As Florida becomes a growing haven for both Latin American and domestic enterprises seeking to expand their businesses, new data privacy legislation poses new compliance issues in the Florida market. With House Bill 969 (“HB 969”), Florida appears poised to join a growing number of states enacting their own consumer data privacy legislation. With the potential to become one of the more comprehensive data privacy laws in the U.S., the bill has the backing of Florida Governor Ron DeSantis, and will significantly expand consumer rights of Florida residents regarding their personal data, in addition to expanding notification responsibilities of covered companies suffering data breaches. If passed, HB 969 would become effective on January 1, 2022.
Covered Companies
HB 969 will apply to any for-profit business entity that transacts business in Florida, whether or not the business is actually organized under Florida law or physically located inside the state, where such business meets any of the following criteria (a “Covered Business”):
- Such business has global annual gross revenues in excess of $25 million;
- Such business buys, receives, sells or makes available the personal data of at least 50,000 Florida residents, households or devices owned by Florida residents, on an annual basis; or
- Such business derives 50% or more of its global annual gross revenues from the transfer (whether via sale or sharing) of Florida resident personal data.
As with similar data privacy regulations being enacted nationwide, covered personal data is broadly defined, and is comprised by a wide array of information reasonably capable of being directly or indirectly associated with a particular Florida resident or household.
HB 969 would also apply to entities that control, or are under the control of, a Covered Business. Service providers of Covered Businesses will also face compliance requirements, as particularly contract language will need to be in place between Covered Businesses and their service providers in order to ensure compliance with the provisions of HB 969 (not unlike similar language used to comply with the California Consumer Privacy Act or the European Union General Data Protection Regulation).
Compliance Requirements
HB 969 requires Covered Businesses to meet a number of compliance requirements, including (among other requirements):
- Maintenance of an online privacy policy notifying Florida residents of their rights under HB 969 and describing categories of personal data collected or transferred by the Covered Business;
- Allowing Florida residents to demand, disclose, correct and, in some cases, delete personal data collected by the Covered Business;
- Permitting Florida residents to opt out of the transfer of their personal data to third parties;
- Making disclosures where personal data is collected;
- Not discriminating against Florida residents choosing to exercise any of their rights under HB 969
- Create reasonable policies regarding the retention of personal data, including security procedures and schedules for how long such data is retained.
Consumer Private Right of Action
HB 969 also provides Florida residents with a private right of action against Covered Businesses failing to comply with HB 969 (including Covered Businesses failing to maintain compliant security or retention policies). Florida residents may bring civil actions against such Covered Businesses, and damages with respect to such civil actions can range from $100 to $700 per Florida resident, per violation of HB 969, or could equal actual damages where such actual damages are greater. Given the proliferation of class action lawsuits arising in jurisdictions enacting similar legislation, this means that Covered Businesses failing to comply with HB 969 can be exposed to significant liability.
Next Steps
Given the bipartisan backing of HB 969, it appears to have a significant likelihood of passage. With that in mind, businesses operating in Florida, whether or not they are located in Florida, would do well to work with their compliance counsel to determine whether or not HB 969 applies to their business (whether as a Covered Business or a related service provider), and to ensure that their policies and procedures are compliant as well. Given the growing trend toward e-commerce and data collection in a growing number of industries, data privacy compliance is no longer the concern of specific, “tech” business niches, but must be taken into consideration by every business operating in Florida.