Florida may soon join the growing number of states that have enacted comprehensive consumer privacy legislation. Backed by Governor Ron DeSantis, Florida House Bill 969 (HB 969) would create new obligations for covered businesses and greatly expand consumers’ rights concerning their personal information, such as a right to notice about a business’s data collection and selling practices.
Significantly, and similar to the California Consumer Privacy Act (CCPA), HB 969 also would establish a private cause of action for consumers affected by a data breach involving certain personal information when reasonable safeguards were not in place to protect that information.
The bill also would amend Florida’s data breach notification law, the Florida Information Protection Act of 2014 (FIPA), to expand the definition of “personal information” to include biometric information.
If passed, HB 969 would go into effect on January 1, 2022.
HB 969 tracks laws in other jurisdictions, including California’s CCPA and California Privacy Rights Act (CPRA). Its key elements include the following:
Jurisdictional Scope. In general, if enacted as drafted, the law would apply to for-profit businesses that conduct business in Florida, collect personal information about consumers, and satisfy at least one of the following threshold requirements:
- The business has global annual gross revenues over $25 million (adjusted to reflect any increase in the consumer price index); or
- The business annually buys, receives for the business’s commercial purposes, sells, or shares for commercial purposes the personal information of at least 50,000 consumers, households, or devices; or
- The business derives at least half of its global annual revenues from selling or sharing personal information about consumers.
The law also would apply to certain entities that control or are controlled by covered businesses and share common branding with them. In addition, as with the CCPA, service providers of covered businesses would have certain obligations under the law.
Exemptions. HB 969 would not apply to employers that collect or disclose employee personal information within the employment (as opposed to consumer) context. This means the same company can have obligations under the law with respect to consumers but be exempted with respect to employees. The bill includes other exemptions, such as health information collected by HIPAA-covered entities and business associates, data sold or shared to or from a consumer reporting agency if used to generate a Fair Credit Reporting Act-compliant consumer report, data covered by the Driver’s Privacy Protection Act and the Family Educational Rights and Privacy Act, data collected for research in the public interest, and information collected, processed, sold, or disclosed pursuant to the Gramm-Leach-Bliley Act (GLBA).
Personal Information. HB 969 defines personal information broadly to include information that identifies, relates to, or describes a particular consumer or household, or is reasonably capable of being directly or indirectly associated with a particular consumer or household.
Consumer. HB 969 defines “consumer” as a natural person who (1) is a resident of Florida, and (2) is either in Florida non-temporarily or is domiciled in Florida.
Consumer Rights. Under HB 969, Florida residents would be afforded the following personal data rights:
- To demand a copy of personal information that a business collected about the consumer. The business must deliver the information free of charge. However, a business need not provide a consumer personal information more than twice in a 12-month period.
- Subject to a handful of exceptions, to have any personal information that the business collected about the consumer deleted.
- To request that inaccurate personal information about the consumer be corrected.
- To request that a business that sells or shares personal information about the consumer disclose the categories of personal information sold or disclosed for a business purpose and the categories of third parties to which such information is shared or disclosed.
- To opt out, at any time, of the sale or sharing of personal information to third parties. A third party to which personal information is sold or shared may not itself sell or share that personal information unless the consumer has been provided explicit notice and an opportunity to opt out. In addition, a business may not knowingly sell or share the personal information of a consumer who is under 16 years old unless the consumer (for consumers ages 13-15), or the consumer’s parent or guardian (for consumers ages 12 or younger), has affirmatively opted in. A business must provide, on its homepage, a link titled “Do Not Sell or Share My Personal Information” to a page that enables the consumer to opt out.
Non-discrimination. HB 969 prohibits discrimination against a consumer who exercises their rights under the law. For example, a business may not target the consumer by denying goods or services or charging a higher price.
Enforcement. HB 969 provides for a maximum civil penalty of $2,500 per unintentional violation, or $7,500 per intentional violation. The penalty may be tripled if the violation involves a consumer who is 16 years of age or younger. A business may be found to have violated the law if it fails to cure an alleged violation within 30 days of being notified of it.
Private Cause of Action. FIPA provides that covered entities “shall take reasonable measures to protect and secure data in electronic form containing personal information.” FIPA, however, does not provide a private cause of action for data breaches. HB 969 expressly provides that a consumer whose covered data is subject to unauthorized access and exfiltration, theft, or disclosure as a result of a business’s failure to implement and maintain reasonable security procedures may bring a civil action for damages or injunctive relief. Statutory damages would range from $100 to $750 per consumer, per violation, or actual damages, whichever is greater.
The ramifications of HB 969’s inclusion of a private cause of action are significant. In the event of a data breach involving many consumers, $100-$750 per violation could add up and entail serious and substantial exposure.
The current legal landscape in Illinois is instructive. Illinois provides a private cause of action (under its Biometric Information Privacy Act, BIPA) for prohibited collection, use, or disclosure of biometric information. The flurry of class actions in Illinois can in large part be traced to the state’s permitting plaintiffs who allege bare statutory violations to proceed in court. In other words, a plaintiff need not make any showing of actual injury beyond the violation of their rights under the statute. For example, the federal court for the Northern District of Illinois has concluded that even the retention (as opposed to the collection or use) of biometric data constitutes a particularized injury sufficient to support standing to sue. Neals v. Partech, Inc., No. 19-cv-05660, 2021 U.S. Dist. LEXIS 24542, at *9-13 (N.D. Ill. Feb. 9, 2021).