As digital technology becomes more and more essential in our day-to-day lives, the lack of action by the United States Congress to pass comprehensive privacy legislation continues to be a serious issue for people who are concerned about how their data is collected, used and shared. There is good news, however. In the absence of strong national legislation, California has enacted a landmark privacy law, known as the California Consumer Privacy Act, or CCPA, which goes into effect on Jan. 1, 2020.
CCPA marks an important step toward providing people with more robust control over their data in the United States. It also shows that we can make progress to strengthen privacy protections in this country at the state level even when Congress can’t or won’t act.
We are strong supporters of California’s new law and the expansion of privacy protections in the United States that it represents. Our approach to privacy starts with the belief that privacy is a fundamental human right and includes our commitment to provide robust protection for every individual. This is why, in 2018, we were the first company to voluntarily extend the core data privacy rights included in the European Union’s General Data Protection Regulation (GDPR) to customers around the world, not just to those in the EU who are covered by the regulation. Similarly, we will extend CCPA’s core rights for people to control their data to all our customers in the U.S.
We continue to put these principles into practice every day through ongoing investments in tools that give people greater control over their personal information. More than 25 million people around the world – including over 10 million people in the U.S. – have used our privacy dashboard to understand and control their personal data. By being transparent about the data we collect and how we use it, and by providing solutions that empower businesses to safeguard personal data and comply with privacy laws, we can demonstrate our commitment in the absence of Congressional action.
Under CCPA, companies must be transparent about data collection and use, and provide people with the option to prevent their personal information from being sold. Exactly what will be required under CCPA to accomplish these goals is still developing. Microsoft will continue to monitor those changes, and make the adjustments needed to provide effective transparency and control under CCPA to all people in the U.S. While many of our customers and users will find that the data controls we already offer them through our GDPR commitment will be stronger than those rights offered by the new California law, we hope this step will show our commitment to supporting states as they enact laws that take us in the right direction.
In addition, we are working closely with our enterprise customers to help them comply with CCPA. Our goal is to help our customers understand how California’s new law affects their operations and provide the tools and guidance they will need to meet its requirements.
We are optimistic that the California Consumer Privacy Act — and the commitment we are making to extend its core rights more broadly — will help serve as a catalyst for even more comprehensive privacy legislation in the U.S. As important a milestone as CCPA is, more remains to be done to provide the protection and transparency needed to give people confidence that businesses respect the privacy of their personal information and can be trusted to use it appropriately.
In addition to guaranteeing the rights of individuals to control their personal information, we believe privacy laws should be further strengthened by placing more robust accountability requirements on companies. This includes making companies minimize the data they collect about people, specify the purposes for which they are collecting and using people’s data, and making them more responsible for analyzing and improving data systems to ensure that they use personal data appropriately. Indeed, we are calling upon policymakers in other states and in Congress to build upon the progress made by California and go further by incorporating robust requirements that will make companies more responsible for the data they collect and use, and other key rights from GDPR. More requirements for companies, together with the rights and tools for people to control their data, will prevent placing the privacy burden solely on the individual, and will provide layers of data protection that are appropriate for the digital age.
We are optimistic that Congress will take the initiative to act. In the meantime, we will continue to work with states that recognize the urgency to implement stronger laws to protect everyone’s privacy. As with GDPR and CCPA, whenever and wherever strong, sensible privacy laws are enacted, we will work to quickly extend the core protections those laws offer to our customers everywhere.