In the absence of a federal digital privacy law, Microsoft has decided to comply with the requirements of California’s Consumer Privacy Act (CCPA) throughout the U.S.
The CCPA in short
The CCPA goes into effect on January 1, 2020, and says that California residents (consumers) have the right to know what personal data is being collected about them and access it, to know whether their data is sold or disclosed (and to whom), to demand that organizations delete their data and/or not sell it to anyone and, finally, to not be discriminated against for exercising these rights.
It applies to California-based businesses with a revenue above $25 million, those whose primary business is the sale of personal information, and those that hold the personal information of 50,000 or more consumers, households, or devices.
Organizations are required to implement and maintain reasonable security procedures and practices to protect consumer data. If they fail to do that, they can be sued. If they don’t comply with the requirements, they could get fined up to $7,500 for each intentional violation and $2,500 for each unintentional violation.
“Under CCPA, companies must be transparent about data collection and use, and provide people with the option to prevent their personal information from being sold. Exactly what will be required under CCPA to accomplish these goals is still developing. Microsoft will continue to monitor those changes, and make the adjustments needed to provide effective transparency and control under CCPA to all people in the U.S.,” said Microsoft chief privacy officer Julie Brill.
She also noted that the company believes “privacy laws should be further strengthened by placing more robust accountability requirements on companies,” such as minimization of data collection, more thorough explanations of why the data is collected and how it’s used, and so on.
“More requirements for companies, together with the rights and tools for people to control their data, will prevent placing the privacy burden solely on the individual, and will provide layers of data protection that are appropriate for the digital age,” she added.
Emily Wilson, VP of Research at digital risk protection provider Terbium Labs, says that this move illustrates just how much Microsoft sees the writing on the wall, as do the other tech giants in the space – either they can embrace the overarching and detailed California legislation, or they can attempt to push for a national standard.
“While pushing for a national standard may sound like an easier path to compliance (a unified set of requirements, rather than needing to make adjustments on a state-by-state basis), tech giants are also hoping that the process of creating a national framework will be a slow and tedious process, ultimately resulting in legislation that is less stringent in its requirements,” she opined.
“Organizations have no inherent incentive to limit their data collection practices or provide consumers with increased privacy; the data economy is lucrative, and the more companies can collect and analyze, the greater their competitive advantage and potential profit. Microsoft choosing to lean in on CCPA is likely to be an outlier amongst the other major tech companies who would rather bide their time, and certainly an outlier among smaller enterprise organizations.”