This blog post will summarize Senate Bill 1864, released on Friday, which is the first “comprehensive” privacy bill to be released in advance of the 2022 Florida legislative session. This is a long post, so I begin with a “too long, didn’t read” section that I’ve found helpful in articles I’ve read. I then describe the FPPA in detail, but by pulling various pieces of the 34-page law together by subject matter. I close with some personal opinions about this bill and what we can expect in the upcoming legislative session.
TL;DR
The Florida Senate has released the first privacy bill of the 2022 legislative session. The Florida Privacy Protection Act (FPPA), drafted by Sen. Jennifer Bradley, is a combination of the CCPA and VCDPA, but does not contain a private right of action. It is similar to the bill Sen. Bradley authored last year but with a few tweaks and one significant change – it would create a dedicated Consumer Data Privacy Unit in the Florida Attorney General’s Office.
I expect to see several more privacy bills released soon, including Rep. Fiona McFarland’s bill, which I anticipate will have some form of a private right of action and perhaps more aggressive and broader requirements. I also think we will see a few other privacy/cybersecurity bills this legislative session including one that updates the Florida Information Protection Act (Florida’s data breach notification law) in ways that most will not expect.
We can anticipate that, like last year, the big fight will be over whether the law includes a private right of action. If, like last year, the House insists on including an incredibly broad private right of action, I believe it is unlikely to become law, because the political composition in the Florida legislature has not changed significantly since last year. That said, whether a bill ultimately becomes law depends less on the desire of the legislators as a whole, and more on the “horse trading” that ultimately takes place in the final hours of the legislative session.
The FPPA’s Scope and Key Definitions
The Florida Senate was first out of the gate in the 2022 Florida privacy race, releasing SB 1864, a bill authored by Senator Jennifer Bradley (the leader on all things data privacy in the Florida Senate). The proposed law (the Florida Privacy Protection Act) is similar to the privacy bill the Senate passed at the end of the last legislative session – which contained many consumer rights but no private right of action. The FPPA draws from the California Consumer Privacy Act (CCPA), the General Data Protection Regulation (GDPR), and the Virginia Consumer Data Protection Act (VCDPA). (Author’s Note – I think it was smart of the Senate to release this bill quickly and, whether intentional or not, it helps the Senate appear proactive on privacy and set the narrative.)
To whom does the FPPA apply? Like the GDPR (and the VCDPA), the FPPA applies to “controllers” and “processors.” A controller is a for-profit entity that does business in Florida and determines the purposes/means of processing. Also, similar to the VCDPA, a controller must either: (a) control the processing of personal information of 100,000 or more Florida residents (“consumers”); or (b) control or process the personal information of at least 25,000 consumers and derive 50% or more of its revenue from selling personal information.
A “processor” processes personal information on behalf of, and at the direction of, a controller. Whether an entity is a controller or processor is a fact-based determination that depends upon the context in which the personal information is processed.
What is personal information? Personal information is defined broadly as “information that identifies or is linked or reasonably linkable to an identified or identifiable consumer.” It does not include consumer information available in governmental records, information that is publicly available, or information that is de-identified or aggregate consumer information. Additionally, the FPPA’s consumer rights do not apply to pseudonymous information as long as all information necessary to identify the consumer is kept separate and is subject to effective technical and organizational controls that prevent the accessing/combining of such information.
What is a “sale” of personal information? A core part of the FPPA governs the sale of personal information, but the term “sale” is not limited to a monetary exchange. A sale occurs where a controller makes a consumer’s personal information available to a third party in exchange for monetary “or other valuable consideration, including nonmonetary transactions and agreements for other valuable consideration between a controller and a third party for the benefit of a controller.”
A sale does NOT include:
(a) disclosing personal information to a processor;
(b) disclosing personal information to a third party to provide a product/service requested by the consumer;
(c) disclosing personal information to an affiliate;
(d) disclosing personal information for nontargeted advertising;
(e) transferring personal information as an asset that is part of a merger, acquisition, bankruptcy, or other transaction where a third party assumes control of the controller’s assets; or,
(f) disclosing personal information to law enforcement or emergency services for the purpose of providing assistance to the consumer.
What Are A Controller’s Obligations Under The FPPA?
Notice of collection/processing. A controller must inform consumers of the purposes for which personal information is collected or used and whether that information is sold. It must do this at or before the point of collection. These notice requirements do not apply if the controller does not control the collection of personal information. In an instance where the controller collects personal information about (but not directly from) consumers, the controller may provide the required information on its Internet home page or in its online privacy policy.
