On Monday, Microsoft announced that it would honor the “core rights” provided to Californians through the state’s landmark data privacy law and expand that coverage across the entire United States.
In a Monday blog post, Julie Brill, Microsoft’s chief privacy officer, said that the company will extend the main principles of the California Consumer Privacy Act (CCPA) across the US just as it did with Europe’s General Data Protection Regulation (GDPR) last year. The law goes into effect in California on January 1st, 2020.
CCPA, which was approved in June 2018, is one of the fiercest and most sweeping data privacy regulations in the US. It’s somewhat similar to GDPR. Under CCPA, companies must disclose to users what personal data of theirs is being collected, whether it is sold and to whom, and allow users to opt out of any sales. Users must also have access to their data and be able to request that a company delete it.
“Under CCPA, companies must be transparent about data collection and use, and provide people with the option to prevent their personal information from being sold,” Brill wrote. “Exactly what will be required under CCPA to accomplish these goals is still developing.”
Brill continued, saying that Microsoft will closely monitor any changes to how the government asks companies to enforce the new transparency and control requirements under CCPA.
CCPA has been the subject of many privacy fights both in the California state legislature and Congress. The Senate and the House of Representatives are in the midst of their own data privacy fight with new bills being proposed every couple weeks. Many Democratic lawmakers argue that any national legislation should leave California as a baseline and extend those protections across the country and add more protections if necessary. Republicans and industry stakeholders disagree and are broadly convinced that CCPA goes too far and any federal law should nullify it and any other state laws in order to stave off a “patchwork” of privacy regulations.
“CCPA marks an important step toward providing people with more robust control over their data in the United States,” Brill wrote. “It also shows that we can make progress to strengthen privacy protections in this country at the state level even when Congress can’t or won’t act.”