Version 1.1: Florida Attempts a Privacy Law, Again

In Data Protection, Uncategorized by lowndestech

By Drew Sorrell

Last year, I wrote about the Florida Legislature’s, ultimately failed, attempt to pass a consumer privacy law. The law was generally patterned after California’s Consumer Privacy Act (CCPA). Negotiations over the Florida version broke down over the inclusion of a private right of action, which would have allowed consumers to sue a company for data privacy violations.

While not the only proposed privacy bill currently winding its way through the Florida legislature, the same Florida legislator has now proposed version 1.1 of last year’s failed bill. The new bill is Florida SB 1864.

You will recall that the original proposed bill enjoyed some bi-partisan support. Waggishly, this was because Democratic politicians liked the consumer protection provisions, and Republican politicians liked that it took aim at social media companies.

Version 1.1 of the new bill makes a notable change in how it defines a “controller.” The term, lifted from the European General Data Protection Regulation, is the nomenclature used to indicate the companies that must comply with the new law, if passed. The new Florida proposal now defines a “controller” as a company doing business in Florida for profit and that either has the right to determine how consumer data of 100,000 or more consumers is processed, or, controls or processes consumer data of 25,000 or more and derives 50 percent or more of its global annual revenue from selling such data.

This new definition of controller is interesting because California’s CCPA law includes, among other triggers, a pure-revenue trigger (revenue greater than $25 million) that does not require a data processing minimum. The net effect in California is that a company could be required to comply with the CCPA even though it does not deal in a volume of consumer data. Obviously, this leads to a broader application of the California law.

By contrast, the Florida proposal, by speaking only in terms of personal data volume as a trigger, reduces the overall application of the proposed law. Presumably this Florida trigger more squarely targets technology companies and arguably secondarily large consumer companies.

Depending on your point of view, this is “good” for smaller and medium-sized business, “bad” for companies dealing in any meaningful volume of consumers, and “bad” for consumers who would (should?) appreciate enhanced privacy protections.

I intend to write a series of these reviews as the various bills progress. The next will discuss the proposed protections of the bill and some of its burdens on business swept into its coverage.