Shortly after Senator Bradley introduced Florida SB 1864, Representative Fiona McFarland (R-Dist. 72) introduced its House counterpart, Florida House Bill 9, on January 12, 2022. While SB 1864 stalled in the Senate, Florida HB 9 passed the House on March 2 and was sent to the Senate on that date, where it has not advanced since. Given that the legislative session ends this Friday, March 11, and given the lack of obvious movement in the Senate, some have speculated recently that HB 9 may not make it to the finish line in time, raising the prospect of a special session later this year. Notably, Florida Governor DeSantis has previously voiced his support of a comprehensive privacy bill, leading some to believe that Florida might finally pass a comprehensive privacy bill after almost passing one last year. However, Gov. DeSantis did not specifically voice support for HB 9, and the presence of a private right of action in the bill, much like the one that failed last year, may be a sticking point. Nonetheless, because legislation can advance quickly, many remain on the edge of their seats waiting for the March 11 legislative deadline to pass.
Florida HB 9 has some important differences as compared to Florida HB 969, the bill considered last year (which was also introduced by Representative McFarland) that failed over a disagreement on inclusion of a broad private right of action. These differences include that Florida HB 9 has a more limited private right of action, applicable only to companies meeting certain revenue thresholds that have committed specifically enumerated violations. Additionally, among other things, HB 9 requires annual reports from the Attorney General to the Legislature and provides changes to data retention rules. Below, we analyze HB 9, which is certainly inspired by other omnibus privacy laws and notably includes a number of concepts that closely mirror the CCPA. That said, like other privacy laws on the books and introduced by various state legislatures, there are material differences that may make it difficult to apply a single, least common denominator approach across different jurisdictions. If HB 9 passes, it would become effective on January 1, 2023, providing companies a short runway for coming into compliance.
I. Definitions.
Florida HB 9 defines “personal information” broadly to include “information that is linked or reasonably linkable to an identified or identifiable consumer or household, including biometric information, genetic information, and unique identifiers to the consumer.” Section 501.173(2)(l). Personal information specifically does not include:
- Consumer employment contact information;
- Deidentified or aggregate consumer information; or
- Publicly and lawfully available information reasonably believed to be made available to the general public.
Under Section 501.173(2)(b), “‘biometric information’ means an individual’s physiological, biological, or behavioral characteristics that can be used, singly or in combination with each other or with other identifying data, to establish individual identity. The term includes, but is not limited to, imagery of the iris, retina, fingerprint, face, hand, palm, vein patterns, and voice recordings, from which an identifier template, such as a faceprint, a minutiae template, or a voiceprint, can be extracted, and keystrokes patterns or rhythms, gait patterns or rhythms, and sleep, health, or exercise data containing identifying information.”
Florida HB 9 uses other familiar terms such as “controller,” “processor,” and defines “sell” in a similar manner as the CCPA.
II. Scope.
Most of the key terms between Florida HB 9 and Florida SB 1864 are similar. A significant difference, however, is the threshold for determining whether the proposed law applies to a particular business. Florida HB 9 defines a controller as a for-profit business that does business in Florida, collects personal information about consumers, determines the purposes and means of processing personal information, and meets at least two of the following criteria:
- Global annual gross revenue of more than $50 million;
- Buys, receives, sells, or shares personal information of 50,000 or more consumers, households, and devices for targeted advertising in conjunction with third parties; or
- Derives 50% or more of its global annual revenues from selling or sharing personal information.
Thus, smaller companies may prefer Florida HB 9 since it does not apply to companies earning less than $50 million globally per year unless they engage in significant targeted advertising and earn the majority of their global revenue from selling or sharing personal information.
