There is currently a strong national trend towards strengthening data protection and consumer privacy rights. Recently, eight state regulators announced a bipartisan initiative aimed at coordinating the implementation and enforcement of new privacy laws. The Consortium of Privacy Regulators includes the California Privacy Protection Agency, along with the Attorneys General from California, Colorado, Connecticut, Delaware, Indiana, New Jersey, and Oregon. This movement underscores a growing awareness among both regulators and consumers regarding the collection and dissemination of personal data and emphasizes the need for businesses to adopt robust privacy practices to ensure compliance with the new regulations and an ever-growing body of case law.
Although the Florida Attorney General is not currently part of the Consortium, the consumer protection class action plaintiff's bar -- often referred to as the "alphabet soup" bar, which typically pursues claims under statutes like the Telephone Consumer Protection Act, Fair Debt Collection Practices Act, and Fair Credit Reporting Act -- has begun to test the waters of privacy litigation in Florida. This shift is driven by the potential for substantial settlements and awards, leading to innovative interpretations of traditional common law claims and existing regulations.
For example, following a data breach in May 2023, Florida Health Sciences Center, Inc. (Tampa General Hospital) was served with a putative class action lawsuit in DiPierro v. Fla. Health Sciences Center, Inc. d/b/a Tampa Gen. Hosp., Case No. 23-CA-013984 (Fla. 13th Jud. Cir. Ct., Hillsborough Cty.) for purportedly failing to properly safeguard its patient information. The plaintiff based its complaint on traditional common law claims of negligence, breach of implied contract, and unjust enrichment, as well as violations of the Florida Deceptive and Unfair Trade Practices Act (Fla. Stat. §§ 501.204, et seq.). Faced with an alleged potential class of over a million individuals, Tampa General Hospital settled for $6.8 million.
Just a few weeks ago, in W.W. v. Orlando Health, Inc., No. 6:24-CV-1068-JSS-RMN, 2025 WL 722892 (M.D. Fla. Mar. 6, 2025), a U.S. District Court in the Middle District of Florida declined to dismiss a putative class action brought under the decades-old Florida Security of Communications Act, Fla. Stat. § 934.01, as courts had routinely done in the past. This case involves allegations that the defendant secretly implemented tracking technologies from Meta and Google on its website, which allowed for the collection and transmission of sensitive patient communications and personal health information to third parties, thereby facilitating targeted advertising and compromising patient privacy. The ruling in Orlando Health, Inc., like that in DiPierro, may signal a wave of new litigation to come in the state.
Given these developments, businesses must proactively review and enhance their data protection strategies. The evolving legal landscape requires a thorough understanding of existing state laws and compliance requirements to mitigate the risk of litigation. Companies should prioritize transparency in their data collection and usage practices to foster consumer trust and minimize legal repercussions. Spending a few minutes revising your website's consumer privacy disclosures and processes could save your company from expensive legal fights down the road.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
