Last week, HB 9 (the leading privacy bill on the House side of the Florida legislature) made its first of two committee stops in the House Commerce Committee. The bill passed unanimously. Just as important, however, the hearing revealed a potential misunderstanding as to the scope of the bill.

This blog post will dive into HB 9’s scope in greater depth, as that may be the most significant issue for companies wondering whether the bill would apply to them. The post will offer suggestions to bridge the disconnect and it will make suggestions to address other concerns many companies have with HB 9. The post ends with an analysis of what to expect next with HB 9 and its Senate counterpart.

HB 9 Is Amended

First things first – the day before the House Commerce Committee meeting, Rep. McFarland (the bill’s author) proposed a “strike-all” amendment. A strike-all amendment is a fancy way of saying that all the language of the bill is stricken and replaced with new language. It is often used to make several changes to the bill at once and can sometimes (though not here) be used to disguise changes to the law. In this instance, the strike-all to HB 9 made several minor changes to the bill, including:

• Broadening the required types of information to be given to a consumer upon request by adding back the word “categories” to be “categories of sources from which personal information was collected.”
• Matching exceptions to “right to delete” with those to “right to correct” and “controller retention,” to the extent applicable and practical.
• Clarifying that a processor must only turn over personal information to a controller, not all of the processor’s information.
• Clarifying consumer protections regarding contracts between a controller and a third party.
• Clarifies throughout the bill that a length of time in days refers to calendar days.
• Increases the age that requires an opt-in for minors, to 18 years of age, from 16.

It was in this amended form that HB 9 was passed by the Commerce Committee.

To Whom Does HB 9 Apply?

Perhaps no issue is more important with respect to HB 9 than its scope. Like many privacy laws, HB 9 applies to controllers and processors. A controller is a for-profit company doing business in Florida that meets at least two of the following three threshold requirements:

1. earns global annual gross revenue in excess of $50 million;
2. “annually buys, receives, sells, or shares the personal information of 50,000 or more consumers, households, and devices for the purpose of targeted advertising in conjunction with third parties or for a purpose that is not listed under [the subsection of HB 9 that lists the instances where HB 9 does NOT apply]”; or
3. derives at least 50% of its annual revenue from selling or sharing personal information about consumers.

The primary focus of discussion during the Committee Hearing was the second threshold requirement. If HB 9 applies to a company at all, it will likely be because of that second threshold.

First, it is important to clear up a misconception. The second threshold does not apply solely to companies that buy or sell personal information. It also applies to companies that “receive” or “share” personal information. So the proponents of HB 9 who claim that the bill would apply only to companies that buy or sell information, or only to companies that generate more than 50% of their revenue from selling personal information, are wrong.

Next, the buying/receiving/selling/sharing that trigger the second threshold must be “for the purpose of targeted advertising in conjunction with third parties or for a purpose that is not listed under [the subsection that lists the exceptions to HB 9].” Let’s take the first part of that provision – “targeted advertising in conjunction with third parties.” Does that mean advertising in conjunction with a marketing vendor (which is how many companies engage in targeted advertising)? The problem with this interpretation is that vendors are typically processors, and not “third parties” (which has a special definition under HB 9). So does it instead mean advertising in conjunction with a company over whom the sharing company lacks control regarding how the data is used (i.e., not a processor)? My conversations with those involved in drafting the bill have provided conflicting messages. It would be helpful if the House amended this provision or, at the very least, incorporated clarification in the staff analysis.

Now, let’s look at the second half of the above provision, which states that HB 9 also applies to any company that is using personal information for “a purpose that is not listed under [the subsection that lists the 24 different exceptions].” So the fact that a company is not engaged in targeted advertising provides no safe harbor from the law. That said, there are some significant exceptions to HB 9. For example, HB 9 does not apply to:

• Personal information obtained through the company’s direct interactions with the consumer and used to advertise the company’s own products or services;
• Personal information that is disclosed when a consumer uses or directs a controller to intentionally disclose information to a third party or uses the controller to intentionally interact with a third party;
• Personal information in the employment context (e.g., job applicants, employees, interns, owners/directors/officers, interns, and contractors);
• Personal information used for payment transactions;
• Deidentified/aggregated personal information;
• Protected health information under HIPAA, and personal information that is not PHI under HIPAA that covered entities or business associates maintain and do not: (a) use for targeted advertising with third parties; and (b) sell or share to a third party (unless doing so falls within one of the 24 exceptions under HB 9);
• Nonpublic personal information (NPI) under GLBA, and personal information that is not NPI under GLBA that a financial institution maintains and does not: (a) use for targeted advertising with third parties; and (b) sell or share to a third party (unless doing so falls within one of the 24 exceptions under HB 9);
• Personal information companies maintain to be in compliance with certain laws;
• Personal information collected or maintained pursuant to various federal privacy laws (e.g., FCRA, DPPA, FERPA); and,
• Personal information transferred by a controller to a third party as part of a merger, acquisition, bankruptcy, or other transaction.

With all of these exceptions, what’s left? Other than companies engaging in targeted advertising, to whom else would HB 9 apply?  One significant example would be companies that use personal information to better understand their products and services. How are customers using (and not using) their products/services? What do their customers like or dislike about their products/services? Another example of when HB 9 would apply to companies not engaging in targeted advertising is where companies use personal information to market goods and services of business partners. Currently, there is an exception under 501.173(1)(g) for personal information used to market your own products and services, but there is no exception for companies that work together and market each other’s goods/services. HB 9 would also apply to companies that do not obtain personal information from consumers directly, but want to use that personal information to market their own (or other companies’) goods and services to those consumers.

