Colo. AG: We'll Fill U.S. Privacy Enforcement Void Under Trump if Necessary
Colorado will step in if the federal government pulls back on privacy enforcement under the second Trump administration, the state’s AG Phil Weiser (D) told Privacy Daily. In an interview, he said privacy will continue to be a priority for the state in 2025, with Weiser hoping to raise awareness with businesses and consumers about their duties and rights under the Colorado Privacy Act (CPA).
Sign up for a free preview to unlock the rest of this article
“One of the concerns that we will have to meet if it happens” is whether the incoming Trump administration “will be as active [in] enforcing consumer protections as we would like,” said Weiser, a former Obama administration official who this month announced he will run for governor. “Ideally, we’re going to be able to collaborate with critical consumer protection agencies” like DOJ, the FTC and the Consumer Financial Protection Bureau (CFPB). “Where there is a decision to step back from critical enforcement,” Colorado will seek to fill the “vacuum.”
The CFPB might be in danger, considering comments on X last month from Elon Musk that the agency should be deleted (see 2501070031). Musk co-chairs President-elect Donald Trump's Department of Government Efficiency. “The CFPB has done some very important consumer protection work,” including on data and privacy, and “it would be a mistake to terminate its work,” said Weiser. “They’ve been a good partner.”
Colorado was the third of 20 states to enact comprehensive privacy laws. Privacy is “very much state-centered right now,” said Weiser. That poses "challenges for businesses who are trying to keep track of all the [states'] laws. We are aware of that and have worked to create what we believe is a good community of practice. And, we’re going to work to continue to build what we think of as interoperable state laws so that you can comply with all of them.” One national law would be better than having many state laws, he said, but Weiser doesn’t believe the kind of federal law he envisions is “coming anytime soon.”
“Hope springs eternal -- and it makes a lot of sense -- for there to be a bipartisan, national privacy law,” said the state AG. “If the national law is as strong as Colorado’s law, I’m comfortable with the national law preempting state law -- as long as I can enforce the national law.” Allowing state AGs to help enforce a possible comprehensive U.S. law would mean that they can fill any vacuum that would be left if a national agency pulled back on enforcement, he added.
Since the CPA took effect in July 2023, the biggest issue has been “awareness of the law,” said Weiser. The Colorado AG office will seek to ensure that businesses are aware of requirements such as performing data protection assessments, he said. In addition, Weiser hopes to raise awareness among consumers about activating their privacy rights through universal opt-out mechanisms that businesses must honor. It's a “two-sided challenge,” said Weiser. “How do we tell consumers they’ve got rights they should be able to exercise and tell businesses they’ve got obligations they’ve got to follow?”
“One question that’s always there is: Are consumers opting out at the rate they would want to or not?” The Colorado AG office has concerns that global opt-out mechanisms have “a lower rate of usage than we’d like.” Such mechanisms, which often appear in web browser extensions, allow consumers to specify once for all websites that they want to opt out of concerning the sale or sharing of their personal data and limiting use of their sensitive personal information.
Starting in 2025, Colorado is no longer required to give businesses 60 days to cure potential violations flagged by the AG office. “We are going to have an interesting question in front of us” about how to “operate without a formal right to cure,” said Weiser. “Do we continue to give businesses grace to come into compliance? I will say [that] where businesses are trying to comply, our approach is always to give them room to get it right.” When the AG office sees “flagrant fouls, we very much want to and will take action.”
Weiser can’t speak about non-public investigations, but “we have not brought any action where we have found a blatant violation thus far,” he said. “That’s not to say we’re not going to be able to.” Weiser appreciates “the extent to which businesses are really interested in trying to get this right,” he added. “I do believe there's an emerging norm that treating your customers’ data responsibly is smart business and not just what the law requires.”
Weiser isn’t seeking additional legislative changes to the CPA. The legislature passed bills on children’s and biometric data last year, and the AG office recently implemented them as rules (see 2501100051). Some state laws, approved after Colorado's, added requirements not in previous statutes, such as unique data minimization rules in Maryland’s 2024 law. However, Weiser noted that Colorado’s 2021 law includes data minimization as part of its requirement to do a data protection assessment. “Implicit in the data protection assessment is that you are asking: Are you keeping data you don’t need?” Still, “I guess that we’ll have to look at that as a stand-alone requirement -- whether or not that is worth adding.”
On Colorado’s landmark AI bill, which passed last year and takes effect in 2026, Weiser said he’s watching a legislative task force that must make recommendations by Feb. 1 on tweaking the law. “We want to make sure we allow that process to go forward.” Weiser said he doesn't have suggestions for strengthening the AI law. After lawmakers make any edits, the AG office plans to follow a process similar to how it implemented the CPA, with stakeholder talks and a rulemaking.