Florida Privacy Protection Act: SB 1864

Note: SB 1864 did not pass and is considered a dead bill as of March of 2022.

On January 7, 2022, Senator Jennifer Bradley filed the Florida Privacy Protection Act (SB 1864) in Florida. The purpose of the legislation is to recognize that privacy is a crucial right for all consumers in Florida and that they should have the right to share their personal data in a way that is safe, and in a manner that they understand and control.

The proposed law draws heavily from the California Consumer Privacy Act (CCPA), Europe's General Data Protection Regulation (GDPR), and Virginia's Consumer Data Protection Act (VCDPA). It is Florida's latest attempt at getting a comprehensive California-style privacy law passed and enacted.

Senator Bradley's draft law follows Florida legislators' 2021 privacy law drafts FL H.B. 969 and FL S.B. 1734, which Senator Bradley also authored. Neither the house nor the senate version survived.

Many expect that Florida State Representative Fiona McFarland will introduce similar legislation shortly.

In this article, we'll discuss the Florida Privacy Protection Act, what it aims to do, whom it applies to, what it will require, fines/penalties for non-compliance, and more.

Background of Florida's Privacy Protection Act

As previously stated, the current round of privacy legislation in Florida was preceded by HB 969 and SB 1734. These bills would have created new regulations concerning disclosing information to online customers.

For instance, the legislation covered how organizations would collect, use, and safeguard personal information. These bills would have given consumers notice of their privacy rights and the ability to opt-out of having their information sold to third-party data brokers. They also would have provided consumers with a private right of action.

The private right of action provision in HB 969 and SB 1734 would have allowed anyone who suffered a loss or injury due to a data breach to sue the business responsible.

This provision was met with significant backlash from companies and politicians in Florida, which led to the bills' eventual demise.

The 2022 Senate Version: An Overview

This overview is a brief snapshot of SB 1864. We'll cover some of the things discussed further on in this article and in more depth.

Now, in an attempt to side-step previous objections to the proposed law, Senator Bradley has removed the provision for a private right of action.

However, the Florida Privacy Protection Act does offer Florida consumers significantly more protection than current Florida data protection laws.

For example, the proposed law gives consumers the right to opt out of the sale of personal data and the use of private data for targeted advertising or profiling.

The Right to Be Left Alone

Businesses will be required to leave consumers alone for at least one calendar year following an opt-out.

In other words, after opting out of personal data collection, a consumer will have the right to be "left alone," and companies will be banned from collecting that individual's private information for one year.

The Right to Data Deletion

Under the new legislation, consumers will also have the right to have their information corrected or deleted upon request. Companies will be required to have sufficient internal controls to locate data, delete or correct it, and confirm deletion or correction.

The intention here is to help protect consumers' privacy and give them more control over their personal data.

A New Enforcement Unit

SB 1864 also calls for creating a new unit to enforce the Florida Privacy Protection Act. Should the law pass, that unit will be created within the office of Florida's Attorney General and will directly report to the Attorney General.

Florida Privacy Protection Act Definitions

If SB 1864 and any house companion bill passes, all of the following types of organizations must comply:

Businesses

In this bill, legal business entities are called data controllers or simply "controllers." The term covers all of the following:

• Sole proprietorships
• Partnerships
• Limited liability companies (LLCs)
• Corporations
• Associations

Additionally, any other legal entity, also lumped under "controllers," and which meets the following requirements must also comply:

• Any entity that is organized or operated for the financial benefit or profit of its owners or shareholders
• Does business in Florida or provides services or products to residents of the state
• Determines the means and purposes of processing a consumer's personal information, alone or jointly with others
• If an entity satisfies either of the following thresholds, it must also comply:
• Controls the processing of the personal information of 100,000 or more consumers who are not covered by an exception under SB 1864 during one calendar year, or
• Controls or processes the personal data of at least 25,000 consumers who are not covered by an exception under SB 1864 and derives 50 percent or more of its global annual revenues from selling consumers' personal information

While it's obvious that Florida is attempting to emulate the CCPA here, it can be argued that this law has a much narrower scope than some of California's other privacy laws, such as the state's Online Privacy Protection Act (CalOPPA).

