January 25, 2021

Volume XI, Number 25


January 22, 2021

Subscribe to Latest Legal News and Analysis

Florida’s Legislature to Consider Consumer Data Privacy Bill Akin to California’s CCPA

Florida lawmakers have proposed data privacy legislation that, if adopted, would impose significant new obligations on companies offering a website or online service to Florida residents, including allowing consumers to “opt out” of the sale of their personal information. While the bill (SB 1670 and HB 963) does not go as far as did the recent California Consumer Privacy Act, its adoption would mark a significant increase in Florida residents’ privacy rights. Companies that have an online presence in Florida should study the proposed legislation carefully. Our initial take on the proposed legislation appears below.

The proposed legislation requires an “operator” of a website or online service to provide consumers with (i) a “notice” regarding the personal information collected from consumers on the operator’s website or through the service and (ii) an opportunity to “opt out” of the sale of certain of a consumer’s personal information, known as “covered information” in the draft statute.

The “notice” would need to include several items. Most importantly, the operator would have to disclose “the categories of covered information that the operator collects through its website or online service about consumers who use [them] … and the categories of third parties with whom the operator may share such covered information.” The notice would also have to disclose “a description of the process, if applicable, for a consumer who uses or visits the website or online service to review and request changes to any of his or her covered information. . . .” The bill does not otherwise list when this “process” would be “applicable,” and it nowhere else appears to create for consumers any right to review and request changes.

While the draft legislation obligates operators to stop selling data of a consumer who submits a verified request to do so, it does not appear to require a description of those rights in the “notice.” That may just be an oversight in drafting. In any event, the bill is notable as it would be the first Florida law to require an online privacy notice. Further, a “sale” is defined as an exchange of covered information “for monetary consideration,” which is narrower than its CCPA counterpart, and contains exceptions for disclosures to an entity that merely processes information for the operator.

There are also significant questions about which entities would be subject to the proposed law. An “operator” is defined as a person who owns or operates a website or online service for commercial purposes, collects and maintains covered information from Florida residents, and purposefully directs activities toward the state. That “and” is assumed, as the proposed bill does not state whether those three requirements are conjunctive or disjunctive.

Excluded from the definition of “operator” is a financial institution (such as a bank or insurance company) already subject to the Gramm-Leach-Bliley Act, and an entity subject to the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Outside of the definition of “operator,” the proposed legislation appears to further restrict the companies to which it would apply, to eliminate its application to smaller companies based in Florida, described as entities “located in this state,” whose “revenue is derived primarily from a source other than the sale or lease of goods, services, or credit on websites or online services,” and “whose website or online service has fewer than 20,000 unique visitors per year.” Again, that “and” is assumed as the bill does not specify “and” or “or.”

Lastly, the Department of Legal Affairs appears to be vested with authority to enforce the law. The proposed legislation states explicitly that it does not create a private right of action, although it also says that it is in addition to any other remedies provided by law.

The proposed legislation is part of an anticipated wave of privacy legislation under consideration across the country. California’s CCPA took effect in January and imposes significant obligations on covered businesses. Last year, Nevada passed privacy legislation that bears a striking resemblance to the proposed Florida legislation. Other privacy legislation has been proposed in Massachusetts and other jurisdictions.

©2011-2020 Carlton Fields, P.A. National Law Review, Volume X, Number 14



About this Author

Jack Clabby Attorney Carlton Fields Law Firm Tampa FL

Jack Clabby’s practices focus on corporate governance, fraud, and shareholder litigation, including the defense of securities fraud class actions and derivative lawsuits. A former Assistant U.S. Attorney, he also represents companies and special litigation committees in connection with internal corporate investigations. 

As a former cyber prosecutor, Jack also advises corporate boards and management on legal issues regarding cybersecurity and represents companies in litigation, including class actions, concerning breaches and data loss incidents. Jack serves as a...

Joseph Swanson Cybersecurity Privacy Attorney

Joe Swanson is a former federal prosecutor who advises clients on a variety of issues related to cybersecurity and privacy. He has investigated and responded to data breaches and similar cyber incidents, and he has defended clients in litigation stemming from those incidents. In addition, Joe advises on best practices for interacting with law enforcement, regulators, and other constituencies in the event of a cyber incident. Joe also assists clients with drafting incident response guides and related cyber policies and procedures, as well as complying with privacy laws and regulations, such...

Steven Blickensderfer, Litigation Attorney, Carlton Fields Law Firm

Steven Blickensderfer handles a wide variety of civil litigation matters in federal and state court for clients across a number of industries. He is experienced in all phases of litigation, including case analysis and strategy, written and electronic discovery, depositions, expert witness preparation, motion practice, alternative dispute resolution, trials, and appeals. He has participated in a number of trials, including a two-week federal jury trial involving First Amendment issues that attracted national media attention, and has argued in several appellate courts,...

Patricia M. Carreiro Miami Cybersecurity and Privacy, Litigation and Trials, Property & Casualty Insurance, Health Care

Trish Carreiro is a cybersecurity and data privacy litigator who advises clients on data breach prevention and response. As a certified information privacy professional (CIPP/US), she is accredited by the International Association of Privacy Professionals and experienced in high-stakes cybersecurity litigation. She has also handled complex commercial litigation involving financial instruments, contracts, insurance disputes, and antitrust law.

Trish is a frequent speaker and author on cybersecurity, privacy, and insurance issues. Her insights have been featured in publications...