What to expect regarding regulatory and enforcement priorities

As business in Colorado is settling into the third quarter of 2021, the State’s consumer/investor protection regulators have spent the spring and summer months signaling what to expect as to their ongoing regulatory and enforcement priorities.

It should come as no surprise that their priorities remain largely driven by the economic uncertainties and tumult arising from COVID-19 as well as from the cybersecurity threats resulting from the ever-increasing saturation of technology into every aspect of business. 

For example, when the Colorado Division of Securities (DOS) published its 2020-2021 Investment Adviser Examination Priorities, it identified COVID-19 disruptions at the top of the list. 

Specifically, the DOS confirmed its examination section would continue focusing on ensuring that State-licensed investment advisers and firms are addressing COVID-19-related challenges by implementing and maintaining comprehensive written procedures to:  

• Ensure business continuity and succession planning in the event of prolonged remote work or the hospitalization, death, or unavailability of key personnel.  
• Achieve and maintain cybersecurity despite increased electronic communications and a remote work environment. 
• Effectively supervise the activities of all representatives, whether in-person or remote.  

 Investment advisers and firms must thus continue to keep these priorities front of mind, just as they did this past year.  

Confirming its ongoing enforcement priorities as well, in recognition of National Consumer Protection Week in March, the DOS also announced its list of the top investor threats for 2021 as determined by regulators across the country as well as in Canada and Mexico.

The top three on that list – (1) schemes promoted through online and social media activity; (2) schemes involving investments in precious metals and cryptocurrencies; and (3) foreign exchange-related schemes – involve relatively new but nonetheless prevalent technologies combined with the lingering economic uncertainty of the COVID-19 era.

Colorado’s Securities Commissioner Tung Chan explained that investors hoping to supplement income lost as a result of the pandemic are particularly susceptible to these sorts of schemes offering the promise of high returns. Commissioner Chan noted, “during times like these, unscrupulous scammers will play on our economic worries more than ever with promises of no-risk high returns.”

Businesses engaged in legitimate fundraising activity in 2021 must now more than ever prioritize careful and consistent messaging on social media platforms and transparency in identifying risks and projecting rewards. 

Cementing the State’s prioritization of cybersecurity and the protection of consumers’ private information in the transaction of business in Colorado, on July 7, Governor Jared Polis signed the Colorado Privacy Act (CPA) into law. Colorado thus became the third state – behind California and Virginia – to enact a comprehensive data privacy law.

While the CPA does not go into effect until January 1, 2023, its enactment confirms that Colorado’s business community must expect cybersecurity to remain a top regulatory and enforcement priority for years to come.

Indeed, the enforcement of the CPA falls on the Colorado Attorney General and the State’s district attorneys, not on private litigants – which likely portends robust regulation and enforcement.  

While details about how businesses will need to implement the CPA’s requirements and how the regulators will need to enforce them remain to be fleshed out through the Attorney General’s rule-making process, the statute itself provides some important takeaways for businesses.

First, the CPA is likely to cover many of the State’s businesses and nonprofits. Specifically, the CPA will generally apply to business entities and nonprofit organizations that conduct business in the State or produce or deliver commercial products or services that are intentionally targeted to Colorado residents, and that meet one or both of the following thresholds: controlling or processing the personal data of 100,000 or more Colorado residents during a calendar year; or both deriving revenue or receiving discounts from selling personal data and processing or controlling the personal data of 25,000 or more Colorado residents.

Second, the CPA gives Colorado consumers the right to access, correct, delete, and obtain a copy of their personal data from such business entities and nonprofit organizations.

Further, the CPA gives Colorado consumers the right to opt out of the sale of their personal data, as well as from targeted advertising and profiling.

These two takeaways alone provide Colorado business with much to consider and prepare for in advance of January 1, 2023.   

 Lucas T. Ritchie is a partner in Moye White’s Trial Section and focuses his litigation and trial practice on high-stakes business and securities disputes as well as regulatory investigations and enforcement proceedings. He can be reached at 303.292.7957 or [email protected].