Microsoft embraces California law, shaking up privacy debate

Microsoft embraces California law, shaking up privacy debate
© Getty

Microsoft shook up the debate over privacy rules with its announcement that the company will follow the principles of California’s tough online privacy law across the U.S.

The tech giant received accolades from privacy advocates and some Democratic lawmakers over its decision on Monday to meet California’s standards in every U.S. state. But Microsoft’s decision could serve as a wake-up call on Capitol Hill, where bipartisan efforts to draw up federal privacy legislation have blown past a slew of deadlines. 


Other tech companies will almost certainly follow Microsoft’s lead, fixing California’s law as the de facto U.S. standard without congressional input, industry watchers said. 

“When one of the biggest tech companies in America voluntarily adopts California’s standard, it’s very likely to become America’s standard,” Jamie Court, the president of California-based Consumer Watchdog, told The Hill. 

Key Democrats in the Senate lauded Microsoft’s decision but said it underlined the need for federally mandated safeguards around what user information companies can collect and what they’re required to share with users about that data. 

“I’m glad to see that there are companies like Microsoft and Apple that continue to take privacy issues very seriously,” Sen. Mark WarnerMark Robert WarnerHillicon Valley: Facebook removed over 22 million posts for hate speech in second quarter | Republicans introduce bill to defend universities against hackers targeting COVID-19 research | Facebook's Sandberg backs Harris as VP pick Republicans set sights on FBI chief as Russia probe investigations ramp up The Hill's Campaign Report: US officials say Russia, China are looking to sow discord in election MORE (Va.), the top Democrat on the Senate Intelligence Committee, said in a statement to The Hill.

“However, the fact that companies are voluntarily adopting their own standards because of Congress’ lack of action underscores the need for regulators and Congress to get serious about guardrails at the federal level to protect user data and privacy,” he said. “The status quo isn’t working for consumers.” 

Sen. Richard Blumenthal (D-Conn.), one of the top tech critics in the Senate, lauded Microsoft in a statement, claiming the decision “proves tech companies can provide privacy protections to all Americans” but added that the U.S. needs “broad reform of the use of private data.” 

Microsoft is likely better-positioned to make the sweeping commitment than companies with fewer resources and a less global footprint. It will be relatively easy for Microsoft to comply with the principles of the California Consumer Privacy Act (CCPA) across state lines, considering the company is already investing significant resources into meeting an even stricter set of privacy regulations in Europe.

Before Europe’s General Data Protection Regulation (GDPR) went into effect last year, Microsoft announced that it would extend European-style privacy protections to its users nationwide. And earlier this month, Microsoft wrote that it is in an “excellent position” to meet the California law’s requirements after implementing the GDPR’s data restrictions and limitations globally.   

“It is absolutely the case that anyone who is GDPR-compliant already had a leg up,” Heather West, senior policy manager for privacy-focused tech company Mozilla, told The Hill. Mozilla also plans to extend California-style protections to all U.S. users, West said. 

But others have raised concerns about the fallout from Microsoft’s decision, particularly for smaller tech players.

Some Republicans argue that a company like Microsoft, which passed a market cap of $1 trillion earlier this year, will have an easier time complying with a CCPA-style privacy regime than other companies.

For years, the tech industry and Republican lawmakers have fretted over a potential “patchwork” of state laws, claiming small and medium-sized players can’t afford to navigate 50 different state privacy standards.  

“Companies the size of a Microsoft might be able to make California’s law work, but what about the smaller ones?” Rep. Greg WaldenGregory (Greg) Paul WaldenHillicon Valley: Trump backs potential Microsoft, TikTok deal, sets September deadline | House Republicans request classified TikTok briefing | Facebook labels manipulated Pelosi video Top House Republicans request classified TikTok briefing Pelosi huddles with chairmen on surprise billing but deal elusive MORE (Ore.), the top Republican on the House Energy and Commerce Committee, said in a statement to The Hill.

