Bilzin Sumberg attorneys Kelly Ruane Melchiondo and Philip R. Stein discuss the implications of Florida House Bill 969 and Senate Bill 1734, which would dramatically reshape the ways businesses operating in Florida could collect and handle consumer data. They cover what is in the proposed bills, how they would affect Florida's business community, and what companies should do now to prepare for the law. What follows is a transcript of the discussion.
MELCHIONDO: Hello, everybody. I'm Kelly Ruane Melchiondo, a partner in Bilzin Sumberg's Construction Group.
STEIN: And I'm Phil Stein, the head of Bilzin Sumberg's Litigation Practice Group. We'd like to welcome you to The Bilzin Sumberg Lawcast, where we explore timely and salient issues that are important from both a business and legal perspective to our clients and the wider community.
MELCHIONDO: Today we're going to discuss House and Senate bills recently introduced in the Florida Legislature regarding the handling of personal data that may have profound consequences for the business community. House Bill 969 was introduced on February 15. Senate Bill 1734 was introduced on February 25. Their common objective is to protect consumer privacy by giving consumers broad authority over the way companies collect and handle their personal data.
STEIN: If the proposed legislation passes, Florida will join the rapidly growing list of states expanding their regulation of the sharing and selling of personal data. While that might be welcome news to a lot of consumers, it would also impose substantial compliance requirements on companies doing business in Florida. And it may significantly increase litigation as both consumers and the state government pursue claims against violators. Kelly and I are going to explore in more detail what's in the proposed legislation and the likely ramifications of the law for the Florida business community if it passes.
So Kelly, let's talk first about the proposed legislation. What's in these House and Senate bills in terms of requirements for collecting and handling consumer personal data, and penalties for non-compliance?
MELCHIONDO: Well, Phil, the bills are very similar. The primary interesting point is that the bills add biometric information as categories for personal information. And that means anything from the individual's physical, biological, or behavioral characteristics that can be used to identify the individual. So that's DNA, it's retinal scans, fingerprints, voice recordings, keystroke patterns. Anyone familiar with data privacy knows that Illinois has a very similar law on the books already that has sparked multitudes of litigation over even photographs that are being used without consent.
One of the next issues is that businesses have to create and actually enforce their privacy policies, if they don't already have them; they have to explain the terms of the privacy policies in user-friendly language on their websites. They have to tell the consumers what data exactly they're collecting and why. And they have to give the consumers the right to opt out of the sale or the sharing of that information, and the ability to ask the companies to correct and delete that information. So if a business collects information, but has no access to it after it collects it, that could be a problem for that business.
The business won't be able to collect any information for any reason other than what it tells the consumer about. So if your business collects information for the purposes of sending out a weekly newsletter, for example, and you tell your consumers who are using your sites that that's why you're collecting that information, then you can send them a newsletter. But you can't decide a week later that you're also going to collect that information for the purpose of conducting market research, checking out your demographics, or your consumer base; you have to do what you said you're going to do. And if that changes, then you need to revise your policy and give people the opportunity to opt out of your collecting that data for a different reason.
A critical issue in the new bills is that the penalties for non-compliance have changed. And they're far stricter. And this is actually where the two bills diverge a little bit. In terms of the House Bill, the penalties are related to data breaches. So individuals can seek damages in a private right of action between $100 and $750 per consumer per incident, or actual damages, whichever one is more. For the Senate Bill, that private right of action relates even to privacy violations that are not related to data breaches. So for example, that company that I just mentioned, that collects data for a newsletter, and then uses it later for market research without telling consumers it's also using it for that purpose, could face those serious fines and even individual lawsuits from affected consumers just for collecting that data. So those are some things that are in these bills and have to be taken into account by pretty much every business doing business in Florida.
STEIN: That's a great overview. Kelly, you know, you've touched on some of the major requirements for compliance. And I guess the point is, there are a lot of major requirements for compliance. Many companies, particularly small businesses, may find them really onerous. Does the law affect all companies doing business in Florida? Or are there exclusions?
