate, but instead incorporates its protections in broader and potentially more controversial legislation, it could get tied up and fail to advance. Nevertheless, the bipartisan support that these proposals have received in the House could be a sign of more to come.

Colorado Consumer Data Privacy Law is in Effect
Tue, 18 Jul 2023 00:00:00 -0400

Two years ago this month, the state of Colorado joined California and Virginia in the passage of broad consumer protection legislation when the Colorado Privacy Act (CPA) was signed into law.

The CPA went into effect on July 1, 2023, and last week Colorado Attorney General Phil Weiser was prompt in his reminder to businesses that his office will begin enforcement.

In a statement issued on July 12, Weiser noted that the CPA is a critical tool to protect consumers’ data and privacy but that his office’s enforcement approach “will not seek to make life challenging for organizations that are complying with the law, but rather will seek to support such efforts.” Weiser said, “if we become aware of organizations that are flouting the law or refusing to comply with it, we are prepared to act.”

Among other things, the CPA provides Colorado residents with the right to opt out of targeted advertising and the sale of their personal data. Key obligations under the CPA include requirements to:

  • Provide consumers with clear, understandable, and transparent information about how and why they collect, store, use, share, and sell personal data
  • Respond to consumer requests to access, delete, correct, and get a portable copy of their personal data
  • Allow consumers to opt out of the sale of personal data as well as targeted advertising and certain kinds of profiling
  • Obtain consent before collecting or using sensitive data
  • Only collect the minimum amount of personal data necessary from consumers

Beginning on July 1, 2024, controllers will need to honor user-selected universal opt-outs for targeted advertising and sales.

The Colorado Attorney General and local district attorneys have exclusive authority to enforce the CPA and can seek significant monetary penalties for non-compliance. In addition, several other states have joined the list of those that have enacted comprehensive privacy laws and may soon provide indications of their enforcement priorities.

For specific questions about what this means for you and your business, please contact Alysa Hutnik at [email protected].

In addition, please join us on July 24 for a webinar featuring special guest speakers Colorado Attorney General Phil Weiser and Nathan Blake, Deputy Attorney General for Consumer Protection, as they join Kelley Drye State Attorneys General practice Co-Chair Paul Singer, Special Counsel Abby Stempson, and Senior Associate Beth Chun for a discussion on a variety of important consumer protection topics. You may register here.