Microsoft Throws Its Support Behind CCPA and Tougher Privacy Laws

With the stringent new California Consumer Privacy Act (CCPA), which goes into effect on January 1, 2020, the top technology companies in the United States are starting to position themselves for a completely new operating environment in less than two months. Seattle-based Microsoft is now the first major tech company that says it plans to abide by the new CCPA not just in California, but also in every state where it operates in the United States. In a strongly worded blog post, Microsoft Chief Privacy Officer Julie Brill called privacy a “fundamental human right,” and explained that Microsoft was ready to honor California’s digital privacy law all through the U.S.

Europe’s GDPR as a model for California’s CCPA

In many ways, explained Brill, Microsoft’s previous embrace of Europe’s General Data Protection Regulation (GDPR) will serve as a model for how Microsoft plans to embrace the new CCPA. When the European GDPR went into effect in May 2018, Microsoft established itself as a leader in not just complying with the new legislation, but also helping other companies deal with their new legal, regulatory and business responsibilities. Based on that experience, Microsoft plans to adopt a similar approach for the CCPA.

Both the GDPR and CCPA establish privacy as a fundamental right, in which corporations and other organizations have some important responsibilities to safeguard personal data. The new CCPA, for example, contains three key rights in regard to personal data – the right to ownership of one’s personal data, the right to control over one’s data and how it is used by third parties, and the right to security of one’s data. As a result, the CCPA includes some sweeping rules for corporations that collect, analyze or store data. For example, they must disclose data collection practices, such as whether it is sold and to whom, and why they are collecting that data in the first place. Moreover, they must provide ample opportunities for consumers to opt out of any sale of their data, or to have certain data deleted.

Moreover, similar to the GDPR, the CCPA includes some tough new penalties for any company that fail in their responsibility to safeguard data. A single CCPA violation can cost a company up to $2,500. If a company is found to be intentionally negligent in its violation, the penalty can increase to as much as $7,500. Based on previous experience with the GDPR, which also established financial penalties for violations, it’s clear that companies are taking this CCPA compliance provision very seriously.

The CCPA as a template for other states

In the Microsoft blog post about the CCPA data privacy law, the company’s Chief Privacy Officer did not stop with just an endorsement of the CCPA, and its important role in providing “robust protection” for every individual. She also mentioned that Microsoft is hopeful that the California Consumer Privacy Act could become a model for other states around the nation.

And, perhaps most notably, she also took a subtle jab at legislators in Washington, DC, suggesting that states would drive forward the fight for privacy protections if national legislators were unwilling to do so. She specifically chided an “absence of Congressional action,” clearly implying that Microsoft was waiting for the federal government to come up with national privacy legislation that could be applied to all jurisdictions and data subjects within the United States.