Privacy Bill Essentials: Florida
Update on May 3, 2021: On April 30, 2021, the Florida Consumer Data Privacy Bill officially died as it failed to pass the Legislature. On April 21, 2021, the Florida House of Representatives passed Florida House Bill 969 by a vote of 118 to 1, then on April 29, 2021 the Senate passed a different version by a vote of 29 to 11 sending the bill back to the House. Then on April 30, 2021, the House declined to consider the bill and with the close of the legislative session this leads to the end of the road for it. Unfortunately, because the two could not agree on how the bill should be enforced, specifically whether a private right of action should be included, Florida will have to wait until next year to try again.
Update on March 31, 2021: see below.
A comprehensive data protection and privacy bill has been introduced in Florida. Like the California Consumer Privacy Act (CCPA) and other recently proposed state laws, it would provide Florida consumers more control over their personal information, impose a series of requirements on covered business, and create a limited private right of action. If enacted, it would go into effect on January 1, 2022.
To whom would it apply?
The Florida bill would apply to for-profit businesses that:
- Do business in Florida;
- Collect personal information about consumers, or is the entity on behalf of which the information is collected;
- Determine the purpose and means of processing consumer personal information alone or jointly with others; and
- Meet at least one of the following thresholds:
- Has a global annual gross revenue in excess of $25 million;
- Engages with the data of 50,000 or more consumers; or
- Derives 50% or more of its global annual revenue from the sale or transmittal of consumer information.
What types of information would it cover?
The bill defines personal information to include account log-in, medical, biometric, geolocation, professional/employment, educational, commercial, and sensory information.
What rights would it create?
The Florida bill would create a number of consumer rights, including the right to:
- Request a report of the information that the business collects about the consumer;
- Request notice of how that information is used;
- Correct inaccuracies;
- Limit the sale or transfer of that information;
- Have their information deleted; and
- Be notified of the purpose for which the information is collected.
What obligations would it impose?
- Any Florida-specific consumer privacy rights;
- The categories of personal information the business collects or collected about consumers;
- The categories, if any, of personal information the business sells or shares, or has sold or shared about consumers;
- The categories, if any, of personal information the business discloses or shares, or has disclosed or shared about consumers for a business purpose;
- The right to opt-out of the sale or sharing to third-parties; and
- The right to request a deletion or correction of certain personal information.
In addition to businesses, the bill would require third-party purchasers and processors of data to provide consumers with prior notice and the opportunity to opt-out before materially changing or altering how they use or share consumer personal information.
How would it be enforced?
The law would be enforced by the Florida's Department of Legal Affairs. If a noticed violation is not cured within 30 days, then the Department may seek up to $2,500 for each unintentional violation and $7,500 for each intentional violation.
Failure to reasonably identify whether or not a consumer is underage would be interpreted the same as intentionally disregarding the fact that a consumer is underage. Fines could be tripled for violations involving minors.
The proposed bill also creates a private cause of action for unauthorized access and exfiltration, theft, or disclosure of nonencrypted and nonredacted personal information or e-mail addresses—in combination with a password or security question and answer—resulting from a business' violation of the duty to implement and maintain "reasonable security procedures and practices." The bill provides for statutory damages up to $750 for each incident, though it does not provide the prevailing party legal fees.
Where does it stand?
The bill was introduced on Monday, February 15, 2021. The state's governor announced support for the proposal on that same date.
March 31 Update
Florida House Bill 969 was introduced on February 15, 2021, and has gone through two committee substitutes by the Regulatory Reform Subcommittee and the Civil Justice & Property Rights Subcommittee. It now sits with the Commerce Committee.
Florida Senate Bill 1734, the Florida Privacy Protection Act, was introduced on February 25, 2021, and has gone through one committee substitute by Commerce and Tourism. It now sits in Rules.
Both bills apply to the same businesses and protect the same information.
However, the Senate Bill differs from the House Bill in the following ways:
- Rights created:
- Requires disclosure of the amount of time the consumer's personal information will be retained.
- Businesses are allowed to provide different pricing or offerings depending on whether or not a consumer has opt-ed out so long as it is reasonable.
- Minors must expressly opt-in to having their information collected
- Consumers are allowed to designate third-parties with the authority to opt them out of data collection programs
- Obligations imposed:
- A "Do Not Sell My Personal Information" link must be on the home page of the businesses website
- Contractual and scientific research poses exceptions to the deletion and opt-out rules
- Vehicle information used for repair and warranty purposes
- Private right of action with statutory damages of $100 to $750 per incident and attorney fees
- The Legal Affairs Department has the authority to adopt rules to enforce this act (compared the 30 day correction period and pre-defined statutory damages the house proposed)