Florida Introduces Consumer Data Protection Law with Governor’s Support

On February 15, 2021, Florida legislators introduced a comprehensive consumer data protection bill (HB 969) modeled on the California Privacy Rights Act.  Notably, Florida Governor DeSantis has already came out in support of the bill and said that he “wants big tech companies to be forced to tell Floridians in detail how personal information is being collected, analyzed, and sold.”

Under the proposed bill, Florida consumers would have a right to (1) request a copy of their personal information collected by a business; (2) have their personal information deleted or corrected; (3) request information about personal information sold or shared by a business; and (4) opt out of sale of sharing of personal information to third parties.  While the term “sale” is defined similarly to the CCPA/CPRA, the term “sharing” includes any sharing, transfer, or access to consumer’s personal information for advertising.  Unlike the CPRA, however, “sharing” for advertising purposes is not limited to cross-context behavioral advertising, and would presumably include a broader range of data transfers. Also, unlike the CPRA, the bill would not apply to personal information collected in employment context.

Businesses, in turn, would be required to disclose in their privacy policies the categories of personal information collected about consumers, the categories of personal information that they sold, shared, or disclosed for a business purpose; as well as information about privacy rights granted to consumers.  Businesses would be prohibited from collecting additional categories of personal information or using personal information collected for additional purposes without providing notice to consumers. The bill would also impose limitations on data retention by the covered businesses.

The bill further imposes various contractual and direct obligations on the service providers and would require service providers to similarly obligate their subcontractors.

Like the CPRA, the Florida bill provides for a private right of action but only in cases of breaches involving nonencrypted and nonredacted personal information or email address, in combination with a password or security question.  Consumers would be able to recover statutory damages in the amount of not less than $100 and not greater than $750 per consumer per incident.  In addition, Florida Department of Legal Affairs would be able to bring administrative actions for violations of the privacy law and seek civil penalties up to $2,500 for each unintentional violation and up to $7,500 for each intentional violation.

If enacted, the law would take effect just ten months from now, on January 1, 2022.

Ask Clarip today how we can help you solve your biggest data privacy compliance pain points. Schedule a demo of the Clarip’s Privacy Compliance software or call 1-888-252-5653 today!