On Feb. 15, Gov. Ron DeSantis and House Speaker Chris Sprowls held a press conference to announce their support for legislation that would significantly increase data privacy and security regulation and create new rights for Florida consumers with respect to their personal information (PI).
House Bill 969 by Rep. Fiona McFarland (R-Sarasota) would apply to any for-profit business that collects PI about Florida residents and satisfies one or more of the following thresholds: (a) has annual revenue over $25 million, (b) collects 50% or more of its revenue from selling or sharing PI, or (c) sells or shares the PI of 50,000 or more consumers or devices. If passed, the law will take effect Jan. 1, 2022.
The House bill will be assigned to committees where it will be considered. There is currently no companion measure filed in the Senate. Regular Session begins March 2 and ends April 30. To become law, the bill must pass each of its assigned committees and the full body in the House, which is very likely given the Speaker's strong support. The bill must also pass in the Senate before it is sent to the Governor for signature.
The bill is similar to California's Consumer Privacy Act (CCPA) but includes several additional obligations on businesses.
CCPA-like Rights & Obligations
Similar to the CCPA, the bill would create a number of new rights for Florida consumers with regard to collected PI. These new rights include:
- A right to request that a business that collects PI disclose to the consumer what information was collected and the business purpose for collecting or selling the information and require that the business provide the consumer a copy of the PI free of charge in a readily usable format.
- A right for consumers to have PI collected by businesses deleted unless such information is necessary to complete the transaction, prevent security incidents, or engage in certain types of research.
- A right for consumers to request from a business that sells or shares PI to disclose the categories of PI sold or shared and the categories of third parties to which the information was sold or shared.
- A right for consumers to opt out of having their PI sold or shared by a business, and a corresponding Do Not Sell My Personal Information link on the website's homepage. Minors or their legal guardians must affirmatively opt in to permit the selling or sharing of their PI.
In addition, the bill includes several CCPA-like provisions.
- Covered businesses would be required to post a privacy policy that provides notice of consumer rights.
- Covered businesses would be prohibited from discriminating against consumers who exercise any of their privacy rights by charging different prices for goods or services or providing different service levels. Businesses would, however, be permitted to offer financial incentives to consumers to permit the sale or sharing of their PI.
- The legislation includes exceptions for PI necessary to comply with federal, state, or local laws, cooperate with law enforcement and regulatory agencies, or PI that is otherwise governed by certain federal privacy statutes.
Additional Rights & Obligations
The Florida bill creates significant additional compliance obligations for in-scope businesses, many similar to those required under the California Privacy Rights Act, which takes effect Jan. 1, 2023. Specifically, the bill would also afford Florida consumers the following additional rights and impose the following obligations:
- The right to correct incorrect PI held by an in-scope business.
- Businesses will also be required to establish a retention schedule that prohibits the use and retention of PI after the duration of a contract or one year after the consumer's last interaction with the business.
- Third parties that purchase or receive consumer PI would be prohibited from further selling or sharing PI about a consumer unless the consumer has received explicit notice and an opportunity to opt out.
- A "just-in-time" notice at or before the point of collection that would inform consumers of the categories of PI to be collected and the purposes for which the categories of PI will be used. Collecting additional categories of PI, or using collected PI for any additional purpose, would be prohibited unless additional notice is provided.
- Contracts with consumers that waive or limit privacy rights would be deemed contrary to public policy and void and unenforceable.
Finally, the legislation would create a private cause of action for consumers whose PI was subject to an unauthorized disclosure as a result of a violation of the duty to maintain reasonable security procedures and practices, and would authorize the Florida Attorney General to bring civil actions against such businesses. The bill creates some ambiguity regarding which breaches would give rise to a private right of action, since the definitions of PI differ between the Florida breach statute and the bill.
The legislation would be enforced by Florida's Department of Legal Affairs, which may bring an action seeking $2,500 for each intentional violation or $7,500 for each intentional violation if a business fails to cure any alleged violation within 30 days after being notified in writing by the department of the alleged noncompliance. The fines may be tripled if the violation involves a consumer who is 16 or younger.
The governor's press release included the following:
"For far too long, Big Tech companies have abdicated their responsibility of safeguarding and securing the data of Americans and Floridians; in fact, rather than protecting our data, they are profiting from it," said Governor DeSantis. "This one-way street – where Big Tech has all the power and consumers have little to none – stops now. With the proposals announced today, we will finally check these companies' unfettered ability to profit off our data and ensure the protection of Floridians' personal and private information."
“Today’s introduction of our Consumer Data Privacy legislation is another step in combating mass public distrust left in the wake of Big Tech companies’ destruction,” said Speaker Chris Sprowls. “They don’t care about your personal information; they don’t care who gets ahold of your sensitive data. In the state of Florida, we care. It’s time to stop bad actors and help restore consumers’ trust in companies that hold the keys to their personal information.”