#Privacy: Microsoft decision to honour CCPA across the US a “simple yet very effective move”

Microsoft has announced its intention to uphold the “core rights” afforded to Californian citizens under the California Consumer Privacy Act (CCPA), which comes into effect on 1st January 2020.

The tech giant has said it will apply the landmark legislative framework across operations throughout the US; according to Julie Brill, Microsoft’s chief privacy officer, the CCPA’s principles will be embraced and rolled out in a similar fashion to those of the EU’s General Data Protection Regulation (GDPR) last year.

In a blog post, Brill said:

“CCPA marks an important step toward providing people with more robust control over their data in the United States. It also shows that we can make progress to strengthen privacy protections in this country at the state level even when Congress can’t or won’t act.

“We are strong supporters of California’s new law and the expansion of privacy protections in the United States that it represents. Our approach to privacy starts with the belief that privacy is a fundamental human right and includes our commitment to provide robust protection for every individual.

“This is why, in 2018, we were the first company to voluntarily extend the core data privacy rights included in the European Union’s General Data Protection Regulation (GDPR) to customers around the world, not just to those in the EU who are covered by the regulation. Similarly, we will extend CCPA’s core rights for people to control their data to all our customers in the U.S.”

Approved in the summer of last year, the CCPA is one of the strongest and most purposeful data privacy regulations to have materialised in the US, and has taken much inspiration from the GDPR.

Under the terms of California’s new data protection laws, companies must tell consumers what personal data is being collected by the company. Firms must also disclose whether that data is being sold and to whom, and give consumers the option of opting out of sales.

User control, a fundamental tenet of the EU’s data laws, is also embraced by the CCPA; companies dealing with the data of California’s citizens must allow users to access their data and to request its deletion.

“Under CCPA, companies must be transparent about data collection and use, and provide people with the option to prevent their personal information from being sold,” Brill wrote.

“Exactly what will be required under CCPA to accomplish these goals is still developing.”

Speaking to PrivSec Report, Richard Merrygold, Managing Consultant and Data Protection Officer at iSTORM, said:

“This is great news and demonstrates that Microsoft have a desire not only to be compliant but also recognise the need to be efficient. One of the biggest challenges for organisations bound by the CCPA that operate across the U.S. is how do you segregate your customers to only provide the rights to those who live in California.

“The rights offered by the CCPA are fair and not particularly wide-reaching; it makes perfect sense, to any organisation that cares about its customers, to extend those rights to everyone, saving time, money and increasing customer trust. A simple yet very effective move by Microsoft.”

Commenting on the strategy of Microsoft’s move, Robert Baugh, CEO of Privacy-as-a-Service provider, Keepabl, told PrivSec Report:

“Microsoft’s announcement is very welcome to privacy advocates but it’s also likely to be adopted by many organisations as a practical decision. The CCPA can easily apply to organisations outside California – much as GDPR can easily apply outside the EU.

“So US businesses have to decide whether to have separate policies and procedures on how they collect, protect, share and report on PII on a State-by-State basis or if it is better to have a baseline set to comply with the strictest level, to simplify procedures.

“That may mean accepting additional obligations when not technically applicable, but the efficiency gains are going to be significant. And privacy legislation in the US, and globally, is only going one way so it can also pay to be ahead of the curve and use that to gain competitive advantage.”

