HB 969, a comprehensive privacy law that would immediately become the most onerous in the United States, sailed through the Florida House of Representatives’ Regulatory Reform Subcommittee yesterday.
Before diving deeper into the House subcommittee hearing, it should be noted that the Florida Senate is now considering SB 1734 (the “Florida Consumer Protection Act”) that would create a similarly sweeping privacy law but go one step further in allowing for a private right of action for any violation of the privacy obligations in addition to data breaches. The potential litigation risks to companies doing business in Florida created by this bill are enormous.
Back to the House subcommittee hearing. The subcommittee hearing began with consideration and unanimous approval of five amendments that incorporated minor changes and fixed drafting errors. Representative Fiona McFarland then provided an opening statement. She was knowledgeable about her 38-page bill, demonstrated effective use of her military background, and was highly likeable. Throughout the more than one-hour hearing, Rep. McFarland struck the right tone – expressing an eagerness to pass the law but open to changes. She is, without question, someone to watch in Florida politics, and if this bill becomes law it will in large part be because of its effective sponsor.
The hearing then moved to questions from the 18 subcommittee members. Examples of the discussion include:
- Representative Giallombardo (R) mentioned his background in technology and asked about compliance costs. Later in the hearing he stated that it is “not difficult to be in compliance [with HB 969] these days” because companies that collect personal information are likely already in compliance with other similar laws and standards (like the Payment Card Industry’s Data Security Standards), so the cost should be minimal. Representative McFarland deftly avoided providing a price tag, arguing that if a company chooses to collect personal information of a Florida resident, the price tag is somewhat irrelevant. (As discussed in a previous post, the bill would require companies to incur potentially hundreds of thousands of dollars in costs to perform a data inventory, establish a data subject request process, prepare policies and procedures, perform a third-party cybersecurity risk assessment, and engage legal counsel to understand the law’s application and negotiate new contract requirements. Additionally, most small and mid-sized companies use third-party payment processors to shift the PCI DSS burdens Rep. Giallombardo referenced.)
- Representative Dan Daley (D) mentioned his own experience counseling clients with GDPR enforcement and expressed “a lot of heartburn” over the private cause of action. He (like all other members) nevertheless voted for the bill to pass the subcommittee.
- Representative Eskamani (D) expressed concern that the law was not aggressive enough and floated a softball to Rep. McFarland for examples of how businesses are using data to make money. McFarland responded with an example of how an angry father learned his daughter was pregnant when a department store targeted her with baby product advertisements. (The veracity of this story, which has become lore for privacy advocates, has recently been challenged here and here.)
- Representative Sirois (R) expressed concern that the law required companies to delete personal information faster than necessary. Rep. McFarland conceded that this was an area of the bill that continues to be explored for further changes.
- Representative Harding (R) asked about loopholes we have learned from other state privacy laws. Rep. McFarland noted that other state laws create exemptions for entire industries and conceded that HB 969 required more work on identifying appropriate exemptions.
- Representative Gregory (R) suggested that the Florida Attorney General’s Office (rather than private class action lawsuits) may be the better way to address the underlying concerns of data breaches. Rep. McFarland conceded a few times throughout the hearing that the private right of action is the part of the law that has come under the greatest criticism from the general public.
- Representative Overdorf (R) asked how many businesses Rep. McFarland believed would have to comply with this bill in light of the fact many may already be in compliance with other similar laws. McFarland did not know or hazard a guess.
- Representative Robinson (R) wanted to learn where HB 969’s scope requirements originated. McFarland stated that the scope matches that of California’s law. Rep. Robinson pointed out that costs of implementation will surely be passed on to consumers, almost as a tax. Rep. McFarland conceded that they likely would and that “consumers are OK with that.” Rep. McFarland also said she was open to extending the January 1, 2022 compliance deadline.
The subcommittee then took comment from the public. Perhaps the most effective argument was by William Large of the Florida Justice Reform Institute, who made two strong points also made in a previous blog post. First, Mr. Large expressed concern that the expansive definition of personal information will create a massive windfall for lawyers (particularly the plaintiffs’ bar). He provided the example of a cyberattack resulting in the disclosure of something minor about one million Florida residents (like their preference for a certain toothpaste). HB 969 would allow for a class action lawsuit based on such an incident resulting in damages of $750,000,000 and millions of dollars more in attorney’s fees. Mr. Large also expressed concern that the private right of action would create an incentive in “gray area” data security incidents (where a breach of personal information is not clear) to not notify impacted individuals out of fear of large class action lawsuits. Rep. McFarland did not address the “gray area” incentive not to notify and seemed to support the large class action lawsuit on the ground that learning one’s toothpaste preference would be an invasion of their private home.
Another fairly persuasive public commenter was a representative from Associated Industries of Florida who argued that HB 969 would effectively constitute a tax on small businesses, with an estimated implementation cost of $55 million.
The other public commenters were less effective. A representative from the Florida Bankers Association requested a limited exemption for entities governed by the GLBA, similar to the exemption in the CCPA. A representative from the Florida Retail Federation expressed, within approximately 15 seconds, a general concern about the private cause of action and short implementation.
The subcommittee then debated the bill before all 18 members voted unanimously to pass the bill out of subcommittee. The bill will now move to another subcommittee for further consideration while Rep. McFarland considers additional amendments. If you’d like to watch the entire one hour and 10 minutes of the hearing, you can do so here.
My Personal Takeaway
With the Governor’s endorsement of HB 969, the Senate’s consideration of its “CCPA on Steroids” bill, and the way HB 969 sailed through subcommittee consideration (thanks in large part to its highly effective Republican sponsor), it will be interesting to see whether anything will slow down momentum for a comprehensive privacy law in Florida with a strong private right of action. Stay tuned . . .