The Sunshine State Joins the Fray: Florida Introduces a Bill Protecting Privacy of Online Consumers
So far, 2020 has seen the implementation of the much-anticipated California Consumer Privacy Act (CCPA), and, as trends have been predicting, other states are not far behind. The push for states to take action and protect consumers’ privacy is picking up speed, and Florida appears to be one of the next in line, having introduced a new consumer privacy bill designated as HB 963 in the State House and SB 1670 in the State Senate.
The bill requires “operators” of websites or online services that collect information from consumers to establish a way for consumers to request notice regarding the collection and sale of their information and to prohibit the sale of such information to data brokers at the consumer’s request. It also creates some level of transparency by requiring online privacy policy statements, and creates accountability through injunctions and civil penalties.
The bill as written applies to “operators” of commercial websites and online services who collect and maintain “covered information” from consumers who reside in Florida and use or visit the website or online service, and who purposefully direct activities, purposefully execute a transaction, or engage in any activity toward Florida or Florida residents.
“Operators” do not include third parties that operate, host, or manage websites on behalf of the operators, financial institutions already subject to the Gramm-Leach-Bliley Act, or motor vehicle manufacturers and repairers who collect data related to the servicing of the motor vehicle. The provisions of this bill also exclude HIPAA-regulated entities.
The bill also does not apply to “operators” of Florida websites whose revenue is derived primarily from sources other than the sale or lease of goods, services or credit on websites or online services and that have fewer than 20,000 unique visitors per year.
Under the proposed Florida bill, “covered information” includes the following items of personally identifiable information about a consumer collected by an operator through a website or online service and maintained in an accessible format: first name; last name; home or other physical address; email address; telephone number; social security number; an identifier that allows a consumer to be contacted physically or online; and any other information concerning a consumer collected through the website or online service and maintained by the operator in combination with an identifier in a form that makes the information personally identifiable.
Compared to the CCPA, which defines “sale” as any exchange of personal data for value, “sale” under the Florida bill has a much narrower definition: an exchange of personal information for monetary value to a person for the person to license or sell the covered information to additional persons, i.e. an actual sale to data brokers. The Florida bill requires operators to establish a designated “request address” (which could be an e-mail address, toll-free number, or a designated website) through which a consumer can submit a verified request to opt out of the sale of covered information but, unlike the CCPA, does not require an explicit notice of the right to request to opt out in the form of an ever-convenient “do not sell my info” link. Under the Florida bill, consumers would have a right to review and correct their covered information, but not the right to delete information that the CCPA grants. The CCPA, however, does not provide a right of rectification.
Operators must create online privacy statements that identify the categories of covered information collected and the categories of third parties with whom the operator may share such information, describe a process for consumers to exercise their right to review and request changes to their covered information, provide notice of information collection across websites by third parties, and describe the process of notification of material changes to the notice.
Notably, the Florida bill does not provide for a private right of action. However, for purposes of enforcement, the Florida Department of Legal Affairs can bring a civil action, provided the operator has 30 days to cure the violation and willfully fails to comply. Operators can be subject to temporary or permanent injunctions and fines of not more than $5,000 per violation.
If passed, this Florida law would go into effect on July 1, 2020, concurrently with the enforcement of the CCPA. Given the current privacy climate and the rate at which states are introducing new privacy measures, companies across the nation should sit up and take close notice. Those who are already working towards GDPR and CCPA compliance must start thinking of adapting their privacy programs to future regulations, while other companies should assess where they stand in terms of collection and processing of personal data and strongly consider developing privacy and data security frameworks in order to be prepared for the swift changes coming within the data privacy legal landscape.