Recently, Florida Governor Ron DeSantis signed Senate Bill 262 and Senate Bill 264 into law. These new laws grant Floridians greater control over their personal data and establish a new standard for data handling and protection. Senate Bills 262 and 264 take effect on July 1, 2023.

Senate Bill 262: Florida’s Digital Bill of Rights

As we previously discussed here, Senate Bill 262, entitled the Technology Transparency Bill, has been dubbed Florida’s “Digital Bill of Rights”. This new law imposes restrictions on for-profit companies doing business in Florida that collect “sensitive data” regarding Florida residents, including personal data revealing an individual’s race, ethnicity, religious beliefs, mental or physical health diagnosis, sexual orientation, citizenship or immigration status; genetic or biometric data processed for the purpose of uniquely identifying an individual; personal data from a known child; and precise geolocation data. Effective July 1, 2023, the State of Florida prohibits companies from: (i) selling “sensitive data” without receiving prior consent from the consumer or (ii) processing “sensitive data” of children under the age of eighteen (18) without authorization under the Children’s Online Privacy Protection Act. As a matter of public policy, the new law voids any contractual waivers or limitations on these consumer rights. Companies selling “sensitive data” must also post a statement on their website stating: “NOTICE: This website may sell your sensitive personal data.” Notably, Protected Health Information (“PHI”), health records, data collected for clinical research, and de-identified data are expressly exempted from these new restrictions.

Although Florida’s Digital Bill of Rights strengthens individuals’ control over their personal data, it imposes more stringent requirements on certain businesses: (i) “Controllers”; (ii) “Processors” of any size; and (iii) “Affiliates” of Controllers and Processors.

I. Controllers

For the purposes of Florida’s Digital Bill of Rights, a “Controller” means: a sole proprietorship, partnership, limited liability company, corporation, association, or legal entity that meets the following requirements:

1. is organized or operated for the profit or financial benefit of its shareholders or owners;

2. conducts business in this state;

3. collects personal data about consumers, or is the entity on behalf of which such information is collected;

4. determines the purposes and means of processing personal data about consumers alone or jointly with others;

5. makes in excess of $1 billion in global gross annual revenues; and,

6. satisfies at least one of the following: (i) derives 50 percent or more of its global gross annual revenues from the sale of advertisements online, including providing targeted advertising or the sale of ads online; (ii) operates a consumer smart speaker and voice command component service with an integrated virtual assistant connected to a cloud computing service that uses hands-free verbal activation; or (iii) operates an app store or a digital distribution platform that offers at least 250,000 different software applications for consumers to download and install.

Under the new law, Controllers are limited on personal data collection to what is reasonably necessary to the purpose of processing and the implementation of “reasonable administrative, technical, and physical data security practices.” Controllers also are prohibited from using or retaining data “after the satisfaction of the initial purpose for which the data was collected, after the expiration of the party’s contract, or 2 years after the expiration of the party’s contract, or 2 years after the consumer’s last interaction with the controller or processor.”  Controllers are required to comply with certain consumer requests relating to deleting personal data, correcting inaccuracies in personal data, and allowing a consumer to opt-out of targeted advertising, precise geolocation collection, and voice or facial recognition. A Controller must respond to an authenticated consumer’s request for personal data within 45 days; however, a 15-day extension may be granted for more complex circumstances. If a consumer request is unfounded, excessive, or repetitive, a Controller may charge a reasonable fee to cover the administrative costs of complying with the request or may decline to act on the request. The new law also creates an appeals process for the consumer to appeal a denial of his or her request of a Controller.

Controllers must establish two or more clear and conspicuous methods that enable consumers to submit such personal data requests. Additionally, Controllers must provide a reasonably accessible privacy notice to consumers that is updated on an annual basis. Certain separate requirements are enumerated with regard to controllers in possession of de-identified data, pseudonymous data, or aggregate consumer information, such as taking reasonable measure to ensure data cannot be associated with an individual and not attempting to re-identify data.

II. Processors

“Processors” under the Florida Digital Bill of Rights law are those persons who process personal data on behalf of a Controller. Processors must follow instructions given by the Controller and assist the Controller in responding to consumer requests. Controller’s contracts with Processors must govern the Processor’s data processing procedures.

Both Controllers and Processors are prohibited from collecting data when devices are not in active use by a consumer, unless expressly authorized by the consumer.

III. Enforcement

Violations of the Florida Digital Bill of Rights Law constitute unfair and deceptive trade practices. Violations may result in civil monetary penalties of up to $50,000 per violation, which may be tripled in certain cases such as violations involving a child’s personal data. However, note that third parties receiving personal data from a Controller or Processor in compliance with the new law may not be held liable for violations committed by the Controller or Processor from which the third party received such personal data.

Senate Bill 264: Electronic Health Record Offsite Restrictions

Senate Bill 264 amends Florida’s Electronic Health Records Exchange Act and prohibits offshoring of certain patient information. Specifically, the new law requires licensed Florida health care providers utilizing certified electronic health record technology (“CEHRT”) to ensure that all patient information stored offsite, either in a physical or virtual environment, is physically maintained within the continental U.S., its territories, or Canada. This requirement applies to patient information stored through third parties, subcontracted computing facilities, and cloud computing services, and applies to all “qualified electronic health records”. A “qualified electronic health record” is defined as an electronic record of health-related information concerning an individual which includes patient demographic and clinical health information, such as medical history and problem lists, and which has the capacity to provide clinical decision support, to support physician order entry, to capture and query information relevant to health care quality, and to exchange electronic health information with, and integrate such information from, other sources. As such, while the new law only applies to providers using CEHRT, it is unclear whether the offshoring prohibition could be interpreted to apply to a broader set of health data beyond what is stored in CEHRT. 

The new law, as drafted, contains other ambiguities and raises questions about scope of application.  In particular, it appears the law would not apply to providers who have not yet adopted CEHRT, such as pharmacies, long-term acute care providers, home health and hospice providers, and mental and substance abuse health providers. Further, language in the new law applying the offshoring prohibition to “all qualified electronic health records that are stored using any technology that can allow information to be electronically retrieved, accessed, or transmitted” raises questions about whether and to what extent personnel operating offshore (e.g., remote employees, subcontractors, or even U.S.-based employees traveling abroad) may access such records from offshore locations.

Conclusion

By taking proactive steps to protect individual privacy, the State of Florida has demonstrated its commitment to upholding the privacy of its residents’ data and promoting responsible data practices; however, businesses operating in Florida must take notice of these new laws and adopt measures to ensure compliance.