The CCPA, which was approved by the California legislature in 2018, provides that:
- Consumers have the right to know what personal data information companies are collecting about them, why the companies are collecting the data, and with whom they are sharing it;
- Consumers have the right to tell information companies to delete their data, as well as to not sell or share their information;
- Businesses must provide the same quality of service to consumers who opt out of sharing or selling data; and
- Stricter regulations on sharing or selling data from children under the age of 16.
Given the size of the California consumer market, the state law has been viewed as having the potential for becoming a de facto national set of practices for information service providers doing business in the U.S.
While the U.S. Congress has for many years debated the need for comprehensive data privacy laws, inaction on the Federal front has led Microsoft to embrace the California standard nationwide, the company said.
“The lack of action by the United States Congress to pass comprehensive privacy legislation continues to be a serious issue for people who are concerned about how their data is collected, used and shared,” said Julie Brill, Microsoft’s Chief Privacy Officer and a former Democratic member of the Federal Trade Commission.
“CCPA marks an important step toward providing people with more robust control over their data in the United States. It also shows that we can make progress to strengthen privacy protections in this country at the state level even when Congress can’t or won’t act,” she said.
“We are optimistic that the California Consumer Privacy Act — and the commitment we are making to extend its core rights more broadly — will help serve as a catalyst for even more comprehensive privacy legislation in the U.S.,” Brill said. “As important a milestone as CCPA is, more remains to be done to provide the protection and transparency needed to give people confidence that businesses respect the privacy of their personal information and can be trusted to use it appropriately.”
“Indeed, we are calling upon policymakers in other states and in Congress to build upon the progress made by California and go further by incorporating robust requirements that will make companies more responsible for the data they collect and use, and other key rights” from the European Union’s General Data Protection Regulation (GDPR), Brill said.
“More requirements for companies, together with the rights and tools for people to control their data, will prevent placing the privacy burden solely on the individual, and will provide layers of data protection that are appropriate for the digital age,” she said.
“We are optimistic that Congress will take the initiative to act,” Brill said. She continued, “In the meantime, we will continue to work with states that recognize the urgency to implement stronger laws to protect everyone’s privacy. As with GDPR and CCPA, whenever and wherever strong, sensible privacy laws are enacted, we will work to quickly extend the core protections those laws offer to our customers everywhere.”