A Guide to Florida’s Proposed Version of CCPA

Post Series: Data Privacy Legislation

The California Consumer Privacy Act (CCPA) has been an influential model for other states as they draft their own data privacy legislation. Recent laws from Virginia and Minnesota closely resemble CCPA, and now Florida has joined the movement with a new data privacy bill that is strikingly similar to California’s.

The bill, called HB 969, has earned the support of Florida Governor Ron DeSantis. DeSantis’ cosign is significant since it is the first sign of high-level support for a comprehensive Florida privacy law since similar legislation failed to pass last year.

Applicability

Although it has been branded by DeSantis as a “big tech” bill, HB 969’s scope is much wider. The law would apply to for-profit businesses that:

  • Do business in Florida;

  • Make over $25 million in global annual gross revenue;

  • Collect personal information about consumers;

  • Determine how collected personal information will be processed.

Similar to CCPA, companies that make less than $25 million will be held accountable if they:

  • Buy or receive the personal data of over 50,000 consumers, households or devices;

  • Derive 50% or more of their revenue from selling or sharing personal data;

  • Control, or are controlled by, and share common branding with a company that meets any of the above criteria.

As far as data goes, the law would not apply to:

  • Deidentified data with safeguards in place to prevent reidentification;

  • Health information covered under the Health Insurance Portability and Accountability Act;

  • Information collected for a clinical trial or for research in the public interest.

Consumer Privacy Rights

Under the law, consumers would have the right to request a copy of their personal data from a business. Upon request, organizations must provide the pieces of information they collect, the source of the information, the purposes of collection, and the categories of third parties with which they share the data.

Following the principle of data portability, the business must provide the data in a readable and transferable format that the subject can use for their own purposes. Consumers are entitled to access the data free of charge, but they may only submit two access requests a year and may be asked to verify their identity.

Consumers also have the right to know the categories of their personal data that have been sold or shared and the categories of any third parties to which it was disclosed. They would also have the right to opt out of the sale or disclosure of their data to third parties, while children under 16 would have to opt in before such activity is permitted.

This does not prevent organizations from disclosing data to service providers for a business purpose if the organization provides notice of it in their terms and conditions and the service provider does not use the data for additional purposes.

Consumers have the right to deletion, but it comes with one major caveat. In addition to the usual exceptions of when the data is needed to obey a law, complete a transaction or provide a good or service to the consumer, organizations can reject requests when the data use is “compatible with the context in which the consumer provided the information.”

However, if none of those exceptions apply, the data would have to be deleted by not only the organization but any service provider with which it shared the data. Consumers also have the right to correct inaccurate data about themselves.

The law would also prohibit businesses from discriminating against consumers for exercising their rights, including charging them a higher price or denying them a good or service. However, rewards programs and payments incentivizing consumers to provide their data are allowed, as long as the data subject consents.

Private Right to Action

The most substantial change is the introduction of a private right to action, which would allow consumers to seek statutory damages after being harmed by a data breach. This private right to action applies only to data breaches; consumers cannot seek damages for other violations of the law.

Interestingly enough, a breach is defined as the “unauthorized access, exfiltration, theft or disclosure” of personal information. This is broader than Florida’s current breach notification law, which excludes exfiltration, theft and disclosure from its definition. In theory, companies could have to pay damages for breaches that they were never obliged to notify affected consumers about.

Like CCPA, consumers will be entitled to the greater of statutory damages between $100 and $750 or actual damages. The law also allows consumers to seek injunctive or declaratory relief.

Privacy Policy and Collection Notices

Like CCPA, the law would require organizations to publish a privacy policy that is accessible online. The policy must detail the organization’s data activity, including a list of the categories of personal information the business collects, sells or discloses for business purposes. It must also inform consumers of their privacy rights under Florida law and how they can exercise their rights to delete, correct or opt out of sale to third parties.

More specifically, a business cannot sell a customer’s data unless it has explicitly given the customer the opportunity to opt out. Businesses are required to provide a conspicuous link on their website that reads “Do Not Share or Sell My Personal Information,” which the consumer can use to exercise their opt-out right.

Organizations may not require consumers to create an account to make such requests. Consumers must be given two or more means of submitting a request, including a toll-free phone number and a link on the organization’s home page.

Additionally, businesses are required to provide a just-in-time notice upon or before collection, describing the categories of personal information being collected and the purposes for which they will be used. Any data activity beyond that described in this notice is prohibited, unless an additional notice is provided to the consumer.

To ensure that data is not used beyond its initial purpose, organizations must create a retention schedule. Personal data may not be retained after one of the following occurs:

  • The initial purpose is satisfied;

  • The contract with the consumer ends;

  • One year passes since the consumer’s last interaction with the organization.

What To Expect

If the bill passes, the law would go into effect on January 1, 2022. Violations will be enforced by Florida’s Attorney General. Penalties can reach $2,500 per unintentional violation and $7,500 per intentional violation. Those fines jump to $7,500 per unintentional violation and $22,500 per intentional violation if consumers under 17 are involved.

It is unclear whether payouts will be enforced per consumer, per action, or per violated provision of the law. Organizations can avoid penalties if they cure violations within 30 days of being notified.
