Microsoft recently announced that it will extend “core” privacy rights created by the California Consumer Privacy Act (CCPA) to all of its customers in the United States. This bold proclamation is undoubtedly an example of getting in front of an issue and embracing privacy as a principle that resonates with consumers. But does it expose Microsoft to liability?
Microsoft made a similar announcement prior to the implementation of the General Data Protection Regulation (GDPR) in 2018. The company stated at the time that it would “extend the rights that are at the heart of GDPR to all of our consumer customers worldwide.”
The “heart” of the GDPR. The “core” of the CCPA. That’s the key. Embrace the intent of the legislation, rather than specific requirements.
Microsoft did not say that all rights would be extended to all customers regardless of location. Nor did it say that it would self-impose GDPR or CCPA-specific obligations in every customer relationship. Saying otherwise would arguably expose Microsoft to potential liability under consumer protection or unfair trade practices laws for making promises it can’t keep.
So what can companies learn from Microsoft?
Stay Neutral. A closer look at Microsoft’s U.S. Privacy Statement shows that it is regime-neutral. It makes no specific reference to the GDPR, and it likely won’t refer to the CCPA when that statute comes into effect. Moreover, the privacy statements displayed to Microsoft users in Great Britain and Canada are nearly identical to the U.S. version. This lack of specificity makes a great deal of sense, offering critical flexibility in an age of constantly changing requirements.
Privacy is good for business. Thanks to a steady stream of data breach headlines, consumers are more aware of the collection of personal information and rightly concerned about unforeseen uses of it. They are disturbed by the “creepiness” factor. By addressing privacy laws proactively, Microsoft is communicating that it values consumers’ privacy, thereby building good will and customer loyalty.
Unite and conquer. There’s no need to mention a specific law by name. Rather, find themes common to privacy laws and employ language that applies regardless of jurisdiction. A thoughtfully drafted privacy statement can fulfill the core requirements of several laws.
Simplify. Consider, for example, how Microsoft uses a thematic heading in its privacy statement—“How to access and control your personal data”—and how Microsoft employs the phrase “data protection rights” to cover anything from a right to opt out to a right to erasure. By keeping the language broad and simple, Microsoft not only presents information in an understandable way, but also satisfies the regulatory requirements of multiple jurisdictions.
Layer. Privacy notices needn’t surface statute-specific rights unless and until they become relevant. Microsoft includes a link to an interactive web form that prompts questions tailored to specific requests. Microsoft only asks for jurisdictional information at the point where regulatory variations may come into play.
It will be interesting to see if and how Microsoft chooses to amend its privacy statement come Jan. 1, 2020, when the CCPA enters into effect. Whatever those changes may be, companies looking for guidance on best practices should certainly consider following Microsoft’s lead.