Ride the Lightning

Microsoft Will Honor California’s New Privacy Law Throughout the US

November 20, 2019

Naked Security reported on November 13 that Microsoft will "honor" California's Consumer Privacy Act (CCPA) nationwide when it becomes effective on January 1, 2020. Considering all the prospective fines and penalties that accompany violations of the law, that's remarkable in one way and makes sense in another.

There is a precedent here – in 2018, when the European Union's comprehensive General Data Protection Regulation (GDPR) went into effect, Microsoft extended the regulation's data privacy rights worldwide, above and beyond the Europeans it covers.

On Monday, Microsoft chief privacy officer Julie Brill said in a blog post that CCPA is good news, given the failure of Congress to pass a comprehensive privacy protection law at the federal level.

Brill said, "CCPA marks an important step toward providing people with more robust control over their data in the United States. It also shows that we can make progress to strengthen privacy protections in this country at the state level even when Congress can't or won't act."

Under CCPA, companies must be transparent about data collection and use, and provide people with the option to prevent their personal information from being sold. Exactly what will be required under CCPA to accomplish these goals is still developing.

California's law isn't just for California businesses, of course. Businesses that do business or have customers, or potential customers, in California will still be on the hook, if they meet one of these criteria:

• Have an annual gross revenue more than $25 million.
• Receives, shares, or sells personal information of more than 50,000 individuals.
• Earns 50% or more of its annual revenue from selling personal information of consumers.

These are the general categories for the consumer rights that CCPA is going to deliver:

• Businesses must inform consumers of their intent to collect personal information.
• Consumers have the right to know what personal information a company has collected, where the data came from, how it will be used, and with whom it's shared.
• Consumers have the right to prevent businesses from selling their personal information to third parties.
• Consumers can request that businesses remove their personal information.
• Businesses are prohibited from charging consumers different prices or refusing service, even if the consumer exercised their privacy rights.

As of the end of October, we were still waiting for California's attorney general to issue regulations about the law, but we know that each violation carries a $7,500 fine.

Microsoft's pledge to honor CCPA nationwide could – and probably will – trigger other companies to do the same.

Sharon D. Nelson, Esq., President, Sensei Enterprises, Inc.
3975 University Drive, Suite 225|Fairfax, VA 22030
Email: Phone: 703-359-0700
Digital Forensics/Cybersecurity/Information Technology
https://senseient.com
https://twitter.com/sharonnelsonesq
https://www.linkedin.com/in/sharondnelson
https://amazon.com/author/sharonnelson