For example, CalOPPA has implications for all operators of commercial websites and online services accessible within California.

In contrast, SB 1864 only covers businesses that derive 50 percent or more of its global annual revenues from selling consumers' personal data, which is almost identical to the CCPA.

Consumers

A consumer is a natural person who resides in Florida and is not any other natural person acting in an employment or commercial context or a non-resident.

Again, this is almost exactly the same as California's CCPA definition and essentially means anyone who lives in Florida permanently. The term doesn't cover visitors to the state who may live there temporarily.

Third Parties

Under SB 1864, third parties are called "processors." The term means a natural or legal entity that processes personal information on behalf of a business (controller).

Personal Information

SB 1864 calls personal information "Sensitive data." It is a broad term that embodies all of the following:

• Racial or ethnic origin
• Religious beliefs
• Mental or physical health diagnosis
• Sexual orientation
• Citizenship or immigration status
• Biometric information (including genetic information, processed to uniquely identify a natural person)
• Sensitive personal data collected from a known child
• Precise geolocation data

Sale of Personal Information

The term "sale" isn't limited to a monetary exchange. A sale can occur where a controller makes a consumer's personal information available to a third party in exchange for something other than money, such as an agreement between two companies that one will provide access to the other company's customers.

A sale does not include any of the following:

• Disclosing personal data to third parties
• Disclosing personal data to a processor to provide a service/product requested by the consumer
• Disclosing personal data to an affiliate
• Disclosing personal data for non targeted advertising
• Transferring personal data as an asset that is part of a merger, bankruptcy, acquisition, or other transaction where a third party takes control of the business's assets
• Disclosing personal data to emergency services or law enforcement to assist the consumer

Obligations Under the Florida Privacy Protection Act

Florida based businesses or those that market services or products to Florida consumers must abide by all of the following.

Notice of Collection and Processing

Businesses must provide information about the purposes for which personal information is collected or used and whether that information is sold.

This notice requirement doesn't apply if the business does not control the collection of personal information.

In an instance where the business collects personal information about (but not directly from) consumers, the company may provide the required information on its Internet home page or in its online Privacy Policy.

Notice of Sale

Businesses must notify the consumer that the company may sell their personal information. They must also give the consumer the ability to opt out of the sale of their personal data.

To do that, businesses must provide a link on their home page titled "Do Not Sell My Personal Information."

During that process, a business may not require a consumer to create an account to direct the company, not to sell the consumer's information.

Data Collection Must Be Reasonably Necessary

Under the Florida Privacy Protection Act, businesses must carefully consider their need to collect and process personal information. All data collection, use, and retention must be reasonably necessary.

Security

Although it is impossible to guarantee the total security of personal information, businesses must take all reasonable measures to guard it from unauthorized access, use, modification, disclosure, or destruction.

Gaining Consent for Data Collection

All businesses that collect personal information must obtain the consumer's affirmative consent before processing sensitive data.

This includes biometric information, personal data collected from a known child in keeping with Children's Online Privacy Protection Act (COPPA), precise geolocation data, and more.

Establish a Process for Requests

In order to comply with the proposed law, a business must take affirmative steps to make it easy for consumers to use their rights. This includes designating an address where requests may be submitted and disclosing any personal information about the consumer that has been collected since January 1, 2023.

Employee Training

In order to ensure that all individuals who handle consumer inquiries about the business' privacy practices are informed of the requirements and how to direct consumers to exercise their rights, all companies should take the following steps.

First, designate one or more employees as a contact for privacy-related matters. Second, provide training on the opt-in and opt-out requirements to these designated employees and any other employees who may come into contact with consumers seeking information about those requirements.

Finally, ensure that all relevant policies and procedures reflect the opt-in and opt-out requirements.

The Business' Privacy Policy

Businesses must provide a link to their Privacy Policy on their websites.

If a company cannot post a Privacy Policy on its website due to technological limitations. it must send an electronic copy of the notice to the individual when the personal information is collected.

