Florida joins the increasing number of states considering a consumer privacy bill this legislative session. The Florida privacy companion bills were introduced in both the state’s Senate (SB 1620) and House of Representatives (HB 963). If enacted, the law will become effective in July 2020.
The bill includes three significant new requirements for “operators” of a website or online service:
- Allows consumers to review and correct their personal information,
- Creates a right to opt out of the “sale” of certain of a consumer’s personal information, and
- Delineates specific notice requirements for online privacy statements.
The Florida privacy bill (yet to be named) includes some provisions and requirements that are comparable to the California Consumer Privacy Act (CCPA), while others are not. The below summary compares the Florida privacy bill to the CCPA.
The bill applies to an “operator,” which is defined as a person who:
- owns or operates a website or online service for commercial purposes,
- collects and maintains covered information from consumers who reside in Florida and use or visit the website or online service, and
- purposefully directs activities toward Florida or a Florida resident.
Excluded from the definition of operators are (1) third-parties that host a website on behalf of an operator, (2) GLBA and HIPAA-regulated entities, and (3) motor vehicle manufacturers/repairers under certain circumstances.
Also excluded are entities located in Florida whose “revenue is derived primarily from a source other than the sale or lease of goods, services, or credit on websites or online services,” and “whose website or online service has fewer than 20,000 unique visitors per year.”
– Similar to the CCPA. Both the CCPA and Florida bill apply to companies doing business within the state, with similar exceptions for both small businesses and those covered by federal privacy laws such as HIPAA and GLBA.
“Covered information” is defined in the bill as the following types of information, if collected through a website or online service: (1) first and last name; (2) home or other physical address, which includes the name of a street and the name of a city or town; (3) email address; (4) telephone number; (5) Social Security number; (6) identifier that allows a consumer to be contacted either physically or online; and (7) any other information concerning a consumer that is collected from the consumer through the website or online service of the operator and maintained by the operator in combination with an identifier in a form that makes the information personally identifiable.
– Similar to the CCPA. The CCPA arguably includes a broader set of data, including information such as predictive inferences.
Florida consumers would have the right to review and request changes to any of their personal information that is collected by a business under the bill. There is no deletion right included.
– Significant differences from the CCPA. CCPA access rights are much more robust than the Florida bill; the Florida bill does not include a right to deletion.
The bill defines “sale” narrowly to mean “the exchange of covered information for monetary consideration by the operator to a person for the person to license or sell the covered information to additional persons.”
Florida consumers would have the right to submit a verified request to an operator directing the business not to sell any covered information the business has or will collect about the consumer.
– Significant differences from the CCPA. The Florida bill is significantly narrower than the CCPA, following the Nevada approach to information sales. The Florida bill also omits the requirement that businesses provide notice of the right to opt out of sales.
The Florida bill requires businesses to identify in an online privacy statement:
- The categories of personal information processed;
- The process for reviewing and correcting information;
- Whether any third parties collect personal information across different websites.
– Similar to the CCPA. The Florida bill’s requirements are somewhat narrower, and don’t include the requirement that the privacy notice be updated yearly.
Enforcement & Penalties
The Florida Attorney General (AG) may initiate civil actions to enforce the bill. Prior to bringing an enforcement action, businesses would need to be notified of the violation and provided 30 days to cure the violation. It is not clear that the notice would need to come from the AG’s office (as opposed to a consumer complaint). The AG’s office could seek a civil penalty of up to $5,000 per violation. The bill offers no private right of action.
– Significant differences from the CCPA. Both laws contain cure periods and are enforced by the state AG; however, the CCPA also includes a limited private right of action.