III. Exceptions.
Section 501.173(1) of Florida HB 9 outlines 27 categories of companies or information to which the bill would not apply, including:
- Personal information collected and transmitted that is necessary for the sole purpose of sharing such personal information with a financial service provider to facilitate short term, transactional payment processing for the purchase of products or services;
- Personal information collected, used, retained, sold, shared, or disclosed as de-identified personal information or aggregate consumer information;
- Cooperation with law enforcement agencies concerning conduct or activity that the controller, processor, or third party reasonably and in good faith believes may violate federal, state, or local law;
- Personal information collected through the controller’s direct interactions with the consumer, that is used by the controller or processor that the controller directly contracts with for advertising or marketing services to advertise or market products or services that are produced or offered directly by the controller;
- Personal information of a person acting in the role of a job applicant or employee of a controller, that is collected by a controller, to the extent the personal information is collected and used solely within the context of the person’s role or former role with the controller;
- Protected health information for purposes of the federal Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and related regulations, and patient identifying information for purposes of 42 C.F.R. part 2, established pursuant to 42 U.S.C. § 290dd-2;
- A covered entity or business associate governed by the privacy, security, and breach notification rules in 45 C.F.R parts 160 and 164, as long as the personal information is not used for targeted advertising, sold, or shared;
- Information that is de-identified in accordance with 45 C.F.R. § 164 and derived from individually identifiable health information as described in HIPAA;
- Information used only for public health activities and purposes as described in 45 C.F.R. § 164.512;
- Personal information collected, processed, sold, or disclosed pursuant to the federal Fair Credit Reporting Act, Driver’s Privacy Protection Act of 1994, Gramm-Leach-Bliley Act (“GLBA”), and Family Educational Rights and Privacy Act;
- A financial institution as defined in the GLBA to the extent the financial institution maintains personal information in the same manner as nonpublic information and does not use it for targeted advertising or sell or share it;
- Personal information disclosed for the purpose of responding to an alert of a present risk of harm to a person or property, detecting security incidents, protecting against malicious, deceptive, fraudulent, or illegal activity, or prosecuting those responsible for that activity; and
- An identifier used for a consumer who has opted out for the sale or sharing of the consumer’s personal information for the sole purpose of alerting processors and third parties that the consumer has opted out of the sale or sharing of the consumer’s personal information.
IV. Obligations.
Florida HB 9 creates many of the same obligations on controllers and processors that are included in other comprehensive privacy laws. These include:
- Maintaining an online privacy policy;
- Providing notice at the point of collection;
- Limiting the collection and use of personal information for only those purposes disclosed to consumers;
- Requiring reasonable security procedures and practices;
- Implementing a retention schedule, subject to certain exemptions, that prohibits the use or retention of personal information (1) after the satisfaction of the initial purpose for which such information was collected or obtained, (2) after the expiration of the contract pursuant to which the information was collected or obtained, or (3) three years after the consumer’s last interaction with the controller; and
- Responding to a consumer’s request to exercise his/her rights.
The retention schedule requirement may create challenges for companies that have not previously needed to track their last interactions with consumers. Florida HB 9’s private right of action, fortunately, does not apply to this retention requirement. In a further nod to the CCPA, controllers “may charge a consumer who exercised any of the consumer’s rights . . . a different price or rate, or provide a different level or quality of goods or services to the consumer, only if that difference is reasonably related to the value provided to the controller by the consumer’s data or is related to a consumer’s voluntary participation in a financial incentive program.” Section 501.173(8)(a). Controllers may also offer financial incentives to consumers “if the consumer gives the controller prior consent that clearly describes the material terms of the financial incentive program.” Section 501.173(8)(b). There are also specific contractual requirements mandated by HB 9, similar to what we have seen in some of the other comprehensive privacy bills.
V. Consumer Rights.
Under Florida HB 9, consumers have a right to request that a controller disclose the following information: (1) the consumer’s personal information that the controller has collected; (2) the sources from which the consumer’s personal information was collected; (3) the specific pieces of personal information about the consumer that have been sold or shared; (4) the third parties to which the personal information about the consumer was sold or shared; and (5) the categories of personal information about the consumer that were disclosed to a processor. Controllers must act on these requests, free of charge, within 45 days, although a 45-day extension is available after informing the consumer. Controllers are not required to provide personal information to a consumer more than twice in a 12-month period.
Consumers also have the right to request that a controller delete their personal information. After receiving a verifiable consumer request to delete the consumer’s personal information, a controller would have 90 days to comply with the request, with ten delineated exceptions. Controllers do not have to comply with consumer deletion requests if it is reasonably necessary for the controller or processor to maintain the consumer’s personal information to do any of the following:
- Complete the transaction for which the personal information was collected;
- Fulfill the terms of a written warranty or product recall;
- Provide a good or service requested by the consumer, or reasonably anticipated to be requested within the context of a controller’s ongoing business relationship with the consumer, or otherwise perform a contract between the controller and the consumer;
- Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity or access; or prosecute those responsible for that activity or access;
- Debug to identify and repair errors that impair existing intended functionality;
- Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws when the controller’s deletion of the information is likely to render impossible or seriously impair the achievement of such research, if the consumer has provided informed consent;
- Enable solely internal uses that are reasonably aligned with the expectations of the consumer based on the consumer’s relationship with the controller or that are compatible with the context in which the consumer provided the information;
- Comply with a legal obligation, including any state or federal retention laws;
- Reasonably protect the controller’s interests against existing disputes, legal action, or governmental investigations; and
- Assure the physical security of persons or property.
