Yesterday, House Bill 969, titled Consumer Data Privacy, was introduced as a potential new law to protect the personal data of Florida consumers. Governor Ron DeSantis’ stated goal for the bill is to “safeguard the privacy and security of consumer data.”
The bill is intended to give consumers more control over the personal information that businesses routinely collect and may even sell to third parties. Many of the basic rights under the new bill mirror those of the California Consumer Privacy Act (CCPA), passed in 2018. Like the CCPA, HB 969 attempts to secure new privacy rights for Florida consumers. If you are a Florida resident, you may ask businesses to disclose what personal information they have about you and what they do with that information, and you may request that a business delete your personal information and not sell it. Consumers will also have the right to be notified, before or at the point businesses collect personal information, about the types of personal information being collected and what the business may do with that information. Generally, businesses will not be able to discriminate against you for exercising your rights under HB 969.
As stated above, the consumer will be provided the right to request that businesses disclose what personal information they have collected, used, shared, or sold about the consumer, and why they collected, used, shared, or sold that information. Businesses must provide a consumer with this information for the twelve-month period preceding the request and must provide the information free of charge.
If passed, HB 969 would require businesses to inform consumers about certain information being collected at the time of collection. Businesses would be required to inform consumers about: (i) categories of personal information collected; (ii) specific pieces of personal information collected; (iii) sources from which the business collected personal information; (iv) purposes for which the business uses the personal information; (v) categories of third parties with whom the business shares the personal information; and (vi) categories of information that the business sells or discloses to third parties.
A Florida consumer may also request that businesses stop selling their personal information (“opt-out”). With some exceptions, businesses cannot sell your personal information after they receive an opt-out request unless you later provide authorization allowing them to do so again. Businesses must respect the consumer’s decision to opt out for at least twelve months before requesting that the consumer authorize the sale of the consumer’s personal information. Businesses can offer consumers financial incentives in exchange for collecting, keeping, or selling personal information. However, businesses cannot use financial incentive practices that are unjust, unreasonable, coercive, or usurious in nature.
After discovering what personal information is collected, used, shared, or sold, a consumer may request that a business delete the personal information collected and tell its service providers to do the same. However, there are many exceptions that allow businesses to keep personal information. Businesses must respond to a request to delete within 45 calendar days and can only extend that deadline once by another 30 days (75 days total) if they notify the consumer.
Consumers may be worried about retaliation for exercising rights under HB 969. However, the bill prohibits businesses from denying goods or services, charging a different price, or providing a different level or quality of goods or services just because a consumer exercised rights under the proposed law. Businesses also cannot make the consumer waive these rights, and any such contract provision is unenforceable.
What happens if a business violates HB 969? What rights are given to the consumer? Much like the CCPA, HB 969 only provides a private cause of action against a business if there is a data breach, and even then, only under limited circumstances. A consumer can sue a business if their nonencrypted and nonredacted personal information was stolen in a data breach as a result of the business’s failure to maintain reasonable security procedures and practices to protect it. If this happens, the consumer can sue for the amount of monetary damages actually suffered from the breach or up to $750 per incident. An important aspect of the proposed law is that it does not provide for prevailing party legal fees.
For all other violations of HB 969, only the Department of Legal Affairs (“Department”) can file an action. If the Department has reason to believe that any business is in violation and that proceedings would be in the public interest, the Department may bring an action against such business and may seek a civil penalty of not more than $2,500 for each unintentional violation or $7,500 for each intentional violation. Such fines may be tripled if the violation involves a consumer who is sixteen years of age or younger. A business may be found to be in violation if it fails to cure any alleged violation within 30 days after being notified in writing by the Department of the alleged noncompliance.
The bill also contains other provisions outlining who is protected under the bill, what is considered personal information, data retention and biometric information rules and procedures for businesses to follow. We will publish additional articles exploring these provisions and expand on the information addressed in this article. In addition, we will explore the importance of Florida enacting a well-balanced privacy law which does not act as an anchor for businesses and appropriately protects the rights of Florida consumers.