Microsoft says it will honor California’s new privacy law across US

You know California’s Consumer Privacy Act (CCPA), the tough new privacy law? The sweeping, GDPR-esque legislation set to go into effect on the first day of the new year that’s set off palpitations within the breasts of tech companies and lawmakers, what with its specter of fines and compliance costs?

Microsoft’s cool with it.

In fact, the company said that it plans to “honor” the law throughout the entire country, even though it’s only a state law. That’s similar to what it did in 2018, when the European Union’s comprehensive General Data Protection Regulation (GDPR) went into effect and the company extended the regulation’s data privacy rights worldwide, above and beyond the Europeans it covers.

On Monday, Microsoft chief privacy officer Julie Brill said in a blog post that CCPA is good news, given the failure of Congress to pass a comprehensive privacy protection law at the federal level.

Chalk one up for Microsoft when it comes to privacy signaling in the runup to CCPA’s debut. Here’s Brill:

CCPA marks an important step toward providing people with more robust control over their data in the United States. It also shows that we can make progress to strengthen privacy protections in this country at the state level even when Congress can’t or won’t act.

Brill reminded the world that Microsoft’s privacy attitude “starts with the belief that privacy is a fundamental human right and includes our commitment to provide robust protection for every individual.”

We will extend CCPA’s core rights for people to control their data to all our customers in the U.S.

True, we don’t know exactly what it’s going to take to digest this enchilada, Brill said:

Under CCPA, companies must be transparent about data collection and use, and provide people with the option to prevent their personal information from being sold. Exactly what will be required under CCPA to accomplish these goals is still developing.

…but we’ll stay on top of it, she said:

Microsoft will continue to monitor those changes, and make the adjustments needed to provide effective transparency and control under CCPA to all people in the U.S.

In spite of the US Federal Trade Commission (FTC) marching down to Capitol Hill to beat the drum for a unified federal privacy law (and more regulatory powers to enforce it), and in spite of both the House and Senate holding hearings on privacy legislation, transparency about how data is collected and shared, and the stiffening of penalties for data-handling violations, any of a slew of online privacy bills that tried to get before Congress this year is not going to make it.

Last month, anonymous sources told Reuters that lawmakers haven’t managed to agree on issues such as whether the bill would preempt state rules.

That leaves CCPA to become the ipso facto privacy rule of the land.

California’s law isn’t just for California businesses, of course. Businesses that do business or have customers, or potential customers, in California will still be on the hook, if they meet one of these criteria:

  • Have an annual gross revenue more than $25 million.
  • Receives, shares, or sells personal information of more than 50,000 individuals.
  • Earns 50% or more of its annual revenue from selling personal information of consumers.

These are the general categories for the consumer rights that CCPA is going to deliver:

  1. Businesses must inform consumers of their intent to collect personal information.
  2. Consumers have the right to know what personal information a company has collected, where the data came from, how it will be used, and with whom it’s shared.
  3. Consumers have the right to prevent businesses from selling their personal information to third parties.
  4. Consumers can request that businesses remove their personal information.
  5. Businesses are prohibited from charging consumers different prices or refusing service, even if the consumer exercised their privacy rights.

As of the end of October, we were still waiting for California’s attorney general to issue regulations about the law, but we at least know that each violation carries a $7,500 fine.

Microsoft’s pledge to honor CCPA nationwide could trigger other companies to do the same.