The Florida House of Representatives introduced a new consumer data privacy bill, HB 969, that would take effect in 2022. If passed, HB 969 would amend parts of the Florida Information Protection Act (FIPA) under 501.171 and create a new data privacy section under 501.173.
Privacy policy requirement
HB 969 requires “a business that collects personal information about consumers” to maintain an online privacy policy. The definition of business in the bill targets large companies and data brokers. The privacy policy must be available on a business website, and the business must update the information every 12 months. The policy must include the following information:
- Privacy rights – Any Florida-specific consumer privacy rights.
- Categories of personal information collected – A list of the categories of personal information the business collects or has collected about consumers.
- Categories of personal information sold or shared – A list that identifies which categories of personal information the business sells or shares or has sold or shared about consumers. If the business does not sell or share personal information, the business shall disclose that fact.
- Categories of personal information disclosed – A list that identifies which categories of personal information the business discloses, shares, or does not disclose or share about consumers for a business purpose.
- Right to opt-out – The right to opt out of the selling or sharing to third parties and the ability to request deletion or correction of certain personal information. This would also require a business to disclose the use of information to consumers and follow a data retention schedule.
Right to request collected data
If enacted, HB 969 gives consumers the right to request a copy of personal data that a business collects. The Florida bill would require a business to disclose:
- The specific personal information collected about the consumer.
- The categories and sources of the collected information.
- The business or commercial purpose for collecting or selling information.
- The categories of third parties that share the consumer’s personal information.
HB 969 forbids discrimination against consumers for exercising their rights. This includes actions towards consumers such as refusing to provide goods or services, providing a different quality, and charging different rates.
Private cause of action
Unlike previous bills, HB 969 includes a private cause of action against a business. The bill allows consumers to bring a civil action if their “nonencrypted and nonredacted personal information or e-mail address” (when combined with an account password or security question and answer) is subject to unauthorized access and exfiltration, theft, or disclosure. Remedies for consumers include:
- Damages in an amount not less than $100 and not greater than $750 per consumer per incident or actual damages, whichever is greater.
- Injunctive or declaratory relief, as the court deems proper.
The remedies created in the bill give consumers recourse when a business violates the duty to implement and maintain reasonable security procedures and practices that are appropriate to the nature of the information.
State enforcement
If passed, HB 969 would allow the Department of Legal Affairs (DLA) to bring an action against a violator, which may be a business, service provider, or other person or entity. Once notified of noncompliance, a business must cure any alleged violation within 30 days.
The bill would allow the DLA to seek civil penalties of not more than $2,500 for each unintentional violation or $7,500 for each intentional violation. These fines could be tripled if the violation involves a consumer who is 16 years of age or younger.