Last updated on 09 May 2022 by William Blesch (Legal and data protection research writer at TermsFeed)
On January 7, 2022, Senator Jennifer Bradley filed the Florida Privacy Protection Act (SB 1864) in Florida. The purpose of the legislation is to recognize that privacy is a crucial right for all consumers in Florida and that they should have the right to share their personal data in a way that is safe, and in a manner that they understand and control.
The proposed law draws heavily from the California Consumer Privacy Act (CCPA), Europe's General Data Protection Regulation (GDPR), and Virginia's Consumer Data Protection Act (CDPA). It is Florida's latest attempt at getting a comprehensive California-style privacy law passed and enacted.
Senator Bradley's draft law follows Florida legislators' 2021 privacy law drafts FL H.B. 969 and FL S.B. 1734, which Senator Bradley also authored. Neither the house nor the senate version survived.
Many expect that Florida State Representative Fiona McFarland will introduce similar legislation shortly.
In this article, we'll discuss the Florida Privacy Protection Act, what it aims to do, whom it applies to, what it will require, fines/penalties for non-compliance, and more.
As previously stated, the current round of privacy legislation in Florida was preceded by HB 969 and SB 1734. These bills would have created new regulations concerning disclosing information to online customers.
For instance, the legislation covered how organizations would collect, use, and safeguard personal information. These bills would have given consumers notice of their privacy rights and the ability to opt out of having their information sold to third-party data brokers. They also would have provided consumers with a private right of action.
The private right of action provision in HB 969 and SB 1734 would have allowed anyone who suffered a loss or injury due to a data breach to sue the business responsible.
This provision was met with significant backlash from companies and politicians in Florida, which led to the bills' eventual demise.
This overview is a brief snapshot of SB 1864. We'll cover some of these points in more depth later in this article.
Now, in an attempt to side-step previous objections to the proposed law, Senator Bradley has removed the provision for a private right of action.
However, the Florida Privacy Protection Act does offer Florida consumers significantly more protection than current Florida data protection laws.
For example, the proposed law gives consumers the right to opt out of the sale of personal data and the use of private data for targeted advertising or profiling.
Businesses will be required to leave consumers alone for at least one calendar year following an opt-out.
In other words, after opting out of personal data collection, a consumer will have the right to be "left alone," and companies will be banned from collecting that individual's private information for one year.
Under the new legislation, consumers will also have the right to have their information corrected or deleted upon request. Companies will be required to have sufficient internal controls to locate data, delete or correct it, and confirm deletion or correction.
The intention here is to help protect consumers' privacy and give them more control over their personal data.
SB 1864 also calls for creating a new unit to enforce the Florida Privacy Protection Act. Should the law pass, that unit will be created within the office of Florida's Attorney General and will directly report to the Attorney General.
If SB 1864 and any house companion bill pass, all of the following types of organizations must comply:
In this bill, legal business entities are called data controllers or simply "controllers." The term covers all of the following:
Additionally, any other legal entity, also lumped under "controllers," and which meets the following requirements must also comply:
While it's obvious that Florida is attempting to emulate the CCPA here, it can be argued that this law has a much narrower scope than some of California's other privacy laws, such as the state's Online Privacy Protection Act (CalOPPA).
For example, CalOPPA has implications for all operators of commercial websites and online services accessible within California.
In contrast, SB 1864 only covers businesses that derive 50 percent or more of their global annual revenues from selling consumers' personal data, which is almost identical to the CCPA.
A consumer is a natural person who resides in Florida and is not any other natural person acting in an employment or commercial context or a non-resident.
Again, this is almost exactly the same as California's CCPA definition and essentially means anyone who lives in Florida permanently. The term doesn't cover visitors to the state who may live there temporarily.
Under SB 1864, third parties are called "processors." The term means a natural or legal entity that processes personal information on behalf of a business (controller).
SB 1864 calls personal information "Sensitive data." It is a broad term that embodies all of the following:
The term "sale" isn't limited to a monetary exchange. A sale can occur where a controller makes a consumer's personal information available to a third party in exchange for something other than money, such as an agreement between two companies that one will provide access to the other company's customers.
A sale does not include any of the following:
Florida-based businesses or those that market services or products to Florida consumers must abide by all of the following.
