Scroll to top of page.

March 25, 2021

Will Florida Pass a Data Privacy Bill?

By Timothy Shields.

House Bill 969, titled Consumer Data Privacy, was introduced to protect consumers’ personal data in Florida. The sponsor, Rep. McFarland, said that the objective of the law is to protect the safety and security of shopper information. The bill aims to give citizens control over who has access to their personal information, what is done with their information, and the right to take action if violations occur.

The Bill is planned to give citizens of the State more command over the individual data that organizations regularly gather, aggregate, and may even sell to other businesses. While some see this as an “anti-big tech” bill, the actual text of the bill suggests it is in line with other states’ efforts for consumer data privacy.

If it passes, HB 969 will be effective on January 1, 2022. Some of the more significant features of the Data Privacy Bill are outlined below.

The bill contains the ability for the individual consumer to sue the business directly (called a private right to action). Florida would be one of the few states in the nation to allow for this type of lawsuit based on a violation of a state data privacy law.

Features

If the Bill is approved as it is drafted, the following are its key features:

The law will apply to all for-profit businesses in Florida with global revenue over $25 million and collect clients’ personal information. It will also cover those businesses that collect the individual data of at least 50,000 consumers, households, or devices. Also any business in the data brokering industry will be covered. These numbers will be accumulated across businesses that control or are controlled by covered organizations with whom they share common branding.

Exemptions

HB 969 does not apply to employers that gather or disclose an employee’s data within the business and as part of employment. This implies that the same organization can have commitments under the law concerning consumers yet be excluded when it involves its employees.

The Bill incorporates other exclusions. The health information gathered by HIPAA-covered entities and business partners, the info sold or shared to or from a customer reporting agency whenever used to produce a Fair Credit Reporting Act shopper report, the information covered by the Driver’s Privacy Protection Act and the Family Educational Rights and Privacy Act, the data gathered for research in the public interest, and the data collected, prepared, sold, or uncovered compliant with the Gramm-Leach-Bliley Act (GLBA) are all likewise exempted from the coverage of the Bill.

Personal Information

Importantly, HB 969 characterizes personal information comprehensively to incorporate data that recognizes, identifies with, or depicts a particular consumer or household or is reasonably equipped for being directly or indirectly associated with a specific consumer or household. It adds biometric data to this definition, becoming one of the few states in the nation to cover this emerging area of private information. It is worth noting that information that is encrypted is not considered PII.

Consumer Rights

Under HB 969, Floridians are given the following personal data rights:

  • To request a duplicate of individual data that a business gathered about the buyer.
  • To have any personal data that the business gathered about the buyer deleted, subject to particular cases.
  • To demand that erroneous individual data about the shopper be corrected.
  • To request that a company that sells or shares personal data about the consumer show the categories of the personal data sold or revealed for a business purpose and the classes of third persons to which such data is shared or uncovered.
  • To quit from the sale or sharing of personal data to outsiders.
  • A business, on its page, should have a link “Don’t Sell or Share My Personal Information” to a page that allows the buyer to quit or opt-out.

Enforcement

HB 969 imposes a maximum civil penalty of $2,500 for unintentional infringement or $7,500 for deliberate violation. Authorities might significantly increase the fine if the breach includes a customer who is 16 years old or younger. A business might be found to have disregarded the law if it neglects to fix a supposed infringement within 30 days of notice.

The bill also offers the right for the citizen to use as well with a private right to action.


Timothy Shields is a Partner at Kelley Kronenberg focusing his practice on Technology, Data Privacy, and Social Media Representation.

Contact Timothy Shields at:
Phone: 833-830-HELP (4357)
Email: tshields@kklaw.com

DISCLAIMER: This article is provided as a courtesy and is intended for the general information of the matters discussed above and should not be relied upon as legal advice. Neither Kelley Kronenberg, nor its individual attorneys or staff, are responsible for errors, omissions and/or typographical errors – always seek competent legal counsel.