Florida’s Comprehensive Privacy Bill Falls Short . . . For Now

Florida just fell short of passing a comprehensive privacy law, but more regulations could still be on the horizon. Florida would have been the third state in the nation to adopt a comprehensive privacy law, following California and Virginia. Bills from both the Florida House and Senate aimed to require businesses to disclose how they collect and use personal information and to grant consumers certain rights to their information. But the competing bills died this year as the legislative session ended, largely because lawmakers could not agree on how the law should be enforced.

The Florida House bill set up consumer rights, business responsibilities and a private cause of action.

The Florida House of Representatives championed the Florida Privacy Law with House Bill 969, which would have changed Florida’s Information Protection Act. The bill granted consumers, among other things, the right to ask businesses to delete or correct their personal information and the right to opt out of the sale or sharing of this information to third parties. Businesses would have also had to implement and maintain reasonable security procedures to protect personal information.

If a regulated business failed to protect a consumer’s personal information, failed to delete or correct it after being asked to do so, or kept selling or sharing it after the consumer opted out, then the consumer would have had a private cause of action against the business. The civil action could have resulted in damages and injunctive or declaratory relief, and likely would have led to more consumer privacy litigation. The Florida Department of Legal Affairs could also have brought suit.

The Florida Senate bill took the private cause of action off the table.

Florida’s Senate Bill 1734, the Florida Privacy Protection Act, contained similar protections for consumers, with the notable distinction that consumers were not granted a private cause of action.

When the Senate received Bill 969, which the House passed by a vote of 118 to 1, the Senate removed the private cause of action. Florida businesses strongly approved this removal based on concerns of increased consumer litigation, which has been seen in California and Virginia since they passed their own privacy laws. The amended Senate bill went back to the House on the last day of the legislative session, but the House would not even consider it. So, the bill died for this year.

What happens next, and how can businesses prepare?

The privacy debate is not over—it will likely continue in Florida’s 2022 legislative session. Legislators have shown an unmistakable interest in passing more privacy regulations that will impact businesses. To prepare, businesses should make sure they comply with Florida’s current privacy law and position themselves to adapt to more comprehensive and stringent privacy laws in the future.

While the current law is mainly a data breach response law, it still requires a business that handles personal information to “take reasonable measures to protect and secure data in electronic form” and to “take all reasonable measures to dispose . . . of customer records containing personal information . . . when the records are no longer to be retained.” The law also suggests that businesses consider having a data breach response plan in case a security incident occurs.

Businesses should conduct an information inventory to meet these requirements. An information inventory detects:

• The personal information a company collects
• Why and how the company handles that data
• With whom the company shares that data
• How that data is stored and deleted
• What security measures are employed throughout that data’s life cycle

An information inventory helps businesses identify and respond to their vulnerabilities and more easily adapt to changing legal requirements linked to the personal information they handle.

The framework for a comprehensive Florida privacy bill exists, and many expect it will pass next year in some form. This will place major obligations on businesses who collect, store and manage data. For now, Florida businesses should evaluate their current information protocols and be prepared for more demanding requirements in the coming years.

Please contact Michael Hooker, Jason Pill or any member of Phelps’ Cybersecurity, Privacy and Data Protection team if you have questions or need compliance advice and guidance.