Colorado’s comprehensive consumer data privacy law, the Colorado Privacy Act (CPA), which goes into effect on July 1, 2023, was the topic of a recent conversation with the Colorado Attorney General Phil Weiser at the International Association of Privacy Professionals (IAPP) annual summit in Washington, D.C. As he discussed the new CPA, AG Weiser also called on Congress to pass federal privacy legislation instead of relying on the states to act independently and, in the process, create a patchwork effect for privacy rights across the United States.
The Attorney General noted, “State leadership on data, privacy and data security is what economists would call a second-best world. The best world would be a world where Congress could pass a law … with clear standards and authority for state agencies to enforce that law.”
Google echoed that sentiment when they presented at the National Press Club in D.C., stating, “A U.S. privacy law would align us all on the privacy measures that people want and promote confidence in U.S. companies and our digital ecosystem. It would increase trust in U.S. leadership, as we promote cross-border data flows and compatible, pro-privacy, pro-innovation rules around the world. It would give everyone much-needed clarity and consistency so that organizations spend less time trying to navigate inconsistent rules and more time preventing harm and responsibly innovating—the kind of work that yields research breakthroughs and a stronger U.S. economy.”
Government and Business
So why are states and businesses asking for the same type of legislation? It is so that there can be a harmonized approach to data privacy across jurisdictions, leading to more transparency for consumers at the same time that businesses can decrease compliance costs by having to meet the same compliance standards across jurisdictional boundaries. This was a major focus of Attorney General Weiser’s remarks at IAPP. When asked how he plans to approach rulemaking, he emphasized a plan to make Colorado’s rules harmonious with what is happening in other states—particularly in Virginia, which has a law more similar to Colorado’s than California does. He made a brief reference to the very newly passed privacy law in Utah, which he anticipates will also be fairly harmonious with what has passed in Colorado although more may be required of businesses to comply in Colorado than in Utah.
AG Weiser also emphasized his interest in bringing in operational business experience in going through Colorado’s rulemaking process. In order to gain insight into the practical experience of both consumers and businesses, AG Weiser has launched a QR code campaign to solicit feedback from stakeholders on universal opt-outs, consent, dark patterns, data protection assessments, profiling, multi-jurisdictional issues, and other topics.
When asked about his intentions regarding enforcement of Colorado’s new law, AG Weiser informed listeners that his focus, at least in the beginning, would be on those companies that were wilfully noncompliant. In summary, he told the audience that he would treat organizations that encounter “footfalls” differently than those organizations that are not attempting to comply or even actively avoiding compliance. In Colorado, at least during the early enforcement period, companies can expect someone from the AG’s office to contact them when there is a complaint. If an organization is honestly attempting to rectify a violative situation, they can expect some degree of discretion from the AG’s office that would allow them to make the correction.
In AG Weiser’s words, “If enforcement instead feels random, I would be beating up on companies who don’t know what the rules are. That doesn’t induce compliance, and that doesn’t seem to resonate with fundamental fairness.”
Overall, AG Weiser seemed dedicated to ensuring that Coloradans have increased privacy protections at the same time that companies operating in Colorado or providing services to its residents have a measure of reliability and transparency regarding their obligations. These notes are similar to those struck by all of the other states (California, Virginia, Utah, and Connecticut, which is so newly passed that it hadn’t even happened at the IAPP Summit) that have enacted comprehensive privacy legislation. At this stage, those goals have not created any real clarity for companies struggling to comply across jurisdictional lines, so it is no surprise that AG Weiser specifically called on Washington to take action in the privacy space. As other states, industry groups, private companies, and citizens echo that sentiment, the likelihood of movement in the federal regulatory space increases.
Undesirable Options
States are frustrated. While we might talk about privacy as a space where the American “laboratories of democracy” approach is being practiced, the real-world effect is that businesses, which are not limited by state boundaries, are making less consumer-friendly choices because they are frustrated. They are left to either enact complicated privacy compliance programs that account for jurisdictional differences or ignore the rules and take a riskier but less expensive approach of either picking one jurisdiction to follow or finding other ways to convince consumers that they take privacy seriously (because we’re in a space where it is entirely too risky for companies to do nothing). And, as AG Weiser explained, none of those are great options.
What’s the takeaway here? More states are going to follow Colorado’s lead and try to model privacy legislation on pre-existing legislation in other states (or abroad; California’s CPRA pulls in aspects of the EU’s GDPR that California had initially eschewed). Trying to make it coherent with other jurisdictions’ rules is a great goal, but, at the end of the day, no one is going to directly adopt another state’s legislation, so we will continue to have operational compliance differences until the federal legislature takes action.
