On Nov. 11, Microsoft announced that it will voluntarily extend the core data privacy protections afforded to California residents under the California Consumer Privacy Act (CCPA) to all its U.S. customers.
California's landmark privacy law, which takes effect on Jan. 1, 2020, has left many businesses struggling with whether to distinguish, in their compliance efforts, between those who live inside and outside the state. On one hand, a company may decide that not making a residency distinction when processing personal data is simpler and operationally attractive, because it does not have to determine residency. On the other hand, a business may want to distinguish between residents and non-residents in order to limit the pool of consumers who can opt out of the sale of personal information or exercise other rights under the CCPA.
By extending CCPA's protections to all its U.S. customers, Microsoft has chosen the first option — and has decided to promote its decision.
The software giant’s announcement has created a compliance floor for many companies. With several states considering laws that are similar to the CCPA, Microsoft has now made the CCPA the minimum standard for consumer privacy rights, which is a model that is sure to be followed on a broad basis. Any company, especially one similarly situated to Microsoft, will now have a difficult time taking a less consumer-friendly approach to data privacy.
Microsoft also called on Congress to pass federal legislation giving protection to consumers nationwide, echoing the sentiments of many companies and privacy professionals. With multiple state-directed legislative efforts currently underway, it is already evident that companies will face a patchwork of laws with different standards and obligations, likely making it nearly impossible to simultaneously comply with all states' requirements.
“We are optimistic that the California Consumer Privacy Act — and the commitment we are making to extend its core rights more broadly — will help serve as a catalyst for even more comprehensive privacy legislation in the U.S.," wrote Microsoft Chief Privacy Officer Julie Brill, who is also corporate vice president for global privacy and regulatory affairs. "As important a milestone as CCPA is, more remains to be done to provide the protection and transparency needed to give people confidence that businesses respect the privacy of their personal information and can be trusted to use it appropriately.”
As businesses are considering CCPA compliance, and specifically whether to extend the law’s protections to non-California residents, they should pay close attention to the reaction to Microsoft’s decision.