Click here to read an important update to this post.
By: Drew Sorrell
As of this writing, the Florida Legislature is poised to enact House Bill 969 (2021), which will fundamentally affect consumer data privacy rights in Florida. Governor DeSantis has expressed his support for the new legislation that he supposes is aimed at “Big Tech” companies but that in actuality will likely sweep small and midsized companies into its coverage at great expense. Should he sign the bill, Florida will move closer to California in its treatment of consumer data privacy.
Strikingly similar to California’s Consumer Privacy Act or CCPA (now the California Consumer Privacy Rights Act or CCPRA), HB 969 will apply to for-profit businesses doing business in Florida that collect “personal information”1, about consumers, and meet one of the following three thresholds:
- Global gross revenues in excess of $25 million dollars (adjusted periodically for CPI);
- Deals in2 the information of 50,000 or more consumers, households or devices; or,
- Derives 50% or more of its global revenues from selling or sharing personal information about consumers.
While the first two somewhat suggest only larger businesses will be affected, the third factor could quite easily sweep in much smaller technology and data business.3,4 Note, too, that the bill’s definition of a business includes several factors that pull related businesses into the analysis of whether any given “business” meets the thresholds. Given that the first 16 pages of the 37-page bill consist of definitions, this is only a brief summary of the bill’s workings.
So, what does “personal information” mean? Similar to the European General Data Protection Regulation’s definitions, it includes names, aliases, addresses, identifying and descriptive information about a person, protected characteristic under law, commercial information such as purchases made or even researched, biometric information (biometric data is the new black when it comes to privacy), Internet usage history, geolocation data, “olfactory and thermal” (it’s thorough, I suppose) information, professional information, and education information, as well as the inferences drawn from the foregoing list used to create a consumer profile. This is clearly aimed at those companies that trade in consumer data for sales, advertising and marketing purposes. (A New York Times article discusses one creepy use of modern tracking.)
If HB 969 does become law as predicted, it well could serve to hammer small and medium businesses without the budget to comply with its many requirements. Essentially, companies will need to hire a lawyer to untangle and apply the bill to any given business operation. Then, a technician is needed to modify systems and software so that the technology complies. Next, a consultant must help establish internal business processes to handle the information. Finally, it’s back to the lawyer and the technician for security policies surrounding the personal information.
Under the bill, a business’s website must facilitate the consumer’s exercise of these rights via posting a what it calls a “simple to use and understand” webform. Given that it takes a lawyer to understand the bill, how a company will provide a “simple and usable” form to the average consumer remains to be seen, i.e. not all requests will be honored because the rights do not apply to every situation. If a Florida consumer requests information about their information, the recipient of the request much identify that consumer (i.e., prove it is really them) and then respond according to the provided timetables.
Like HIPAA, businesses that enter into contracts with third-party entities to assist them with dealing with the affected data must enter into a written data processing agreement that governs how the data may or may not be used. HB 969 further requires that when a business receives an opt-out, it must notify third parties who have received the data that the consumer has opted out (again, a tracking nightmare). Additionally, a business may not retaliate against a consumer who exercises their rights under the bill.
Enforcement of HB 969 will be primarily handled by the Florida Department of Legal Affairs. However, the bill also includes a limited private right of action that is similar to a data breach right of action.
All told, while HB 969 was created with the good intention of protecting consumers and their privacy, the ramifications for businesses will be rather significant, with many finding it overwhelmingly difficult and painful to implement. Of course, the costs for noncompliance could be staggering. Given the potential effects of HB 969, it’s important to consult with a lawyer regarding data privacy and your business.