As reported on the January 31, 2020 posting to the Hunton Retail Law Resource Blog, the Florida legislature has introduced identical bills in the Florida House of Representatives (HB 963) and the Senate (SB 1670) (collectively the Act) that, if adopted, will require companies operating websites and other online services in the state to inform Florida consumers whether it is collecting personal information, and to provide an opportunity for the consumer to opt out of the sale of the personal information.
Key provisions to the Act include:
- Definition of a Consumer. “Consumer” is defined as “a person who seeks or acquires, by purchase or lease, any good, service, money, or credit for personal, family, or household purposes from the website or online service of an operator.”
- Definition of an Operator. “Operator” is broadly defined to include (1) “a person who [o]wns or operates a website or online service for commercial purposes”; (2) “[c]ollects and maintains covered information from consumers who reside in this state and use or visit the website or online service”; and (3) “[p]urposefully directs activities toward this state or purposefully executes a transaction or engages in any activity with this state or a resident thereof.” However, excluded from the definition of “operator” are: entities that are subject to the Health Insurance Portability and Accountability Act of 1996 (HIPAA), financial institutions (such as banks, insurance companies and loan brokers) that are already subject to the Gramm-Leach-Bliley Act, motor vehicle manufacturers, motor vehicle repair or service persons “who collect, generate, record, or store covered information that is retrieved from a motor vehicle in connection with a technology or service related to the motor vehicle or that is provided by a consumer in connection with a subscription or registration for a technology or service related to the motor vehicle” and third parties “that operate, host, or manage a website or online service on behalf of its operator or process information on behalf of its operator.”
- Personal Information that is Covered. “Covered information” is defined to include the following information that may be collected by website or online service operator: (1) a consumer’s first and last name; (2) a home or other physical address which includes the name of a street and the name of a city or town; (3) email address; (4) telephone number; (5) a Social Security number; (6) an identifier that allows a consumer to be contacted either physically or online; and (7) any other information concerning a consumer that is collected from the consumer through the website or online service of the operator and maintained by the operator in combination with an identifier in a form that makes the information personally identifiable.
- Notice Requirement. The Act requires an operator to provide consumers with “notice” of which “covered information” it collects through its website or online service. Additionally, any third parties the operator shares such covered information with must be identified. The operator must provide consumers with a description of the process to review and request changes to the covered information that is collected by the website or online service.
- Exclusions from Notice Requirement. Operators who are located out of this state are not required to provide notice to consumers. Further, operators who have less than 20,000 unique visitors to their website or online service, or whose revenue is derived primarily from a source other than the sale or lease of goods, services or credit on websites or online services are not required to provide notice.
- Consumer Rights. A consumer may submit a “verified request” to an operator directing the operator not to sell any of the consumer’s covered information that the operator has collected or will collect. An operator who receives a verified request may not sell any of the covered information it has collected or will collect about the consumer. A “sale” is defined as “the exchange of covered information for monetary consideration by the operator to a person for the person to license or sell the covered information to additional persons.” The definition of “sale” does contain five (5) exceptions, such as the disclosure of information to processors.
- Enforcement. The Act, as proposed, limits enforcement to the office of the Florida attorney general. The attorney general’s office may institute proceedings in a district court against a violator, and seek a temporary or permanent injunction or a $5,000.00 civil penalty for each violation of the Act. However, the Act does not create a private right of action directly against the operator.
- Operator Remedy. An operator who fails to comply with the Act will have 30 days to remedy a failure upon being notified.
Currently, Florida has very limited laws regulating data privacy. While the proposed Act is not as extensive as other state consumer privacy laws, if passed, Florida’s consumer protection laws on data privacy would be greatly expanded. If passed, the Act would take effect July 1, 2020.