Microsoft wants a US privacy law that puts the burden on tech companies

Europe's privacy law went into effect nearly a year ago. It’s time for the US to catch up, the tech giant says.

Alfred Ng Senior Reporter / CNET News
Alfred Ng was a senior reporter for CNET News. He was raised in Brooklyn and previously worked on the New York Daily News's social media and breaking news teams.
Alfred Ng
3 min read

Microsoft's framework for a US privacy law includes stronger enforcement against data violations.

James Martin/CNET

Microsoft's idea of a US privacy law would make it easier for people to protect their data.

The company's corporate vice president and deputy general counsel, Julie Brill, wrote Monday that people have a right to privacy, as they become increasingly alarmed by how much data tech giants have gathered on them. The post comes nearly a year after the European Union's General Data Protection Regulation came into effect.

While there are multiple state laws on data privacy, like California's Consumer Privacy Act and Illinois' Biometric Information Privacy Act, there is no US federal legislation -- even as multiple senators have proposed their own bills to protect your data.

Tech giants like Facebook, Google and Apple have also called for a data privacy law, though the specific details vary. In Microsoft's vision for privacy regulation, it calls for shifting the burden of protecting your data from the person to the tech companies.

The majority of data protection is an "opt-out" experience, meaning that data collection is the default, and people have to find their privacy settings to shut it off. In March, lawmakers criticized Google over how difficult it was to actually opt out of its data tracking programs.

"This places an unreasonable -- and unworkable -- burden on individuals," Brill wrote in the post. "Strong federal privacy should not only empower consumers to control their data, it also should place accountability obligations on the companies that collect and use sensitive personal information."

Microsoft has the numbers to back up how often people actually take that extra step to protect their own privacy. In the year since GDPR came into effect and Microsoft released its Privacy Dashboard, Brill said more than 18 million people have used those tools.

Considering that there are about 1.5 billion Windows devices, that would mean only 1 percent of Microsoft users have actually changed their privacy settings. Similarly, there were about 2.5 billion visits last year to Google's Accounts page, but only about 20 million people viewed their ads settings.

Microsoft's call for privacy legislation is to make sure that tech companies are the ones responsible for your privacy, not the other way around. Brill also noted that privacy legislation should have strong enforcement.

"As I saw first-hand when I served on the Federal Trade Commission, laws currently on the books are simply not strong enough to enable the FTC to protect privacy effectively in today's complex digital economy," Brill said.

While the FTC is able to issue fines to tech companies, it needs a consent decree to do that, which would require offending businesses to agree to a future penalty if they violate the terms again. Of the 101 data privacy violations the FTC investigated in the past 10 years, nearly all of them ended without any penalties, a government watchdog agency found.

In November, the agency's commissioners told senators that they didn't have enough resources to properly regulate against data abuses.

Microsoft's call for stronger enforcement aligns with what lawmakers in Washington, DC, have proposed. On Monday, Sen. Josh Hawley, a Republican from Missouri, announced plans to introduce the Do Not Track Act, which would give more power to the program first introduced in 2010.

"The vast majority of websites, including the Big Tech companies, ignore these signals because there is currently no penalty in doing so," Gabriel Weinberg, founder of privacy-focused search engine DuckDuckGo, said in an email.

Brill noted that the US' privacy legislation should go beyond California's privacy law. She called on Congress to pass privacy legislation that'd give people control over their data and require more accountability and transparency from tech giants.

Watch this: Google's head of advertising calls for privacy, but not by default