Yesterday, the Governor of Florida threw his support behind a newly introduced consumer data privacy bill (HB 969) which is very similar to the California Consumer Privacy Act of 2018. The Governor’s support is a significant development given that he and both chambers of the Florida Legislature are Republican and, to date, there has not been any aligned support for a privacy law since the Florida Information Protection Act (FIPA), Florida’s data breach notification law. Nevertheless, as with the CCPA, the bill proposes a boondoggle for the plaintiffs’ bar in the form of a private right of action for data breaches and statutory damages, which could present a significant obstacle to passage in the bill’s current form, particularly for a fairly business-friendly Florida Legislature.
To Whom Would HB 969 Apply?
HB 969’s definition of a business to which the proposed law would apply is similar to the CCPA’s definition. It would apply to any for-profit business that has a global annual gross revenue in excess of $25 million, does business in Florida, collects personal information about consumers, and determines how the personal information will be processed. (The drafters cleared up the confusion created by the CCPA as to whether the revenue had to be generated from within the state – it does not.) Companies earning less than $25 million in global annual gross revenue would also be required to comply with the law if they buy/receive the personal information of 50,000 or more consumer, households, or devices, or if they derive 50% or more of their revenue from selling/sharing personal information. The law would also apply to entities that control or are controlled by a business that shares common branding with the business.
In short, contrary to the Florida Governor’s implications that the law would apply only to big tech companies, it would in fact apply to many small and medium-sized businesses that collect personal information about Florida residents.
What Rights and Obligations Would HB 969 Create?
HB 969’s obligations are very similar to the CCPA’s. First, the bill would require that businesses create an online privacy policy that would need to be updated annually. The policy would need to include:
- any Florida-specific consumer privacy rights;
- a list of the categories or personal information the business collects or has collected about consumers;
- a list that identifies which categories of personal information the business sells/shares or has sold/shared;
- a list that identifies which categories of personal information the business discloses/shares for a business purpose; and,
- the right to opt out of the sale/sharing to third parties and the ability to request deletion/correction of certain personal information;
The bill would also require businesses to provide a “just-in-time” notice at or before the point of collection that would inform consumers of the categories of personal information to be collected and the purposes for which the categories of personal information will be used. A business would not be allowed to collect additional categories of personal information or use collected personal information for any additional purpose other than those provided in the online privacy notice or the just-in-time notice without first providing the consumer with notice.
Next, HB 969 would require businesses to create and follow a retention schedule that prohibits the use and retention of personal information after the initial purpose for collecting the information has been satisfied, after duration of a contract with that consumer, or one year after the consumer’s last interaction, whichever occurs first. (This retention limitation is not the same for biometric information collected for ticketing purposes.)
HB 969 would also create a right to request from a business, up to twice per year, a copy of their personal data the business collected. The business would have to provide the information free of charge and in a readily usable format that could be easily transferable. Upon receiving a verified request, the business would need to disclose the specific pieces of personal information the business collected about the consumer, the categories and sources from which it collected the consumer’s personal information, the business or commercial purpose for collecting or selling the consumer’s personal information, and the categories of third parties with which the business shares the consumer’s personal information.
The proposed law would also provide consumers with a right to have their personal information deleted. The deletion would be required not just by the business, but also by any service provider with whom the business shared the personal information. There are several exceptions to this right that almost swallow the rule. For example, a business can reject a request to delete if the personal information is needed to complete a transaction, provide a good or service that the business reasonably anticipates the consumer may want, comply with a legal obligation, or use the information internally in a way that is “compatible with the context in which the consumer provided the information.”
Similarly, the bill would provide consumers with a right to request that a business correct inaccurate personal information. Again, the exceptions limit the rule significantly. Also, while this right is fairly easy to administer in the context of a straightforward request like changing information that is objectively verifiable, what happens in an instance where the personal information is more subjective, or the business believes the consumer is using this right to create an unfair advantage? Who makes the determination of which “version” of personal information is accurate? Would “both sides of the story” need to be maintained, as is the case with HIPAA’s right to amend?
HB 969 would also create a right to request what personal data has been sold or shared. Specifically, a consumer would have the right to know the categories of personal information that have been sold/shared, the categories of third parties to which the personal information was sold/shared, and the categories of personal information about the consumer that the business disclosed for a business purpose.
The bill would create a right to opt-out of the sale/sharing of personal information to third parties. Any business that sells/shares personal information to third parties must provide notice to consumers that the information may be sold/shared, and that the consumer has a right to opt-out of the sale/sharing of their personal information. Relatedly, third parties are not allowed to sell/share personal information sold/shared with them by a business unless the consumer is provided with explicit notice of the intent to sell/share and has been provided an opportunity to opt-out.