MELCHIONDO: Well, there are some exclusions and there is some good news for the small business. The bill affects any company with gross revenues globally, that exceed $25 million annually that do business in Florida and collect personal information. So we're talking about the Googles of the world, the Targets of the world. But the law also does apply to smaller companies with annual revenues less than $25 million if those companies buy or receive information of 50,000 or more residents of Florida, or if those companies basically engage in selling personal information and derive at least 50% of their revenues from selling or sharing information. So your small mom-and-pops businesses that have an e-commerce component and are only selling locally, they may not be touched by this, but it's very easy in this day and age to get to that 50,000 consumer resident Florida threshold so people do need to pay attention to this.
STEIN: You know, one of the questions that comes up in connection with the proposed legislation is, if there is a violation of the law, who would pursue a claim or impose penalties? The answer to the question is it could be an array of different actors. As Kelly mentioned before, a private right of action is created for consumers to the extent the data has been sold or shared with others, and if it's been done in a way that's not in compliance with the law. But the fact of the matter is, this is also something that's within the purview of the Florida Department of Legal Affairs, in the Florida Office of the Attorney General. So you may see a variety of types of actions; you certainly could see individual actions. Kelly outlined the fact that the damages that are recoverable per incident for an individual are somewhat limited; about $100 to $750, or as she said, actual damages, which could of course, be larger. So you have the prospect of individuals bringing, you know, relatively smaller claims.
But because the claims are relatively small, I think what we can reasonably expect to happen, to the extent there is any degree of widespread violations by a business, is you'll see threatened class actions or actual class actions, because plaintiffs' attorneys will see an opportunity to aggregate the relatively smaller claims of a variety of individuals into a big class action. And thereby drive up the damages claim and the hoped-for recovery from a defendant business in such a situation. So we do see an opportunity or the possibility, the problematic possibility, for businesses of being more vulnerable to class action litigation.
But it's not just the private right of action, whether individual or in a class action form. As I mentioned, the Florida Department of Legal Affairs, a section of the Office of the Attorney General, is specifically authorized under the House Bill, for example, to bring a civil action for intentional or unintentional violations. They also provide, by the way, a 30-day time period for companies notified of alleged violations to cure them. But clearly they are a player that could bring claims of this type. So there's definitely a heightened possibility, I think, for the litigation, even beyond what we've already got in Florida with respect to protections afforded consumers in the event of data breaches.
STEIN: Kelly, given the profound consequences of this bill becoming law, what do you think businesses should do at this point in terms of updating or overhauling their consumer privacy practices?
MELCHIONDO: Well, the bottom line is right now, there's not a lot of time. So they should do what they can. If the Senate Bill passes in its current form, we're looking at an effective date as soon as July of this year, meaning a few short months away. If the House Bill passes, we're looking at an effective date of January of 2022, which again, is less than a year. So the fact is that every business that is paying attention needs to look, number one, at whether or not it's currently doing the volume of business that would put it within the parameters of this law, or whether it intends to do that kind of volume of business in the future. If the answer is yes, then that business needs to look at its existing policies and its existing capabilities to collect and to access data that it has collected, for example, if someone wants to come in and delete or purge, or correct the data that that business has collected.
STEIN: Kelly, I think those are great points. It occurred to me while listening to you that another good bit of advice would be to make sure that companies that are heeding your advice (reviewing and, if necessary, overhauling their policies; reviewing and, if necessary, enhancing their technical capabilities) are documenting that they are taking those steps. It would be a shame, obviously, in future litigation or a future investigation, if a company that had in fact followed your very good advice couldn't document or couldn't demonstrate that it had done those things, that it had been mindful of these risks and had been working hard to address them. And I think to the extent companies have boards of directors or compliance officers that are tasked with responsibility for overseeing these kinds of processes and capabilities, getting them involved and creating minutes, for example, of discussions about what's going on would be sound advice.
Kelly, thank you so much for joining me for this discussion. These bills, if enacted, can surely be expected to have substantial effects on companies doing business in Florida. So I'm glad that we've been able to take some time to discuss what may be coming. And, to our audience, thank you for tuning in. We look forward to bringing you the next episode of The Bilzin Sumberg Lawcast.