On April 12, at the International Association of Privacy Professionals’ global privacy conference, Colorado Attorney General Phil Weiser gave remarks on his office’s approach to the rulemaking and enforcement of the Colorado Privacy Act (CPA).
Attorney General Weiser observed that his office’s approach will be “principle-based” and not prescriptive. He shared that promulgating too many specific rules could be counterproductive: not only would they fail to serve every context, he stated, but they could also create interoperability challenges if other states are also very prescriptive. The Attorney General invited suggestions for how his office might approach three areas in particular during the rulemaking:
- Technical specifications for the universal opt-out mechanisms, including “protocols or templates for such mechanisms” and how to ensure they are interoperable with other state requirements;
- Principles that may be used to identify and regulate “dark patterns,” including which user interface design choices may impair consumer autonomy or impact consumer choice, whether the rules should prohibit specific types of dark patterns, and if there are specific frameworks or tools already in existence that help identify dark patterns; and
- What constitutes an appropriate data protection assessment from a substantive and procedural standpoint.
In addition to the issues he specifically addressed in these remarks, the Colorado Attorney General’s Office released the Pre-Rulemaking Considerations for the Colorado Privacy Act. This document outlines a number of other areas of interest, including (1) standards for consent and how consent is obtained; (2) profiling and automated decision making that produce “legal or similarly significant effects” and consumer choice to opt out; (3) how the Attorney General should issue opinion letters and interpretive guidance; (4) offline and off-web collection of data; and (5) how to avoid “consumer confusion and compliance conflicts” based on differences between the CPA and other state laws.
Attorney General Weiser also described factors that might be relevant to enforcement. For example, he explained he would consider whether an alleged violator made a strategic decision to not comply with the CPA despite understanding its obligations, or if it lacked the resources or maturity to do so. He also said his office would consider the particular area of noncompliance and whether it is a “consumer pain point,” or an issue that has received a large volume of complaints from Colorado residents. He shared that he would not take litigation action without first discussing with an alleged violator whether they want to bring themselves back into compliance. The CPA does provide a 60-day cure period, which will be repealed on January 1, 2025.