Florida’s governor, Ron DeSantis, and the speaker of the state’s house of representatives, Chris Sprowls, each recently highlighted proposed new privacy legislation in Florida that resembles the California Consumer Privacy Act (CCPA). This has landscape-changing potential, as House Bill 969 is the first CCPA-like proposal endorsed by a Republican governor. The bill the governor and speaker lauded was filed on February 15th, and if passed would become effective on January 1, 2022.

Application/Exceptions

House Bill 969 would apply to any business that collects personal information about consumers, or is the entity on behalf of which personal information is collected and satisfies one or more of the following thresholds:

  • has global annual gross revenues in excess of $25 million
  • annually buys, receives for the business’s commercial purposes, sells, or shares for commercial purposes, the personal information of 50,000 or more consumers, households, or devices, or
  • derives 50 percent or more of its global annual revenues from selling or sharing personal information about consumers.

These mirror the CCPA’s original application thresholds prior to the amendments introduced by the California Privacy Rights Act (CPRA).

The bill defines “consumer” to mean a natural person who resides in or is domiciled in Florida, however identified, including by any unique identifier. “Personal information” is defined, as in the CCPA, as information that identifies, relates to, or describes a particular consumer or household, or is reasonably capable of being directly or indirectly associated or linked with a particular consumer or household.

Unlike the CCPA, House Bill 969 does not apply to the collection or disclosure of employee personal information as long as the business is collecting or disclosing such information within the scope of its role as an employer (however, the bill does not include an express exemption for personal information related to business contacts). The bill contains many exemptions for data already subject to other laws and regulations, including those organizations covered or regulated by the Health Insurance Portability and Accountability Act (HIPAA) and entities subject to the Gramm-Leach-Bliley Act (GLBA). House Bill 969 also exempts certain categories of data from its scope of application, including information regulated by the Family Educational Rights and Privacy Act, and information used in a consumer report to the extent that it is regulated by the federal Fair Credit Reporting Act.

Data Rights

Similar to the CCPA, House Bill 969 provides consumers rights with regard to their personal information, including a right to know what information was collected and the business purpose for collecting the information. Consumers would be able to request that the personal information collected by businesses be deleted. Consumers would be given the ability to opt out of having their personal information sold or shared by a business, with a corresponding Do Not Sell My Personal Information link on the applicable website’s homepage. House Bill 969 also takes inspiration from the CPRA by proposing the right to correct inaccurate records of a consumer’s personal information. Like most bills proposing consumer rights, this bill would also bar a business from discriminating against a consumer for exercising one of the aforementioned rights.

Contractual Obligations

House Bill 969 would require a contract between a business and third parties that purchase or receive personal information. These contracts would be mandated to include certain prohibitions on the party receiving the personal information, including the following:

  • selling or sharing the personal information,
  • retaining, using, or disclosing the personal information for any purpose other than the business purpose specified in the contract,
  • retaining, using, or disclosing the personal information outside of the direct business relationship between the third party and the business, and
  • combining the personal information that the third party receives from or on behalf of the business with personal information that it receives from or on behalf of another person or entity, provided that the third party may combine personal information to perform any business purpose.

The contract would also have to include a certification of understanding by the entity receiving the personal information of these restrictions.

Data Governance and Protection

This Florida proposal creates some affirmative obligations and restrictions on businesses. For example, businesses would be required to develop, provide, and follow a retention schedule for personal information. Businesses would be prohibited from retaining personal information beyond the earliest of:

  • the satisfaction of the initial purpose for collecting,
  • after the duration of a contract, or
  • one year after the consumer’s last interaction with the business.

Further, businesses would be required to implement reasonable security procedures and practices to protect personal information.

Enforcement and Private Right of Action

Like the CCPA, House Bill 969 introduces a private right of action for any consumer whose personal information was breached as a result of a business’ violation of the duty to implement and maintain reasonable security procedures and practices. As in the CCPA, this private right of action is coupled with statutory damages in an amount between $100 and $750 per consumer, per incident, or actual damages, whichever is greater.

The state attorney general would be able to bring an action of up to $2,500 for each unintentional violation or $7,500 for each intentional violation. These fines could be tripled if the violation involves a consumer who is 16 years of age or younger.

Other Implications

In noting his support for House Bill 969, Governor DeSantis emphasized his opposition to “Big Tech platforms” that “have created a surveillance economy which enriches those platforms by free riding on consumer data,” and the escalating scale and “scope of consumer information that’s collected, analyzed, and auctioned.” A Democratic governor in California signed CCPA into law, and a Democratic governor in Virginia is on pace to do the same in the coming weeks. House Bill 969 is the first omnibus privacy proposal that has garnered the support of a Republican governor. If the sentiment expressed by DeSantis is shared by members of his party in state legislatures and governor’s mansions across the country, there may be even more CCPA-like laws implemented in the near future, making privacy regulation one of the few bipartisan agenda items. The rise of CCPA-like legislation, along with one-party control of the White House, Senate, and House of Representatives, gives the federal government a short window to pass a comprehensive pre-emptive privacy bill to avoid the patchwork of requirements that will arise from increasing state-level regulation.

Author

Brian provides advice on global data privacy, data protection, cybersecurity, digital media, direct marketing information management, and other legal and regulatory issues. He is Chair of Baker McKenzie's Global Data Privacy and Security group.

Author

Michael advises clients across various industries, including global online businesses, pharmaceutical companies, healthcare providers, manufacturers, financial institutions, sourcing providers, retail companies, and other organizations regarding the legal aspects of global privacy and data protection, data security, information technology, and related restrictions on data collection and transfer.

Author

Harry is a partner based in New York. He advises global organizations on privacy and data security compliance requirements. His practice is focused on delivering commercially practical advice on designing security, privacy, and technologically compliant solutions.

Author

Cristina focuses her practice on regulatory and transactional issues in global privacy and data protection, including data security, data breach notification, global privacy, website privacy policies, behavioral advertising, cross-border data transfers, and comprehensive compliance programs.

Author

Gary is an associate in the Chicago office. His practice focuses on regulatory and transactional issues in global privacy and data protection, including cross-border data transfers, data security, data breach notification, global privacy, website privacy policies, behavioral advertising, and comprehensive compliance programs.

Author

Dominic Panakal is an associate in Baker McKenzie's Privacy and Technology practice, based in the New York office. Dominic was named by National Law Review as a "Go-To Thought Leader" for Cybersecurity.