Microsoft unexpectedly announced on Monday that it will apply California’s upcoming privacy act to its users not only in that state but across the United States.
Made via blog post, the announcement was a surprise to many because many tech companies based in the state strongly opposed the California Consumer Privacy Act (CCPA), which goes into effect on Jan. 1, 2020.
“CCPA marks an important step toward providing people with more robust control over their data in the United States,” read the blog post, credited to Microsoft Chief Privacy Officer Julie Brill. “It also shows that we can make progress to strengthen privacy protections in this country at the state level even when Congress can’t or won’t act.”
The post goes on to state that Microsoft strongly supports CCPA and expanded privacy regulations in general, and that the company will extend “CCPA’s core rights for people to control their data” to all customers in the United States.
“By being transparent about the data we collect and how we use it, and by providing solutions that empower businesses to safeguard personal data and comply with privacy laws, we can demonstrate our commitment in the absence of Congressional action,” the post reads.
Tech Reaction to CCPA Implementation
When CCPA goes into effect at the beginning of next year, California will have some of the world’s strictest laws for the privacy of user data, requiring companies under its purview to be transparent about what data they collect from users and how that data is used.
The law also requires companies to give users the option to restrict their personal data from being sold. That could affect the bottom line of the many tech companies earning revenue from the sale of user data to advertisers.
Some in the tech industry welcomed Microsoft’s announcement. “Extending CCPA’s privacy rights to all Americans underscores the need for a federal privacy law as not all companies will follow suit until they’re required to,” said Peter Reinhardt, CEO and co-founder of data management company Segment. Reinhardt said the announcement was a big step forward for privacy protections for consumers and predicted that similar moves by other tech companies like Apple could follow.
“We’ll find out if the rest of the tech industry decides to extend CCPA to all Americans, and not just California residents,” he said.
Wider commitment to legislation like CCPA and the European Union’s General Data Protection Regulation (GDPR) could become a point of differentiation for tech companies, said Kevin Beasley, CIO of cloud-based software company VAI. As companies are harnessing more customer data than ever before and consumers are increasingly concerned about the use and privacy of that data, it’s important to find a balance, Beasley said.
“It’s no longer going to work for companies to continue putting privacy and transparency on the back burner, and this goes not only for consumer-facing brands but for back-end enterprises as well,” he said.
Going nationwide with CCPA may simply be a matter of doing what makes the most sense for Microsoft, said Terry Ray, senior vice president at cybersecurity enterprise Imperva. It might actually be more difficult for Microsoft to apply the regulations only to users in California than it is to apply them to those in the entire country, Ray said.
“While the message is one of supporting the greater good, the reality is that the greater good coincidentally aligns with the shortest path to compliance in cases like CCPA and GDPR,” he said. “This is a bit of a win-win for Microsoft and for their users.”
Push for Federal Regulations
The changes CCPA will put into place at the start of the new year mirror many of those brought in by GDPR in Europe. Microsoft previously committed to applying those regulations to its customers worldwide when they came into effect in the spring of 2018.
Since the introduction of the act, there have been significant lobbying efforts against CCPA implementation. Some of those efforts sought to delay the law’s introduction or to influence the contents of the bill.
In September, 51 tech CEOs sent an open letter to Congress asking for a federal user data privacy law that would supersede CCPA and other laws in various stages of progress at the state level. Microsoft used its blog post to further agitate for that federal action while offering support for state-level measures as well.
“While many of our customers and users will find that the data controls we already offer them through our GDPR commitment will be stronger than those rights offered by the new California law, we hope this step will show our commitment to supporting states as they enact laws that take us in the right direction,” the post read.
CCPA is the first privacy legislation of this kind in the U.S., but it’s not likely to be the last, said Mark Sangster, vice president and industry security strategist at cybersecurity company eSentire.
Approached properly, these laws can actually provide an upside for enterprises by mitigating the risks of breaches or other security incidents, Sangster said. “Privacy legislation of this kind shouldn’t and doesn’t need to be seen as crippling to business,” he said. “It can actually be a business advantage by forcing companies to really evaluate the third parties they work with and how data is being stored and collected.”
Microsoft said in the post that the company is working closely with its enterprise customers to help them comply with CCPA. “Our goal is to help our customers understand how California’s new law affects their operations and provide the tools and guidance they will need to meet its requirements,” it read.
But even considering the blog post and Microsoft’s promises on CCPA, it’s unclear how successful the company will be in its implementation. After all, many companies are still unprepared for CCPA to come online, a repeat of what happened when GDPR took effect.
In fact, the tech giant itself is currently being investigated in the EU for failing to implement GDPR properly in its cloud services.