Additionally, the law would require a business to provide a conspicuous link on its homepage entitled “Do Not Sell or Share My Personal Information” that enables a consumer to opt-out of the sale or sharing of the consumer’s personal information. (A business does not need to put this link on its homepage if it has/creates a separate page dedicated to Florida consumers.) A business cannot require a consumer to create an account as a condition for directing the business not to sell the consumer’s personal information, and a business must wait at least 12 months before asking the consumer to authorize the sale of their information.
Additionally, the bill would create a right to opt-in for the sale/sharing of personal information of children. Specifically, where a business intends to sell/share personal information and it knows that a consumer is under 16 years of age, the business must obtain the child’s consent (if the child is between 13 and 15) or the parent’s/guardian’s consent if the child is 12 or younger.
Regarding the two rights described above, and as with the CCPA, there are some contours and carve-outs to the definition of a “sale” of personal information. For example, a business does not “sell” personal information if a consumer directs the business to intentionally disclose the personal information to a third party, assuming the third party does not then sell the personal information. Additionally, a business can share personal information with a service provider for a business purpose if the business provides notice of this activity in its terms and conditions, and the service provider does not further collect, sell, share, or use the personal information except for the business purpose.
Another exception to the definition of “sale/sharing” is the transfer of personal information to a third party as part of a merger, acquisition, bankruptcy, or other transaction. Under this exception, if the new business wants to use the personal information in a way that is materially inconsistent with the previous business’s privacy practices, the new business must provide notice in a “prominent and robust” way.
As with the CCPA, HB 969 would prohibit discrimination against consumers who exercise their rights under the law. Examples of such discrimination include denying goods or services to the consumer, charging different prices or rates for goods or services (including discounts or other benefits), or providing a different level/quality of goods or services. The law does, however, allow for financial incentives, like rewards programs and payments for the collection, sale, or deletion of personal information. In that case, the business must first obtain consent that describes the material terms of the financial incentive program, and the consent may be revoked at any time.
Finally, but perhaps most significantly, HB 969 would create a private right of action for data breaches. More information about that is provided below.
Beginning January 1, 2022, a business cannot use an agreement with a consumer to waive or limit any of the above-described rights.
How Must a Business Respond to a Verified Consumer Request?
To meet the bill’s requirements of responding to a consumer’s verified request, the business must make two or more methods available for submitting requests, one of which must be a toll-free number and (if the business maintains a website) a link to the homepage of the website.
The business cannot require the consumer to create an account to make a request. Additionally, the business must deliver the responsive information in a readily usable format, free of charge, and within 45 days after receiving the request (this period can be extended under certain circumstances).
Businesses must ensure that employees responsible for handling consumer inquiries are trained to handle inquiries about the business’s privacy practices and that they know how to direct consumers to exercise their rights under this proposed law.
How Does HB 969 Impact a Business’s Relationship with Third Parties and Service Providers?
HB 969 would impose restrictions on how service providers and other third parties with whom a business may share the consumer’s personal information can use/share that information. For example, any contract between a business and a service provider or third party must prohibit the service provider or third party from (a) selling/sharing the personal information; (b) using the personal information in a way that is outside the business purposes specified in the contract; (c) disclosing the information to any third party outside the relationship between the business and the service provider or third party; and, (d) combining the personal information it receives from the business with other information it receives about the consumer.
The contract must certify that the entity receiving the personal information will comply with these restrictions. These same restrictions apply between the service provider or third party and any subcontractor. If a third party, service provider, or subcontractor violates any of these restrictions, they may be held liable for those violations. In contrast, the business that discloses personal information to a third party or service provider is not liable if, at the time of disclosing the personal information, the business did not know or have reason to believe that the service provider or third party intended to commit such a violation.
What Are The Exceptions To HB 969?
As with the CCPA, there are significant exceptions to the bill’s requirements. So, for example, a business is not required to comply with HB 969 if doing so would restrict the business’s ability to comply with a different U.S. law, comply with a regulatory inquiry or subpoena, cooperate with law enforcement, or exercise legal rights.
Additionally, HB 969 does not apply to the collection of deidentified or aggregate consumer information. This assumes the business implements safeguards and processes that prohibit reidentification or prevent the inadvertent release of deidentified information, and the business does not attempt to reidentify the information.
HB 969 also carves out significant categories of information and businesses to which the bill would not apply, including employee personal information (where collected for employment purposes); health information, covered entities, and business associates under HIPAA (assuming they’re actually in compliance with HIPAA); information collected as part of a clinical trial; information collected as part of research in the public interest; and, information collected/used pursuant to GLBA, the FCRA, the DPPA, or FERPA.
