Lawmakers in Florida this week started deliberating a data privacy bill that could, if enacted, give the state data privacy protections on par with those offered by the landmark legislation California approved in 2018.
Gov. Ron DeSantis introduced the bill Monday at a Tallahassee press conference, saying that large technology companies “have created a surveillance economy, which enriches those platforms by free-riding on consumer data.”
Similar to the California Consumer Protection Act, the still unnamed House Bill 969 would require any company that conducts business in Florida and takes in at least $25 million in annual revenue to disclose to its online customers what personal information it collects and how that data is used. It would also give Floridians the options to ask that their data not be collected or resold, and the right to sue companies that violate those requests.
“Our state will once again lead the nation, this time with strong data privacy laws to protect consumers across the state of Florida,” State Rep. Fiona McFarland, the bill’s lead sponsor, said, according to FloridaPolitics.com
Similar to the popup notices that have appeared on websites since the implementation of the CCPA and the European Union’s 2017 General Data Protection Regulation, the Florida bill would also require companies to provide website visitors with a notice before the moment data is collected, and edit their homepages to include a “clear and conspicuous link” to a page on which people can opt out of data collection or ask to have their information deleted. Consumers could also ask businesses twice a year for a copy of their personal data that’s been collected.
All these new requirements would be in addition to the breach notification law that Florida, like other states, already has on its books.
House Bill 969 also came amid a broader initiative by DeSantis to attempt to crack down on the tech industry. Last month, he and Florida House Speaker Chris Sprowls introduced legislation that would impose daily $100,000 fines on social media companies like Twitter and Facebook that ban from their platforms candidates who are on the ballot in Florida.
But while DeSantis, a close ally of former Twitter user Donald Trump, has focused his messaging on a “big tech cartel,” the data privacy bill’s revenue floor of $25 million would apply to a much broader swath of the economy, which could make it difficult to pass or enforce in a business-friendly state like Florida.
“HB 969 faces some uphill challenges created by the proposed private right of action, the low threshold that allows the bill to capture many small businesses in its net, and the potentially significant enforcement fines a company may face,” Alfred Saikali, a Miami attorney who chairs the privacy and data security practice at the law firm Shook, Hardy & Bacon, wrote in the Data Security Law Journal. “Additionally, the high risk of class-action lawsuits may be enough to doom the bill, especially given Florida’s overt attempts to attract new business to the state.”
If passed, HB 969 would take effect Jan. 1, 2022. But as California’s experience shows, state-based data privacy laws can be arduous to bring into effect. While signed into law in June 2018, the CCPA didn’t take formal effect until Jan. 1, 2020, and prompted state Attorney General Xavier Becerra to issue numerous regulations designed to give businesses an easier time navigating the act.
This piece is part of StateScoop’s Special Report on Data & Analytics.