The Florida Legislature is considering a comprehensive privacy law (HB 969) that would fundamentally change the landscape of how/whether companies do business in Florida. The bill is largely a “cut-and-paste” of the California Consumer Privacy Act (CCPA), but in some ways, it goes further than the CCPA and would make Florida’s law the most aggressive privacy law in the United States. As I have previously described, the bill would create significant privacy rights for Florida residents, including the right to know what personal information companies are collecting about them, the source of that information, how the information is being shared, a right to request a copy of that information, and a right to delete/correct that information. But the law goes too far – placing a crushing financial burden on most small and medium-sized businesses and creating a private right of action that dwarfs California’s version. This post analyzes the five most significant problems with HB 969 and proposes solutions.
HB 969 Would Crush Small and Medium-Sized Businesses
What’s the Problem?
The Florida Governor has promoted HB 969 as a law that will hold “big tech” companies accountable for their collection and use of Florida residents’ personal information. While the bill would apply to big tech companies, for the most part, the law will affect small and medium-sized businesses that are not in the tech industry and may collect a small amount of personal information about Florida residents.
Section 501.173(1)(c)1. of the bill, which establishes the law’s scope, says that the law would apply to most for-profit companies that meet one of the following three requirements:
- Has global annual gross revenue in excess of $25 million;
- Annually buys, receives, sells, or shares for commercial purposes the personal information of 50,000 or more consumers, households, or devices; or,
- Derives 50 percent or more of its global annual revenues from selling or sharing personal information about consumers.
As you can see, the law would apply to many companies beyond big tech. If a company collects personal information of just one Florida resident but generates annual revenue of more than $25 million, the law applies to that business. It isn’t difficult for an organization to hit the $25 million threshold. According to the U.S. Small Business Administration, many small businesses hit this requirement depending on their industry.
HB 969 would impose significant financial burdens on companies. To comply, a company would likely need to hire:
- A lawyer to help understand the plethora of requirements in the 37-page bill;
- A vendor to perform a data inventory that allows the business to understand what personal information they collect, where they get that information, how they use it, and with whom they share it;
- A vendor to develop a process for responding to Florida residents’ requests to access, delete, or change their personal information;
- A service/subscription that will track changes in how personal information is being collected and shared so that responses to data requests are accurate and provided in a timely manner;
- A company to build the required “Do Not Sell” button on the homepage and all of the back-end support triggered by clicking on that button;
- A company to train employees on how to comply with the law; and,
- A cybersecurity firm to perform a threat assessment and to build the reasonable security procedures and processes required by the law.
The cost of the above services can range between $50,000 to $500,000 depending on the business and the number of vendors needed.
If those costs aren’t enough, businesses will also face a significant risk of class-action lawsuits if they suffer a data breach. These lawsuits typically seek millions of dollars in statutory damages and attorney’s fees.
In short, the price tag for Florida businesses to comply with HB 969 is staggering and could result in bankrupting smaller enterprises.
What’s the Solution?
How do we balance the need to provide consumer privacy rights while protecting a business-friendly environment in Florida? The best way is fairly simple: follow the model created by the Virginia Consumer Data Protection Act (which is about to become law), which eliminates the gross revenue trigger. The VCDPA will apply to “persons that conduct business in the Commonwealth or produce products or services that are targeted to residents of the Commonwealth and that (i) during a calendar year, control or process personal data of at least 100,000 consumers or (ii) control or process personal data of at least 25,000 consumers and derive over 50 percent of gross revenue from the sale of personal data.”
Such an approach makes more sense when it comes to privacy legislation because it uses criteria based on the amount of personal information a company collects, rather than the amount of revenue a company generates.
Eliminate the Bonanza for Lawyers
What’s the Problem?
Do you remember watching the opening credits of DuckTales as a kid and marveling at Scrooge McDuck diving into his pool of gold coins? (Physicists have actually weighed in on whether this is possible – seriously). Well, if section 12 of HB 969 becomes law, just replace Scrooge McDuck with every plaintiffs’ lawyer in Florida.
Section 12 allows any Florida resident whose personal information is impacted by a data breach to sue for $100 to $750 per consumer per incident. So, for example, a company that suffers a data breach impacting the personal information of 5,000 individuals could face a lawsuit seeking more than $5 million in damages, the plaintiff’s attorney’s fees, and class action administration costs (not to mention the company’s own legal fees).
