Florida recently joined a small but growing number of states considering sweeping reforms to their data privacy and protection laws. House bill 969, titled “Consumer Data Privacy,” in many ways mirrors the California Consumer Privacy Act (CCPA) before the passage of the California Privacy Rights Act (CPRA), but HB 969 also incorporates aspects of the CPRA. We previously issued alerts regarding the CCPA and the CPRA.
If HB 969 passes in its current form, Florida’s privacy landscape would eventually align with California’s, but not completely. Businesses with ongoing compliance plans will have to modify them to reflect regional differences, and businesses doing business in Florida not otherwise subject to the CCPA will find themselves subject to new obligations relating to the collection and processing of personal data. Key highlights from Florida’s new Consumer Data Privacy bill are set forth below.
Does Florida’s HB 969 Affect My Business?
HB 969 would apply to any for-profit entity doing business in Florida, whether located inside or outside Florida, that collects or otherwise controls consumer personal information and that meets one of the following qualifications:
- Has annual global revenues in excess of $25 million (i.e., not limited to Florida revenue);
- Annually buys, sells, or shares the personal information of over 50,000 or more consumers, households, or devices; or
- Derives at least half of its global annual revenues from selling or sharing consumer information.
These qualifications are in the alternative, so a for-profit business that matches any one of the criteria would be subject to the bill were it to become law. The bill would also apply to any entity that controls or is controlled by a qualifying business and that shares common branding with that business.
As under the CCPA, HB 969 would apply to small and medium-sized businesses, even those in the business of collecting or processing modest amounts of personal information of Florida consumers. For example, a website capturing 137 unique IP addresses per day from Florida could trigger the 50,000 threshold over the course of a year. California, through the CPRA, recently upped the minimum processing threshold to 100,000 or more consumers in an effort to decrease the number of small and medium-sized businesses falling within the definition of a covered business. This change, however, was not included in Florida’s HB 969 in present form.
HB 969 also would apply to service providers that process personal information on behalf of the business and third parties that receive personal information from a business. As under the CCPA, the Florida bill would require particular contract language to be in place between these entities to achieve compliance and reduce liability.
What Does Florida’s HB 969 Require?
Under HB 969, covered businesses would be required to do a number of things related to the collection and handling of personal information of Florida consumers, including:
- Provide specific disclosures at or before the moment personal information is collected;
- Provide consumers with the right to opt out of the selling or sharing of their personal information, including adding a “Do Not Sell or Share My Personal Information” link on the business’s homepage;
- Comply with consumers’ rights to access, correct, or delete their personal information;
- Develop and provide a retention schedule for personal information;
- Not discriminate against consumers who choose to exercise their privacy rights; and
- Implement reasonable security measures for protecting consumers’ personal information.
These requirements largely mirror those imposed by the CCPA. Florida’s HB 969 even contains the same definition of selling as the CCPA, broadly defining it to mean any exchange for monetary or “other valuable consideration.”
There are some differences between this bill and California’s regime, however, that could make compliance across the board difficult for some businesses. For instance, Florida’s HB 969 would not limit access requests to the last 12 months, whereas the CCPA contains such a limitation, and the CPRA includes exceptions for access to personal information beyond one year based on impossibility or disproportional effort.
Private Right of Action
Florida’s HB 969 would also create a private right of action for consumers against businesses in the event of a data breach involving personal information. Notably, the private right of action provides for statutory, or presumed, damages, which some consumer attorneys have argued provides standing (that is, the ability to sue) even in the absence of actual damages. This could result in more lawsuits, including class actions, being filed against companies that are the victims of breach events. Moreover, because Florida’s existing data breach notification statute expressly prohibits a private right of action, the creation of one in HB 969 would be a significant change in Florida law.
The CCPA has already led to an increase in class action data breach and privacy lawsuits, and HB 969, if passed, is poised to do the same. Virginia and Washington, two states that are close to passing comprehensive privacy statutes of their own, are considering bills without a private right of action. It will be important to watch whether this private right of action complicates efforts to pass HB 969.
The remainder of Florida’s HB 969 would be enforced by the state’s attorney general.
As currently drafted, HB 969 would not exempt business-to-business (B2B) exchanges of personal information. Nor would it provide for entity-wide exemptions to businesses based on the type of personal information that they collect and process. Rather, the exemptions are based on the type of personal information, like the CCPA, such as:
- Employee data;
- Deidentified or aggregate data; and
- Information covered by certain federal laws, including the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act, the Fair Credit Reporting Act, the Family Educational Rights and Privacy Act, and the Driver’s Privacy Protection Act.
What Does Florida’s HB 969 Mean for Florida Businesses?
For businesses in Florida — and businesses outside Florida doing business in the state — that have not already developed privacy programs to comply with the CCPA or Europe’s General Data Protection Regulation, Florida’s HB 969 will require those businesses to develop such programs for the first time. Given that this bill, if passed, would become effective on January 1, 2022, those businesses should move quickly. Action items for these companies include:
- Revising their privacy policies;
- Generating methods for the requisite notice at collection and respecting any applicable opt-outs;
- Developing procedures and methods for receiving, verifying, analyzing, and responding to consumer requests to access, correct, or delete their data;
- Inventorying the types of information they collect, for what purpose, from what source, and with whom that information is shared;
- Reviewing and potentially revising their financial incentive, or loyalty, programs;
- Renegotiating or supplementing contracts with business partners to include requisite contractual restrictions needed to qualify the sharing of consumer information as not a sale; and
- Ensuring their cybersecurity practices are appropriately protecting consumers’ information.
For businesses with established privacy programs, Florida’s new privacy bill would require correction and tweaking to account for its many idiosyncrasies.
Will Florida’s HB 969 Pass?
Florida has considered, and rejected, a number of privacy bills over the years. This bill, however, has already garnered the support of Gov. DeSantis. This suggests a strong likelihood of passage given that the same party controls the state’s legislature.
Whether the bill will be revised, or concessions will be made along the way, remains to be seen. Of particular importance will be whether any revisions will be made to the scope of the law (who it does, and does not, apply to), and whether the private right of action will be retained at all or in its present form.
As noted above, should it pass, the effective date for Florida’s HB 969 is January 1, 2022. This gives businesses little less than one year to come into compliance. From our experience working with clients to prepare for the effective dates of California’s privacy laws, even a full year is not much time.
We will continue to monitor HB 969 and provide further updates.