Florida Lawmakers Considering CCPA-Like Privacy Bills

Drafted by Loly Sosa.

With the goal of “put[ting] some Florida sunlight” on data mining practices, Florida lawmakers proposed two CCPA-like privacy bills in January 2022: SB 1864 (in the Florida Senate) and HB 9 (in the Florida House). If either bill is passed, Florida could become the fourth state to enact comprehensive privacy regulation – following California, Virginia, and Colorado.

Status

  • HB 9 is being reviewed by the Judiciary Committee this Wednesday. If it clears this hurdle, it will be heard on the House floor.

  • SB 1864 still faces a number of committee hearings.

Main Points

The bills will be subject to changes as the legislative session progresses. Their main points, as currently drafted, are as follows:

(1)    The Bills Apply to Different Entities.

Although both apply to for-profit entities conducting business in Florida, each bill applies a different threshold for consumers and revenue.

HB 9 requires that two of the three be met: the business (a) has global annual gross revenues in excess of $50 million; (b) annually buys, receives, sells, or shares the personal information of 50,000 or more consumers, households, and devices for the purpose of targeted advertising in conjunction with third parties or for a non-exempted purpose; or (c) derives 50% or more of global annual revenues from selling or sharing personal information about consumers. HB 9 differs from the California Consumer Privacy Act in that it requires two (rather than one) of these to be met.

SB 1864 is more similar to Virginia’s Consumer Data Protection Act and Colorado’s Privacy Act, requiring that one of the following be met: the business (a) controls the processing of personal information of 100,000 or more consumers who are not covered by an exception under the act; or (b) controls and processes the personal information of at least 35,000 consumers who are not covered by an exception under the act and derives 50% or more of global annual revenues from selling personal information about consumers.

(2)    Similar Exemptions from Act

Both bills exempt certain types of information and entities from their requirements. For example, they both exempt:

  • A covered entity or business associate under HIPAA;

  • Information covered by the Family Educational Rights and Privacy Act;

  • Information and financial institutions regulated by the Gramm-Leach-Bliley Act;

  • Information collected, processed, sold, or disclosed pursuant to the Fair Credit Reporting Act and Driver’s Privacy Protection Act;

  • Certain employee data; and

  • Certain information collected for research purposes.

(3)    The Bills Contain Similar Definitions and Exclusions for “Personal Information”

HB 9 defines “personal information” as “information that identifies or is linked or reasonably linkable to an identified or identifiable consumer or household, including biometric information and unique identifiers to the consumer.” SB 1864’s only difference is that it does not include household and does not provide examples.

Both bills exclude the following from the definition of “personal information”:

  • Publicly available information that is made available through federal, state, or local government records;

  • Information that a controller has a reasonable basis to believe is lawfully made available to the general public by the consumer or from widely distributed media unless the consumer has restricted the information to a specific audience;

  • Information that is de-identified or aggregate consumer information.

HB 9 also excludes certain employment information.

(4)    HB 9 More Narrowly Defines “Aggregate” and “De-Identified” Information

Both bills define “aggregate” and “de-identified” information by exclusion.

SB 1864 defines “aggregate consumer information” as “information that relates to a group or category of consumers from which individual consumer identities have been removed and which is not linked or reasonably linkable to any consumer, including through device.” HB 9, on the other hand, states that such information “cannot be directly or indirectly associated or linked with any consumer, household, or device.”

SB 1864 defines de-identified information as “information that cannot reasonably identify or be linked directly to a particular consumer, or a device linked to such consumer,” while HB 9 defines the term as “information that cannot reasonably be used to infer information about or otherwise be linked to a particular consumer.”

Because HB 9’s definitions exclude data that is more tenuously linked to a consumer, its categories for “aggregate” and “de-identified” information are narrower than SB 1864’s.

(5)    Only SB 1864 Recognizes “Sensitive Data” Requiring Consent

SB 1864 differs from HB 9 in that it recognizes a category of “sensitive data” for which a consumer’s informed consent is required for processing. This data includes citizenship/immigration status, geolocation, health information, sexual orientation, and biometric data.

(6)    The Bills Identify Similar Consumer Rights

Both bills provide consumers with similar rights, specifically:

  • Right to opt out of sale of personal information;

  • Right to request deletion or correction of personal information; and

  • Right to know controller’s sources of personal information, the specific information collected, and the categories of third parties to whom the information was sold.

SB 1864 also allows for a right to opt out of processing for purposes of targeted advertising or profiling, while HB 9 provides rights to opt out of, or request additional information regarding, the sale or sharing of information (and defines sharing as disclosing or transferring information for advertising or marketing).

(7)    The Bills Similarly Differentiate Between “Controller” and “Processor”

Like the GDPR, each bill sets forth “controller” and “processor” roles based on their handling of personal information. A “controller” is an entity that “determines the purposes and means of processing personal information about consumers alone or jointly with others.” A “processor” is an entity that “processes personal data on behalf of . . . a controller.” “Processing” means “any operation or set of operations performed on personal information or sets of personal information.” Under SB 1864, such processing must be done “at the direction of” the controller and, under HB 9, such processing must be pursuant to the terms of a written contract.

Both bills require:

  • Controllers to provide consumers with certain privacy notices and follow certain processes in responding to consumers who exercise their rights;

  • Controllers to establish, implement, and maintain reasonable security, retention, and administrative procedures and practices to protect personal information from unauthorized or illegal access, destruction, use, modification, or disclosure; and

  • Certain contractual provisions between controllers and data processors.

(8)    The Bills Vary in Their Enforcement Rights

SB 1864 does not provide for a private right of action. It creates a Consumer Data Privacy Unit, within the Department of Legal Affairs, with responsibility to enforce the act. The Unit may bring an action against controllers and processors that sell personal information to third parties for the following unfair or deceptive trade practices: (1) failure to delete or correct a consumer’s personal information after receiving a verifiable request or directions to delete or correct; or (2) continuing to sell a consumer’s personal information after the consumer chooses to opt out, or selling the personal information of a consumer age 16 or younger without obtaining the consent required by the act. The Department shall notify the party in writing of the alleged violation and may grant a 45-day cure period. In such an action, a court may grant actual damages to a consumer or injunctive or declaratory relief.

HB 9 allows both for a private right of action and an agency enforcement action. Such action may be brought against a controller, processor, or third party.

Under the private right of action:

  • A Florida consumer may bring a civil action against a controller, processor, or third party;

  • The basis of such action shall be the same bases as in SB 1864 (with the exception that a minor is 18 or younger);

  • A court may grant injunctive or declaratory relief; statutory damages between $100-$750 per consumer per incident or actual damages, whichever is greater; and attorneys’ fees and costs to a prevailing consumer; and

  • In assessing the amount of statutory damages, a court shall consider circumstances including, but not limited to, the nature and seriousness of misconduct, the number of violations, the length of time, and the defendant’s assets, liability, and net worth.

Under the agency right:

  • The Department of Legal Affairs may bring an action against a controller, processor, or third party if it has reason to believe that they are in violation of the act;

  • Such action must be brought on behalf of a Florida consumer;

  • The department may provide an opportunity to cure within 45 days, but not for violations that give rise to the private right of action;

  • Any violation of the act is considered an unfair and deceptive act or practice. However, civil penalties may be tripled if the violation (1) includes a Florida consumer who the controller, processor, or third party has actual knowledge is 18 years of age or younger or (2) gives rise to the private right of action; and

  • The department may issue additional regulations to implement this section.
