Microsoft shook up the debate over privacy rules with its announcement that the company will follow the principles of California’s tough online privacy law across the U.S.
The tech giant received accolades from privacy advocates and some Democratic lawmakers over its decision on Monday to meet California’s standards in every U.S. state. But Microsoft’s decision could serve as a wake-up call on Capitol Hill, where bipartisan efforts to draw up federal privacy legislation have blown past a slew of deadlines.
Other tech companies will almost certainly follow Microsoft’s lead, fixing California’s law as the de facto U.S. standard without congressional input, industry watchers said.
“When one of the biggest tech companies in America voluntarily adopts California’s standard, it’s very likely to become America’s standard,” Jamie Court, the president of California-based Consumer Watchdog, told The Hill.
Key Democrats in the Senate lauded Microsoft’s decision but said it underlined the need for federally mandated safeguards around what user information companies can collect and what information they’re required to share with users about that data.
“I’m glad to see that there are companies like Microsoft and Apple that continue to take privacy issues very seriously,” Sen. Mark Warner (Va.), the top Democrat on the Senate Intelligence Committee, said in a statement to The Hill.
“However, the fact that companies are voluntarily adopting their own standards because of Congress’ lack of action underscores the need for regulators and Congress to get serious about guardrails at the federal level to protect user data and privacy,” he said. “The status quo isn’t working for consumers.”
Sen. Richard Blumenthal (D-Conn.), one of the top tech critics in the Senate, lauded Microsoft in a statement, claiming the decision “proves tech companies can provide privacy protections to all Americans” but added that the U.S. needs “broad reform of the use of private data.”
Microsoft is likely better-positioned to make the sweeping commitment than companies with fewer resources and a less global footprint. It will be relatively easy for Microsoft to comply with the principles of the California Consumer Privacy Act (CCPA) across state lines, considering the company is already investing significant resources into meeting an even stricter set of privacy regulations in Europe.
Before Europe’s General Data Protection Regulation (GDPR) went into effect last year, Microsoft announced that it would extend European-style privacy protections to its users nationwide. And earlier this month, Microsoft wrote that it is in an “excellent position” to meet the California law’s requirements after implementing the GDPR’s data restrictions and limitations globally.
“It is absolutely the case that anyone who is GDPR-compliant already had a leg up,” Heather West, senior policy manager for privacy-focused tech company Mozilla, told The Hill. Mozilla also plans to extend California-style protections to all U.S. users, West said.
But others have raised concerns about the fallout from Microsoft’s decision, particularly for smaller tech players.
Some Republicans argue that a company like Microsoft, which passed a market cap of $1 trillion earlier this year, will have an easier time complying with a CCPA-style privacy regime than other companies.
For years, the tech industry and Republican lawmakers have fretted over a potential “patchwork” of state laws, claiming small and medium-sized players can’t afford to navigate 50 different state privacy standards.
“Companies the size of a Microsoft might be able to make California’s law work, but what about the smaller ones?” Rep. Greg Walden (Ore.), the top Republican on the House Energy and Commerce Committee, said in a statement to The Hill.
“A patchwork of state laws will hurt small startup companies—they lack the resources of a Microsoft,” Walden said. “We should give people the confidence their privacy is protected—regardless of their zip code.”
And Microsoft’s move renewed the debate over California’s law.
California’s law allows users to access the information tech companies have collected about them and opt out of that data collection if they are uncomfortable with it. It is widely seen as the toughest privacy law in the country. But some privacy advocates have argued its provisions do not go far enough in protecting users’ sensitive personal information.
Michelle Richardson, who directs the Center for Democracy and Technology’s data privacy project, expressed optimism that a federal law could go even further in curtailing what companies are allowed to collect and how.
“[The California law] is historic and a game-changer in the U.S., but we hope that other states or the federal government go further to put more burden on the companies,” Richardson said, such as placing more responsibility on companies to stop collecting and using sensitive user information.
There are still unanswered questions around how the law will work in action, particularly how the state will enforce the CCPA provisions around companies that buy and sell user data.
“Microsoft, with its focus on selling hardware and software and [business-to-business] enterprise customers, isn’t in the same position as ad-supported companies,” Joe Jerome, a privacy and cybersecurity attorney, told The Hill in an email.
For that reason, Google and Facebook, two of the primary antagonists of the California law, aren’t likely to follow Microsoft’s lead anytime soon, experts said. Their business models rely more heavily on collecting and using data to target advertisements toward their users.
Google pointed The Hill toward its framework for federal data protection legislation, which calls for “reasonable” limitations on how companies can use and collect data as well as one global privacy framework to stave off “overlapping or inconsistent rules.” Facebook has similarly called for a federal privacy regulation.
There are several overlapping efforts to write privacy legislation in the House and Senate. The staffs of Senate Commerce Committee Chairman Roger Wicker (R-Miss.) and ranking member Maria Cantwell (D-Wash.) have been in bilateral talks since the summer, while Sens. Jerry Moran (R-Kan.) and Richard Blumenthal (D-Conn.) have hinted they could put out privacy legislation of their own.
An industry source told The Hill that they heard a week ago that Moran and Blumenthal were getting closer to putting out a draft.
Meanwhile, key Democratic and Republican lawmakers on the House Energy and Commerce Committee have been working to come up with their own bipartisan privacy bill. Democrats have said they might put out their own version if talks falter.
Overall, the source said, Microsoft’s announcement likely won’t swing the talks on Capitol Hill in either direction. But they noted it’s important that it seems tech companies are “clearly competing on their commitment to privacy.”
John Verdi, the vice president of policy at the Future of Privacy Forum, said he “wouldn’t be surprised to see more companies” extending California protections outside of the state in 2020 if the law’s rules are “clear and workable.”