The Florida Senate appears poised to hit the brakes on privacy legislation that has thus far soared through committees in both legislative chambers. The House version (HB 969) and the Senate Version (SB 1734) would have not only created the same consumer privacy rights as the CCPA, the bills would have created massive private rights of action, far broader than any other privacy law in the United States.
Today, a “strike all” Committee Amendment was offered to the Senate version. TRANSLATION – the Senate Rules Committee, where SB 1734 is now pending, is proposing a “friendly amendment” that would strike the entirety of SB 1734 and replace it with a new version.
What’s in the Strike-All Amendment?
The proposed new version of SB 1734 makes three important changes.
First, it removes the private right of action entirely (for data breaches AND violations of the privacy provisions of the law). Instead, the law would be enforced entirely by the Florida Attorney General, which has recently been active in enforcing the Florida Information Protection Act.
Second, it significantly reduces the law’s scope by removing the revenue trigger for the law to apply. The previous version of SB 1734 would have applied to any business that generated more than $25 million in revenue, even if that business collected only a handful of Florida residents’ personal information. The new version eliminates the revenue threshold as a basis for the law applying to a company. The law now would apply only to companies that: (1) annually buy, sell, or share the personal information of 100,000 or more consumers, household, or devices; or (2) derive 50% or more of their global annual revenue from selling or sharing personal information about consumers.
This leads to the third important change: the new version of SB 1734 would apply only to companies that buy, sell, or share a significant amount of personal information. Previously, the mere collection of personal information would have triggered application of the law.
My Personal Takeaway
For most companies, the new version of SB 1734 is a significant improvement. The previous version had two fatal errors: that were removed (1) an enormous compliance burden on small companies that are not in the business of selling/purchasing personal information; and (2) creating a cottage industry of plaintiff’s lawyers who would have abused the language of the previous version to file hundreds of “gotcha” lawsuits against companies seeking millions of dollars.
The new version is definitely far more targeted towards traditional “big tech” companies in the business of purchasing, selling, and sharing large quantities of personal information.
There is still more work that could be done to improve the newly proposed SB 1734. For example:
- Although the private right of action has been removed, language should be added that a violation of the law cannot be used as the basis for a private right of action to make clear to the plaintiff’s bar that a violation of the law can’t be shoehorned into a negligence or Florida Deceptive and Unfair Trade Practice Act claim.
- The law would impose significant burdens on companies that share information with their affiliates, which is a fairly common practice in the business world.
- The law would prohibit businesses from processing sensitive data concerning a consumer without first obtaining the consumer’s consent, but the law doesn’t define what is meant by “sensitive data.”
- There should be some direction as to how a “violation” should be calculated for determining the regularity fine. Can there only be one violation? Can there be a violation per obligation/subsection of the law violated? Can a violation be calculated by the number of individuals impacted or the number of pieces of data collected? How “violation” is defined could mean a fine in the amount of a few thousand dollars or several billion or trillion dollars.
- In a few places, the law imposes obligations on a “business that collects personal information.” One would assume these obligations apply only to entities that buy, sell, or share personal information (i.e., those within the bill’s definition of a “business”) and not simply any “business”. But further clarification would be helpful.
- The law allows for a discretionary right to cure an alleged violation. So if Florida were to have a particularly trigger-happy Attorney General, the right to cure may not be offered at all. Instead, companies should always be given an opportunity to cure unintentional violations.
- Te effective date should be moved to January 1, 2023.
What Happens Next?
The privacy fight in Florida is not over. In some ways, it’s not even in the fourth quarter. As I see it, five key decision points remain.
Decision Point #1 (the Senate Rules Committee). On the Senate side of the fight, things look better for Florida businesses. The Rules Committee will vote tomorrow on the proposed strike-all amendment. I anticipate that the amendment will pass, which will move the new version of SB 1734 to the Senate Floor, barring any additional changes (like the ones I suggest above).
Decision Point #2 (the House Commerce Committee). On the House of Representatives side, HB 969 will likely be considered at the Commerce Committee meeting scheduled for next week. Between now and then, I would not be surprised to see a similar attempt to amend HB 969 to make it consistent with the Senate version. There are a few possibilities: (1) Senate-like removal of the private right of action and dialed-back scope; (2) keep the same aggressive private right of action but dial back the scope to sell, buy, and sharing of significant amounts of personal information; or (3) minimal/no changes to the current version of HB 969. If #1 occurs, it should be smooth sailing for the law going into effect looking something like the new version of SB 1734. But if #2 or #3 occur, what happens next?
Decision Point #3 (the floor votes). Assuming HB 969 and SB 1734 pass out of Committee, they would then need to receive successful votes on the full floor of the House and Senate. This is not a given, since a lot needs to happen between now and the end of Florida’s legislative session on April 30th. Nevertheless, the appetite in Tallahassee to attack “Big Tech” is too great to let the opportunity pass by. (I’m not judging whether the appetite is right or wrong, I’m just stating a fact that it’s there, it’s significant, and it’s largely a result of a perceived liberal bias in social media and big tech giants.) As a result, we could definitely see a different, more consumer-friendly version passed by the House on its floor vote than the version passed out of the Senate on its floor vote.
Decision Point #4 (Legislative Leadership). This is where things would get really interesting. Two important wild cards will come into play. The first wild card is we don’t know where the privacy legislation falls in the list of priorities for the House/Senate leadership. For example, if the House Speaker really wants a different law to be passed (unrelated to privacy), he may be more amenable to having the House vote on the Senate’s version of the privacy law in exchange for the Senate considering the House version of the other law. Similarly, the Senate President may have certain legislation that holds a much higher priority and could instead decide to have the Senate vote on the House version. It’s unpredictable how this factor shakes out, but there has been a noticeable groundswell of anger and frustration in the business community over the last few weeks as they have learned of the likely impact the aggressive privacy laws would have on them. That anger and frustration has bubbled up to the highest levels of government, so I’d be surprised if the current proposed version of SB 1734 (or something close to it) was not the version ultimately passed by the Florida Legislature.
Decision Point #5 (The Governor). The second wild card is Governor DeSantis. You will recall that Governor DeSantis initially endorsed HB 969 because he believed it targeted Big Tech. I firmly believe that Governor DeSantis now understands the significant impact HB 969 will have on Florida businesses well beyond big tech. This is a Governor with U.S. Presidential aspirations who has tried to make Florida as business-friendly as possible. He now understands that the initially proposed version of HB 969 went too far, and would have created a risk to Florida’s business-friendly climate while creating a cottage industry of plaintiff’s lawyers looking to file “gotcha” lawsuits as we’ve seen with so many other privacy laws that create statutory damages, like the Illinois Biometric Information Privacy Act, the California Consumer Privacy Act, and the Telephone Consumer Protection Act. So if HB 969 is the version that both chambers vote on, there’s a good chance (maybe even likelihood) the Governor will not sign it. On the other hand, if the newly proposed version of SB 1734 passes, it will become law.
Overall, I put the likelihood of some sort of privacy law going into effect as a result of this legislative session at 50-60%. If you made me predict right now what I think it will look like – I’d say it’s going to look like what the Senate is considering tomorrow, but only time will tell.