Privacy Bill Essentials: Florida

February 23, 2021 | Updated March 31, 2021 | Updated May 3, 2021
Hinshaw Privacy & Cyber Bytes

Update on May 3, 2021: On April 30, 2021, the Florida Consumer Data Privacy Bill officially died as it failed to pass the Legislature. On April 21, 2021, the Florida House of Representatives passed Florida House Bill 969 by a vote of 118 to 1, then on April 29, 2021 the Senate passed a different version by a vote of 29 to 11 sending the bill back to the House. Then on April 30, 2021, the House declined to consider the bill and with the close of the legislative session this leads to the end of the road for it. Unfortunately, because the two could not agree on how the bill should be enforced, specifically whether a private right of action should be included, Florida will have to wait until next year to try again.  

Update on March 31, 2021: see below.

A comprehensive data protection and privacy bill has been introduced in Florida. Like the California Consumer Privacy Act (CCPA) and other recently proposed state laws, it would provide Florida consumers more control over their personal information, impose a series of requirements on covered business, and create a limited private right of action. If enacted, it would go into effect on January 1, 2022.

To whom would it apply?

The Florida bill would apply to for-profit businesses that:

  1. Has a global annual gross revenue in excess of $25 million;
  2. Engages with the data of 50,000 or more consumers; or
  3. Derives 50% or more of its global annual revenue from the sale or transmittal of consumer information.

What types of information would it cover?

The bill defines personal information to include account log-in, medical, biometric, geolocation, professional/employment, educational, commercial, and sensory information.

What rights would it create?

The Florida bill would create a number of consumer rights, including the right to:

What obligations would it impose?

Under the bill, businesses would be required to post an online privacy policy that includes:

In addition to businesses, the bill would require third-party purchasers and processors of data to provide consumers with prior notice and the opportunity to opt-out before materially changing or altering how they use or share consumer personal information.

How would it be enforced?

The law would be enforced by the Florida's Department of Legal Affairs. If a noticed violation is not cured within 30 days, then the Department may seek up to $2,500 for each unintentional violation and $7,500 for each intentional violation.

Failure to reasonably identify whether or not a consumer is underage would be interpreted the same as intentionally disregarding the fact that a consumer is underage. Fines could be tripled for violations involving minors.

The proposed bill also creates a private cause of action for unauthorized access and exfiltration, theft, or disclosure of nonencrypted and nonredacted personal information or e-mail addresses—in combination with a password or security question and answer—resulting from a business' violation of the duty to implement and maintain "reasonable security procedures and practices." The bill provides for statutory damages up to $750 for each incident, though it does not provide the prevailing party legal fees.

Where does it stand?

The bill was introduced on Monday, February 15, 2021. The state's governor announced support for the proposal on that same date.

March 31 Update

Florida House Bill 969 was introduced on February 15, 2021, and has gone through two committee substitutes by the Regulatory Reform Subcommittee and the Civil Justice & Property Rights Subcommittee. It now sits with the Commerce Committee.

Florida Senate Bill 1734, the Florida Privacy Protection Act, was introduced on February 25, 2021, and has gone through one committee substitute by Commerce and Tourism. It now sits in Rules.

Both bills apply to the same businesses and protect the same information.

However, the Senate Bill differs from the House Bill in the following ways: