Microsoft is planning to apply the California Consumer Privacy Act (CCPA) across the entirety of its business and customer base in the United States.
Why? Because Congress can’t get its act together (literally).
In a blog post on Monday, Microsoft decried the fact that there’s been no serious movement to draft bipartisan federal privacy legislation.
“The lack of action by the United States Congress to pass comprehensive privacy legislation continues to be a serious issue for people who are concerned about how their data is collected, used and shared,” wrote Julie Brill, Microsoft’s corporate VP for global privacy and regulatory affairs and the company’s chief privacy officer. (Before the Microsoft gig and a stint in private practice, Brill spent six years as a commissioner at the Federal Trade Commission.)
This isn’t the first time Microsoft made a move like this. Last year, it was the first company to voluntarily extend the data privacy rights enshrined in Europe’s General Data Protection Regulation (GDPR) to all of its global customers, not just those in the EU.
Technology companies and advertising trade organizations have been lobbying for a federal privacy law out of fear that every state will pass its own, which would make compliance difficult.
But privacy advocates and some lawmakers are wary of their motives. Democrats have said they won’t support a federal privacy framework that preempts CCPA if it waters down or weakens the California law in any way.
Two Democratic House reps introduced a bill last week in an effort to set the groundwork for a federal privacy law they claim will be tougher than the CCPA. But it’s a long, long road before a bill becomes a law, and most proposals die somewhere along the way.
With its stand, Microsoft is both sidestepping and furthering the debate.
The CCPA, Brill writes, “shows that we can make progress to strengthen privacy protections in this country at the state level even when Congress can’t or won’t act.”
As one of the largest companies in the world, Microsoft has a lot of weight to throw around.
The hope, according to Brill, is that CCPA serves as a catalyst for “even more comprehensive privacy legislation in the US.”
Microsoft says it supports importing GDPR-like tenets from Europe, including placing more stringent accountability requirements on companies and requiring a specific data minimization mandate, which doesn’t exist under CCPA.
“We are optimistic that Congress will take the initiative to act,” Brill wrote. “In the meantime, we will continue to work with states that recognize the urgency to implement stronger laws to protect everyone’s privacy.”