Notice of sale. A controller that sells personal information must provide notice that the information may be sold and that consumers have the right to opt out. Additionally, the controller must provide a link on its home page titled “Do Not Sell My Personal Information” that enables a consumer to opt out of the sale of the consumer’s personal information. The controller may not require a consumer to create an account in order to direct the controller not to sell the consumer’s information.
Website privacy policy. Where a controller collects personal information through its website or an online service, the controller must provide a notice that includes:
(a) the categories of personal information the controller collects through the site or online service and the categories of third parties to whom the controller may disclose such personal information;
(b) a description of the process for a consumer who uses or visits the site or online service to review and request changes to any of his/her personal information collected from the consumer through the site or online service;
(c) the process by which the controller notifies consumers of material changes to the privacy policy;
(d) whether a third party may collect personal information about a consumer’s online activities over time and across different sites or online services when the consumer uses the controller’s site or online service; and,
(e) the effective date of the notice.
Minimum necessary. A controller’s collection, use, and retention of personal information must be reasonably necessary to achieve the purposes for which the personal information was collected or processed. This remains the case for any onward transfer of personal information. If a controller wants to do otherwise, it must obtain the consumer’s consent.
Reasonable security or practices. A controller must implement reasonable security procedures and practices, appropriate to the nature of the personal information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.
Agreement with processor. If a controller discloses personal information to a processor, it must enter into an agreement that requires the processor to comply with the controller’s obligations under the FPPA and prohibits downstream recipients from selling the personal information or disclosing, retaining, or using it. (Author’s Note – this appears to be an error in the bill; the downstream recipients must retain and use the information, so I assume what the bill means is that the downstream recipients cannot retain or use the personal information outside the scope of why it is being shared with them.) If a processor shares the information with a third party for a “business purpose,” the processor must notify the controller and restrict the downstream recipients from selling the personal information or retaining, using, or disclosing it (again, I’m assuming retention/use is permitted, but only to the extent necessary to complete the transaction).
Consent for processing sensitive data. A controller must obtain the consumer’s consent before processing sensitive data concerning that consumer. Sensitive data means information like racial or ethnic origin, religious beliefs, health diagnosis, sexual orientation, citizenship/immigration status, biometric information, personal information collected from a known child, and precise geolocation data. Additionally, if a controller wants to process sensitive data obtained from a known child (i.e., younger than 13), the processing must be limited to delivery of a product or service requested by the child’s parent and must be in accordance with the Children’s Online Privacy Protection Act (COPPA).
Establish a request process. A controller must establish a designated address through which a consumer may submit a request to exercise his or her FPPA rights. If the request is pursuant to the “right to know” (below) then the controller must disclose any personal information about the consumer it has collected, directly or indirectly, since January 1, 2023, including information it obtained through a processor. (Author’s Note – so this means a comprehensive data inventory may not be necessary, but a process for identifying and recording the collection of this data will be crucial.) The controller has 45 days to respond to a right to know/delete/repair request. This time period can be extended by 45 days if the controller determines that such an extension is reasonable necessary, but the controller must notify the consumer of the necessity of the extension. If a processor receives a right to know/delete/repair request, it must notify the controller of the request within 10 days. The processor must help the controller respond to the request by, at minimum, providing the consumer’s personal information in the processor’s possession. Where directed by the controller, a processor must correct inaccurate personal information or delete personal information, or enable the controller to do the same.
Employee training. A controller must ensure that all individuals who handle consumer inquiries about the controller’s privacy practices or the controller’s compliance with the opt-in and opt-out requirements are informed of the requirements and how to direct consumers to exercise their rights.
What Are A Consumer’s Rights Under The FPPA?
Opt out of sale. A consumer can opt out of the sale of his/her personal information at any time. Once a controller receives an opt-out request, or if a controller does not obtain consent to sell “a minor’s” personal information, the controller is not allowed to sell that information without a subsequent express authorization from the consumer. (Author’s Note – the bill is confusing in its use of “minor” and “child”, which each have different meanings under Florida law). The controller has only 10 days to comply with the consumer’s request to opt out. (Author’s Note – for larger companies that collect personal information in many different ways, this timeline will be challenging.)
Opt out of advertising. A consumer can opt out of the processing of his/her personal information for targeted advertising or profiling at any time. To that end, a controller must provide a link on its home page titled “Do not Advertise To Me” that enables a consumer to opt out of targeted advertising or profiling. Even if the consumer opts out, however, a controller may still: (a) offer a different price, rate, level, quality, or selection of goods/services to the consumer; and (b) offer a loyalty, reward, premium feature, discount, or club card program. Additionally, a controller may charge a different price, rate, level, quality, or selection of goods/services to a consumer who has opted out of advertising as long as the charge is not unjust, unreasonable, coercive, or usurious.