Businesses must provide information about the purposes for which personal information is collected or used and whether that information is sold.
This notice requirement doesn't apply if the business does not control the collection of personal information.
Businesses must notify the consumer that the company may sell their personal information. They must also give the consumer the ability to opt out of the sale of their personal data.
To do that, businesses must provide a link on their home page titled "Do Not Sell My Personal Information."
During that process, a business may not require a consumer to create an account in order to direct the company not to sell the consumer's information.
Under the Florida Privacy Protection Act, businesses must carefully consider their need to collect and process personal information. All data collection, use, and retention must be reasonably necessary.
Although it is impossible to guarantee the total security of personal information, businesses must take all reasonable measures to guard it from unauthorized access, use, modification, disclosure, or destruction.
All businesses that collect personal information must obtain the consumer's affirmative consent before processing sensitive data.
This includes biometric information, personal data collected from a known child in keeping with the Children's Online Privacy Protection Act (COPPA), precise geolocation data, and more.
In order to comply with the proposed law, a business must take affirmative steps to make it easy for consumers to use their rights. This includes designating an address where requests may be submitted and disclosing any personal information about the consumer that has been collected since January 1, 2023.
In order to ensure that all individuals who handle consumer inquiries about the business's privacy practices are informed of the requirements and how to direct consumers to exercise their rights, all companies should take the following steps.
First, designate one or more employees as a contact for privacy-related matters. Second, provide training on the opt-in and opt-out requirements to these designated employees and any other employees who may come into contact with consumers seeking information about those requirements.
Finally, ensure that all relevant policies and procedures reflect the opt-in and opt-out requirements.
Consumer protection policies, laws, and regulations are necessary to protect consumers' welfare.
By ensuring that businesses can be held accountable for their actions, consumers are less likely to be mistreated or misled. This ultimately provides advantages to both the consumer and the business community as a whole.
The Florida Privacy Protection Act explicitly names consumer rights and protects them.
The bill provides transparency and control to the consumer by allowing them to opt out of the sale of their personal data at all times. This includes the right to stop businesses from sharing or selling their personal information to other parties for marketing purposes.
Consumers in Florida will have the right to opt out of the processing of their personal information for targeted advertising or profiling.
If they are not interested in receiving targeted ads, there will be a link on every business's homepage entitled "Do Not Advertise to Me," which will allow them to opt out.
Keep in mind that even if consumers do opt out, the business still has the right to offer different prices and reward programs.
Consumers have the right to put forward a verified request that personal information that has been collected be deleted.
Further, consumers have the right to submit a verified request for correction of their personal information held by a company if that information is inaccurate, taking into account the nature of the personal data and the purpose for processing it.
A caveat here is that a business doesn't have to comply with a deletion request if it is using the information to:
A consumer may authorize another person to opt out of the sale of the consumer's personal information.
That authorization must be in writing, signed by the consumer, and include the name of the authorized person. The authorization may not be unreasonably withheld or conditioned.
Consumers have the right to be left alone. All businesses must wait one year before asking any consumer who opted out of the sale of his/her data to re-authorize the sale of that consumer's personal information.
SB 1864 requires controllers to provide data subjects with a wealth of information about their personal data. This includes the categories of sources from which the data was collected, the specific types of personal data that have been collected, and the categories of any third-party recipients to whom the personal data has been sold.
As previously mentioned, the Florida Privacy Protection Act would create a new Consumer Data Privacy Unit within the Florida Attorney General's Office. That unit would be responsible for upholding the new regulations and, more generally, protecting the personal information of Florida residents.
If a business violates the law and the Attorney General brings an action, the court could grant actual damages to a consumer and/or declaratory/injunctive relief.
The Florida legislature is taking data privacy seriously, and more bills are expected to be introduced in the coming year.
The truth is that the future of privacy legislation in Florida (and elsewhere) will likely be determined by how these bills are prioritized by leadership during the "horse-trading" process.
When the legislative session comes to a close, it will be essential to keep an eye on the progress of privacy bills. Florida businesses should closely watch the DeSantis administration's efforts to pass data privacy legislation. If this legislation is passed, it will significantly impact how they operate.
Of course, it remains to be seen if any privacy law will pass in Florida this year, but we will continue to update you on the latest developments.
This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.