Florida has joined the wave of states considering new comprehensive data privacy legislation. On February 15, 2021, Rep. Fiona McFarland introduced HB 969, modeled after the California Consumer Privacy Act (CCPA). The bill is supported by Gov. Ron DeSantis and the speaker of the Florida House. As introduced, HB 969 would apply to for-profit businesses that have annual gross revenues exceeding $25 million; annually buy, sell or receive the personal information of at least 50,000 consumers; or derive at least 50% of their annual global revenues from selling or sharing consumers’ personal information. A Senate version of a similar bill (SB 1734) introduced by Republican Sen. Jennifer Bradley passed through its first committee earlier this week.
Both bills impose a number of requirements on covered entities relating to consumers’ personal information – for example, entities must maintain an online privacy policy and update it annually, provide notice at the point of collection, and respond to consumers’ requests for copies of their personal information or to correct such information or delete it under certain circumstances. Covered entities also must provide consumers with the right to opt out of sharing personal information, and they are prohibited from discriminating against those who choose to do so. The bills also go a step further than what is required under CCPA and include additional business obligations, such as data retention and limited use requirements.
The companion bills also provide consumers with numerous rights regarding their collected personal information, including the right to request that a business provide a copy of their personal information collected, the right to have their personal information deleted by covered entities, and the right to have inaccurate personal data corrected.
Like the CCPA, the Florida bills provide a private cause of action against a business if there is a data breach. Similarly, the private right of action is limited to only certain data breaches. A consumer could sue a business if their nonencrypted and nonredacted personal information was stolen in a data breach as a result of the business’s failure to maintain reasonable security procedures and practices to protect it. If this happens, the consumer can sue for the amount of monetary damages actually suffered from the breach or up to $750 per incident.
For all other violations, only the Florida Department of Legal Affairs can file an action. If the department has reason to believe that any business is in violation and that proceedings would be in the public interest, the department may bring an action against such business and may seek a civil penalty of not more than $2,500 for each unintentional violation or $7,500 for each intentional violation. Such fines may be tripled if the violation involves a consumer who is sixteen years of age or younger. A business may be found to be in violation if it fails to cure any alleged violation within 30 days after being notified in writing by the department of the alleged noncompliance.
In their current form, if passed, both bills have an effective date of January 1, 2022. The legislation has been assigned to the Commerce Committee and the Civil Justice and Property Rights subcommittees. The bill has already received a favorable recommendation from the Regulatory Reform subcommittee. The companion Senate bill is also pending in committee. With the support of the governor and the speaker of the house, there is a strong possibility that some form of legislation will pass. Stay tuned for further updates and alerts from Bradley on state privacy law developments and obligations by subscribing to Bradley’s privacy blog, Online and OnPoint.