Florida joined the fray of state legislatures vying to become the third state to enact comprehensive data privacy legislation following the passage of Virginia’s Consumer Data Protection Act (“CDPA”). Introduced in February with the support of Governor DeSantis, House Bill 969 (“HB 969”) shared many similarities with the California Consumer Privacy Act (“CCPA”), including a private right of action. At the same time, the previously identical Senate Bill 1734 (“SB 1734”) was recently amended to limit the scope of the law and remove the private right of action. As with many other state bills, the Florida bills have died for the present legislative session due to the breakdown over the private cause of action.
The core difference in the bills, which ultimately made all the difference, was the enforcement mechanism. HB 969 provides consumers a private right of action for three distinct violations, unlike SB 1734, which completely removes any private right of action from the law.
First, under HB 969, a consumer can bring suit where the business’s failure to implement reasonable security practices results in the unauthorized access and exfiltration, theft, or disclosure of non-encrypted and non-redacted personal information or e-mail address, in combination with a password or security question and answer that would allow access to the account. Notably, the bill goes further than the CCPA by covering all “personal information” (rather than a narrower subset of particularly sensitive personal information), and by allowing consumers to also sue a business for failure to delete or correct a consumer’s personal information, and for continuing to sell or share a consumer’s personal information after a consumer has exercised the right to opt-out. The court may grant damages between $100 and $750 per consumer per incident or actual damages, whichever is greater, as well as injunctive or declaratory relief. Reasonable attorney fees and costs are also available to prevailing consumers.
Under both bills, the attorney general is authorized to seek civil penalties of up to $2,500 for each unintentional violation and $7,500 for each intentional violation. These fines can be tripled where the violation involves consumers who are 16 years old or younger. Whether businesses receive a 30-day period to cure any alleged violations is left to the discretion of the attorney general.
Applicability and Scope
The bills generally had the same scope.
Covered Entities: Under HB 969, a “business” is a for-profit legal entity that does business in Florida, collects personal information about consumers, and meets at least one of the following jurisdictional thresholds: (1) annual gross revenue in excess of $25 million; (2) annually buys, receives for the business’s commercial purposes, sells, or shares for commercial purposes, the personal information of 50,000 or more consumers, households, or devices; or (3) derives 50% or more of its global annual revenue from selling or sharing personal information about consumers. As with the CCPA, the bill would also cover an entity that controls or is controlled by a covered business and that shares common branding with the business.
Under SB 1734, there is no monetary threshold. Rather, a business is defined as a for-profit legal entity that does business in Florida, collects personal information about consumers, and satisfies either of the following conditions: (1) annually buys, sells, or shares the personal information of 100,000 or more consumers, households, or devices; or (2) derives 50% or more of its global annual revenue from selling or sharing personal information about consumers.
Personal Information: Similar to the CCPA, HB 969 defines personal information as information that “identifies, relates to, or describes a particular consumer or household, or is reasonably capable of being directly or indirectly associated or linked with, a particular consumer or household.” The bill highlights the same categories of personal information as the CCPA, such as identifiers, characteristics of protected classification under state or federal law, and commercial information. Excluded from the definition of personal information are publicly available and deidentified or aggregate consumer information. Aside from variations in wording and the addition of probabilistic identifiers as a category of personal information, the definition in SB 1734 tracks that of HB 969.
Covered Individuals: Under both versions of the bill, consumers are natural persons who are in Florida on a non-temporary or transitory basis.
Obligations for Businesses
Substantively, the bills are quite similar, and both rely on a notice-and-choice paradigm.
Businesses that collect personal information are also required to implement “reasonable security procedures and practices appropriate to the nature of the personal information” to protect against threats such as unauthorized or illegal access and disclosure.
Significantly, HB 969 imposes an explicit retention obligation that prohibits businesses from using and retaining personal information after (1) the initial purpose for collecting the information is accomplished, (2) the duration of a contract, or (3) one year after the consumer’s last interaction with the business, whichever occurs first.
SB 1734 contains several notable departures from HB 969, including:
- Requirements for notice are triggered more narrowly than those in HB 969. If a business that collects personal information will use the data for a “non-business purpose,” it must, at or before the point of collection, inform consumers of specified details regarding such collection and use.
- SB 1734 shares the same obligation imposed by HB 969 to implement reasonable security procedures and practices that are appropriate to the nature of the personal information. However, in a noteworthy departure from HB 969, SB 1734 imposes strict GDPR-like requirements for businesses that engage service providers.
- In addition to barring the retention of personal information for longer than is reasonably necessary to accomplish the disclosed purposes, businesses’ collection, use, retention, and sharing of personal information must be “reasonably necessary to achieve, and proportionate to the benefit of achieving, the purposes” of collection.
- Whereas HB 969 makes no mention of the concept of sensitive data, SB 1734 requires businesses to obtain consumers’ consent in order to process such data. Interestingly, the bill does not provide a definition for sensitive data.
Consumer Rights and Opt-Out Requirements
Both bills generally grant consumers a number of similar rights, including the ability to request to know certain details about their personal data (including the specific pieces of personal data), request deletion or correction of their personal data, and submit an opt-out request with respect to the sale or sharing of their personal data. The laws differ with respect to the exact scope and framework of the opt-out right, with HB 969 adopting a broader variation of the definition of “share” found in the California Privacy Rights Act that covers advertising or marketing in general (in addition to the opt-out from “sale”), and SB 1734 including a narrower opt-out right for targeted advertising or profiling as part of the “sale” opt-out.
Among other exemptions, both bills exempt employees’ personal information, protected health information subject to HIPAA, and personal information collected, processed, sold, or disclosed pursuant to the Gramm-Leach-Bliley Act (“GLBA”). Like the CCPA’s analogous exemption, this GLBA exemption applies at the data level, in contrast to Virginia’s Consumer Data Protection Act, whose exemption applies to any “financial institution or data subject to” the GLBA.