Privacy Bill Essentials: Florida
A comprehensive data protection and privacy bill has been introduced in Florida. Like the California Consumer Privacy Act (CCPA) and other recently proposed state laws, it would provide Florida consumers more control over their personal information, impose a series of requirements on covered business, and create a limited private right of action. If enacted, it would go into effect on January 1, 2022.
To whom would it apply?
The Florida bill would apply to for-profit businesses that:
- Do business in Florida;
- Collect personal information about consumers, or is the entity on behalf of which the information is collected;
- Determine the purpose and means of processing consumer personal information alone or jointly with others; and
- Meet at least one of the following thresholds:
- Has a global annual gross revenue in excess of $25 million;
- Engages with the data of 50,000 or more consumers; or
- Derives 50% or more of its global annual revenue from the sale or transmittal of consumer information.
What types of information would it cover?
The bill defines personal information to include account log-in, medical, biometric, geolocation, professional/employment, educational, commercial, and sensory information.
What rights would it create?
The Florida bill would create a number of consumer rights, including the right to:
- Request a report of the information that the business collects about the consumer;
- Request notice of how that information is used;
- Correct inaccuracies;
- Limit the sale or transfer of that information;
- Have their information deleted; and
- Be notified of the purpose for which the information is collected.
What obligations would it impose?
- Any Florida-specific consumer privacy rights;
- The categories of personal information the business collects or collected about consumers;
- The categories, if any, of personal information the business sells or shares, or has sold or shared about consumers;
- The categories, if any, of personal information the business discloses or shares, or has disclosed or shared about consumers for a business purpose;
- The right to opt-out of the sale or sharing to third-parties; and
- The right to request a deletion or correction of certain personal information.
In addition to businesses, the bill would require third-party purchasers and processors of data to provide consumers with prior notice and the opportunity to opt-out before materially changing or altering how they use or share consumer personal information.
How would it be enforced?
The law would be enforced by the Florida's Department of Legal Affairs. If a noticed violation is not cured within 30 days, then the Department may seek up to $2,500 for each unintentional violation and $7,500 for each intentional violation.
Failure to reasonably identify whether or not a consumer is underage would be interpreted the same as intentionally disregarding the fact that a consumer is underage. Fines could be tripled for violations involving minors.
The proposed bill also creates a private cause of action for unauthorized access and exfiltration, theft, or disclosure of nonencrypted and nonredacted personal information or e-mail addresses—in combination with a password or security question and answer—resulting from a business' violation of the duty to implement and maintain "reasonable security procedures and practices." The bill provides for statutory damages up to $750 for each incident, though it does not provide the prevailing party legal fees.
Where does it stand?
The bill was introduced on Monday, February 15, 2021. The state's governor announced support for the proposal on that same date.