Will Florida Be the Next State to Enact a Comprehensive Privacy Law?

On January 7, 2022, the Florida Senate released the draft Florida Privacy Protection Act (FPPA). If passed, Florida could become the fourth state to enact comprehensive privacy regulation – following California, Virginia, and Colorado. There are many similarities between the FPPA and the California Consumer Privacy Act (CPPA), Virginia Consumer Data Protection Act (VCDPA), and Colorado Privacy Act (CPA).

In addition, the FPPA continues the trend of state legislatures borrowing concepts from the European General Data Protection Regulation (GDPR).

What would it mean for businesses if Florida passed the FPPA? Here are a few key points.

To Whom Does It Apply?

The FPPA would apply to for-profit entities that conduct business in Florida or produce products or services that target Florida residents and that:

  • Control or process personal data of at least 100,000 consumers in a calendar year; or
  • Control or process information of at least 25,000 consumers and derives over 50% of its global annual revenue from the sale of personal information.

Compared to the CCPA, the FPPA (like the VCDPA) doubles the amount of consumer data that must be collected or processed for a business to fall within its scope.

Scope

The FPPA, like the CPPA and GDPR, includes a broad definition of personal information: “information that identifies or is linked or reasonably linkable to an identified or identifiable consumer.” Notably, similar to the VDPA, FPPA does not include publicly available information or de-identified or aggregate consumer information. The FPPA defines publicly available information as that which is “lawfully made available through federal, state, or local government records,” and information that a business “has a reasonable basis to believe is lawfully made available to the general public by the consumer or from widely distributed media unless the consumer has restricted the information to a specific audience.”

Notable Exemptions

The FPPA does include a few notable exemptions, including:

  • A covered entity or business associate under HIPAA;
  • Information and financial institutions regulated by the Gramm-Leach-Bliley Act;
  • Non-profits;
  • Governmental entities;
  • Certain employee data;
  • Information collected for purposes of research;
  • Information that is governed by FERPA;
  • Information collected, processed, sold, or disclosed pursuant to the FCRA; and
  • Information collected, processed, sold, or disclosed pursuant to the Driver’s Privacy Protection Act and Airline Deregulation Act.

Consumer Rights

Borrowing from the GDPR, the FPPA provides consumers with several rights, including:

  • Opt out of the processing of personal data for purposes of targeted advertising or the sale of personal data;
  • Right to know from where the controller collected personal information, the specific personal information collected, and categories of any third parties to whom the controller sold the personal information;
  • Right to amend inaccuracies; and
  • Data deletion.

Data Controller Obligations 

Similar to the GDPR, the FPPA establishes “controller” and “processor” roles, which differentiate how entities handle personal data. Controllers are those who determine the purposes and means of processing personal data, while processors are entities that process personal data on behalf of a controller and at the controller’s direction. The law assigns different obligations based on an entity’s status as a controller or processor. The FPPA imposes several obligations on controllers, including:

  • Establishing, implementing, and maintaining reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data;
  • Providing consumers with privacy notices; and
  • Contractual requirements in engaging data processors.

Sensitive Data

Another concept borrowed from the GDPR is the requirement that controllers obtain consumers’ informed consent before processing “sensitive data.” Sensitive data includes:

  • Citizenship/immigration status;
  • Biometric information;
  • Geolocation data;
  • Health information; and
  • Sexual orientation.

Enforcement

Similar to the VCDPA, the FPPA does not provide for a private right of action; enforcement is solely through the Florida Attorney General. If the attorney general decides to act, the office may notify the controller, which then has 45 days to cure the violation. Notably, the right to cure is discretionary. If the attorney general does bring an action, a court may grant actual damages to a consumer and/or injunctive/declaratory relief.

In addition, the FPPA would create a Consumer Data Privacy Unit within the Florida Attorney General’s Office. The Unit would be responsible for enforcing the FPPA and protecting the personal information of Florida residents.

Looking Ahead

While it is only one month into 2022, many states have already introduced comprehensive privacy bills. In January, Indiana, Mississippi, and Vermont introduced bills that would expand state data privacy regulations and laws in the U.S. There are differences in the proposed privacy bills, so companies will need to continue navigating the convergence and diversion between the patchwork of privacy laws across the country. Redgrave LLP will continue to monitor and report on developments as the privacy landscape further evolves.

The views expressed in this article are those of the authors and not necessarily those of Redgrave LLP or its clients.

By Eliza Davis and Aviva Surugeon