Dreaming Big
We have seen some activity in that space, particularly around the new agreement in principle with Europe to facilitate trans-Atlantic personal data transfers. But the movement is slow, and the idea that Congress could create a privacy law that is all things to all people–controlling the giant social media and adtech companies of the world as well as small retailers, the press, and every kind or organization in between–is a pipe dream.
A coherent federal privacy law that streamlines notice requirements, outlines what qualifies as sensitive personal data and puts special protections around it (similar to what it has done for children, but in a way that updates and unifies the child privacy laws), and creates real oversight for data processing giants would be an excellent starting point. It could put the US on the road to streamlined trans-Atlantic data transfers (of course, I’m not addressing the security concerns the EU has regarding US government access to data, which will require separate legislative action) and lower transaction costs for businesses processing personal information in the US at the same time that it would increase oversight and consumer protection.
SixFifty Solutions
SixFifty’s privacy toolset was built to take on disparate privacy laws around the world. We are continuously monitoring this dynamic area of the law and updating our tools with changes in real time. Working with SixFifty is like having top-tier lawyers by your side as you work through the best way to comply with your privacy law obligations.
If you are ready to get started or have any questions, schedule a demo with SixFifty today!
Written by Marie Kulbeth
Marie Kulbeth is a Co-Founder and General Counsel of SixFifty, and the co-director of BYU LawX, a legal design lab dedicated to solving access to justice problems. She works to make the law straightforward for everyone, regardless of education level or income. Marie keeps her passion for equitable, accessible legal services at the forefront of her career. Her role as...
Full Bio and other articles by Marie Kulbeth
About The Author: Marie Kulbeth
Marie Kulbeth is a Co-Founder and General Counsel of SixFifty, and the co-director of BYU LawX, a legal design lab dedicated to solving access to justice problems. She works to make the law straightforward for everyone, regardless of education level or income.
Marie keeps her passion for equitable, accessible legal services at the forefront of her career. Her role as General Counsel allows her to field-test SixFifty’s products to ensure they’ll work for customers.
Education and Experience
Marie attended Brigham Young University, and spent most of her undergrad studying International Politics and Development. It was during a field study in South Africa that she first decided to become a lawyer. As she researched the new South African constitution and worked with community organizers, Marie became fascinated with the development of the rule of law and how it in turn fosters economic development.
After undergrad, she attended BYU Law, where she continued focusing on improving equity, specifically through access to justice. She spent time interning with a nonprofit at the Human Rights Council in Geneva and with the United Nations International Tribunal for the Rwandan Genocide. At home, she interned with Catholic Charities, focusing on supporting asylum cases. Marie’s work with communities and governments across the globe broadened her understanding of how the law can either uplift or further harm underserved populations.
After law school, Marie worked as a judicial law clerk for the US Fifth Circuit Court of Appeals. She then practiced commercial litigation in Salt Lake City before returning to BYU Law, where she became an Assistant Dean. During her time at BYU Law, Marie built a diversity recruiting program and a storytelling program. Although she has left academia, she continues to keep a hand in by teaching a legal design class at BYU Law School and an undergraduate international politics class that focuses on development and diplomacy at BYU’s Kennedy Center. Both courses help students increase their community engagement and use their skills to create change.
Achievements with SixFifty
Marie’s work with both SixFifty and LawX focuses on making the law less complicated and
more equitable for both companies and individuals.
Marie’s legal specialty is privacy. She has additional focus areas in legal technology; diversity, equity and inclusion; employment; and compliance. She enjoys the opportunity to build products with the legal product team, including pro bono products. This allows her to work with communities she cares about – and complements the work she continues to do at BYU.
With Marie’s guidance and experience, SixFifty is able to offer privacy products that allow even small companies to easily comply with global privacy restrictions. Her passion for making the law accessible to everyone is evident in our pro bono products, which help individuals access free legal help for common issues.
Get to Know Marie
When she’s not helping to advance SixFifty’s mission, Marie travels whenever she can. Keep your eyes open and you may find her anywhere in the world – one of her favorite trips was a seven-day motorbike tour of northern Thailand. She especially loves to canyoneer in southern Utah and explore wilderness areas.
Marie also continues her community development and education work. She is on the board of several nonprofits, including one that runs primary schools in South Sudan and the Utah Tribal Relief Foundation. She recently joined the board of the Mountainland Association of Governments, which focuses on making loans to entrepreneurs from underserved communities who lack access to traditional funding. She’s also a Model UN legend! She is the Executive Director of BYUMUN, Utah’s premier high school Model United Nations learning conference.
Marie loves podcasts and will nerd out on anything related to the law, the history of the English language, and anything done by the people at Radiolab.
Bar Licensed
Utah
More posts by Marie Kulbeth