The Florida House of Representatives has introduced its version of a comprehensive privacy law (HB 9 – no fancy acronym, unlike the FPPA in the Senate).  This blog post will explain the key differences between the House and Senate versions. I also propose two changes to the private right of action that would mitigate the risk of professional plaintiffs filing gotcha lawsuits. The post ends with a roadmap of what to expect moving forward in this legislative session.

Overview of HB 9

HB 9 was authored by Rep. Fiona McFarland, who was the standard bearer for data privacy in the House last year and successfully spearheaded other technology legislation, like a bill that supported the growth of autonomous vehicles. HB 9 is less business-friendly than its Senate counterpart (SB 1864), in large part because of the private right of action it would create, which is ripe for abuse. But I can attest to the great extent to which Rep. McFarland and her staff have sought to understand concerns (from both sides).

Scope.  Most key terms in the House and Senate bills are similar. One significant difference, however, is the threshold for determining whether the proposed law applies to a particular business. HB 9 applies to for-profit companies that meet, among other things, at least two of the following criteria: (1) global revenue of more than $50M; (2) buys, receives, sells, or shared personal information of 50,000 or more consumers, households, or devices for targeted advertising; and (3) derives 50% or more of its revenue from selling or sharing personal information.  In comparison, the Senate’s version typically applies to for-profit companies that: (1) control the processing of personal information of 100,000 or more consumers; or (2) control or process personal information of at least 25,000 consumers and derive 50% or more of their global annual revenue from selling personal information.

Neither bill’s scope definition appears to be clearly more business-friendly than the other. Whether each version applies depends on the nature of the company’s business. A smaller company, for example, may prefer the House bill’s definition, which does not apply to companies earning less than $50M globally per year unless they engage in significant targeted advertising and earn most of their revenue from selling/sharing personal information. Regardless, the definitions in both chambers are more nuanced than the last legislative session, where versions of the law would have applied to companies that collected very little personal information. The bills this year are more narrowly tailored to apply to companies that collect or sell/share a significant amount of personal information.

Effective Date. HB 9 would not take effect until July 1, 2023, while the FPPA would become effective on December 31, 2022.

Exceptions. Both bills include a significant number of exceptions/exemptions. These include carve-outs for: (1) certain kinds of personal information (e.g., business-related personal information, deidentified personal information, protected health information under HIPAA, and nonpublic information under GLBA); (2) certain activities (e.g., to comply with legal obligations, cooperate with law enforcement, to perform a contract, to advertise to the consumer, and where shared as part of a merger); and (3) certain kinds of entities (e.g., covered entities and business associates under HIPAA, and (to a certain degree) financial institutions under the GLBA). The House version includes at least 23 categories of companies or information to which the bill would not apply. The Senate version has 32 such exceptions/exemptions.

One significant difference in exceptions that will catch the attention of the financial industry is that the FPPA would include an entity-wide exemption for financial institutions under the GLBA, while HB 9 has only a partial entity-wide exemption that does not apply where consumer information is used for targeted advertising with third parties or where the financial institution sells/shares personal information to a third party.  

HB 9‘s Obligations. In most ways, HB 9 creates the same obligations on controllers/processors we have seen in other comprehensive privacy laws. Those include:

• maintaining an online privacy policy;
• providing notice at the point of collection;
• limiting the collection/use of personal information for only those purposes disclosed to consumers;
• requiring a data subject request process to respond to a consumer’s request to exercise his/her rights described next; and,
• requiring reasonable security procedures and practices (and pushing those downstream).

HB 9 also includes an obligation we don’t see as often (and is not in the Senate version) – a retention schedule prohibiting the use or retention of personal information after the initial purpose for which the information was collected is fulfilled, or three years after the consumer’s last interaction with the controller.  This requirement will create operational challenges for companies as they try to track when the last interaction with a consumer was and whether all personal information relating to that consumer has been deleted. Fortunately for companies, the newly proposed private right of action would not apply in that instance.

HB 9’s Consumer Rights. There are many similarities in the consumer rights created by the House and Senate versions. Both provide consumers with a right to request a copy of their information. It also includes a right to delete information. Under HB 9, controllers would have 90 days to comply with that request, which also has ten exceptions to it. Next, HB 9 includes a right to correct inaccurate personal information that requires controllers to use commercially reasonable efforts to correct personal information (and instruct processors to do the same) within 90 days of receiving a verified consumer required.  It is not clear, however, whether the ten exceptions for the right to delete also apply to the right to correct. Nor is it clear what rights a controller has if it receives a request to “correct” information it believes is not accurate (e.g., consumers who use the right to “game the system”, as we have seen with the GDPR). Finally, HB 9 includes a right to opt out of the sale/sharing of personal information, and requires an opt-in for personal information relating to minors.  (HB 9 also adds biometric information to the definition of personal information under Florida’s data breach notification law, but that change will have little impact as there has never been a breach of biometric information given the inherently secure manner in which such information is created and stored.)

Nevertheless, the proposed laws also differ in certain ways. HB 9’s right to request a copy of information requires the controller to disclose the sources of the personal information; the FPPA would not. The FPPA creates opt-in requirements for the collection of sensitive information, but HB 9 does not. The FPPA requires companies that engage in targeted advertising to add a “Do Not Advertise To Me” link on their website (in addition to the “Do Not Sell My Personal Information” link that both bills require); HB 9 does not. Additionally, HB 9 states that a controller “may” accept a request to opt out of sale/sharing “through a user-enabled global privacy control, such as a browser plug-in or privacy setting . . . which communicates or signals the consumer’s choice to opt out.”  It is not clear whether the use of “may” gives controllers an option to ignore these signals, or if “may” simply means that this is one way a consumer can exercise his/her opt out request. The FPPA does not contain a similar method for opt-out requests.

