With the stringent new California Consumer Privacy Act (CCPA), which goes into effect on January 1, 2020, the top technology companies in the United States are starting to position themselves for a completely new operating environment in less than two months. Seattle-based Microsoft is now the first major tech company that says it plans to abide by the new CCPA not just in California, but also in every state where it operates in the United States. In a strongly worded blog post, Microsoft Chief Privacy Officer Julie Brill called privacy a “fundamental human right,” and explained that Microsoft was ready to honor California’s digital privacy law throughout the U.S.
Europe’s GDPR as a model for California’s CCPA
In many ways, explained Brill, Microsoft’s previous embrace of Europe’s General Data Protection Regulation (GDPR) will serve as a model for how Microsoft plans to embrace the new CCPA. When the European GDPR went into effect in May 2018, Microsoft established itself as a leader in not just complying with the new legislation, but also helping other companies deal with their new legal, regulatory and business responsibilities. Based on that experience, Microsoft plans to adopt a similar approach for the CCPA.
Both the GDPR and CCPA establish privacy as a fundamental right, in which corporations and other organizations have some important responsibilities to safeguard personal data. The new CCPA, for example, contains three key rights in regard to personal data – the right to ownership of one’s personal data, the right to control over one’s data and how it is used by third parties, and the right to security of one’s data. As a result, the CCPA includes some sweeping rules for corporations that collect, analyze or store data. For example, they must disclose data collection practices, such as whether the data is sold and to whom, and why they are collecting that data in the first place. Moreover, they must provide ample opportunities for consumers to opt out of any sale of their data, or to have certain data deleted.
Moreover, similar to the GDPR, the CCPA includes some tough new penalties for any company that fails in its responsibility to safeguard data. A single CCPA violation can cost a company up to $2,500. If a company is found to be intentionally negligent in its violation, the penalty can increase to as much as $7,500. Based on previous experience with the GDPR, which also established financial penalties for violations, it’s clear that companies are taking this CCPA compliance provision very seriously.
The CCPA as a template for other states
In the Microsoft blog post about the CCPA data privacy law, the company’s Chief Privacy Officer did not stop with just an endorsement of the CCPA, and its important role in providing “robust protection” for every individual. She also mentioned that Microsoft is hopeful that the California Consumer Privacy Act could become a model for other states around the nation.
And, perhaps most notably, she also took a subtle jab at legislators in Washington, DC, suggesting that states would drive forward the fight for privacy protections if national legislators were unwilling to do so. She specifically chided an “absence of Congressional action,” clearly implying that Microsoft was waiting for the federal government to come up with national privacy legislation that could be applied to all jurisdictions and data subjects within the United States.
Microsoft’s CCPA strategy
So what is the real purpose of Microsoft throwing its support so visibly behind the new CCPA? The easiest answer is that Microsoft is looking to differentiate itself from other tech rivals in the industry by becoming a “privacy-centric” company. Already, companies such as Apple have attempted to make privacy a key buzzword in marketing and promotional campaigns, and Microsoft clearly has no interest in losing ground here. At a time when companies like Facebook are being pulled in front of Congress and also fined billions of dollars by federal regulators, Microsoft clearly wants to distance itself from these “bad apples.”
But there could be another strategy at play here, too. As some data privacy experts have pointed out, Microsoft has already seen the writing on the wall and knows that the question is not “if” but “when” the U.S. will get federal privacy legislation. So, by being an early outspoken proponent of privacy legislation, Microsoft can help to steer the national debate and carve out rules and perhaps even loopholes that will be favorable for the company.
If you’re a skeptic, you might also argue that Microsoft is gambling that any federal legislation will be much weaker than any state-level legislation. By the time a federal law is enacted that has true national support, it will likely be very watered down and filled with all kinds of exceptions that Microsoft might be able to exploit.
The CCPA as a catalyst for new privacy legislation
One thing is certain: Microsoft is hopeful that the CCPA can become a catalyst for other states to adopt their own legislation based on the ground rules put into place by California. From the company’s perspective, it will be much more favorable if every state adopts the same (or nearly the same) legislation. That will make it much easier for Microsoft to comply with each new piece of legislation. Otherwise, there is a risk that the U.S. marketplace could become a patchwork quilt of differing laws, rules, and guidelines. That is probably one good reason why Microsoft is now hoping that the U.S. Congress will get involved – the single best way to guarantee a unified regulatory approach is to delegate all heavy lifting to the federal government.
Heading into 2020, look for other tech companies to fall in line behind Microsoft, as they push for federal privacy legislation. It’s now clear that the push for more privacy of personal information is more than just a “fad” or “trend” – it is now clearly entrenched in how companies must do business in the digital age. As a result, tech giants ignore the potential sweeping power and reach of the CCPA at their own peril.