Verifying the opt-out request. A controller is only required to comply with opt-out requests it is reasonably able to authenticate. However, the controller cannot require the consumer to declare his/her privacy preferences every time he/she visits the controller’s website or uses the controller’s online services.
Limited use of opt-out request. A controller cannot use any personal information collected in connection with the submission of an opt-out request for any reason other than for complying with the opt-out request.
Right to be left alone for one year. The controller must wait one year before asking any consumer who opted out of the sale of his/her data to re-authorize the sale of that consumer’s personal information.
Sale of a minor’s information (“right to opt in”). A controller may not sell personal information collected from consumers that are known to be 16 or younger, unless: (a) for children who are 13 to 16 years-old, the child has authorized the sale; or (b) for children who are younger than 13, the parent/guardian has authorized the sale. If parental consent is obtained in compliance with COPPA, then such consent meets the parental consent requirements of the FPPA.
Right to know. Where requested by the consumer, a controller must provide: (a) the categories of sources from which the consumer’s personal information was collected; (b) the specific items of personal information it has collected about the consumer; and (c) the categories of any third parties to whom the personal information was sold.
Right to delete. Consumers have the right to request that personal information that has been collected from the consumer be deleted. A controller can deny this request for any of the following seven reasons:
(a) to complete the transaction for which the personal information was collected, fulfill the terms of a warranty or recall, provide a good/services requested by the consumer, or perform a contract between the business and the consumer;
(b) to help ensure security and integrity;
(c) to identify and repair errors that impair existing intended functionality;
(d) to exercise free speech or another legal right;
(e) to engage in public or peer-reviewed scientific, historical, or statistical research; or,
(f) to comply with a legal obligation.
Right to correction. Consumers have the right to submit a verified request for correction of their personal information held by a controller if that information is inaccurate, “taking into account the nature of the personal information and the purpose for processing the consumer’s personal information.” (Author’s Notes – (1) I’m not sure what the quoted language means or how it would be implemented; and (2) this unrestricted right would conceivably give the consumer the ability to “correct” their information with something that is knowingly false in order to “game the system” in some way (e.g., take advantage of discounts, rewards, etc.).
What Are The Controller’s Rights Under The FPPA?
Right to refuse requests. If a consumer’s request is manifestly unfounded or excessive (e.g., repetitive), a controller may either charge a reasonable fee or refuse to act on it (in which case the controller must notify the consumer of the reason for refusing the request).
Safe harbor for other controller/processor violations. A controller is not liable for a processor’s violation of the FPPA if at the time the controller disclosed the personal information to the processor the controller did not have actual knowledge or a reason to believe the processor intended to commit such a violation. Similarly, a processor is not liable for the obligations of a controller. Likewise, a controller or processor that discloses personal information to a third-party controller or processor is not in violation of the FPPA for the third party’s violations if the controller/processor did not have knowledge at the time of disclosing the information that the recipient intended to commit a violation. Conversely, a third-party controller or processor receiving personal information from a controller or processor in compliance with the FPPA is not in violation of the FPPA for the controller’s/processor’s noncompliance.
When Does The FPPA Not Apply?
The FPPA includes a significant number of exceptions and exclusions. For example, the FPPA would not apply where it would restrict a controller’s or processor’s ability to do any of the following 15 activities:
(a) comply with legal obligations;
(b) comply with an investigation, subpoena, or summons;
(c) cooperate with law enforcement;
(d) exercise, prepare for, or defend legal claims;
(e) conduct internal research to develop, improve, or repair products, services, or technology;
(f) effectuate a product recall or provide a warranty for products or services;
(g) identify or repair technical errors that impair existing or intended functionality;
(h) perform internal operations that are aligned with the consumer’s expectations or compatible with processing data in furtherance of the provision or a product or service requested by the consumer;
(i) provide a product/service (or perform a contract) specifically requested by a consumer; perform a contract to which the consumer or parent is a party;
(j) take steps to protect an interest that is essential for life or physical safety of the consumer or another person;
(k) prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity, and prosecute those responsible;
(l) preserve the integrity or security of information technology systems;
(m) investigate, report, or prosecute those responsible for any illegal, malicious, harmful, deceptive, or otherwise harmful activities;
(n) engage in certain public or peer-reviewed scientific or statistical research in the public interest; and,
(o) assist another controller, processor, or third party with any of the above obligations.
In addition to the above restrictions, the FPPA also would not apply to any of the following 17 circumstances:
(a) personal information collected in the employment context. This means personal information about employees, owners, directors, officers, beneficiaries, job applicants, interns, or volunteers, as long as the controller is collecting/disclosing such information to the extent reasonable and necessary. (Author’s Note – this exclusion will likely require a correction by Sen. Bradley’s office because, as written, it implies that the FPPA would not apply to any controller that engages in this activity, which would be almost every company doing business in Florida).