“A patchwork of state laws will hurt small startup companies—they lack the resources of a Microsoft,” Walden said. “We should give people the confidence their privacy is protected—regardless of their zip code.” 

And Microsoft’s move renewed the debate over California’s law.

California’s law allows users to access the information tech companies have collected about them and opt out of that data collection if they are uncomfortable with it. It is widely seen as the toughest privacy law in the country. But some privacy advocates have argued its provisions do not go far enough in protecting users’ sensitive personal information. 

Michelle Richardson, who directs the Center for Democracy and Technology’s data privacy project, expressed optimism that a federal law could go even further in curtailing what companies are allowed to collect and how.

“[The California law] is historic and a game-changer in the U.S., but we hope that other states or the federal government go further to put more burden on the companies,” Richardson said, such as placing more responsibility on companies to stop collecting and using sensitive user information. 

There are still unanswered questions around how the law will work in action, particularly how the state will enforce the CCPA provisions around companies that buy and sell user data. 

“Microsoft, with its focus on selling hardware and software and [business-to-business] enterprise customers, isn’t in the same position as ad-supported companies,” Joe Jerome, a privacy and cybersecurity attorney, told The Hill in an email.  

For that reason, Google and Facebook, two of the primary antagonists of the California law, aren’t likely to follow Microsoft’s lead anytime soon, experts said. Their business models rely more heavily on collecting and using data to target advertisements toward their users. 


Google pointed The Hill toward its framework for federal data protection legislation, which calls for “reasonable” limitations on how companies can use and collect data as well as one global privacy framework to stave off “overlapping or inconsistent rules.” Facebook has similarly called for a federal privacy regulation. 

There are several overlapping efforts to write privacy legislation in the House and Senate. The staffs of Senate Commerce Committee Chairman Roger WickerRoger Frederick WickerDavis: The Hall of Shame for GOP senators who remain silent on Donald Trump The Hill's Coronavirus Report: INOVIO R&D Chief Kate Broderick 'completely confident' world will develop a safe and effective COVID-19 vaccine; GOP boxed in on virus negotiations Hillicon Valley: Lawmakers zero in on Twitter after massive hack | US, UK, Canada allege Russian hackers targeted COVID-19 vaccine researchers | Top EU court rules data transfer deal with the US is illegal MORE (R-Miss.) and ranking member Maria CantwellMaria Elaine CantwellThe Hill's Coronavirus Report: Mike Roman says 3M on track to deliver 2 billion respirators globally and 1 billion in US by end of year; US, Pfizer agree to 100M doses of COVID-19 vaccine that will be free to Americans Overnight Energy: Supreme Court reinstates fast-track pipeline permit except for Keystone XL | Judge declines to reverse Dakota Access Pipeline shutdown OVERNIGHT ENERGY: Watchdog accuses Commerce of holding up 'Sharpiegate' report | Climate change erases millennia of cooling: study | Senate nixes proposal limiting Energy Department's control on nuclear agency budget MORE (D-Wash.) have been in bilateral talks since the summer, while Sens. Jerry MoranGerald (Jerry) MoranDavis: The Hall of Shame for GOP senators who remain silent on Donald Trump Trump tests GOP loyalty with election tweet and stimulus strategy VOA visa decision could hobble Venezuela coverage MORE (R-Kan.) and Richard Blumenthal (D-Conn.) have hinted they could put out privacy legislation of their own.

An industry source told The Hill that they heard a week ago that Moran and Blumenthal were getting closer to putting out a draft.

Meanwhile, key Democratic and Republican lawmakers on the House Energy and Commerce Committee have been working to come up with their own bipartisan privacy bill. Democrats have said they might put out their own version if talks falter.

Overall, the source said, Microsoft’s announcement likely won’t swing the talks on Capitol Hill in either direction. But they noted it’s important that it seems tech companies are “clearly competing on their commitment to privacy.”

John Verdi, the vice president of policy at the Future of Privacy Forum, said he “wouldn’t be surprised to see more companies” extending California protections outside of the state in 2020 if the law’s rules are “clear and workable.”