Microsoft to Extend CCPA Privacy Rights to All US Customers
On November 11, 2019, Microsoft announced that it will honor California Consumer Privacy Act’s (CCPA) rights throughout the United States. By its terms, the CCPA applies only to “California residents.” This follows Microsoft’s similar commitment made in 2018 to extend the core privacy rights included in the EU’s General Data Protection Regulation to customers around the world.
In announcing this decision, Julie Brill, Microsoft’s Corporate Vice President for Global Privacy and Regulator Affairs and Chief Privacy Officer, declared that the company “strong[ly] support[s] California’s new law and the expansion of privacy protections in the United States that it represents. Our approach to privacy starts with the belief that privacy is a fundamental human right and includes our commitment to provide robust protection to every individual.” At the same time, Brill called on Congress to enact a federal privacy legislation to “build upon the progress made by California.” In the absence of a comprehensive federal legislation, the CCPA, which applies to companies in and outside of California, effectively set a nationwide standard for privacy regulation.
The Microsoft’s decision to implement the CCPA nationwide could prompt other companies to follow suit. The commentators have noted that a wider commitment to the CCPA will likely become a differentiating point on the market where consumers are increasingly concerned about their privacy. Notwithstanding Microsoft’s declared commitment to extending privacy rights, its decision might also reflect a pragmatic approach to compliance. Operationally, it might be easier for companies not to distinguish between California and non-California residents when complying with the CCPA requirements. In addition, given that the CCPA has become a model law for a number of states (such as Massachusetts, New Mexico, Rhode Island, and Hawaii) as they consider their own privacy legislation, a nationwide implementation of the CCPA framework is likely to simplify future compliance efforts.