Until now, the biggest obstacle plaintiffs have faced in data breach litigation has been proving actual harm (e.g., monetary losses). If HB 969 becomes law, plaintiffs’ lawyers will argue they no longer need to demonstrate harm because HB 969 creates it for them through the $100 to $750 in statutory damages. We can therefore expect to see a significant increase in these lawsuits, just as California has seen since its version went into effect.
HB 969’s private right of action is actually worse for businesses than California’s version because it fails to limit the definition of personal information to the more traditional definition of sensitive information (e.g., Social Security Numbers, Driver’s License Numbers, credit card numbers, medical information). The CCPA uses this more limited definition of personal information for the purpose of establishing a private right of action. That’s right – Florida’s proposed law is less business-friendly than California’s. HB 969 defines personal information as “information that identifies, relates to, or describes a particular consumer or household, or is reasonably capable of being directly or indirectly associated or linked with, a particular consumer or household.” So, for example, inadvertent disclosure of the fact that “John Smith’s favorite color is blue” or “the Smith household likes to watch old episodes of Breaking Bad” would allow the Smiths to sue the company that suffered the breach.
This leads to the next problem with the private right of action – it is based on an overly broad and inconsistent definition of a data breach. The definition of a data breach for the purpose of triggering the private right of action is broader than the definition of a data breach under Florida’s data breach notification law. Under HB 969, a breach means any “unauthorized access and exfiltration, theft, or disclosure” of personal information. In contrast, Florida’s breach notification law limits the definition of a breach to “unauthorized access of data in electronic form containing personal information” (it also limits personal information to more sensitive information as referenced above). Florida’s data breach notification law does not create a private right of action. In other words, a company could be sued based on a data breach for which they never would have been required to give notice, which is absurd.
Perhaps the biggest problem with the proposed private right of action is the disincentive it would create to disclose “gray area” data breaches. Currently, when a company suffers a breach it performs a forensic investigation to determine whether personal information was impacted. The investigation is often inconclusive on this question where there is a lack of log files or the attacker deleted the forensic artifacts that would show his tracks. In that instance, most companies notify individuals of the incident and a potential risk because they believe it’s the right thing to do even if there is no clear forensic conclusion that would have required the notice. Now take that same scenario, but the company faces the risk of a multimillion-dollar class-action lawsuit under the proposed private right of action by disclosing the attack. It doesn’t take a rocket scientist to conclude that companies in that situation will likely not disclose the breach. “Doing the right thing” would be rewarded with a demand from a plaintiffs’ lawyer seeking damages and fees.
Privacy advocates have argued that the private right of action is limited because it will only succeed where the plaintiff can also show that the breach is “a result of a business’ violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information.” This argument is misleading because it ignores how lawsuits unfold in our judicial system. Plaintiffs’ lawyers will argue that the questions of whether security procedures and practices were reasonable and whether the breach resulted from a business’s violation of the duty to implement those procedures and practices are factual questions. Why does that matter? Because if the plaintiffs’ lawyers are correct, it is highly unlikely the case will be resolved early through a motion to dismiss or summary judgment (at least not on the ground that the “reasonable security practices” limitation applies). In short, the additional requirement of showing that the breach was a result of a violation of the business’s duty to implement reasonable security procedures and practices will have no impact on the lawsuit, as the issue may not get resolved until trial (trials rarely happen in class action lawsuits) and the company will need to spend hundreds of thousands of dollars defending the lawsuit in the meantime.
What’s the Solution?
The best solution is to remove the private right of action in its entirety. Doing so would eliminate all the above concerns, disincentives, and contradictory outcomes. To the extent we are concerned that companies will not be held accountable for data breaches, the Florida Attorney General is permitted under Florida’s data breach notification law to seek up to $500,000 in civil penalties and additional monetary/injunctive relief. There is no need for a private right of action that will incentivize companies to hide, rather than disclose, data breaches.
If the private right of action cannot be removed, there are some ways to limit the harm it causes, but none of these ways adequately remediate the problem.
For example, “personal information” and “data breach” should mean the same thing in HB 969 as they do in Florida’s data breach notification law, at least for the purpose of the private right of action. This will help avoid some of the inconsistencies described above. If the Legislature keeps HB 969’s current definition of a data breach, then, at minimum, it should be clarified so that it does not apply to a good faith disclosure of information by the business.
