The Florida state legislature is considering a sweeping data privacy bill introduced by Governor Ron DeSantis in February.  House Bill 969 is the latest state provision to follow in the footsteps of the California Consumer Privacy Act (“CCPA”), the California Privacy Rights Act and the Virginia Consumer Data Protection Act, in giving consumers greater control over how their personal information is used while imposing greater restrictions on companies’ use of that data.

Similar to the California and Virginia laws, the Florida bill would apply to most for-profit entities that do business in Florida and have annual global revenue of over $25 million.  It would also apply to entities that either buy, sell, receive or share the personal information of over 50,000 Florida residents, households or devices annually, or that derive at least half of their global annual revenues from selling or sharing information about Florida residents.  The bill imposes a number of requirements on covered entities relating to consumers’ personal information – for example, entities must maintain an online privacy policy and update it annually, provide notice at the point of collection, and respond to consumers’ requests for copies of their personal information, or to correct such information or delete it under certain circumstances.  Covered entities also must provide consumers with the right to opt out of sharing personal information (and not discriminate against those who choose to do so).

The Florida bill includes a private right of action for consumers in the event that a data breach occurs that involves consumers’ nonencrypted and nonredacted personal information, a term that is defined very broadly (“information that identifies, relates to, or describes a particular consumer or household, or is reasonably capable of being directly or indirectly associated or linked with, a particular consumer or household”).  A consumer who is affected can bring suit against a covered entity under this provision, either for damages – the bill provides for the greater of up to $750 per consumer per incident or actual damages – or injunctive or declaratory relief.  This is a significant change from current Florida law.  While Florida does have a data breach notification statute, that law does not include a private right of action.  If enacted, the new bill is likely to lead to a new wave of class action consumer privacy litigation, similar to what we have seen under the CCPA or Illinois’ Biometric Information Privacy Act (“BIPA”), following data breaches. The law would otherwise be enforceable solely by Florida’s attorney general.

If passed, House Bill 969 would take effect on January 1, 2022. The House bill will be assigned to committees for consideration, and must pass each committee and the full House to become law.  The bill must also pass in the Senate to be sent to Governor DeSantis for approval, and there is currently no companion bill in the Florida Senate.  We’ll keep an eye on how this develops for you.