HB 969’s Private Right of Action
Getting back to the private right of action. Like the CCPA, HB 969 would create a private right of action for data breaches and allow for statutory damages. First, it would broaden the definition of a data breach from “unauthorized access” of personal information (which is how Florida’s breach notification law currently defines a breach) to “unauthorized access and exfiltration, theft, or disclosure” of personal information. In other words, the definition of a data breach would remain the same for the purpose of determining whether notice to affected individuals is required, yet people could sue for data breaches about which companies would not have been required to provide notice. Pretty bizarre.
Consumer privacy organizations will argue that the private right of action would be limited to data breaches that are a result of a business’s violation of the duty to implement and maintain reasonable security procedures, so not all breaches would give rise to a class-action lawsuit. But that limitation is meaningless. Plaintiffs’ lawyers will argue, after filing the lawsuit, that this limitation is a question of fact for a juror at trial, rather than for a judge to decide via a motion to dismiss or motion for summary judgment. So a company will need to incur substantially the same expense fighting the lawsuit as if the limitation never existed.
Individuals will be entitled to seek damages between $100 to $750 per consumer per incident or actual damages, whichever is greater. The law also allows plaintiffs to seek injunctive or declaratory relief, which will undoubtedly be an avenue through which plaintiffs with weak claims will try to justify filing their lawsuits, getting class representative payouts, and obtaining attorney’s fees.
We’ve seen other privacy laws that create private rights of action and the results are never good. The Illinois Biometric Information Privacy Act (BIPA), for example, has resulted in hundreds of class-action lawsuits and millions of dollars in settlements against companies doing business in Illinois. Similarly, there have been hundreds of lawsuits filed under the Telephone Consumer Protection Act (TCPA). These are results that a business-friendly legislature will not want in Florida.
Another Change to The Definition of “Personal Information” Under FIPA
While on the topic of Florida’s breach notification law, HB 969 would broaden the definition of personal information under FIPA by adding biometric information to the list of identifiers that, if accessed without authorization, may be considered a data breach. FIPA would use the broader, CCPA-like definition of biometric information that would include not just physiological characteristics (like retinal scans, fingerprints, and voice prints) but also behavioral patterns like gait or keystroke patterns, and information like sleep, health, and exercise data.
It is likely that such a proposed change to FIPA will have little impact on a company’s data breach notification obligations, as breaches of biometric information are incredibly rare given the low value of what a threat actor actually obtains if he acquires “biometric information.”
The more meaningful impact of adding this amendment to FIPA would be opening the door to lawsuits by plaintiffs’ lawyers who would combine the broader definition of a breach (for the purpose of the private right of action) with Florida’s new definition of personal information (that adds biometric information) to try to create a Florida version of BIPA. For example, companies that “disclose” biometric information to vendors without first obtaining the data subject’s consent might inadvertently subject themselves to the new private right of action. To be clear, this private right of action is not intended by the law and should lose on the ground that such sharing is permitted under the good-faith exception to FIPA. Nevertheless, that won’t stop plaintiffs’ lawyers from trying.
How will HB 969 be enforced?
If HB 969 were to become law, the new rights/obligations would be enforced by the Florida Office of the Attorney General, which can bring an action against any business, service provider, or other person and seek a penalty of up to $2,500 for each unintentional violation, or $7,500 for each intentional violation. The bill does not define how a violation is calculated. So, for example, it is not clear whether a violation means one-violation-per-act, one-violation-per-consumer, or one-violation-per-provision-of-the-law-alleged-to-be-violated. In any event, fines may be tripled if the violation involves a consumer under 17 years of age. Additionally, the bill would allow the Florida Attorney General to adopt rules to implement the law.
If there is any “good” news with respect to enforcement, it is that before being deemed in violation of the law a business would first be provided 30 days to cure any alleged violation. Additionally, as with the CCPA, HB 969’s private right of action is limited to data breaches and does not apply to violations of the other privacy rights created by the proposed law.
When Would The Law Go Into Effect?
January 1, 2022.
What Is The Likelihood HB 969 Will Become Law?
HB 969 faces some uphill challenges created by the proposed private right of action, the low threshold that allows the bill to capture many small businesses in its net, and the potentially significant enforcement fines a company may face. Additionally, the high risk of class-action lawsuits may be enough to doom the bill, especially given Florida’s overt attempts to attract new business to the state. Nevertheless, the Governor appears to be on board with the law, and his party controls both chambers of the Florida Legislature (the other party will certainly have few objections to the law).
I remain optimistic that Florida can be a state that creates privacy consumer rights without providing a boondoggle for the plaintiffs’ bar. I believe that can be achieved here with some changes to HB 969, but only time will tell whether that will actually be the case.
