This past Friday, the Attorney General Alliance and the Colorado Department of Law held a symposium, “Colorado Privacy Act: Rights, Obligations, and Next Steps.” The symposium is another signal that state attorneys general (state AGs) around the country intend to take a primary role in influencing, and ultimately enforcing, data privacy policies. The panel discussions revolved around the Colorado Privacy Act (CPA), one of only three comprehensive data privacy laws in the nation—the other two being California’s Consumer Privacy Act of 2018 (CCPA) and Virginia’s Consumer Data Protection Act (VCDPA). Panelists, including the state legislators who sponsored the CPA, discussed the impact of the law since its enactment this past summer and how it could serve a model for other states to look to when considering their own comprehensive privacy laws.

This symposium was also another expression of Colorado AG Phil Weiser’s significant interest in data privacy and tech issues, particularly as they relate to consumer protection. AG Weiser will continue to be a leader among the Democrat AGs in this space. To that end, the symposium’s keynote speaker, Georgetown Law professor, privacy expert, and former advisor to the Federal Trade Commission, Paul Ohm, announced during his remarks that he will be joining the Colorado AG’s office as a data privacy advisor. More state AG offices will likely follow this move in the coming years by bringing on in-house privacy experts to lead their offices’ policy and enforcement efforts. Among the many topics covered in Ohm’s remarks, he noted the recent focus by regulators and enforcement agencies on “dark patterns,” algorithms that use deceptive and manipulative tactics to drive user behaviors. Algorithms, and dark patterns specifically, will continue to be a major focus of AGs in the coming year and beyond. Just last week, a bi-partisan group of four state AGs filed a lawsuit against a major online search platform alleging that the platform leveraged dark patterns in violation of state consumer protection laws.

AG Weiser has engaged in bi-partisan efforts to expand state AGs’ influence on data privacy policy and enforcement. This was evidenced by AG Weiser inviting Wyoming AG Bridget Hill to the symposium for a “fireside chat” to discuss AG collaboration on protection of consumers’ data. In addition to the extensive discussion on the CPA’s reach and the Colorado AG’s role in enforcing the law, panelists also discussed other states that are currently considering data privacy legislation, including: Alaska, Connecticut, Indiana, Minnesota, Ohio, Oklahoma, and Washington. Four of these states are represented by Republican AGs and three are represented by Democrat AGs. There is a strong likelihood that each of these states’ respective AGs are actively lobbying their legislatures to be the primary enforcers of their states’ eventual laws. Panelists also emphasized how Colorado effectively avoided including a private right of action in its law, juxtaposing the CPA’s enforcement mechanism to California’s CCPA, which included a supposedly limited private right of action that trial lawyers have already significantly expanded.

Companies should actively monitor state privacy law developments and analyze the role various states’ AGs have in enforcing those laws. Industry can play a critical role in helping shape these policies and should incorporate state AG engagement into their data privacy policy and compliance strategies. More and more states will likely follow AG Weiser’s lead on many of these issues and, as such, companies should closely monitor developments coming out of the Colorado Department of Law.