July 31, 2021

Volume XI, Number 212

Advertisement

July 30, 2021

Subscribe to Latest Legal News and Analysis

July 29, 2021

Subscribe to Latest Legal News and Analysis

July 28, 2021

Subscribe to Latest Legal News and Analysis

Florida Moves Forward a Revised Consumer Privacy Bill

Will Florida be the next state to enact a comprehensive consumer privacy law? It sure is starting to look like a viable possibility.  With the California Consumer Privacy Act (“CCPA”) in full effect, and the recent enactment of Virginia’s Consumer Data Protection Act (“CDPA”), there has been a flurry of state privacy legislative proposals since the start of 2021, with Florida leading the way.  Backed by Governor Ron DeSantis,   Florida House Bill 969 (HB 969) would create new obligations for covered businesses and greatly expand consumers’ rights concerning their personal information, such as a right to notice about a business’s data collection and selling practices.

Florida’s HB 969 was originally introduced in February (a full overview of the initial bill is available here), and has continued to move swiftly through the legislative process. On April 21, the a slightly revised version of the bill passed the Florida House of Representatives by a 118 – 1 vote, expanding the scope of the private cause of action, changing the effective date and modifying the scope of companies subject to the law.

Here are the key changes made to HB 969 since originally introduced:

Significantly, and similar to the California Consumer Privacy Act (CCPA), HB 969 would establish a private cause of action for consumers affected by a data breach involving certain personal information when reasonable safeguards were not in place to protect that information. More expansive than the CCPA, however, a private cause of action would now also be available to consumers for a company’s failure to comply with deletion, opt-out and correction requests.  Conversely, Virginia’s CDPA lacks a private cause of action in its entirety, and the state’s attorney general has exclusive enforcement authority.

Second, if passed, HB 969 would go into effect on July 1, 2022 – instead of the originally proposed January 1, 2022.  And finally, initially, HB 969 stated that the law would apply to for profit businesses that conduct business in Florida, collect personal information about consumers, and satisfy at least one of the following threshold requirements:

  1. The business has global annual gross revenues over $25 million (adjusted to reflect any increase in the consumer price index); or

  2. The business annually buys, receives for the business’s commercial purposes, sells, or shares for commercial purposes the personal information of at least 50,000 consumers, households, or devices; or

  3. The business derives at least half of its global annual revenues from selling or sharing personal information about consumers.

Instead, HB 969 now stipulates that the law would only apply to for profit businesses that satisfy at least two the above threshold requirements.  In addition, the revised bill increased the annual gross revenues threshold from over $25 million to over $50 million.

Florida seems to be leading the way as the next state  poised to enact a consumer privacy law, but it is not alone.  The International Association of Privacy Professionals (IAPP) has observed, “State-Level momentum for comprehensive privacy bills is at an all-time high.” The IAPP maintains a map of state consumer privacy legislative activity, with in-depth analysis comparing key provisions. There are currently at least 14 states with consumer privacy bills undergoing the legislative process, and several other states where bills were introduced but died in committee or were postponed.  One key state to keep an eye on is Washington. For three consecutive years, the Washington state legislature has introduced versions of the WPA. In 2019, the bill failed in the Assembly. In 2020, the Assembly passed an amended version of the bill, but the two chambers failed to reach a compromise regarding enforcement provisions. Currently in cross committee, the WPA would impose GDPR-like requirements on businesses that collect personal information related to Washington residents. In addition to requirements for notice and consumer rights such as access, deletion, and rectification, the WPA would impose restrictions on use of automatic profiling and facial recognition.

States across the country are contemplating ways to enhance their data privacy and security protections. Organizations, regardless of their location, should be assessing and reviewing their data collection activities, building robust data protection programs, and investing in written information security programs.

Jackson Lewis P.C. © 2021National Law Review, Volume XI, Number 117
Advertisement
Advertisement
Advertisement
Advertisement
Advertisement
Advertisement

About this Author

Principal

Joseph J. Lazzarotti is a principal in the Berkeley Heights, New Jersey, office of Jackson Lewis P.C. He founded and currently co-leads the firm's Privacy, Data and Cybersecurity practice group, edits the firm’s Privacy Blog, and is a Certified Information Privacy Professional (CIPP) with the International Association of Privacy Professionals. Trained as an employee benefits lawyer, focused on compliance, Joe also is a member of the firm’s Employee Benefits practice group.

In short, his practice focuses on the matrix of laws governing the privacy, security, and...

973- 538-6890
Jason C. Gavejian, Employment Attorney, Jackson Lewis, Principal, Restrictive Covenants Lawyer
Principal

Jason C. Gavejian is a Principal in the Morristown, New Jersey, office of Jackson Lewis P.C. and a Certified Information Privacy Professional (CIPP/US) with the International Association of Privacy Professionals.

Mr. Gavejian represents management exclusively in all aspects of employment litigation, including restrictive covenants, class-actions, harassment, retaliation, discrimination and wage and hour claims in both federal and state courts. Additionally, Mr. Gavejian regularly appears before administrative agencies,...

(973) 538-6890
Attorney

Maya Atrakchi is the Knowledge Management (“KM”) Attorney for Jackson Lewis P.C.’s Privacy, e-Communication and Data Security and International Employment Issues Practice Groups, and is based in the New York City, New York, office of Jackson Lewis P.C.

212-545-4000
Advertisement
Advertisement