The Privacy Policy must include:

• The categories of personal data the company collects through its website or online service and the categories of third party vendors to whom it may disclose that personal information
• A description of the process for a consumer who visits or uses the online service or website to review and request modifications to any personal information collected from the consumer through the website or online service
• The process by which the company lets consumers know about material changes to the Privacy Policy
• Whether a third party may collect personal information about a consumer's online activities across different sites or online services over time when the consumer uses the business's website or online service
• The effective date of the notice

Consumer Rights Under the Florida Privacy Protection Act

Consumer protection policies, laws, and regulations are necessary to protect consumers' welfare.

By ensuring that businesses can be held accountable for their actions, consumers are less likely to be mistreated or misled. This ultimately provides advantages to both the consumer and the business community as a whole.

The Florida Privacy Protection Act explicitly names consumer rights and protects them.

The Right to Opt Out

The bill provides transparency and control to the consumer by allowing them to opt out of the sale of their personal data at all times. This includes the right to stop businesses from sharing or selling their personal information to other parties for marketing purposes.

The Right to Opt Out of Advertising

Consumers in Florida will have the right to opt out of the processing of their personal information for targeted advertising or profiling.

If they are not interested in receiving targeted ads, there will be a link on every business's homepage entitled "Do Not Advertise to Me," which will allow them to opt out.

Keep in mind that even if consumers do opt out, the business still has the right to offer different prices and reward programs.

The Right to Correction or Deletion of Data

Consumers have the right to put forward a verified request that personal information, which has been collected be deleted.

Further, consumers have the right to submit a verified request for correction of their personal information held by a company if that information is inaccurate, taking into account the nature of the personal data and the purpose for processing it.

A caveat here is that a business doesn't have to comply with a deletion request if it is using the information to:

• Fulfill the conditions of a product recall or written warranty conducted in accordance with federal law
• Provide a service or product the consumer requests
• Help to ensure integrity and security to the extent that the use of the consumer's personal data is reasonably necessary and proportionate for those purposes
• Debug to identify and repair mistakes that impair existing intended functionality
• Exercise free speech
• Ensure the privilege of another consumer to practice that consumer's right of free speech
• Engage in peer-reviewed scientific, or public, historical, or statistical research that conforms or adheres to all other applicable ethics and privacy laws
• Comply with a legal obligation
• Exercise another right provided for by law

The Right to Have Another Person Act on the Consumer's Behalf

A consumer may authorize another person to opt-out of the sale of the consumer's personal information.

That authorization must be in writing, signed by the consumer, and include the name of the authorized person. The authorization may not be unreasonably withheld or conditioned.

The Right to Be Left Alone

Consumers have the right to be left alone. All businesses must wait one year before asking any consumer who opted out of the sale of his/her data to re-authorize the sale of that consumer's personal information.

The Right to Know

SB 1864 requires controllers to provide data subjects with a wealth of information about their personal data. This includes the categories of sources from which the data was collected, the specific types of personal data that have been collected, and the categories of any third-party recipients to whom the personal data has been sold.

Enforcement of and Compliance With the Florida Privacy Protection Act

As previously mentioned, the Florida Privacy Protection Act would create a new Consumer Data Privacy Unit within the Florida Attorney General's Office. That unit would be responsible for upholding the new regulations and, more generally, protecting the personal information of Florida residents.

If a business violates the law and the Attorney General brings an action, the court could grant actual damages to a consumer and/or declaratory/injunctive relief.

In Conclusion

The Florida legislature is taking data privacy seriously, and more bills are expected to be introduced in the coming year.

The truth is that the future of privacy legislation in Florida (and elsewhere) will likely be determined by how these bills are prioritized by leadership during the "horse-trading" process.

When the legislative session comes to a close, it will be essential to keep an eye on the progress of privacy bills. Florida businesses should closely watch the DeSantis administration's efforts to pass data privacy legislation. If this legislation is passed, it will significantly impact how they operate.

Of course, it remains to be seen if any privacy law will pass in Florida this year, but we will continue to update you on the latest developments.

All US Privacy Laws

Want to read more about privacy laws in the USA? Start here: