February 4, 2022
Colorado Attorney General Publishes Remarks on the Way Forward for Privacy and Security
On January 28, 2022, Colorado Attorney General Phil Weiser published prepared remarks to coincide with Data Privacy Day on the way forward for privacy and security in Colorado. The remarks were used as an opportunity for Weiser to outline plans to begin the rulemaking process under the Colorado Privacy Act (CPA) and how this can correspond with data security best practices.
As part of the update on privacy and security, Weiser highlighted his opinion that despite the state-level developments of the past 12 months, there is still a need for a federal privacy framework. However, the work being done in Colorado can set an example for the policy-making at a federal level.
“When I reflected on the state of federal inaction on data privacy and security three years ago, I called the state of play a ‘second best solution.’ The first best solution, I explained, would be national leadership by Congress that empowers states to act withing [sic] a framework of cooperative federalism. We are not in that world, however, and we must move to adopt second best solutions, meaning that the responsible step to take is to support state leadership to protect consumers. The alternative, unfortunately, is no protection at all.” – Phil Weiser, Colorado Attorney General
Rulemaking under the CPA
A central part of the AG’s remarks was the outline for proposed rulemaking under the CPA as well as what can be expected and estimated timeframes for the process. Weiser also drew attention to three key areas that the rulemaking would focus on.
Firstly, regarding the right to know, the right to access, and the right to opt out of sale, the AG hopes to use the rulemaking process to develop fair mechanisms for consumers to exercise these rights. This would include combatting the use of dark patterns which mislead consumers, similar to what has been seen with recent rulemaking in California.
Secondly, regarding the right to correction, any proposed rulemaking will also have a focus on transparency and empowering individuals with the ability to understand their data profiles as well as developing methods of correcting inaccurate data.
Finally, the AG has stated that the auditing and risk assessment requirements outlined by the CPA are areas that the AG’s office would likely issue guidance on.
The next step in the AG’s rulemaking process under the CPA is to understand the concerns of Colorado citizens and businesses, which will be done through a series of meetings and town halls that have yet to be announced. The goal of these informal consultations is to identify which privacy protections should be prioritized in the process. In addition to the meetings, the AG’s office will post a series of topics seeking written comments from consumers, businesses, and other stakeholders. The results of both the informal meetings and the call for comments will culminate in a notice of proposed rulemaking, expected to be issued around Autumn, which will include a proposed set of model rules. This will start the formal public consultation process, with final rules expected to be adopted in around 12 months’ time.
Data Security in Colorado
The AG also included a summary of the future of data security in Colorado, highlighting the importance of the intersection between privacy and security. Among the key areas discussed, the AG reiterated the need for businesses to practice data minimization, as an example of an area that crosses privacy, security, and third-party risk, and to follow good data retention practices.
In addition, the AG’s office published a guide to data security best practices for entities to help them protect the personal information of Colorado residents. The guide goes in-depth across a number of key steps including:
- Inventory the types of data collected and establish a system for how to store and manage that data.
- Develop a written information security policy.
- Adopt a written data incident response plan.
- Manage the security of vendors.
- Train your employees to prevent and respond to cybersecurity incidents.
- Follow the Department of Law’s ransomware guidance to improve your cybersecurity and resilience against ransomware and other attacks.
- Timely notify victims and the Department of Law/Attorney General (when required) in the event of a security breach.
- Protect individuals affected by a data breach from identity theft and other harms.
- Regularly review and update your security policies.
Weiser concluded his remarks by citing ‘Colorado’s collaborative problem-solving culture’, which will help to inform the work being done to enact the Colorado Privacy Act, the upcoming rulemaking, and the implementation of Colorado’s data security laws.
- Colorado Attorney General’s Office: Attorney General Phil Weiser on the way forward on data privacy and data security
- Colorado Attorney General’s Office: Data Security Best Practices
- OneTrust DataGuidance News: AG provides updates on CPA regulations
- OneTrust DataGuidance News: AG publishes data security best practices guidance