With the introduction of companion bills HB 963 and SB 1670, Florida has joined the ever-growing list of states considering data privacy legislation.
Florida’s proposed privacy bills are in the same vein as California’s Consumer Privacy Protection Act (CCPA) and Nevada’s Privacy of Information Collected on the Internet from Consumers Act (NPICICA): they seek to provide consumers more control over the collection and use of personally identifiable information (PII).
If passed, businesses operating online would have an even more complex patchwork of state-level laws with which they will need to comply.
New compliance obligations and requirements
If either of the bills passes, organizations could be facing new compliance obligations and may be required to:
- Give notice of the categories of PII collected and the categories of third parties with whom the information is shared
- Allow Florida consumers to review and correct PII the business gathered about them
- Provide a mechanism for consumers to opt out of the sale of their PII to third parties
As currently drafted, the privacy bills require “operators” who collect or maintain “covered information” about Florida consumers to provide written notice concerning their collection and sale of PII and allow consumers to opt out of the sale of their information to third parties.
The bills define an “operator” as a person who owns or operates a website or online service for commercial purposes and collects and maintains “covered information” from Florida consumers who visit the website. Operators could include businesses outside the state of Florida if those businesses “purposefully direct[] activities toward Florida or Florida residents.”
It is important to note that the bills do provide for a limited exception for some Florida businesses. It exempts any business located within Florida whose revenue is “derived primarily from a source other than the sale or lease of goods, services, or credit” and whose website has fewer than 20,000 unique visitors per year. However, the usefulness of this exception to Florida businesses is, at best, unclear given its narrowness.
The bills both define “covered information” as first and last names, home addresses, email addresses, telephone numbers, Social Security Numbers, “identifiers” that allow consumers to be contacted or any other information that is collected from the consumer and maintained by the business in combination with an identifier in a form that makes the information personally identifiable.
Notable differences compared to the CCPA
The Florida legislation does not provide a right to deletion, which the CCPA includes. It also does not require businesses to give consumers notice of their opt-out rights, which the CCPA specifically requires.
Florida’s bills also define the “sale” of data more narrowly than the CCPA, instead following the NPICICA’s approach. As drafted, “sale” means “the exchange of covered information for monetary consideration by the operator to a person for the person to license or sell the covered information to additional persons.” (emphasis added).
Florida’s proposed legislation does not provide for a private right of action, with only Florida’s Attorney General empowered to bring claims for non-compliance. The Attorney General’s office can seek civil penalties of up to $5,000 “per violation,” which is a term yet to be defined.
By not including a private right of action, Florida lawmakers appear to have learned from the mistakes made last year in their attempt to pass a biometric privacy law. Like Illinois’ Biometric Information Privacy Act (BIPA), Florida’s 2019 SB1270 would have established restrictions on private entities’ use and collection of biometric information. It also would have created a private right of action for relief from violations of the law. Florida Senator Gary Farmer, Jr. introduced SB1270 in early 2019 to much fanfare, but the bill eventually died in committee.
In addition to applying a diluted version of the CCPA to Florida, the proposed bills would also prohibit private entities’ use of personal data found in public records maintained by state agencies for unsolicited marketing purposes. Individuals and companies can currently request public records from state and local agencies under Florida’s freedom of information statute.
These records often include Florida residents’ names, addresses and birthdates, which the companies then utilize for marketing purposes. The proposed legislation would prohibit this practice.
Both bills remain pending in the Florida legislature, with HB 963 referred to the Oversight, Transparency and Public Management Subcommittee and SB 1670 referred to the Commerce and Tourism committee.
Our Privacy, Cybersecurity and Data Management team will continue to monitor Florida developments, as well as consumer privacy bills introduced in other states and at the federal level.