The Florida state legislature is considering a sweeping data privacy bill introduced by Governor Ron DeSantis in February. House Bill 969 is the latest state provision to follow in the footsteps of the California Consumer Privacy Act (“CCPA”), the California Privacy Rights Act and the Virginia Consumer Data Protection Act, in giving consumers greater control over how their personal information is used while imposing greater restrictions on companies’ use of that data.
The Florida bill includes a private right of action for consumers in the event that a data breach occurs that involves consumers’ nonencrypted and nonredacted personal information, a term that is defined very broadly (“information that identifies, relates to, or describes a particular consumer or household, or is reasonably capable of being directly or indirectly associated or linked with, a particular consumer or household”). A consumer who is affected can bring suit against a covered entity under this provision, either for damages – the bill provides for the greater of up to $750 per consumer per incident or actual damages – or injunctive or declaratory relief. This is a significant change from current Florida law. While Florida does have a data breach notification statute, that law does not include a private right of action. If enacted, the new bill is likely to lead to a new wave of class action consumer privacy litigation, similar to what we have seen under the CCPA or Illinois’ Biometric Information Privacy Act (“BIPA”), following data breaches. The law would otherwise be enforceable solely by Florida’s attorney general.
If passed, House Bill 969 would take effect on January 1, 2022. The House bill will be assigned to committees for consideration, and must pass each committee and the full House to become law. The bill must also pass in the Senate to be sent to Governor DeSantis for approval, and there is currently no companion bill in the Florida Senate. We’ll keep an eye on how this develops for you.