The Florida Senate’s version of a new comprehensive privacy law (a.k.a. the “Florida Privacy Protection Act” (FPPA)) passed unscathed out of the Senate’s Committee on Commerce and Tourism yesterday. The bill’s sponsor fought off two proposed amendments: one that would have eliminated the private right of action and a second that would have required more than just a revenue threshold for the law to apply. This post describes what makes the FPPA more aggressive than the CCPA, it provides a summary of the Senate Committee hearing, and it shares some late-breaking news about the House version (HB 969).
The FPPA
The FPPA is similar to the California Consumer Privacy Act (CCPA), with two significant differences. First, most of the FPPA’s privacy obligations are limited to companies that sell or share personal information. However, the FPPA also applies to companies that merely collect personal information in some important ways. Companies that merely collect personal information must, for example, develop a robust online privacy policy (which will require a data inventory) and implement various security procedures and practices (which will require a third-party cybersecurity assessment). A violation of either of those obligations would give rise to a lawsuit under the bill as it is currently written.
The second way the FPPA differs from the CCPA is in the FPPA’s far broader private right of action. While the CCPA’s private right of action is limited to data breaches of personal information, the FPPA would allow for a private right of action seeking statutory damages of $100 to $750 per person per incident if a business violates any provision of the FPPA. Also, while the CCPA’s definition of personal information for its private right of action is limited to the traditional meaning of sensitive information (SSNs, DL numbers, financial/health information), the FPPA uses the broader definition of personal information that means anything related to an identifiable individual. So, for example, an inaccurate privacy policy could result in a class-action lawsuit, conceivably brought on behalf of everyone who visited that company’s website over a period of months or years. If one million Floridians visited the company’s website, the lawsuit could seek damages up to $750,000,000, which is outrageous for a privacy policy drafting error or mistaken/stale data inventory.
In addition to allowing for class actions based on violations of the privacy violations of the law, the FPPA also creates a “silent” private right of action for data breaches by requiring that companies “implement reasonable security procedures and practices appropriate to the nature of the personal information to protect the personal information from unauthorized or illegal access, destruction, use, modification, or disclosure.” If a company suffers a data breach, rest assured that a plaintiff’s lawyer won’t have to use much creativity to argue that the vulnerability could have been prevented with one change that a “reasonable” security program would have included. Additionally, the targeted company will have little luck obtaining an early resolution, as the plaintiff’s lawyer will argue that the question of whether the security procedures and practices were “reasonable” is a fact question that cannot be decided early in a case by a motion to dismiss or even a motion for summary judgment. Companies would have to spend hundreds of thousands of dollars on attorney’s fees and expert witnesses defending the lawsuits if they actually want to succeed on the merits.
There are two other important features to add to the FPPA’s parade of horrors. First, as described above, it uses a broad definition of personal information (i.e., almost anything about you or inferred about you). This means that a data breach of otherwise harmless information like my preference in clothing color or my personal record on a Peloton could become the basis for a class-action lawsuit. Second, it allows a plaintiff to recover attorney’s fees. So, the fact that a small group or a single individual was impacted by an FPPA violation would not be a deterrent to a plaintiff’s lawyer filing a lawsuit since he would still be able to recover attorney’s fees.
The Senate Hearing
With that backdrop, yesterday’s Senate committee hearing began with Senator Jennifer Bradley (R) making an opening argument while the former President of Florida’s leading plaintiffs’ lawyer lobbying group sat nearby.
Two amendments were offered by Senator Taddeo (Democrat), a small business owner herself who expressed concern about the compliance costs and liability risks the law would have on small businesses. One of Senator Taddeo’s amendments would have eliminated the private right of action. The second would have required a business to meet at least two of the three threshold requirements (e.g., $25M in revenue plus the sale/sharing of a significant amount of personal information for Florida residents). This second change was intended to limit the scope of the FPPA solely to companies that sell/share personal information.
Several members of the public provided testimony, all opposed to the bill or in favor of the proposed amendments. Senator Bradley responded that she was not sympathetic to attacks on the private right of action, stating at one point that “a lot of corporations in this space have the economic abilities of some world nations.” This response seemed to ignore the fact that the FPPA would apply to any company earning more than $25M in annual revenue, not just large companies.
The bill passed out of the Republican-controlled committee favorably and with little opposition. It now moves to a second committee for consideration.
Late-Breaking Developments with the House Bill
Meanwhile, not to be one-upped, the sponsor of HB 969 (the House version of the FPPA) filed several proposed amendments yesterday that add jet fuel to the fire that is the bill’s private right of action.
The private right of action in HB 969 would allow a person to sue for a data breach involving personal information as defined broadly by the bill. As I’ve previously written, this provision is already more aggressive than the CCPA’s private right of action because the CCPA’s private right of action is limited to data breaches of sensitive personal information (e.g., Social Security Numbers, financial information, Driver’s License Numbers, etc.).
Amendment Number 5, filed last night, would keep that proposed private right of action and add private rights of action for: (1) a company’s failure to delete or correct a consumer’s personal information pursuant to a verifiable consumer request; and (2) continuing to sell or share a consumer’s personal information after the consumer chooses to opt out. The additions appear relatively harmless because these two new categories will typically not impact large groups of people at the same time (giving rise to a class action), so plaintiff’s lawyers wouldn’t be incentivized. But the amendment’s “jet fuel” is a one-sided right to attorney’s fees (i.e., the plaintiff can recover them if she prevails, but a defendant can’t). In other words, the plaintiff’s lawyers who may have otherwise not been incentivized to sue because the class was too small will now be entitled to recover their fees. The client will get $750, but the lawyer could recover $25,000.
The jet fuel will create a cottage industry of small plaintiff’s firms filing FPPA lawsuits throughout Florida, as we’ve seen with ADA website cases and now with the Florida Security in Communications Act. In short, the impact on Florida’s judiciary could be significant as there’s no impediment to plaintiff’s lawyers filing hundreds of lawsuits based on violations of HB 969 if it becomes law.
What’s Next
Stay tuned – the hearing on this new amendment to HB 969 will be considered today (March 23rd) in the second of the bill’s three subcommittee stops. The hearing will be before the House Civil Justice & Property Rights Subcommittee.