Florida HB 9 also contains a right to correct inaccurate personal information and requires controllers to use commercially reasonable efforts to correct personal information, and to direct processors to do the same, within 90 days of receiving a verifiable consumer request. The bill is not clear on what a controller is supposed to do in the event it thinks that the information provided by the consumer is inaccurate. Nine of the ten right-to-delete exceptions apply to the right to correct. Controllers cannot rely on the peer-reviewed scientific research exception to deny a right to correct.
Finally, Florida HB 9 includes a right to opt out of the sale or sharing of personal information and requires an opt-in for personal information relating to minors. A controller that receives an opt-out is prohibited from selling or sharing the consumer’s personal information beginning 4 calendar days after receipt of the opt-out. If the bill passes, companies will be required to add another link to their homepages, this time entitled “Do Not Sell or Share My Personal Information.” Controllers may also accept opt-outs through global privacy controls. Once a consumer opts out, a controller must wait 12 months before requesting that the consumer authorize the sale or sharing of the consumer’s personal information.
VI. Enforcement.
Florida HB 9 grants the Florida Department of Legal Affairs (the “Department”) enforcement authority by making violations of the bill an automatic violation of the Florida Deceptive and Unfair Trade Practices Act (“FDUTPA”) for purposes of regulatory enforcement. FDUTPA provides for civil penalties of up to $10,000 per violation of the act (and up to $15,000 in certain situations). These penalties may be tripled if the violation:
- Involves a consumer who the controller, processor, or person has actual knowledge is 18 years of age or younger without the required parental consent;
- Involves the controller, processor, or third party’s failure to delete or correct a consumer’s personal information after receiving a verifiable consumer request or directions to delete or correct from a controller;
- Involves the controller, processor, or third party continuing to sell or share the consumer’s personal information after the consumer opts out; or
- Involves the selling or sharing of personal information of a consumer 18 years of age or younger without obtaining the required consent.
After being notified of the violation, the Department has discretion to grant the controller or processor a 45-day period to cure the violation. This cure period, however, does not apply if the controller, processor, or third party failed to delete or correct a consumer’s personal information after receiving a verifiable consumer request or directions to delete or correct from the controller. The Department may only bring actions on behalf of a Florida consumer. The Department is also obligated to report to the President of the Senate and Speaker of the House with the number of complaints received each year and their dispositions.
VII. Private Right of Action.
Unlike its Senate equivalent, Florida HB 9 contains a private right of action for some consumers. Florida HB 9’s private right of action would allow consumers to sue companies for $100-$750 per person, per incident, or actual damages, where the company:
- Fails to delete or correct the consumer’s personal information after receiving a verifiable consumer request;
- In the case of a processor, fails to delete or correct a consumer’s personal information after having been directed by a controller to do so;
- Continues to sell or share personal information after the consumer has opted out; or
- Sells or shares personal information of a consumer under the age of 18 without obtaining the required parental consent.
Florida HB 9 also permits a consumer to seek declaratory or injunctive relief for violations. The bill does not create a private right of action for data breaches; such a right of action is prohibited by Florida’s current data breach law, Section 501.171(10).
Importantly, HB 9 places some restraints on Florida consumers bringing a civil action. According to Section 501.173(10)(a)(1), a private civil action against companies with global annual gross revenues of less than $50 million is barred. Controllers, processors, or third parties with global annual gross revenues between $50 million and $500 million are subject to private claims, but the prevailing Florida consumer may not be awarded attorney fees or costs. If the controller, processor, or third party has global annual gross revenues of more than $500 million, the prevailing consumer shall recover reasonable attorney fees and costs. A prevailing defendant, however, may only recover attorney fees “if the court finds that there was a complete absence of a justiciable issue of either law or fact raised by the consumer or if the court finds bad faith on the part of the consumer, including if the consumer is not a Florida consumer.” Section 501.173(10)(d). Accordingly, if passed, Florida HB 9 would be the first comprehensive U.S. privacy law that creates a private right of action for violation of the privacy provisions of the law. For example, California’s private right of action is limited to data breaches of sensitive personal information. Florida HB 9’s proposed private right of action will incentivize lawsuits from professional plaintiffs who will make mass deletion, correction, or opt-out requests in the hopes of catching companies off guard and unable to respond within the time provided by the law. The consumer will receive between $100 and $750 per alleged violation or actual damages, while the consumer’s lawyer will be able to recoup their fees and costs only in certain situations.
As written, the current private right of action does not contain a cure provision. That is, companies are not given the ability to fix whatever violation is alleged before having to defend against a lawsuit.
VIII. Next Steps.
Florida HB 9 is currently in the Senate, having passed the House 103 to 8. After passing through the various committees, it must also pass on the floor of the Senate. All of these next steps must come to a conclusion by March 11, 2022, when the Florida legislative session comes to an end, unless the governor calls for a special session.
For more information, please reach out to the authors.