Microsoft extends CCPA privacy protections beyond California

Companies have spent 2019 preparing for the California Consumer Privacy Act (CCPA), which officially goes into effect on January 1, 2020. While many are planning to only apply the regulations to their California customers, Microsoft is taking a broader approach.

What is the CCPA?

The CCPA is an act designed to give consumers control over who has access to their personal data and information and how that information is shared, stored, and sold.

Under the act, businesses that serve customers in California must inform their customers of what information they are storing. Customers then have the power to say "no" and ask companies not to keep their information. Companies must comply with customer requests or face litigation.

For now, the act only applies to companies that are based in California and do business with California consumers. That's why Microsoft's statement that it will extend the CCPA to all of its customers, regardless of whether or not they live in California, is such a bold move.

Who needs to comply with the CCPA?

Most big businesses will need to comply with CCPA since they probably already do business with California residents. Specifically, companies that meet at least one of these criteria are mandated to comply with the new act: 

• Exceed annual gross revenue of $25 million.
• Obtain personal information of at least 500,000 California residents, households, or devices.
• Obtain at least 50% of their annual revenue from selling the personal information of California residents.

Note that the focus is on companies that make a profit from selling their customers' personal information. However, that doesn't mean that only companies that meet all of these criteria should comply.

Eleven states have already introduced legislation similar to the CCPA, which means companies of all types and sizes in all industries should be prepared to make changes in order to comply with new consumer protection legislation as it becomes mandated in other states.

Why is Microsoft's stance on the CCPA significant?

Microsoft announced that the company will apply all of the regulations set out by the CCPA to all of their customers, regardless of where they live, which marks an important step for consumer privacy advocates who are concerned with the overwhelming amount of data that is stored, shared, and sold by marketers and businesses worldwide.

(For a refresher on what type of personal data companies store, you can take a look at this article we wrote on this topic.) 

In a statement released on Monday, Microsoft's Corporate Vice President for Global Privacy and Regulatory Affairs and Chief Privacy Officer Julie Brill said, "Our approach to privacy starts with the belief that privacy is a fundamental human right and includes our commitment to provide robust protection for every individual." 

She pointed out that Microsoft has already proven its commitment to consumer privacy by voluntarily extending the rights covered by the European Union's General Data Protection Regulation (GDPR) to customers worldwide. When Microsoft made this move in 2018, it was the first company to do so. 

In her announcement, Brill singled out Congress — specifically their lack of effort to put forward a national privacy act that would require all U.S. businesses to follow regulations to protect their customers' data. 

"By being transparent about the data we collect and how we use it, and by providing solutions that empower businesses to safeguard personal data and comply with privacy laws, we can demonstrate our commitment in the absence of Congressional action." 

Now, it's worth noting that Microsoft doesn't get the same type of financial gain from its customers' personal data as other tech giants like Google and Facebook do. So, the fact that it won't be losing significant profits could account for Microsoft's seemingly bold move to apply regional privacy laws to all of its customers around the world.

Nonetheless, if the goal is to have Congress pass a national privacy act, having a tech leader at the forefront of the debate could help all companies involved.

What does the future look like with the CCPA in place?

The CCPA is a brand new regulation in the United States. As such, it's reasonable to anticipate that it will need to adapt and change once it's put into action. Brill acknowledges that, by applying the CCPA's guidelines to all of their customers, Microsoft will have to monitor and adapt their transparency as the CCPA evolves.

Microsoft will also work closely with their enterprise customers to help them through the transition to the CCPA.

Brill closes her announcement by assuring customers and interested parties that Microsoft will continue to protect consumer privacy and will roll out new regulations that states enact to all of their customers. She writes, "As with GDPR and CCPA, whenever and wherever strong, sensible privacy laws are enacted, we will work to quickly extend the core protections those laws offer to our customers everywhere."

Microsoft users and customers, then, can rest easy, knowing the company is committed to using and sharing their personal information in a responsible manner.