March 02, 2021
Florida’s proposed “Consumer Data Privacy” Bill gives California a run for its money, and if passed, goes into effect on January 1, 2022.
For years, companies not impacted by the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) have been sitting pretty, but the times are changing. With Florida’s proposed legislation HB969 Consumer Data Privacy already green-lighted by Governor DeSantis, it’s got a much better chance of passing than previously rejected incarnations. Time will tell whether the bill passes as currently drafted, or is amended or scrapped altogether, but below are the highlights of the proposed legislation, who needs to worry about it, and what you should be doing now to prepare.
Greatest Hits of HB969
- Requires certain businesses to provide notice to consumers about data collection & selling practices
- Provides consumers the right to request that certain data be disclosed, deleted, or corrected & to opt-in or opt-out of the sale or sharing of such data
- Provides nondiscrimination measures to protect consumers to request deletion/opt-out
- Provides methods for requesting data & opting-in or opting-out of sale or sharing of such data
- Guidance and requirements for contracts
- Allows for a private cause of action related to a data breach
Will this apply to my business?
As currently drafted, the legislation applies to any for-profit entities doing business in Florida that collect or otherwise control consumer personal information that meet any one of the following criteria:
- Has more than $25million in annual gross revenue;
- Annually buys, receives for the business’s commercial purposes, sells, or shares for commercial purposes, the personal information of 50,000 or more Florida consumers, households, or devices; or
- Derives 50% or more of its global annual revenues from selling or sharing personal information about consumers.
Also, if your business is under the common control and branding of an entity that meets any of the above criteria, HB969 would apply to you, too.
All together, Class…
There is no time like the present to begin implementing processes and procedures that will keep you compliant with whatever privacy legislation gets implemented in your state.
This is particularly true in the case of Florida’s proposed bill, which would give consumers a private right of action, individually and as a class action, against data breaches, a relatively unique feature among state privacy laws. You can just picture the “Data Breach? Call ###-####” billboards lining the highways now…
What Do I Do Now???
- If you aren’t sure if this legislation would apply to you, consult with your legal counsel ASAP to determine whether your business meets any of the proposed criteria.
- Review your data collection, storage, and transfer procedures with your IT professional so that you have a full understanding of what personal information you collect and process, how it’s used, and how it’s stored and destroyed.
- Review with your legal counsel any privacy-related documents and policies to identify where amendments may be needed and where new procedures and policies need to be implemented.
- If you have already been complying with CCPA and/or GDPR, you’re most of the way there, but it’s important to point out that HB969 incorporates some language from the California Consumer Public Records Act (CPRA), which expands the scope of CCPA so there may still be some updating needed to conform with both the CPRA (which begins going into effect July 1, 2022) and, if passed, HB969.
- Review your vendor and third-party agreements to ensure that adequate information security measures, indemnification, and insurance measures are in place to protect your business. Your legal counsel can assist with any addendums needed to bring those contracts into compliance and also revise your standard documents for future contracts.
This blog was written by Hunter Business Law Attorney Haley Lemon.
DISCLAIMER: This blog is for educational purposes only and does not offer nor substitute legal advice. Additionally, this blog does not establish an attorney-client relationship and is not for advertising or solicitation purposes. Any of the content contained herein shall not be used to make any decision without first consulting an attorney. The hiring of an attorney is an important decision not to be based on advertisements or blogs. Hunter Business Law expressly disclaims any and all liability in regard to any actions, or lack thereof, based on any contents of this blog.