Microsoft commits to honouring California Consumer Privacy Act nationwide
It's the first company to make such a promise, but it might not be as rose-tinted as it seems
Microsoft has announced its commitment to honouring the principles of the upcoming California Consumer Privacy Act (CCPA) nationwide, the first big technology firm to do so.
It cited the success of Europe's General Data Protection Regulation (GDPR) as a key motivator in its decision to support the "landmark privacy law", adding that privacy should be seen more as a human right that shouldn't be violated.
The CCPA is due to take effect in the west coast state on 1 January 2020. Similar to the motivations of GDPR, the CCPA aims to introduce more robust rules to protect the privacy of California's citizens and compel companies to be more transparent in the way they handle their customers' data.
Also, like the GDPR, the CCPA will financially punish companies that suffer from damaging data incidents. Companies found to be breaching the CCPA could be fined up to $2,500 per violation or up to $7,500 if it's clear the violation was intentional.
Victims will also be afforded the right to file a class-action lawsuit against the offending company for damages ranging between $100 and $750. Businesses also have 30 days to rectify any incidents that fall foul of the CCPA's rules.
Although California citizens will have the legal right to hold companies to account, Microsoft customers outside of the state will have to simply rely on the company's promise.
"While many of our customers and users will find that the data controls we already offer them through our GDPR commitment will be stronger than those rights offered by the new California law, we hope this step will show our commitment to supporting states as they enact laws that take us in the right direction," said Microsoft in a blog post.
Get the ITPro. daily newsletter
Receive our latest news, industry updates, featured resources and more. Sign up today to receive our FREE report on AI cyber crime & security - newly updated for 2024.
"We are optimistic that the California Consumer Privacy Act - and the commitment we are making to extend its core rights more broadly - will help serve as a catalyst for even more comprehensive privacy legislation in the US.
"As important a milestone as CCPA is, more remains to be done to provide the protection and transparency needed to give people confidence that businesses respect the privacy of their personal information and can be trusted to use it appropriately."
However, Microsoft's commitment may not be as transformative as the company may wish to communicate. An individual close to the matter told Reuters that Microsoft will have a much easier time of committing to such data protection laws due to the way it structures its business divisions.
Many of its data-collecting divisions which include the likes of Edge, Cortana, Windows, Skype and Xbox Live can be classified as service providers - a type of business that is given special consideration under data protection laws.
For example, a business that shares an individual's data with a third-party company may be required to disclose that information with its customers in addition to providing them with advanced notice that the data may be sold or shared.
The same rules don't always apply to service providers receiving data from other businesses and those disclosure clauses may not be triggered, making it easier to comply with data protection law without having to drastically revamp the company's day-to-day operations.
It's believed that other states will enact their own privacy laws before Congress gets around to passing its own national law. The states of Washington and New York are both working on getting their own privacy laws through their respective legislatures and these will probably have different conditions to California's.
This means Microsoft will have to also commit to honouring these different rules if or when they are introduced which could prove to be a challenging feat.
Connor Jones has been at the forefront of global cyber security news coverage for the past few years, breaking developments on major stories such as LockBit’s ransomware attack on Royal Mail International, and many others. He has also made sporadic appearances on the ITPro Podcast discussing topics from home desk setups all the way to hacking systems using prosthetic limbs. He has a master’s degree in Magazine Journalism from the University of Sheffield, and has previously written for the likes of Red Bull Esports and UNILAD tech during his career that started in 2015.