Governance & Risk Management , Privacy , Standards, Regulations & Compliance
Microsoft Will Apply California's Privacy Law NationwideCompany's Move Could Influence Other Technology Companies
Microsoft will apply the core rights of the California Consumer Privacy Act across all its customers in the U.S., a move that may nudge other technology companies in the same direction as online privacy becomes an increasing concern.
See Also: Live Webinar | Education Cybersecurity Best Practices: Devices, Ransomware, Budgets and Resources
Microsoft’s Chief Privacy Officer, Julie Brill, writes in a blog post that the company hopes its move will “help serve as a catalyst for even more comprehensive privacy legislation in the U.S.” The lack of action by Congress to pass comprehensive privacy legislation continues to be a “serious issue,” she writes.
“CCPA marks an important step toward providing people with more robust control over their data in the United States,” writes Brill, who was formerly a commissioner on the U.S. Federal Trade Commission between 2010 and 2016. “It also shows that we can make progress to strengthen privacy protections in this country at the state level even when Congress can’t or won’t act.”
Most major U.S. companies will likely apply CCPA to all of their customers but may not make as much fanfare about it as Microsoft, says Jason Cronk, a lawyer and privacy engineer. By doing so, companies avoid figuring out who the law applies to, and many states could follow California’s lead and pass similar privacy legislation, he says.
Companies may also hold off publicly announcing their moves for another reason. California’s law gives consumers a right to request their data, and a rash of those requests could overwhelm processes in place now, which are often manual, Cronk says.
“It’s an economy of scale issue,” he said.
CCPA: Threatening Online Advertising?
Many technology companies have expressed concerned about CCPA, which will require that companies handling Californian's data re-tune their compliance procedures. The new law, which goes into effect in Jan. 1, also restricts under what circumstances companies may sell personal data and mandates transparency with customers whose data is collected.
Microsoft’s decision is especially notable because it is a member of the Internet Association, a large trade group that includes Google, Facebook, Amazon and Twitter as members, among others. The association launched a campaign called Keep the Internet Free, contending that CCPA would jeopardize online advertising, which could mean that consumers would have fewer free services.
The Internet Association has sought to change elements of the CCPA. Its chief executive, Michael Beckerman, argued in The New York Times last month that the patchwork of state privacy regulations “risks the country ceding our position as a leader in technology.” He advocated for a federal privacy law.
The Electronic Frontier Foundation, a digital rights watchdog that supports CCPA, contended in September that the Internet Association was running misleading ads, citing a Washington Post story.
Jumble of State Privacy Laws
If Microsoft's CCPA compliance strategy is followed by other large tech companies, CCPA’s central tenets could drift across the U.S., making it a de-facto national law. Last year, Microsoft said it would extend elements of the European Union’s General Data Protection Regulation across its customer base, regardless whether a customer was based in Europe.
A number of other global firms also extended GDPR protections to individuals outside of Europe, says John Verdi, who is vice president of policy of the Future of Privacy Forum.
“Online services are increasingly supportive of pragmatic, interoperable legal frameworks that can provide consistent protections for individuals and provide companies with clarity about their obligations,” he says.
Verdi says that if the obligations of CCPA become clear and workable once the rulemaking is finished, “I wouldn't be surprised to see more companies extending CCPA protections outside California in 2020 and beyond.”
The U.S. does not have general federal privacy legislation. Rather, it has “a jumble of hundreds of laws enacted on both the federal and state levels to protect the personal data of U.S. residents,” notes the law firm White & Case
Although CCPA is still being refined and amended, it contains some of the most sweeping privacy protections of any state in the U.S. and new mechanisms for consumers to control their data.
CCPA builds on concepts put in place within the European Union under GDPR, which took effect in May 2018.
Consumers can ask businesses about the type and categories of personal data they collected. Businesses must disclose why they collect personal data, and reveal whether the data is sold and to which partners. Under the law, Californians also have a right to request a company delete data.
CCPA applies to companies with gross revenue of $25 million and above, those that deal in personal information involving 50,000 or more consumers, households or devices, or those whose revenue is mostly derived from selling personal information.
Last month, California Gov. Gavin Newsom signed six amendments to CCPA, and the state has released a series of draft regulations for implementing the law. Public hearings are scheduled for early next month (see: CCPA Amendments Signed; Draft Regulations Released).
According to a study prepared for the state by independent researchers Berkeley Economic Advising and Research, initial compliance costs could be $55 billion (see: Initial CCPA Compliance Costs Could Hit $55 Billion: Study).