Microsoft to apply tough new California privacy law across the United States

(United States) Microsoft says it will apply the GDPR-style California privacy law across all of the United States. Naked Security reports as follows:

You know California’s Consumer Privacy Act (CCPA), the tough new privacy law? The sweeping, GDPR-esque legislation set to go into effect on the first day of the new year that’s set off palpitations within the breasts of tech companies and lawmakers, what with its specter of fines and compliance costs?

Microsoft’s cool with it.

In fact, the company said that it plans to “honor” the law throughout the entire country, even though it’s only a state law. That’s similar to what it did in 2018, when the European Union’s comprehensive General Data Protection Regulation (GDPR) went into effect and the company extended the regulation’s data privacy rights worldwide, above and beyond the Europeans it covers.

On Monday, Microsoft chief privacy officer Julie Brill said in a blog post that CCPA is good news, given the failure of Congress to pass a comprehensive privacy protection law at the federal level.

Chalk one up for Microsoft when it comes to privacy signaling in the runup to CCPA’s debut. Here’s Brill:

CCPA marks an important step toward providing people with more robust control over their data in the United States. It also shows that we can make progress to strengthen privacy protections in this country at the state level even when Congress can’t or won’t act.

Brill reminded the world that Microsoft’s privacy attitude “starts with the belief that privacy is a fundamental human right and includes our commitment to provide robust protection for every individual.”

(Privacy press clipping sourced via Naked Security)
Jurisdiction: United States

Key takeaways:


  • California’s new law is serious business, and is forcing many corporates to pay attention. Each violation of the California privacy law will reportedly carry a US$7,500 price tag.

  • Microsoft isn’t alone in chasing business efficiencies by applying a ‘highest common denominator’ approach to privacy law. Many companies have done this for the GDPR, finding it is simpler to apply one high standard rather than lots of different standards. Keeping tabs on the tougher law also usually means a company is in compliance with other, weaker laws.

  • While not finalised yet, the California privacy law could be a model of leadership for regulation in the United States. It is certainly being cited by those who would like to see a federal privacy framework and a federal data privacy regulator.
