US: Florida Privacy Bill Advances

Authors: Andy Serwin and Jennifer Kashatus

Florida appears to be on track to be one of the next states to pass a general privacy law, joining California and Virginia. CS/HB 969 makes changes to existing law, and also adds a number of new requirements.  It is unclear whether the Bill will be enacted, though it appears to have broad support in Florida, and this post will provide an overview of those changes and additions.

Perhaps the most significant change to existing law is that the Bill expands the definition of “personal information” under Florida’s data breach law to include biometric information.  Given the existing definition of personal information, this change would make Florida’s breach law one of the broadest laws in the United States, at least in terms of coverage of information.

The Bill would also add a new Section 501.173, which contains the proposed privacy protections for “consumers,” defined as Florida residents and natural persons domiciled in Florida.  The legislation applies to “businesses,” which is defined in ways similar to the California Consumer Privacy Act (CCPA), including revenue and data thresholds.  If adopted, notably, the Bill’s definition of “personal information” applies to information about an individual and a household. “Personal information” is information that identifies, relates to, or describes a particular consumer or household, or is reasonably capable of being directly or indirectly associated or linked with, a particular consumer or household, and there are categories of information, such as direct identifiers, that are also contained in the definition.  The Bill also contains a definition of “deidentified” information, which essentially means information that is not reasonably capable of being directly or indirectly linked with a particular consumer, though there are additional requirements contained in the Bill for information to be deidentified.

The Bill also seeks to give consumers rights with regard to their own personal information, including, to request a copy of their data, correction of their data, disclosure of certain information about the sale or sharing of personal information, deletion of certain data collected from the consumer. The Bill also would provide the consumer with the right to opt-out right for the sale or sharing of personal information. All of these rights would be subject to certain conditions and limitations.

The Bill would impose a requirement that a business that collects personal information about consumers post a privacy policy on its website.  The policy must identify the categories of personal information the business collects from consumers, as well as a list of which of these categories the business discloses, sells or shares or has sold about consumers.  The policy must also contain an opt-out right regarding the sale or sharing of personal information.  The policy must also inform the consumer of its right to request that the business disclose the categories and specific pieces of information the business has collected from consumers.

The Bill also seeks to impose a retention period on personal information, requiring businesses to adopt a retention schedule that would limit retention to the shorter of: the satisfaction of the initial purpose for collecting or obtaining the information, after the duration of a contract, or one year after the consumer’s last interaction with the business.

There are a number of exemptions that are generally consistent with CCPA, including, exemptions for health-related data covered by HIPAA, personal information covered by GLBA, and employee data.

The Bill provides private remedies for the loss of data (in certain cases), as well as enforcement by the Florida Attorney General, including civil penalties.

The Bill, if enacted, would become effective January 1, 2022.  It remains unclear whether the Bill will be enacted, but it is another example of states continuing to attempt to move forward on privacy laws in the absence of federal legislation.

For additional information, please contact Andy Serwin, Jennifer Kashatus, or another member of the DLA team.