On May 4, 2023, the Florida State legislature passed the Florida Digital Bill of Rights ("SB 262"). If Governor DeSantis signs SB 262 into law, as expected, Florida will become the ninth state of the Union to enact its own comprehensive consumer privacy law. As our readership knows, the California Consumer Privacy Act of 2018 ("CCPA") was the first comprehensive consumer privacy law passed in the United States. While Florida's privacy law is similar to the CCPA in many respects, it is noticeably more consumer friendly. Florida's legislature also recently passed an amendment to Florida's Telephone Solicitation Act ("FTSA"). The amendment, if signed into law by Governor DeSantis, would make the FTSA much more business friendly. Given the foregoing recent measures, it would appear that the Florida legislature is now adjusting to the glut of lawsuits filed under the State's consumer-friendly statutes.

Should Governor DeSantis endorse Florida's new privacy law, it will take effect on July 1, 2024.

Who Would Florida's New Privacy Law Apply to?

Florida's new comprehensive privacy law would apply to controllers that earn more than $1 billion a year in gross revenue and:

  • Make at least 50% of their revenue from the sale of advertisements online;
  • Operate an app store or digital distribution platform that offers at least 250,000 different software applications for consumers to download and install; or
  • Operate a consumer smart speaker and voice command component service with an integrated virtual assistant connected to a cloud-computing service that uses hands-free verbal activation (e.g. Alexa, Siri, Google home, etc.).

SB 262 defines a "controller" as a for-profit business that operates in Florida, collects personal information about consumers, or is the entity on behalf of which information is collected, and jointly or solely determines the purpose and means of processing said personal information. By comparison, the CCPA's gross revenue threshold is $25 million. This means that the vast majority of businesses that are subject to the CCPA will not meet SB 262's definition of a "controller" and, as such, the bulk of the measure's provisions will not apply to them.

What are Some Key Provisions of Florida's Proposed Comprehensive Privacy Law?

The primary purpose of SB 262 is to provide Florida consumers with many of the rights that residents of other states with existing comprehensive privacy laws enjoy. These include the right to:

  • Opt out of the sale of personal information;
  • Opt out of the collection and/or processing of sensitive data;
  • View the personal information that a company possesses about a given consumer; and
  • Request that personal information be deleted or corrected

Under the proposed privacy law, a controller that engages in the sale of sensitive data must provide notice to consumers and obtain their prior consent to do so. SB 262 defines "sensitive data" as personal data concerning an individual's racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status, genetic or biometric data processed for the purpose of uniquely identifying an individual, personal data collected from a known child, or precise geolocation data. These requirements apply to all for-profit companies that conduct business in the State, regardless of whether they meet the definition of "controller."

It is important to note that, unlike the CCPA, Florida's privacy law does not afford even a limited private right of action. Only the Florida State Attorney General would be able to sue for violations of the proposed privacy law. In addition, a violation of Florida's proposed privacy law could not be used as a basis for a lawsuit under any other law. This is important because consumers are often able to circumvent many privacy laws that do not allow for a private right of action by filing unfair business practice claims. Under SB 262, the Florida Department of Legal Affairs would be able to assess a civil penalty of up to $50,000 per violation. These penalties may also be trebled if a violation involves a Florida State consumer who the company knows to be under 18 years of age.

The law would require controllers to respond to consumer requests within 45 days of receipt. If a controller cannot accommodate the consumer's request, it would need to immediately notify the consumer and provide a reason why it could not do so. The controller would also need to instruct the consumer on how he/she may appeal the controller's decision.

Hire Experienced Data Privacy Attorneys to Comply with Florida's Upcoming Privacy Law

If Governor DeSantis signs SB 262 into law, the Florida Digital Bill of Rights would take effect on July 1, 2024. Even though this is over a year from now, businesses that meet the narrow definition of "controller" should begin addressing compliance now. Remember that civil penalties accrue quickly with multiple violations, and your business may need a complete data privacy overhaul to avoid them. The attorneys at Klein Moynihan Turco have years of experience in advising companies on comprehensive privacy law compliance and are well-equipped to keep your business updated on significant regulatory developments.

Similar Blog Posts:

Connecticut Privacy Law Advances to House

How Does the Colorado Privacy Law Compare to the CCPA?

FTSA Amendment Bill Could Bring Clarity

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.