Microsoft has surprised its competitors with the November announcement that it fully plans to apply California’s new data privacy act to users in all 50 states. The California Consumer Privacy Act (CCPA) goes into effect on January 1, and will provide a new set of privacy standards that tech companies must meet when it comes to individual user data. Many of Microsoft’s competitors feel that the company is jumping the gun and are urging a more cautious approach before imposing one state’s rules on the entire country.
Microsoft support specialist and Sacramento IT services professional Michael Nelson of TLC Tech shares insights into CCPA and Microsoft.
Microsoft Supports CCPA for All Users
California’s CCPA requires companies to be more transparent about what personal data is being used, how it is being used and how it is shared with third parties. The CCPA also requires companies to provide a clear method to opt out of those policies. Microsoft’s Chief Privacy Officer, Julie Brill, has praised the law for the control it gives internet users over their own data. Not everyone is convinced, however.
Other Companies Not Convinced
The Internet Association, comprised of groups like Amazon, Facebook and Google, is advocating for a federal privacy law to provide guidelines on how companies protect consumer data. Nelson states, “California is one of the first states to pass a comprehensive data privacy law.” The Internet Association’s point is that California won’t be the last.
It’s very costly to apply one standard to the way that companies do business, only to have to then implement a different set of standards when Florida adopts a new privacy law (followed by Texas, New York, Washington, Arkansas, and so on). The Internet Association’s point is that one standard would be much cheaper and easier to comply with than the eventual 50 separate state standards the industry is likely to get.
The European Precedent
Tech companies and other institutions have already been through this with the European Union’s General Data Protection Regulation (GDPR). The GDPR imposes one standard for data protection for all nations in Europe, which covers the following areas:
- Data breach notifications
- Data protection and security
- Disposing of data
- Non-PII (Personally-Identifying Information) privacy
One example in the US that highlights the concerns of the Internet Association is data breach laws. This is the only one of the four data privacy concerns that has been addressed in legislation in all 50 states, so far. America has 50 separate versions of the law that companies must comply with.
It’s a patchwork approach to data breaches that requires company legal teams to wade through 50 separate versions of one concept in the event of a breach. Indiana’s law is pro-consumer, while Idaho’s is more pro-business. Connecticut’s data breach laws are aimed at insurers and medical companies, while Maine’s law encompasses all industries that deal with consumer data. Florida’s law is highly specific, while Hawaii’s law is extremely vague — requiring companies to notify consumers of a data breach “without unreasonable delay.”
The Internet Association’s concern is that the result when it comes to consumer privacy will be the same patchwork approach, and 50 separate confusing statutes to comply with. Meanwhile, Congress has been dragging its feet on data privacy legislation in 2019 and is unlikely to pass comprehensive legislation in an upcoming election year.