Florida is currently considering data privacy legislation that would require covered businesses to implement comprehensive policies and procedures to provide privacy rights to consumers. The proposed legislation, House Bill 969, is based in significant part on the California Consumer Privacy Act of 2018 (CCPA), as amended by the California Privacy Rights Act (CRPA). If passed, HB 969 would become effective on January 1, 2022.

While HB 969 is directly relevant to those businesses that would be covered entities under the legislation, on a grander scale it demonstrates the continuing efforts by state legislatures to develop more comprehensive data privacy laws. For example, since the passage of the CCPA, other states such as Arizona, Connecticut, Illinois, Maryland, Massachusetts, Minnesota, New York, Virginia, and Washington, among others, have also considered data privacy legislation resembling the CCPA. Given that no uniform consumer privacy legislation exists at the federal level, businesses will be forced to continue navigating the patchwork of developing state privacy laws that govern the jurisdictions in which they are conducting business.

What Exactly Is HB 969?

HB 969 would apply to for-profit businesses that (a) conduct business in Florida, (b) collect personal information about consumers, (c) determine the purposes and means of processing personal information about consumers, and (d) satisfy at least one of the following:

• Have global annual gross revenues exceeding $25 million;
• Annually buy, sell, or receive or share for commercial purposes, the personal information of at least 50,000 consumers, households, or devices; or
• Derive at least 50% of their global annual revenues from selling or sharing consumers’ personal information.

The legislation would require covered businesses to (a) create an online privacy policy, which must be updated annually; (b) inform consumers, at or before the point of collection, of the categories of personal information to be collected and the purposes for which the information will be used; and (c) develop and follow a retention schedule that prohibits the use and retention of personal information (excluding biometric information used for ticketing purposes) after the purpose for collecting the information has been satisfied, after duration of a contract, or one year after the consumer’s last interaction with the business – whichever occurs first. The first and second requirements described here are also nearly identical to California’s law, while the third requirement is a more specific version of the data minimization requirement that was recently added to the CCPA by the CPRA.

HB 969 also provides consumers with numerous rights regarding their collected personal information, including the right to request that a business provide a copy of their personal information collected, the right to have their personal information be deleted, and the right to have inaccurate personal data corrected. All of these rights are also provided by the CCPA/CPRA.

For CCPA/CRPA-Covered Businesses

Business Obligations – For businesses covered by the CCPA, HB 969 also imposes privacy policy and notice requirements. However, businesses should pay close attention to the data retention requirements under HB 969 if they are enacted, as these requirements converge from the more general data minimization requirement in the CCPA/CPRA.

Treatment of Employee Data – As drafted, HB 969 would not apply to a business’s collection or disclosure of its employees’ personal information, so long as the collection or disclosure is conducted within the business’s scope as an employer. In California, the exemption of employee information is not as definite. As it currently stands under the CCPA/CRPA, the exemption for employee and job applicant personal information expires on January 1, 2023, and it is also not a full exemption as certain requirements pertaining to employee and job applicant data have already been in effect since January 1, 2020.

Private Right of Action – Like the CCPA/CPRA, HB 969 also provides for a private right of action in the event of a data breach. HB 969 enables the aggrieved party to seek damages of $100-$750 per consumer per incident, or actual damages – whichever is greater. The proposed legislation also provides that an aggrieved party may pursue injunctive relief.

Covered Businesses – As one of the criteria to determine if a business is covered, the threshold number of consumers, households, or devices is 50,000 under the CCPA and under HB 969. However, the CRPA amended the CCPA to increase the California threshold, effective January 1, 2023, to 100,000 consumers or households and to exclude devices. Moreover, while the CCPA prior to the CPRA amendment would apply to an entity that derives 50% or more of its revenue from merely “selling” consumer personal information, HB 969 mirrors language from the CRPA and includes companies that derive 50% or more of their revenue from “selling or sharing” consumer personal information. “Sharing” would potentially cover more businesses under the criteria that do not engage in any “selling” of personal information.

Next Steps for Employers

Florida legislators proposed a similar, but more limited, bill last year that did not make it out of legislative committee. However, this latest attempt clearly indicates that the legislative effort to push through some form of consumer privacy protection bill continues to have momentum. To the extent your organization either does business in Florida or targets Florida residents as potential consumers, you should continue to monitor the status of the bill, and if it passes, consult with legal counsel sooner rather than later to ensure you are able to meet HB 969’s requirements if the bill passes.

For those businesses who have already taken steps to comply with the CCPA, do not assume that your CCPA compliance steps will automatically protect you under HB 969 – or any other state consumer privacy legislation that emerges over the next few years.