Will Florida be the next state to enact a comprehensive consumer privacy law? It sure is starting to look like a viable possibility.  With the California Consumer Privacy Act (“CCPA”) in full effect, and the recent enactment of Virginia’s Consumer Data Protection Act (“CDPA”), there has been a flurry of state privacy legislative proposals since the start of 2021, with Florida leading the way.  Backed by Governor Ron DeSantis,   Florida House Bill 969 (HB 969) would create new obligations for covered businesses and greatly expand consumers’ rights concerning their personal information, such as a right to notice about a business’s data collection and selling practices.

Florida’s HB 969 was originally introduced in February (a full overview of the initial bill is available here), and has continued to move swiftly through the legislative process. On April 21, the a slightly revised version of the bill passed the Florida House of Representatives by a 118 – 1 vote, expanding the scope of the private cause of action, changing the effective date and modifying the scope of companies subject to the law.

Here are the key changes made to HB 969 since originally introduced:

Significantly, and similar to the California Consumer Privacy Act (CCPA), HB 969 would establish a private cause of action for consumers affected by a data breach involving certain personal information when reasonable safeguards were not in place to protect that information. More expansive than the CCPA, however, a private cause of action would now also be available to consumers for a company’s failure to comply with deletion, opt-out and correction requests.  Conversely, Virginia’s CDPA lacks a private cause of action in its entirety, and the state’s attorney general has exclusive enforcement authority.

Second, if passed, HB 969 would go into effect on July 1, 2022 – instead of the originally proposed January 1, 2022.  And finally, initially, HB 969 stated that the law would apply to for profit businesses that conduct business in Florida, collect personal information about consumers, and satisfy at least one of the following threshold requirements:

  1. The business has global annual gross revenues over $25 million (adjusted to reflect any increase in the consumer price index); or
  2. The business annually buys, receives for the business’s commercial purposes, sells, or shares for commercial purposes the personal information of at least 50,000 consumers, households, or devices; or
  3. The business derives at least half of its global annual revenues from selling or sharing personal information about consumers.

Instead, HB 969 now stipulates that the law would only apply to for profit businesses that satisfy at least two the above threshold requirements.  In addition, the revised bill increased the annual gross revenues threshold from over $25 million to over $50 million.

Florida seems to be leading the way as the next state  poised to enact a consumer privacy law, but it is not alone.  The International Association of Privacy Professionals (IAPP) has observed, “State-Level momentum for comprehensive privacy bills is at an all-time high.” The IAPP maintains a map of state consumer privacy legislative activity, with in-depth analysis comparing key provisions. There are currently at least 14 states with consumer privacy bills undergoing the legislative process, and several other states where bills were introduced but died in committee or were postponed.  One key state to keep an eye on is Washington. For three consecutive years, the Washington state legislature has introduced versions of the WPA. In 2019, the bill failed in the Assembly. In 2020, the Assembly passed an amended version of the bill, but the two chambers failed to reach a compromise regarding enforcement provisions. Currently in cross committee, the WPA would impose GDPR-like requirements on businesses that collect personal information related to Washington residents. In addition to requirements for notice and consumer rights such as access, deletion, and rectification, the WPA would impose restrictions on use of automatic profiling and facial recognition.

States across the country are contemplating ways to enhance their data privacy and security protections. Organizations, regardless of their location, should be assessing and reviewing their data collection activities, building robust data protection programs, and investing in written information security programs.