Florida’s Legislature to Consider Consumer Data Privacy Bill Akin to California’s CCPA
Tuesday, January 14, 2020
Florida Considers CCPA Type Bill
Print Mail Download i

Florida lawmakers have proposed data privacy legislation that, if adopted, would impose significant new obligations on companies offering a website or online service to Florida residents, including allowing consumers to “opt out” of the sale of their personal information. While the bill (SB 1670 and HB 963) does not go as far as did the recent California Consumer Privacy Act, its adoption would mark a significant increase in Florida residents’ privacy rights. Companies that have an online presence in Florida should study the proposed legislation carefully. Our initial take on the proposed legislation appears below.

The proposed legislation requires an “operator” of a website or online service to provide consumers with (i) a “notice” regarding the personal information collected from consumers on the operator’s website or through the service and (ii) an opportunity to “opt out” of the sale of certain of a consumer’s personal information, known as “covered information” in the draft statute.

The “notice” would need to include several items. Most importantly, the operator would have to disclose “the categories of covered information that the operator collects through its website or online service about consumers who use [them] … and the categories of third parties with whom the operator may share such covered information.” The notice would also have to disclose “a description of the process, if applicable, for a consumer who uses or visits the website or online service to review and request changes to any of his or her covered information. . . .” The bill does not otherwise list when this “process” would be “applicable,” and it nowhere else appears to create for consumers any right to review and request changes.

While the draft legislation obligates operators to stop selling data of a consumer who submits a verified request to do so, it does not appear to require a description of those rights in the “notice.” That may just be an oversight in drafting. In any event, the bill is notable as it would be the first Florida law to require an online privacy notice. Further, a “sale” is defined as an exchange of covered information “for monetary consideration,” which is narrower than its CCPA counterpart, and contains exceptions for disclosures to an entity that merely processes information for the operator.

There are also significant questions about which entities would be subject to the proposed law. An “operator” is defined as a person who owns or operates a website or online service for commercial purposes, collects and maintains covered information from Florida residents, and purposefully directs activities toward the state. That “and” is assumed, as the proposed bill does not state whether those three requirements are conjunctive or disjunctive.

Excluded from the definition of “operator” is a financial institution (such as a bank or insurance company) already subject to the Gramm-Leach-Bliley Act, and an entity subject to the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Outside of the definition of “operator,” the proposed legislation appears to further restrict the companies to which it would apply, to eliminate its application to smaller companies based in Florida, described as entities “located in this state,” whose “revenue is derived primarily from a source other than the sale or lease of goods, services, or credit on websites or online services,” and “whose website or online service has fewer than 20,000 unique visitors per year.” Again, that “and” is assumed as the bill does not specify “and” or “or.”

Lastly, the Department of Legal Affairs appears to be vested with authority to enforce the law. The proposed legislation states explicitly that it does not create a private right of action, although it also says that it is in addition to any other remedies provided by law.

The proposed legislation is part of an anticipated wave of privacy legislation under consideration across the country. California’s CCPA took effect in January and imposes significant obligations on covered businesses. Last year, Nevada passed privacy legislation that bears a striking resemblance to the proposed Florida legislation. Other privacy legislation has been proposed in Massachusetts and other jurisdictions.

©2011-2024 Carlton Fields, P.A.

Current Legal Analysis

More from Carlton Fields

Construction Contractors Take Note: OFCCP’s Industry-Focused Technical Assistance Guide (TAG) May Prove Helpful in Preparing for Anticipated “Compliance Check” Reviews
by: Rae T. Vann
Suitability Model Crosses the Finish Line
by: Ann Young Black , Jamie Bigayer
Massachusetts High Court Upholds Consent-to-Settle Provision, Protecting Insurer Who Did Not Have the “Final Say"
by: Kelley C. Godfrey
Big Changes for Small Business Bankruptcies
by: David L. Gay , Yolanda P. Strader
You've Been Served: The Legal Effects of Games as a Service
by: Steven Blickensderfer , Nicholas A. Brown
Canna We Talk Cannabis? Cybersecurity Risks Bring Growing Pains to Cannabis Businesses [PODCAST]
by: Kevin McCoy , Joseph W. Swanson
NAIC Life Insurance and Annuities (A) Committee Ends 2019 With a Big Bang
by: Ann Young Black , Jamie Bigayer
Round and Round – Will 2020 Bring the End to Inconsistent Anti-Rebating Prohibitions?
by: Ann Young Black , Jamie Bigayer
Innovation and Technology at the NAIC 2019 Fall Meeting
by: Ann Young Black , Jamie Bigayer
Life Insurance That Benefits the Living
by: Ann Young Black , Megan K. Dhillon

Upcoming Legal Education Events

 

NLR Logo

We collaborate with the world's leading lawyers to deliver news tailored for you. Sign Up to receive our free e-Newsbulletins

 

Sign Up for e-NewsBulletins