A bill to substantially revise Florida’s data privacy laws is advancing through the Florida Legislature.  If it becomes law, House Bill 969 would create a new statute that substantially changes Florida’s current data privacy laws, consumer protections, and rights, including allowing for a private cause of action if a business does not meet its duty to implement and maintain reasonable security procedures.  On April 21, 2021, the bill passed the House by a 118 – 1 vote.  If the bill passes in the Senate, it is likely to become law.

The current bill would create a new statute—section 501.703—and would modify the current consumer protection statute codified at section 501.701, Florida Statutes.  Currently, section 501.701 provides that there is no private cause of action for a data breach.  The draft language in HB 969 would allow for damages not less than $100, not greater than $750, per consumer per incident, or the actual amount of damages, whichever is greater.  The proposed statute would also allow for private declaratory and injunctive relief, and for the State to enforce any violations through civil penalties of no more than $2,500 per unintentional violation and $7,500 per intentional violation.  These fines could be tripled if the violation involves an individual 16 years old or younger.

The proposed new statute would apply to for-profit businesses that do business in Florida, that collect individuals’ data (or have it collected on their behalf), and that also meet two or more of the following threshold criteria:

  1. Have annual gross revenue in excess of $50 million;
  2. Annually buy or receive personal information of 50,000 or more consumers, households, or devices for commercial purposes; or
  3. Derive 50% or more of their global annual revenue from selling or sharing consumers’ personal information.

Such businesses would be required to maintain an online privacy policy, accessible through their websites, with specific and detailed disclosures.  Consumers would also have a right to request copies of personal data collected by such businesses, to have personal information deleted or corrected, to determine what personal data has been sold or shared, and to opt out of such selling or sharing.  The law would also prevent discrimination against consumers exercising such rights.  The proposed law further provides that businesses must provide at least two methods for consumers to make such requests, including by maintaining a toll-free telephone number or link on the business’s website homepage, and that any contracts waiving these consumer rights are null and void.

Importantly, certain information and entities are exempt from the proposed new law, including health information collected by covered entities subject to breach notification rules promulgated by the Department of Health and Human Services.

Other proposed changes to the law include protecting “biometric information,” including individuals’ physiological, biological, or behavioral characteristics, such as DNA, imagery, fingerprints, faceprints, keystroke patterns, and sleep, health, and exercise data.

Businesses are cautioned to determine if the new law would apply to them, and if so, implement the necessary measures to be in compliance.  As it currently stands, if the proposed bill becomes law, it would take effect in July 2022.

Written by Gavrila Brotz