Florida legislators recently introduced companion bills in the Florida House (HB 963) and Senate (SB 1670) that would create restricted online privacy rights and obligations in the state.
The legislation looks to copy aspects of the Nevada Online Privacy Protection Act, which was amended in 2019 to include a right to opt-out of sales of covered information. Florida’s bill is different from the California Consumer Privacy Act (CCPA) and more like the California Online Privacy Protection Act (CalOPPA).
Florida joins a growing list of other states reviewing consumer privacy legislation, including Illinois, Washington, Nebraska, New Jersey, New Hampshire, Virginia, and Hawaii.
Florida’s Definitions
Florida’s act defines “consumer” as “a person who seeks or acquires, by purchase or lease, any good, service, money, or credit for personal, family, or household purposes from the website or online service of an operator. In turn, an “operator” under the act is anyone who owns or operates a website or online service for commercial purposes, collects and maintains covered information from consumers who reside in Florida and use or visit the website or online service, and “[p]urposefully directs activities toward this state or purposefully executes a transaction or engages in any activity with this state or a resident thereof.”
The definition of operators does not include third parties that operate, host, or manage a website or online service on behalf of its operator or processes information on behalf of its operator; financial institutions or their affiliates that are subject to the Gramm-Leach-Bliley Act and its corresponding regulations; HIPAA-regulated entities; or motor vehicle manufacturers or repairers who collect, generate, record, or store covered information that is retrieved from a motor vehicle in connection with a technology or service related to the vehicle or that is provided by a consumer in connection with a subscription or registration for a technology or service related to the motor vehicle.
Covered Information
The following types of personally identifiable information are deemed to be “covered information” under the Act when collected through a website or online service:
- A first and last name.
- A home or other physical address which includes the name of a street and the name of a city or town.
- An email address.
- A telephone number.
- A social security number.
- An identifier that allows a consumer to be contacted either physically or online.
- Any other information concerning a consumer that is collected from the consumer through the website or online service of the operator and maintained by the operator in combination with an identifier in a form that makes the information personally identifiable.
Consumer Rights
Consumers in Florida would be given the right to submit a verified request to an operator directing that individual to refrain from selling any covered information the operator has or will collect about the consumer.
The act defines “sale” to mean only “the exchange of covered information for monetary consideration by the operator to a person for the person to license or sell the covered information to additional persons.” That term does not mean any of the following:
- The disclosure of covered information by an operator to a person who processes the covered information on behalf of the operator.
- The disclosure of covered information by an operator to a person with whom the consumer has a direct relationship for the purposes of providing a product or service requested by the consumer.
- The disclosure of covered information by an operator to a person for purposes that are consistent with the reasonable expectations of a consumer considering the context in which the consumer provided the covered information to the operator.
- The disclosure of covered information to a person who is an affiliate of the operator.
- The disclosure or transfer of covered information to a person as an asset that is part of a merger, acquisition, bankruptcy, or other transaction in which the person assumes control of all or part of the assets of the operator.
In addition, the proposed Florida law wouldn’t apply to an operator who meeting the following requirements: is located in Florida; whose revenue is derived primarily from a source other than the sale or lease of goods, services or credit on websites or online services; and whose website or online service has fewer than 20,000 unique visitors annually.
Enforcement
The Florida Attorney General would be responsible for enforcing the law. Before commencing an enforcement action, operators would be required to be notified of the violation and provide 30 days to correct the issue.
It’s unclear whether the notice would be required to originate at the AG’s office or if an investigation could be triggered from a consumer complaint. The AG’s office could seek a civil penalty of up to $5,000 per violation.
The bill would not Create a Private Right of Action and would go into effect July 1, 2020.
