Colorado Attorney General Philip Weiser said the political gridlock in Washington, D.C., that has come to define the national political landscape has all but paralyzed public policymaking in Congress.
Where Congress has failed to deliver comprehensive national privacy legislation, Weiser said states have begun to assert their policymaking chops. Colorado was no exception when it became the third state to pass a privacy law in 2021.
“If you're looking for public policy innovations, I wouldn’t recommend it’s generally worth looking in Washington,” Weiser said. “I would look to the states.”
“State leadership on data, privacy and data security is what economists would call a second-best world,” he added. “The best world would be a world where Congress could pass a law … with clear standards and authority for state agencies to enforce that law like we have in Dodd-Frank. I would sign up for that tomorrow, but (Washington) is not working as it should and as we need it to.”
Weiser, the former assistant attorney general in the U.S. Justice Department’s Antitrust Division, spoke to several hundred attendees at IAPP’s Global Privacy Summit 2022 in Washington, D.C., April 12. He discussed how he will approach implementing and enforcing the Colorado Privacy Act when it goes into effect at the beginning of 2023.
The first hurdle for his office to clear before the CPA goes into effect is to complete the rulemaking process. To help gain a wide spectrum of views before rulemaking is finalized, Weiser announced his office would launch a QR code campaign to solicit feedback from stakeholders. The QR code, now live, seeks input on CPA provisions involving universal opt-out, consent, dark patterns, data protection assessments, profiling, interpretive guidance, offline collection and multi-jurisdiction issues.
“We want your ideas now,” Weiser said. “This will be an informal opportunity for stakeholders to tell us, ‘Hey, here are the ideas you should be wrestling with, here are the questions you need to be asking, (and) here are some best practices to look at.’ So, we're open for engagement.”
As enterprises of all sizes embark on complying with the CPA, Weiser said that, when it comes to enforcement, he would distinguish between businesses and organizations that encounter “footfalls” and violate the law, and entities that engage in “willful noncompliance.”
“Our number one priority are those who are willfully noncomplying with the law, that is where our blood is going to most boil,” Weiser said. “The opposite of that spectrum, I call it good faith, well-intentioned compliance, where you make a footfall, and we are going to do everything we can to differentiate between those two types of cases.”
One provision of the CPA that has not been implemented in other states' privacy laws is the inclusion of nonprofit organizations as entities subject to the law. Weiser said the Colorado legislature did not want to carve out an exception for large nonprofits that would otherwise have the resources to comply with the CPA, such as hospitals.
Weiser said smaller nonprofits would be treated similarly to small businesses with fewer resources if they happened to be involved with lesser violations of the CPA.
“There are some very large, sophisticated nonprofits, who look a whole lot like a company, and to create an exemption (under the CPA), that shouldn't be the role of privacy,” Weiser said. “Smaller nonprofits that are just to Colorado, like small businesses in Colorado, we recognize we need to make sure we do everything we can to educate them on what they need to do (to comply with the law), and then we also are going to understand their profile when we're looking at (the organization) beforehand.”
Weiser said when the CPA takes hold, he would foster dialogue with potential violators before taking enforcement action in order to achieve compliance.
“People are supposed to be given notice and a chance to be heard, it is critical that parties get a chance to understand what the basis of the concerns are, so they can respond to them,” Weiser said. “If enforcement instead feels random, I would be beating up on companies who don't know what the rules are. That doesn't induce compliance, and that doesn't seem to resonate with fundamental fairness.”