How Microsoft and Twitter use the CCPA to position themselves as privacy-first companies
In the months before the California Consumer Privacy Act's (CCPA) effective date of January 1st this year, we have seen both Microsoft and Twitter make important statements about how they plan to interpret and implement this sweeping data privacy law. In this article, we take a look at the specifics of the two companies' promises, the upside it generates for them, and why being skeptical of their commitment to privacy is likely still a good idea.
Microsoft has set a high bar by “vowing to honor” the rights granted by the CCPA not only for Californian residents, but for all US citizens.
Though Microsoft’s decision to not treat non-Californians as “second class data citizens” is laudable, its motives are most likely not entirely altruistic. With 87% of consumers stating that they will take their business elsewhere if they don’t trust how a company handles their data, Microsoft is smart to brand itself as a good data custodian by rolling out CCPA data rights to their entire customer base, and therefore incentivizing customer retention as well as new customer acquisition. Microsoft can certainly use a little image boost, especially considering their Windows 10 tracking fiasco, the NSA detecting a weakness in its cryptographic systems and the recent breach of 250 million customer service records.
Microsoft certainly stands to gain some consistency with this move. With many state wide legislations in different stages of the law-making process since the signing of the CCPA, Microsoft must have seen the writing on the wall: Adhering to a patchwork of different privacy laws will come at a steep cost. Applying the CCPA standard on a US-wide basis is a smart way to pre-empt having to implement new changes with each new privacy law coming into effect, although they will need to pay attention to any pre-emption clauses in future laws.
During her statement early November 2019, Microsoft’s Chief Privacy Officer Julie Bril stated that since Congress seems unable to, the individual states will take action themselves. Being an early advocate for privacy laws could allow Microsoft to have an impact on the federal debate and ensure that the rules turn out to their benefit.
Without minimizing the importance of the signal that Microsoft is sending, it’s also important to realize that Microsoft’s business model is not largely dependent on revenue generated from data-driven advertising, as opposed to that of Google or Facebook, who mostly monetize by serving internal ads based on the data collected and gathered within their “walled gardens”. Microsoft acts as a service provider for many of its offered products, a classification which eases the CCPA burden.
Lastly, this “vow to honor” really is just a vow. No matter how generous Microsoft’s gesture seems, the CCPA only provides for legal recourse in the case of the violation of the right of a California resident. If a New York consumer were to request a copy of their personal information, Microsoft would still be free to decide whether or not they wish to stick with their “vow to honor”.
Twitter took the CCPA’s transparency requirement at heart, and created a Privacy Center for users and partners, to be able to more easily understand Twitter’s data handling practices and stay up to date with announcements. The Privacy Center provides pages about GDPR, CCPA and global Data Processing Addendums.
When announcing the new Privacy Center, Twitter also stated that non-EU and non-US users will be moved from one Twitter entity - the Dublin based Twitter International Company- to another - San Francisco based Twitter Inc.. Twitter International Company services users from the E.E.A., Twitter Inc. services US users, and soon also non-US and non-EU users. This allows Twitter to test different privacy settings on these sets of users, without being blocked by the strict GDPR requirements.
On the one hand this could allow for the development of more consumer-friendly ways of guaranteeing privacy rights. On the other hand, it could mean less protection for the non-US and non-EU users who were moved.
In their statement of December 2nd 2019, Twitter’s Global Data Protection Officer Damien Kieran and Product Lead Kayvon Beykpour made it clear that Twitter wants to take real action on privacy protection, rather than merely uttering “cliche” and meaningless phrases such as “we value your privacy”. The pair writes: “Many companies make these declarations without even showing people what actions they are taking to protect their privacy. And let’s be honest, we have room for improvement, too” This last part is certainly true: in as October 2019 Twitter announced that email addresses and phone-numbers used for two-factor authentication may have been used to serve ads, earlier this week Twitter reportedly fixed a vulnerability that allowed attackers to match usernames to phone numbers.
Both Microsoft and Twitter are members of the Internet Association
The Internet Association lobbies on behalf of top tech companies such as Amazon, Google, Facebook as well as Microsoft and Twitter. When the initial version of the CCPA, a popular bill authored by the privacy group Californians for Consumer Privacy, headed by real estate mogul Alistair Mactaggart achieved more than double the required amount of signatures to be put to the vote in November 2018, several lobbying firms including the Internet Association worked hard to block the privacy bill from being passed. Mactaggarts version of the CCPA was stricter than the version that came into effect (AB-375), for instance by including a private right of action for any type of violation. In June 2018, Mactaggart withdrew his bill once AB-375 passed as a compromise.
On October 11th, 2019, governor Newsom signed 7 amendments to the CCPA into effect, which largely carve out exemptions for certain business models. These bills were backed by the Internet Association, whilst privacy groups strongly opposed them, being concerned about the CCPA slowly being eroded. The Internet Association is also amongst the groups involved in the development of a federal privacy law to preempt state laws.
Microsoft and Twitter’s announcements are certainly laudable and are a good step forward in the battle of giving consumers the level of protection they deserve. Microsoft goes a step beyond, vowing to grant the extensive CCPA rights to all US citizens, although these are not enforceable. This sets a high bar for other large tech companies, who will not be able to follow suit as quickly without cutting off important sources of income.
It should not be forgotten, however, that both companies can profit hugely from being branded as a privacy-first organization, considering their mistakes of the past and the overwhelming consumer demand for control over their data. Both companies are part of the Internet Association, a powerful lobbyist group that has worked hard to tone down the powerful language of the initial CCPA ballot bill. Of course, new regulation always needs to walk a fine line between consumer protection and ensuring the integrity of our online economy. However, had the large tech companies been better and more transparent data custodians, governments would not have needed to step in as vigorously, removing the potential for over-regulation.Consumer PrivacyIndustry Trends CCPADeep Dives Ad Tech