Privacy Bill Essentials: Florida

February 23, 2021
Hinshaw Privacy & Cyber Bytes

A comprehensive data protection and privacy bill has been introduced in Florida. Like the California Consumer Privacy Act (CCPA) and other recently proposed state laws, it would provide Florida consumers more control over their personal information, impose a series of requirements on covered businesses, and create a limited private right of action. If enacted, it would go into effect on January 1, 2022.

To whom would it apply?

The Florida bill would apply to any for-profit business that:

  1. Has a global annual gross revenue in excess of $25 million;
  2. Engages with the data of 50,000 or more consumers; or
  3. Derives 50% or more of its global annual revenue from the sale or transmittal of consumer information.

What types of information would it cover?

The bill defines personal information to include account log-in, medical, biometric, geolocation, professional/employment, educational, commercial, and sensory information.

What rights would it create?

The Florida bill would create a number of consumer rights, including the right to:

What obligations would it impose?

Under the bill, businesses would be required to post an online privacy policy that includes:

In addition to businesses, the bill would require third-party purchasers and processors of data to provide consumers with prior notice and the opportunity to opt out before materially changing or altering how they use or share consumer personal information.

How would it be enforced?

The law would be enforced by Florida's Department of Legal Affairs. If a noticed violation is not cured within 30 days, then the Department may seek up to $2,500 for each unintentional violation and $7,500 for each intentional violation.

Failure to reasonably identify whether or not a consumer is underage would be interpreted the same as intentionally disregarding the fact that a consumer is underage. Fines could be tripled for violations involving minors.

The proposed bill also creates a private cause of action for unauthorized access and exfiltration, theft, or disclosure of nonencrypted and nonredacted personal information or e-mail addresses—in combination with a password or security question and answer—resulting from a business' violation of the duty to implement and maintain "reasonable security procedures and practices." The bill provides for statutory damages up to $750 for each incident, though it does not provide the prevailing party legal fees.

Where does it stand?

The bill was introduced on Monday, February 15, 2021. The state's governor announced support for the proposal on that same date.