Another improvement would be to give companies an opportunity to cure the underlying vulnerability that led to the breach before allowing any private lawsuit to proceed. Curing the vulnerability may mean, for example, broadening implementation of multifactor authentication, patching specific applications or systems, addressing open ports, removing the malware that gave rise to the incident, or deleting/minimizing the collection of certain data. The limitation here is that plaintiffs’ lawyers will argue that whether the company adequately cured the underlying vulnerability should be a fact question for the jury, and it will turn into a battle of the experts.
A third change if the private right of action remains is requiring the plaintiff to demonstrate an intentional or willful violation of the duty to implement and maintain reasonable security procedures and practices. Also, the question of whether the duty to implement and maintain reasonable security procedures and practices is met should be a question of law for the court (allowing early consideration of the issue), rather than a factual question that requires costly litigation.
Another option would be, as California considered at one point, requiring the plaintiff to first provide notice to the Florida Attorney General of the individual’s intent to file the lawsuit and obtain approval from the Florida Attorney General’s office before the private right of action is permitted to proceed.
Lastly, the private right of action could be amended to limit the damages provision. An individual could be limited to recovery of injunctive/declaratory relief; the statutory damages could be limited to $100 per consumer per incident; or, the individual could be required to show actual harm as a condition for obtaining statutory damages.
Explain When Regulatory Enforcement Can Occur
What’s the Problem?
HB 969 would be enforced by the Florida Attorney General. She can seek a civil penalty of “up to $2,500 for each unintentional violation or $7,500 for each intentional violation.” But the bill does not define how to quantify a “violation.”
What’s the Solution?
A violation could be defined in different ways. Some options include:
- Option 1 – there can be only one violation no matter how many provisions of HB 969 are violated or how many individuals are impacted. Penalties would therefore be capped at $2,500 or $7,500, depending on whether the violation is unintentional or intentional.
- Option 2 – violations are measured by the number of requirements in the law that are not met. So, for example, if a company did not comply with the privacy notice requirement and did not comply with the requirement to provide a response to a verified consumer request, there would be two violations of the law for calculating civil penalties.
- Option 4 – a combination of 2 and 3 – a violation would be calculated by multiplying the number of impacted individuals by each provision violated, respectively. This approach would result in potentially enormous penalties against companies for violating the law.
The bigger issue is not which of the four options is best (personally, I’d go with options 2 or 3), but the lack of clarity around the definition.
Fix the “Service Provider” v. “Third Party” Drafting Errors
What is the Problem?
HB 969 is based on the CCPA. That law imposes different obligations depending on whether the business is sharing personal information with a “service provider” or a “third party.” A service provider is a company with which the business shares personal information for a purpose that is compatible with the context in which the personal information was initially collected. For example, sharing information with a company for auditing, detecting security incidents, performing services on behalf of the business, research, or quality control would all meet the business purpose requirement. A third party is a company with whom the business shares personal information for a reason that is not a business purpose. These companies are not necessarily looking to help you; they’re looking to benefit from the data you’re sharing with them. An example might be a marketing or “big data” firm that purchases data from you primarily for their own independent benefit.
For a company to be considered a service provider, the contract between the company and the business must contain provisions described in lines 707 to 725 of HB 969, which prohibit further types of selling, using, and sharing of personal information. That makes sense because the whole idea of the service provider is that the business that hired the service provider must control/limit how any personal information is used/shared. What does not make sense is the language in lines 726 to 744, which imposes the same share/use/sale limitations on third parties. Indeed, the reason why entities are considered third parties is because they will not agree to these limitations. Likely, this language was included due to a drafting error.
Additionally, there appears to be a typographical/drafting error in which the provision set forth in lines 730 to 735 repeats itself in lines 736 to 741.
What is the Solution?
There is an easy fix to both problems: delete lines 726 to 744.
Not Enough Time to Comply
What is the Problem?
HB 969 would go into effect on January 1st of next year. By comparison, the CCPA took approximately two years to become effective. A long ramp-up time is necessary because companies need to understand how the numerous requirements will apply to their organizations. Companies will need to conduct risk assessments and perform a data inventory before preparing their privacy notices. The companies will need to build processes and policies to govern how they will respond to data requests from consumers. The companies will need to assess and improve their security practices and procedures, and they will need to train employees on the law’s new and often complicated requirements. With each of these examples, the company may need to engage a professional, experienced third party. The work will take most organizations much longer than six to nine months to complete.
What is the Solution?
The best solution would be to make the law effective on January 1, 2023. In addition to giving companies more time to prepare to comply with the law, this longer ramp-up time will allow Florida to evaluate and better address the weaknesses that are becoming increasingly apparent from the CCPA and other similar comprehensive privacy laws.