Following California and Virginia’s sweeping consumer and data privacy bills, Florida is the next state to consider comprehensive data privacy legislation in the form of House Bill 969, which was introduced in February. The measure is similar in many ways to the California Consumer Privacy Act (“CCPA”), the California Privacy Rights Act (“CPRA”) and the Virginia Consumer Data Protection Act (“VCDPA”): it imposes a number of new requirements and obligations on covered entities related to their processing and sharing of consumers’ personal information. Similar to the California and Virginia laws, the Florida bill would apply to most for-profit entities that do business in Florida and have annual global revenue of over $25 million. It would also apply to entities that either buy, sell, receive or share the personal information of over 50,000 Florida residents, households or devices annually, or that derive at least half of their global annual revenues from selling or sharing information about Florida residents.
The Florida bill includes a private right of action for consumers in the event that a data breach occurs that involves consumers’ nonencrypted and nonredacted personal information, a term that is defined very broadly (“information that identifies, relates to, or describes a particular consumer or household, or is reasonably capable of being directly or indirectly associated or linked with, a particular consumer or household”). A consumer who is affected could file suit against a covered entity under this provision, either for damages – the bill provides for the greater of up to $750 per consumer per incident or actual damages – or injunctive or declaratory relief. This is a significant change from current Florida law. While Florida does have a data breach notification statute, that law does not include a private right of action. If enacted, the new bill is likely to lead to a new wave of class action consumer privacy litigation, similar to what we have seen under the CCPA or Illinois’ Biometric Information Privacy Act (“BIPA”), following data breaches.
Glenn Brown and Christina Lamoureux have a more comprehensive review and analysis of the Florida bill available here – it is a must read for a look at potentially the next major state privacy legislation.