Enforcement.  Both bills would be enforced by the Florida Office of the Attorney General. Both bills provide that enforcement authority by making violations of the bills an automatic violation of the Florida Deceptive and Unfair Trade Practices Act (for regulatory enforcement purposes only, not for the creation of a private right of action). Both bills also include a discretionary period to cure any violations.  The bills, however, also contain significant differences on the enforcement front. First, the Senate bill would create a new unit within the Attorney General’s office dedicated to the protection of consumer personal information. (The funding (if any) for this new unit is not clear.) Such a dedicated unit can have advantages for businesses – maximizing a regulator’s technology expertise, ensuring privacy experience, and requiring an understanding of operational challenges that typically accompany privacy compliance. It can also have disadvantages – regulatory officials whose primary focus is pursuing companies who are not in compliance with Florida’s privacy laws, and the degree of aggressiveness of those officials will likely depend on the particular Attorney General.  The second (bigger) difference between the two bills on the enforcement front is the House’s proposal of a private right of action for privacy violations (the Senate bill does not have a private right of action).

The Private Right of Action

One of the biggest concerns for companies will be HB 9’s private right of action. Last year, Florida did not adopt a privacy law in large part because of the House leadership’s insistence that it include a private right of action so broad it would have applied to data breaches of any kind of personal information (not just sensitive information, as with the CCPA) in addition to any violations of the privacy provisions of the bill.  The Senate’s version did not include a private right of action.

This year, HB 9 proposes a more limited private right of action that would allow consumers to sue companies for $100 to $750 per person per incident (or injunctive/declaratory relief) where the company: (1) fails to delete or correct the consumer’s personal information after receiving a verifiable consumer request or, in the case of a processor, fails to delete/correct as directed by the controller; (2) continues to sell or share personal information after the consumer opted out; or (3) sells or shares personal information of a consumer 16 or younger without obtaining the required consent. Significantly, the law allows a prevailing plaintiff to seek attorney’s fees and costs, but does not do the same for a prevailing defendant.

HB 9 would be the first comprehensive U.S. privacy law that creates a private right of action for violation of privacy provisions of the law.  (California’s private right of action, for example, is limited to data breaches of sensitive personal information, and Colorado’s and Virginia’s laws do not contain a private right of action.)

In its current form, the private right of action will incentivize “gotcha” lawsuits by professional plaintiffs who will make mass deletion/correction/opt-out requests in the hope of catching companies off-guard and unable to respond within the time provided by law. The consumer will receive $100 to $750 while the consumer’s lawyer will collect tens or hundreds of thousands of dollars in attorney’s fees per lawsuit.

The House can mitigate this abuse by making two changes. First, create a “right to cure” that requires a consumer to first inform a company of his/her intent to sue; if the company does not comply with the request or identify an exception within 30 days, the lawsuit can proceed. Adding a right to cure allows lawsuits to proceed against companies that intentionally violated the law.  Second, the bill should allow the “prevailing party” to seek attorney’s fees, instead of only the plaintiff being entitled to fees. Doing so would further ensure that any lawsuits have merit. It would also align this consumer protection law with Florida’s leading consumer protection law (the Florida Unfair and Deceptive Trade Practices Act) which allows the prevailing party to seek attorney’s fees.

Compliance Costs

Both bills would impose significant compliance costs on companies that have not already had to comply with California’s, Colorado’s, or Virginia’s privacy laws (i.e., smaller to mid-sized companies). This may be what ultimately dooms a comprehensive privacy law in Florida this year, at a time when companies are still trying to recover from pandemic-related losses. The costs include:

• A lawyer to help understand the plethora of requirements in the lengthy bill;
• A vendor to perform a data inventory that allows the business to understand what personal information they collect, where they get that information, how they use it, and with whom they share it;
• A vendor to develop a process for responding to Florida residents’ requests to access, delete, or change their personal information;
• A service/subscription that will track changes in how personal information is being collected and shared so that responses to data requests are accurate and provided in a timely manner;
• A company to build the required “Do Not Sell My Personal Information” and “Do Not Advertise To Me” links on the homepage and all of the back-end support triggered by clicking on one of these links;
• A company to train employees on how to comply with the law; and,
• A cybersecurity firm to perform a threat assessment and to build the reasonable security procedures and processes required by the law.

All of these services can range between $350,000 to $750,000 annually depending on the business and the number of vendors needed. For larger companies, the compliance costs can easily exceed $1,000,000 each year.

Next Steps

The FPPA’s immediate path includes three committees: Commerce and Tourism, Regulated Industries, and Rules. The Rules committee is chaired by the Senate President, so we may learn a great deal about the bill’s future from that hearing. HB 9’s path is shorter. It is now in the Commerce Committee and from there will proceed to the Judiciary Committee. After passing through the various committees, both bills must then pass on the floor of their respective chambers.

Assuming both bills (especially the Senate bill) pass the floor votes, the most important phase will follow – when the Senate President and House Speaker decide which version of the bill should become law. The outcome of this phase will depend on each leader’s list of priorities. The House Speaker, for example, may be willing to agree to language on a Senate bill that is a top priority for the Senate President in exchange for a privacy law that contains a private right of action. This “horse trading” part of the legislative process will be influenced by Governor DeSantis’s priorities, particularly since this is an election year for the Governor, who many believe is the leading contender to become the next Republican nominee for U.S. President. It’s not clear which way this factor cuts, as it will force a choice between the pro-growth traditional values of Republican conservativism or the newer populist “anti-Big Tech” wing of the Republican party.

All of these next steps must come to a conclusion by March 11^th, when the Florida legislative session comes to an end.