With Virginia's new privacy law in the books and other states aspiring to push out their own legislation during 2021, it is easy to get caught up wondering where and when the next shoe will drop. There are some clear front-runners in Washington and Oklahoma, but could another state Legislature mimic Virginia's unforeseen momentum? There is reason to believe Florida could answer that call.
House Bill 969 concerning consumer data privacy has a number of things working to its favor out of the gate, including clear support in the Florida House of Representatives after a unanimous 18–0 approval for a favorable recommendation from the Regulatory Reform Subcommittee March 10. The bill was formally introduced and endorsed by Gov. Ron DeSantis, R-Fla., in February as part of a crusade against Big Tech companies, but sponsoring Rep. Fiona McFarland, R-Fla., ensured the committee that Florida residents were the priority with this bill.
"This bill is purely about a Florida consumer who, through interacting with a for-profit business online, hands over troves of personal, very intimate information about themselves that could reasonably be used to identify them," McFarland said.
Among the noteworthy provisions included in McFarland's bill is required opt-out consent for the sale or sharing of an adult's data, which turns to opt-in consent when dealing with data belonging to minors. Businesses would also need to offer data subject rights, including rights to deletion or collection and the right to know, while also being mandated to publish a privacy policy. Notably, a private right of action has been included in the initial draft law.
McFarland made it clear she is open to tweaking the bill, bringing her own amendments to the table during her presentation. McFarland moved to update the definitions for a third party and unique identifier, as well as added exceptions to what is deemed a "sale."
"I've worked quite closely with many members of industry, ranging from leaders of different tech companies we've all heard of to privacy rights advocates, and even companies we wouldn't think of as tech companies," McFarland said. "I'm taking all forms of productive feedback … and I have an open door."
HB 969 covers companies with an annual gross revenue of $25 million, those that hold data belonging to more than 50,000 consumers, and derive more than 50% of their revenue from data sales or sharing. Asked about what compliance costs would look like for these companies, McFarland indicated if companies don't have reasonable data security in place already, then "I don't frankly think you deserve protection of the law." Exemptions from the proposed law are still very much up in the air, but McFarland isn't keen on following approaches in California and Virginia.
"When we look to some of the loopholes other states have created through exemption of industries is an area of concern that I have," McFarland said. "I'll clarify that that is an area we are still working on. The bill that comes before you is not there yet, but we are aware of those other industry exemptions and we will not be making them here in Florida."
Along the same lines, McFarland believes HB 969 will offer more of a crackdown on data sales and sharing than what is regulated by other states. She said other states "stopped at sell and didn't go all the way on share," but Florida intends to "go the full way."
Despite support from the committee, public testimony was not equally positive. The majority of stakeholders that chimed in on the bill — some with in-person testimony and others with a simple notice of approval or opposition — deemed it incomplete for various reasons. A consensus take, however, was that the current proposal burdens companies that many believe shouldn't fall under the law.
"The net that is being cast here is catching a lot of fish that it does not intend to catch," Associated Industries of Florida Senior Vice President of State and Federal Affairs Brewster Bevis said. "California is estimating that the implementation of its bill, which is a little less restrictive than ours, is going to cost businesses $55 million. For businesses with under 20 employees, that's $50,000 in compliance. These are small employers that are barely surviving during a pandemic. It's just a little bit overly broad."
As has been the case with other state proposals, the private right of action raised red flags. Florida Justice Reform Institute President William Large put forth a detailed explanation of potential harms to businesses stemming from potential class-action suits that could potentially be brought, while Rep. Dan Daley, D-Fla., said the broadness of the private right of action gives him "a lot of heartburn" and will need to be reassessed.
McFarland's willingness to hear people out on amending the bill will be something to watch, but she does not appear willing to back off holding companies accountable to the highest degree possible.
"The amount of power we've handed over to companies through the use of our data, I believe, has resulted in an erosion of our right to privacy and even how we think of ownership over our data," McFarland said. "We did not take this bill from another jurisdiction and merely copy it. We reviewed all these bills and the successes they had to create our own uniquely Floridian version of this bill, which is clear and effective in protecting Floridians. If a business is built on exploitation or tricking us into being the product rather than the customer, it does not deserve our information. I think it deserves our reform."