How To Fix The Scope Issue

My sense from conversations with legislators and staff is that the above examples were not intended to be caught within the net of HB 9. If that’s the case, then there are a few ways to exempt those instances out of the law while keeping the spirit of it intact. One easy way would be to add the above use cases to the list of exemptions in 501.173(1). A second way would be to make the following two small changes to the second threshold requirement:  “Annually buys, receives, sells, or shares the personal information of 50,000 of more consumers, households, and devices for the purpose of targeted advertising in conjunction with third parties or for a purpose that is not listed under subsection (1).”  (The latter part of that sentence is technically redundant to the bill, which explicitly exempts those entities in the earlier section.) Making those changes would eliminate the wider net that captures companies simply “receiving” or collecting personal information. It would also limit the bill’s application to companies truly engaging in targeted advertising.

McFarland Clarifies The Electronic Signal Opt-Out

There was another important development during the Commerce Committee hearing. HB 9 provides different ways for consumers to opt out of the sale or sharing of their personal information. One way is via a “Do Not Sell or Share My Personal Information” link on the controller’s home page. The second way is through “a request to opt-out received through a user-enabled global privacy control, such as a browser plug-in or privacy setting, device setting, or other mechanism, which communicates or signals the consumer’s choice to opt out.” It is not clear, however, whether the user-enabled privacy control method is mandatory for controllers. While the provision states that “[a] controller may accept” the user-enabled global privacy control, an earlier provision introducing the ways in which opt-out can be provided states that “[a] controller shall” use these methods. (Emphasis added). Requiring companies to act on user-enabled global privacy controls would create operational and cost issues for small and midsized businesses that do not have the technology to easily recognize and act upon such signals.

During the Commerce Committee hearing, however, Rep. McFarland clarified that the user-enabled global privacy control opt out method would be optional for companies. This means that only the “Do Not Sell or Share My Personal Information” link opt-out method would be required by HB 9. This is an important clarification that will be helpful for businesses interpreting the law. I am hopeful that the staff analysis will also incorporate this clarification.

The 48-Hour Opt-Out Requirement

One of the concerns I raised during the Commerce Committee hearing is the requirement that a company stop selling or sharing the consumer’s personal information within 48 hours after receiving such direction from the consumer. This is a near-impossible requirement for many companies to meet. It does not allow sufficient time for the company to research the request to determine whether the request is valid or if an exception applies.  It does not provide much time for the controller (and processors) to implement the request. Additionally, the 48-hour period is in contrast to the time provided for companies to respond to the other privacy requests (45 days for the right for information, and 90 days for the right to delete and right to correct). Professional plaintiffs will certainly take advantage of the short turnaround time to put companies in “gotcha” situations that lead to lawsuits under the law’s private right of action.

There is an easy way to fix this problem — allow companies 45 days instead of 48 hours to comply with requests to opt out of the sale/sharing of personal information.

The Retention Requirement

Another concern I brought to the Committee’s attention is the retention schedule requirement that requires companies to delete personal information within three years of the last interaction with the consumer. This three-year limitation is significantly shorter than the statute of limitations for many kinds of lawsuits under Florida and federal law. So, a company that needs to defend itself in a breach of contract lawsuit, negligence lawsuit, or any lawsuit based on a statutory violation may not have the key information it needs to defend itself. The lawsuit need not relate to HB 9; it could be any lawsuit where customer personal information may be relevant. While HB 9 allows companies to keep personal information beyond the three-year period for legal dispute purposes, the company may not anticipate a legal dispute at the end of the three-year limitation, when deletion would be required. So, when the legal action subsequently arises, the company will not have the consumer personal information it needs to defend itself.

This problem can be significantly lessened (though not fully cured) by extending the retention period to six years, which is longer than the five-year statute of limitations for a large majority of state and federal claims.

The Private Right of Action

The final area discussed during the Commerce Committee hearing was the need to amend HB 9’s private right of action. To be sure, the private right of action is significantly dialed-back from the version proposed last year.  But it is still subject to abuse by the professional plaintiff’s bar, which will seek to catch companies making mistakes in response to consumer requests, then quickly file “gotcha” lawsuits. We have seen this behavior in so many instances – the TCPA, the FCRA, ADA website accessibility cases, BIPA, and state wiretap laws.  Plaintiffs will seek small monetary damages, but their attorney’s fees are in the tens of thousands of dollars. Those are lawsuits that businesses often resolve rather than fight because the cost of defense is lower than paying the plaintiff (and the plaintiff’s lawyer’s fees).

This potential abuse of the law can be alleviated with two small changes. First, allow companies 30 days to cure any alleged violation before a plaintiff can proceed with a lawsuit. Second, like Florida’s leading consumer protection law (the Florida Deceptive and Unfair Trade Practices Act) allow the prevailing party (not just the plaintiff) to obtain attorney’s fees.

What’s Next for HB 9 and its Senate counterpart?

This week promises to be filled with more developments, as HB 9 will likely make its next committee stop (the Judiciary Committee) on Thursday.  Any proposed amendments to the current version of HB 9 will likely be released by Wednesday.

Meanwhile, the Senate bill (SB 1864) has yet to be set for a committee hearing.  This is significant because without passage through at least one Senate committee, the bill cannot be passed by the general Senate (ending any chance of a privacy law this legislative session). If SB 1864 passes one committee, however, we will likely see the House Speaker demand passage of HB 9 in exchange for legislation the Senate President will want to become law. So it will be important to monitor whether any Senate committee passes SB 1864.