(b) personal information in business-related communications/transactions;
(c) personal information in job applications and employment benefit documents;
(d) personal information in a contract with an independent contractor;
(e) protected health information (as that term is defined by HIPAA) that contains personal information;
(f) a covered entity or business associate under HIPAA;
(g) information collected for purposes of research;
(h) information created for purposes of the Health Care Quality Improvement Act;
(i) de-identified information under HIPAA or the Federal Policy for the Protection of Human Subjects (FPPHS);
(j) information collected as party of a clinical trial subject to the FPPHS;
(k) information collected, processed, sold, or disclosed pursuant to the Fair Credit Reporting Act;
(l) information and financial institutions regulated by the Gramm-Leach-Bliley Act;
(m) information collected, processed, sold, or disclosed pursuant to the Farm Credit Act;
(n) information collected, processed, sold, or disclosed pursuant to the Driver’s Privacy Protection Act;
(o) education information under the Family Education Rights and Privacy Act;
(p) information and entities governed by the Airline Deregulation Act (where preemption applies); and,
(q) vehicle information or ownership information shared between a new motor vehicle dealer, a distributor, or the vehicle’s manufacturer if the vehicle or ownership information is shared for the purpose of effectuating a vehicle repair covered by a warranty or recall, provided that the entity that receives the information does not sell, share, or use it for any other purpose.
How Will The FPPA Be Enforced?
First, there is no private cause of action established by the FPPA and will be enforced exclusively by the Florida Attorney General. In fact, it explicitly states that evidence of any noncompliance with the FPPA can only be used as the basis to prove a cause of action brought by the Florida Attorney General.
The bill defines two activities as unfair and deceptive trade practices: (a) failing to delete/correct a consumer’s personal information after received a verifiable request to which no exception applies; and (b) continuing to sell a consumer’s personal information after the consumer chooses to opt out, or selling the personal information of a consumer age 16 or younger without obtaining their consent. The Attorney General may give the controller/processor 45 days to cure such violations, but the right to cure is discretionary and whether it is provided depends on the number of violations, the likelihood of public injury, and the safety of persons/property.
On an annual basis, the Attorney General must submit a report to the Senate President and Speaker of the House of Representatives describing any actions taken to enforce the FPPA.
If the Attorney General brings an action, the court may grant actual damages to a consumer and/or injunctive/declaratory relief.
One More Thing . . .
The FPPA would create within the Florida Attorney’ General’s Office a Consumer Data Privacy Unit that must be headed by a director who is fully accountable to the Attorney General. That Unit will be responsible for enforcing the FPPA and, more generally, protecting the personal information of Florida residents.
When Will The FPPA Go Into Effect?
December 31, 2022.
What To Expect Next?
The FPPA is likely the first of at least two or three data privacy bills we can expect to be introduced in the Florida legislature during the 2022 session. Representative McFarland, the leader in data privacy and all things technology in the House of Representatives, is working on a comprehensive bill that will be introduced soon. She has been meeting with many different constituencies as she shapes version 2.0. I anticipate that bill will include broader requirements but (at least initially) keep a private right of action.
I also anticipate we will see a bill that updates Florida’s data breach notification law (the Florida Information Protection Act) by adding more specificity to the definition of “reasonable security.” We may even see a private right of action added to it.
What is the chance that any of these bills will become law? If you forced me to choose a side, I think a privacy bill will be passed during this legislative session, but I do not think it will include a private right of action. A comprehensive privacy bill almost passed last year and this year is an important election year in Florida for the Governor and members of both chambers, so passing a pro-populist privacy law will be important for political leaders who want to claim the mantle of “fighting back against big tech” even if the legislation goes far beyond that objective.
That said, there are many businesses who have not needed to comply with the CCPA or prepare for Virginia’s or Colorado’s privacy laws. For those companies, the FPPA will present a significant financial burden even without a private right of action. The truth is that whether we see a privacy law passed by the legislature will likely come down to how these bills are prioritized by leadership in both chambers during the “horse trading” process at the end of the legislative session. So strap yourself in for another three-month roller coaster!
DISCLAIMER: The opinions expressed here represent those of Al Saikali and not those of Shook, Hardy & Bacon, LLP, or its clients. Similarly, the opinions expressed by those providing comments are theirs alone and do not reflect the opinions of Al Saikali, Shook, Hardy & Bacon, or its clients. All of the data and information provided on this site are for informational purposes only. It is not legal advice nor should it be relied on as legal advice.