On February 15, 2021, Florida introduced House Bill 969, aimed at consumer privacy protection. A prior attempt last year by the Florida legislature to pass similar legislation failed to become law. If this bill passes, and there is some skepticism that it will, given the potential for a significant increase in litigation, Florida will join the rapidly-growing list of states expanding their regulation of the sharing and selling of personal data.
HB 969, which borrows language from the California Consumer Privacy Act, which was passed in 2018, would enable consumers to:
- find out from businesses what personal information of theirs has been collected;
- ask that it be deleted or corrected and provide requirements for compliance with any such request;
- determine whether the data was sold or shared and have a private right of action if a business fails to comply;
- require businesses to disclose to consumers certain information regarding data collection and sale practices at the time or before the data is collected;
- require businesses to provide consumers additional specific information upon request;
- opt-out of third party-disclosure of personal information collected by a business and prohibit disclosure of data of opted-out consumers;
- prohibit a business from collecting additional categories of personal information or using personal information for additional purposes without notifying the consumer;
- require businesses that collect personal information to implement “reasonable security procedures and practices” to safeguard that information;
- require businesses to make available two or more methods for consumers to request their personal information and to provide such information free of charge within a certain time frame and format; and
- prohibit businesses from taking retaliatory action against a consumer who exercises any of these rights;
The bill also seeks to ensure that a contract or agreement that waives or limits consumer rights of the types set forth above would be deemed void and unenforceable. If enacted into law in its current form, it would provide a private right of action and civil remedies for consumers whose personal information or email addresses are subject to unauthorized access. In addition, it would authorize the Florida Department of Legal Affairs to bring a civil action for intentional or unintentional violations and would provide a 30-day time period for companies notified of alleged violations to cure them.
The proposed law would apply to any company doing business in the state that satisfies one or more of the following criteria:
- Global annual gross revenues in excess of $25 million;
- Annually buys, receives, sells, or shares for commercial purposes the personal information of 50,000 or more Florida consumers, households, or devices; or
- Derives 50 percent or more of its global annual revenues from selling or sharing personal information about Florida consumers.
Businesses that fail to comply would be subject to suit by the aggrieved consumer, who would be entitled to damages in an amount not less than $100 and not greater than $750 per consumer per incident or actual damages, whichever is greater and civil penalties by the Florida Office of the Attorney General of up to $2,500 for each unintentional violation, or $7,500 for each intentional violation.
Though the passing of this proposed legislation is not at all certain, the law, if enacted, would take effect on January 1, 2022. Therefore, businesses should begin considering how this proposed law would affect their operations and also begin to plan for implementation of changes to their consumer privacy practices that may become necessary as a consequence of the enactment of this proposed legislation.