House Bill 969, titled Consumer Data Privacy, was introduced to protect consumers’ personal data in Florida. The sponsor, Rep. McFarland, said that the objective of the law is to protect the safety and security of shopper information. The bill aims to give citizens control over who has access to their personal information, what is done with their information, and the right to take action if violations occur.
The Bill is planned to give citizens of the State more command over the individual data that organizations regularly gather, aggregate, and may even sell to other businesses. While some see this as an “anti-big tech” bill, the actual text of the bill suggests it is in line with other states’ efforts for consumer data privacy.
If it passes, HB 969 will be effective on January 1, 2022. Some of the more significant features of the Data Privacy Bill are outlined below.
The bill contains the ability for the individual consumer to sue the business directly (called a private right to action). Florida would be one of the few states in the nation to allow for this type of lawsuit based on a violation of a state data privacy law.
If the Bill is approved as it is drafted, the following are its key features:
The law will apply to all for-profit businesses in Florida with global revenue over $25 million and collect clients’ personal information. It will also cover those businesses that collect the individual data of at least 50,000 consumers, households, or devices. Also any business in the data brokering industry will be covered. These numbers will be accumulated across businesses that control or are controlled by covered organizations with whom they share common branding.
HB 969 does not apply to employers that gather or disclose an employee’s data within the business and as part of employment. This implies that the same organization can have commitments under the law concerning consumers yet be excluded when it involves its employees.
The Bill incorporates other exclusions. The health information gathered by HIPAA-covered entities and business partners, the info sold or shared to or from a customer reporting agency whenever used to produce a Fair Credit Reporting Act shopper report, the information covered by the Driver’s Privacy Protection Act and the Family Educational Rights and Privacy Act, the data gathered for research in the public interest, and the data collected, prepared, sold, or uncovered compliant with the Gramm-Leach-Bliley Act (GLBA) are all likewise exempted from the coverage of the Bill.
Importantly, HB 969 characterizes personal information comprehensively to incorporate data that recognizes, identifies with, or depicts a particular consumer or household or is reasonably equipped for being directly or indirectly associated with a specific consumer or household. It adds biometric data to this definition, becoming one of the few states in the nation to cover this emerging area of private information. It is worth noting that information that is encrypted is not considered PII.
Under HB 969, Floridians are given the following personal data rights:
HB 969 imposes a maximum civil penalty of $2,500 for unintentional infringement or $7,500 for deliberate violation. Authorities might significantly increase the fine if the breach includes a customer who is 16 years old or younger. A business might be found to have disregarded the law if it neglects to fix a supposed infringement within 30 days of notice.
The bill also offers the right for the citizen to use as well with a private right to action.