This bill, if enacted, would add to the growing list of data privacy laws being considered or recently put into effect nationally and internationally, putting a strain on businesses as they try to comply with the complex patchwork of legal requirements in the various jurisdictions where they operate. Most notable, of late, is the California Consumer Privacy Act (“CCPA”), which imposes substantial obligations on many companies that do business in California. While not as comprehensive as the CCPA, the Florida bill, like the CCPA, would impose monetary penalties against companies in violation. The penalty for violating the proposed Florida law would be up to $5,000 per violation.
The Florida bill was filed in the Florida House (HB 963) on December 16, 2019, and the Florida Senate (SB 1670) on January 10, 2020. The bill would apply to “operators,” defined to include companies doing business in Florida that own a website for commercial purposes and collect and maintain certain personal information (such as name, address, email address, and the like) of Florida residents who visit the website. There are carve outs for certain service providers that manage the website for the “operator” and for financial institutions regulated by the Gramm-Leach-Bliley Act and entities subject to HIPAA. The bill also says it would not apply to certain operators (a) located in Florida; (b) whose revenue is “derived primarily” from sources other than the sale or lease of goods, services, or credit on websites or online services; (c) whose website or online service has fewer than 20,000 unique visitors per year. The bill does not say how to determine whether revenue is “derived primarily” from one source or another. For example, to be considered a “primary” source of revenue, must that source generate more than fifty percent of revenue, or a higher percentage, and over what period of time? The bill also does not say whether an operator must meet all or one of (a), (b), and (c) to be excluded from the reach of the law. These issues may be clarified before the bill is enacted.
The bill would require covered businesses to establish an email address, toll-free telephone number, or a website through which a consumer could direct the business not to make a “sale” of the consumer’s personal information to a third party. Upon receiving such a request, if the business can reasonably verify the authenticity of the request, the business must honor the request and not make a “sale” of the consumer’s information. “Sale” is defined as an exchange of covered information for monetary consideration by the business to a person for the person to license or sell the covered information to additional persons. This definition of sale is unusual in that it requires a “sale” to result in a subsequent additional sale or licensing of the covered information, although this definition also mirrors a very similar law that took effect in Nevada in late 2019.
Online Privacy Policies
The Florida bill would require “operators” to make available a “notice” that identifies the categories of information the business collects and categories of third parties with whom the business shares information. The notice also must describe the process, if available, for a consumer to review and request changes to any personal information and the process by which the operator will communicate changes to the notice. The notice further must disclose whether a third party may collect information about the consumer’s online activities over time and across different websites when visiting the operator’s website. The notice also must state its effective date.
Proposed Effective Date
Companies doing business in Florida would be wise to monitor this bill. It proposes to take effect July 1, 2020.