GC’s Corner: Florida’s Proposed New Consumer Data Privacy Law – Less Than a Year to Liftoff

Florida State Representative Fiona McFarland recently sponsored Florida House Bill 969 (“HB 969” or “Bill”) as the state’s proposed new consumer data privacy law. Should Florida’s House of Representatives and Senate pass the legislation, there is an extremely high probability that it will be signed into law, as Governor Ron DeSantis has already publicly expressed his support for it. This Bill is slated to go into effect on January 1, 2022, which means businesses throughout the country (and the world) have less than one year to be fully compliant. It also amends Florida Statute § 501.171 by revising the definition of “personal information” with respect to the data breach reporting requirements of the Florida Information Protection Act of 2014.

HB 969 was filed on February 15, 2021, and is heavily influenced by the EU General Data Protection Regulation (“GDPR”), as well as the California Consumer Privacy Act of 2018 (“CCPA”) and the California Privacy Rights Act (“CPRA”). As Florida is the nation’s third most populous state and has seen a significant uptick in businesses relocating to the state, understanding Bill 969 is of critical importance, as it will unquestionably have an impact on commerce. Of note, HB 969 is set to become effective a full year before the CPRA goes into effect. The combined populations of California and Florida exceed 60 million people, which means that these two states’ data privacy laws will cover over 18% of the entire U.S. population.

Some of the Key Data Privacy Components of Florida’s Bill

On January 1, 2022, the Florida Bill is targeted to become effective and will provide significant privacy rights to Florida’s consumers, who are defined as natural persons that are: (1) Florida residents, or (2) domiciled in the state.  There is a limited carve-out provision for individuals to bring a private right of action under certain circumstances, as related to the breach of their personal data, which are specifically defined by the Bill.  However, HB 969 explicitly sets forth that Florida’s Attorney General will have the authority to enforce the law. 

The following are some of the key privacy rights established under the proposed legislation for Florida consumers:

·     Right to request a copy of personal data that has been collected by the business;

·     Right to have personal information deleted or corrected;

·     Right to be informed, at or before the point of collection of personal information, of the categories of information to be collected and the purposes for which it is to be used; and

·     Right to opt-out of the sale or sharing of personal information to third parties.

In addition, below are some of the other highlights from HB 969:

·     Prohibits discrimination against the consumer for exercising any rights under this Bill;

·     A business that receives a verifiable consumer request to access their own personal information shall promptly take steps to disclose and deliver it free to the consumer within 45 days of receiving the request, with a one-time extension of an additional 30 days when reasonably necessary (e.g., because of factors such as the complexity of the request);

·     The online privacy policy contained on a business’s website must be updated at least once every 12 months and must include certain enumerated information;

·     A business shall provide and follow a retention schedule that strictly prohibits the retention of personal information, based on specific criteria; and

·     The business will include a separate link to a “Do Not Sell or Share My Personal Information” within its online website’s privacy policy.

What The Proposed Legislation Means for Companies Doing Business in Florida

As Florida is home to tens of millions of consumers, and one of the largest state economies in the U.S., this law will likely have a significant impact on “for profit” entities doing business in the state. The proposed legislation will only apply to businesses that satisfy one or more of the following criteria: (1) have global annual gross revenues in excess of twenty-five million dollars ($25,000,000), which will help alleviate the financial burden and compliance requirements for smaller companies, (2) “annually buys, receives for the business’s commercial purposes, sells, or shares for commercial purposes, the personal information of 50,000 or more consumers, household, or devices”, or (3) earns 50 percent or more of its revenue from the sale or sharing of the personal information of consumers.

Companies that conduct business in Florida will have to implement a data privacy regime that ensures they are fully compliant with the proposed legislation.  In addition, HB 969 authorizes businesses to offer financial incentives to consumers for the collection of their personal information, which consent may be revoked by the consumer at any time.  Although Florida consumers will have data subject access rights, a business will not be required to provide a consumer with their personal information more than twice during a 12-month period.

The Florida Attorney General’s Office will be able to bring an action against a covered business, service provider, or entity that is in violation of HB 969.  An enforcement action can result in the Attorney General’s Office seeking “… a civil penalty of not more than $2,500 for each unintentional violation or $7,500 for each intentional violation.  Such fines may be tripled if the violation involves a consumer who is 16 years of age or younger.”

Companies Will Have to Comply with a Multitude of Data Protection and Privacy Laws

The EU GDPR is already considered by many in the business and legal communities to be the de facto global data protection and privacy law.  The CCPA, CPRA and HB 969 all adhere to the spirit of the EU GDPR.  However, there are countless nuances contained within the various laws that data privacy officers and privacy counsel will have to be aware of, in order to remain fully compliant with all applicable global and local privacy laws.

For instance, Florida’s Bill 969 includes the term “devices” in one of its threshold requirements, which refers to the personal information of 50,000 or more consumers, households, or devices. By contrast, the CPRA specifically excludes the term “devices” from its definition in a similar section of California’s law. There is an abundance of subtleties between the Florida Bill and California’s privacy laws, as well as with the EU GDPR. As such, it will become increasingly complex for multi-national companies and other businesses to be fully compliant with the myriad of privacy laws throughout the globe. Companies will undoubtedly require a significant increase in data privacy resources (both in the retention of privacy experts and sophisticated privacy programs).

As other states in the U.S. consider passage of their own data privacy laws, it is going to become ever more burdensome for businesses to adhere to the body of diverse laws that are being enacted. There will continue to be a growing demand for Congress to consider federal legislation, on a national level, that will properly protect and safeguard the personal information of individuals. Comprehensive legislation should be measured and appropriate in balancing the needs and interests of individuals, businesses and governments.

Please let me know if you found this to be informational. I value your feedback.   

About the Author: 

Jerry Barbanel is a Fellow of Information Privacy (FIP), and has earned seven certifications in data privacy, data protection and data governance (including CIPP-US, CIPP-E, CIPP-A, CIPP-C and CIPM). In addition, he serves as an IAPP Advisory Board Member for the CIPP-E Exam Development Board (2021 to 2023). Jerry founded a top advisory and technology company, and served in key roles, including as its General Counsel for 11+ years. Also, he was named to the PrivSec 200 (Northeast) in November 2019. He is a seasoned attorney, data privacy professional and former prosecutor with the Manhattan DA’s Office with extensive expertise in legal, data protection, data governance, operational, investigations, forensic accounting, eDiscovery, compliance and consulting. Jerry serves as an Expert Advisor to Charles River Associates.

General Counsel’s Corner was created to share professional articles with others across the globe.
