Friday, March 12, 2021

Florida Vies for Bronze in Race to Create Patchwork of State Data Privacy Laws

Florida seems likely to become the third state, after California and Virginia, to adopt a comprehensive data policy law.

The California Consumer Privacy Act (CCPA) has been in effect since the beginning of 2020. Given the inability of Congress thus far to reach consensus on federal legislation, the CCPA has served as the de facto U.S. data privacy law for over a year. Last November, voters approved the California Privacy Rights Act (CPRA), which will expand upon the CCPA in numerous ways at the beginning of 2023.

On March 2, Virginia Governor Ralph Northam added the second square to the quilt when he signed into law the Consumer Data Privacy Act, the details of which I described in a February 5 post to the FSF Blog. Like the CPRA, it becomes effective on January 1, 2023.

A number of additional states, including Minnesota, New York, Oklahoma, and Washington State, are considering comprehensive data privacy legislation. Florida, however, appears poised to be the next to act.

On February 15, Florida House of Representatives member Fiona McFarland introduced House Bill (H.B.) 969. The draft legislation, which has the support of Governor Ron DeSantis and House Speaker Chris Sprowls, on Wednesday received unanimous committee approval upon its first reading.

H.B. 969 would establish a number of consumer data privacy rights: the right to know what personal information businesses collect; rights to receive a copy of, correct, and delete that data; and the right to opt-out of its sale to third parties. It also would prohibit discrimination against a consumer who exercises any of these rights.

In addition, H.B. 969 would impose a requirement to delete collected data "after satisfaction of the initial purpose for collecting or obtaining such information, or after the duration of a contract, or 1 year after the consumer's last interaction with the business, whichever comes first."

The Department of Legal Affairs would be responsible for enforcing the provisions of H.B. 969. However, businesses first would be afforded a 30-day opportunity to cure.

Of perhaps greatest concern, H.B. 969 also would establish a private right of action in connection with a data breach. Affected consumers could pursue both (1) up to $750 in statutory damages or actual damages, whichever is greater, and (2) injunctive or declaratory relief.

If passed, H.B. 969 would go into effect at the beginning of next year.

Be on the lookout for additional commentary from the Free State Foundation on state data privacy laws in the coming days.