Microsoft is taking California's new data privacy law nationwide.
The software giant this week said it will honor the California Consumer Privacy Act (CCPA) throughout the United States. When the CCPA goes into effect on Jan. 1, 2020, companies in California will be required to provide people with the option to stop their personal information from being sold, and will generally require that companies are transparent about data collection and data use.
The CCPA applies to companies that do business in California, collect customers' personal data and meet one of the following requirements: have annual gross revenue of more than $25 million; buy, receive, sell or share personal data of 50,000 or more consumers, devices or households for commercial purposes; or earn 50% or more of their annual revenues from selling consumers' personal data.
Julie Brill, Microsoft's corporate vice president for global privacy and regulatory affairs and Chief Privacy Officer, announced her company's plans to go a step further and apply the CCPA's data privacy protections to all U.S. customers -- not just those in California.
"We are strong supporters of California's new law and the expansion of privacy protections in the United States that it represents. Our approach to privacy starts with the belief that privacy is a fundamental human right and includes our commitment to provide robust protection for every individual," Brill wrote in a blog post. "This is why, in 2018, we were the first company to voluntarily extend the core data privacy rights included in the European Union's General Data Protection Regulation (GDPR) to customers around the world, not just to those in the EU who are covered by the regulation. Similarly, we will extend CCPA's core rights for people to control their data to all our customers in the U.S."
Brill added that Microsoft is working with its enterprise customers to assist them with CCPA compliance. "Our goal is to help our customers understand how California's new law affects their operations and provide the tools and guidance they will need to meet its requirements," she said.
Microsoft did not specify when or how it will apply the CCPA for all U.S. citizens. In recent years the company has introduced several privacy-focused tools and features designed to give customers greater control over their personal data.
Fatemeh Khatibloo, vice president and principal analyst at Forrester Research, said Microsoft has an easier path to becoming CCPA compliant because of its early efforts to broadly implement GDPR protections.
"They're staying very true to all the processes they went through under GDPR," she said. "CCPA has some differences with GDPR. Namely, it's got some requirements to verify the identity of people who want to exercise their rights. GDPR is still based on an opt-in framework rather than an opt-out one; it requires consent if you don't have another legal basis for processing somebody's data. The CCPA is still really about giving you the opportunity to opt out. It's not a consent-based framework."
Khatibloo also noted that Microsoft was supportive of the CCPA early on, and that Brill, who formerly served as commissioner of the U.S. Federal Trade Commission under the Obama administration, has a strong history on data privacy.
"She understands the extensive need for a comprehensive privacy bill in the U.S., and I think she also understands that that's probably not going to happen in the next year," Khatibloo said. "Instead of waiting for a patchwork of laws to turn up, I think she's taking a very proactive move to say, 'We're going to abide by this particular set of rules, and we're going to make it available to everybody.' The other really big factor here is, who wants to be the company that says its New York customers don't have the same rights that its California customers do?"
Rebecca Herold, an infosec and privacy consultant as well as CEO of The Privacy Professor consultancy, argued that while CCPA does a good job addressing the "breadth of privacy issues for individuals who fall under the CCPA definition of a 'California consumer,'" it falls short in multiple areas. To name a few criticisms, she pointed out that it doesn't apply to organizations with under $25 million in revenue, it does not apply to all types of data or individuals such as employees, and that many of its requirements can come across as confusing.
But Herold said Microsoft's move to apply CCPA for all 50 states makes sense and it's something she recommends to her clients when consulting on new regional regulations. "When looking at implementing a wide-ranging law like CCPA, it would be much more simplified to just follow it for all their millions of customers, and not try to parse out the California customers from all others," she said via email. "It is much more efficient and effective to simplify data security and privacy practices by treating all individuals within an organization's database equally, meeting a baseline of actions that fit all legal requirements across the board. This is a smart and savvy business leadership move."
Mike Bittner, associate director of digital security and operations for advertising security vendor The Media Trust, agreed that Microsoft's move isn't surprising.
"For a large company like Microsoft that serves consumers around the world, simplifying regulatory compliance by applying the same policies across an entire geography makes a lot of sense, because it removes the headaches of applying a hodgepodge of state-level data privacy laws," he said in an email. "Moreover, by using the CCPA -- the most robust U.S. data privacy law to date -- as the standard, it demonstrates the company's commitment to protecting consumers' data privacy rights."
Herold added that the CCPA will likely become the de facto data privacy law for the U.S. in the foreseeable future because Congress doesn't appear to be motivated to pass any federal privacy laws.
Brill appeared to agree.
"CCPA marks an important step toward providing people with more robust control over their data in the United States," she wrote in her blog post. "It also shows that we can make progress to strengthen privacy protections in this country at the state level even when Congress can't or won't act."
Senior reporter Michael Heller contributed to this report.