
Privacy Tracker | Whittled Florida privacy bill moves forward


Whether it be at the state or federal level, passing legislation in the U.S. is no walk in the park. The expectation that a law will pass in its original form or close to it is something of a fantasy these days.

Concessions have been a regular occurrence with proposed privacy laws being considered thus far in 2021 U.S. state legislative sessions, which made approved amendments to Florida Senate Bill 1734, the Florida Privacy Protection Act, not at all surprising. The Florida Senate Rules Committee voted 11–5 April 6 to give a favorable recommendation to an amended version of SB 1734 that has businesses breathing a sigh of relief as the bill heads to the Senate floor.

The "strike all" amendment to the privacy bill made sweeping changes, with the removal of the private right of action being chief among the revisions. The scope of the law was changed to only cover businesses that sell data per the definition of "sale," which was also tweaked for clarity, instead of reaching organizations that simply collect personal information. Application thresholds were also changed to companies selling or sharing the data of more than 100,000 consumers or those generating 50% of their annual revenue from data sales or sharing. The effective date of the law was also moved to July 1, 2022, following compliance concerns.

Sponsoring State Sen. Jennifer Bradley, R-Fla., kept her remarks on the revisions short and sweet, noting the loaded amendment "incorporates a lot of feedback from the business community, and I believe it still protects consumers."

The removal of the private right of action was easily the most talked-about concession given the firm stance Bradley and State Rep. Fiona McFarland, R-Fla., took on the provision through prior hearings for SB 1734 and its companion bill, House Bill 969. Shook Hardy & Bacon Partner Al Saikali, CIPP/E, CIPP/US, CIPT, FIP, PLS, testified before the committee to laud Bradley's reversal on the right of action, pointing out that its existence would "create a cottage industry of plaintiffs lawyers filing 'gotcha' lawsuits." U.S. Chamber Institute for Legal Reform's George Feijoo said the right of action would have promoted "onerous and abusive litigation tactics" while also offering a vote of confidence for the attorney general's ability to properly and effectively enforce the proposed law.

"Enforcement of these privacy violations by the attorney general strikes a good balance between consumer protection and an efficient process devoid of frivolous lawsuits," Feijoo said. "To preempt unforeseen issues in Florida, we ask that you consider three things: Add explicit language that says privacy violations may not be the basis for any private right of action; add explicit language which clearly says the (attorney general) is the exclusive enforcer of privacy violations; and we would also ask that you give businesses the right to cure violations."

Consumer advocates were displeased with the private right of action being scrapped a day after a coalition of advocacy groups sent a letter to lawmakers urging the right of action remain. In a Twitter post, Electronic Information Privacy Center Deputy Director Caitriona Fitzgerald said the private right of action was more than appropriate in the Florida law because "the scope of data collection is simply too vast for a state (attorney general) to regulate alone." Fitzgerald added lawmakers need to ignore industries' smearing of the private right of action as it is "necessary to ensure that privacy rights will be taken seriously."

The revised definition of "sale" is another concession that favors businesses as many are let off the hook for their data collection practices so long as they do not participate in data sales. More specifically, Bradley explained how the word "share" was removed from the definition.

"There was concern on the part of businesses complying with the act that it would require compliance to be cumbersome," Bradley said. "They would have to have contractual relationships with those they disclose the information to and having that relationship with every entity it does business with would be burdensome."

Despite all the twists and turns made to try and appease all stakeholders, the bill still garnered its fair share of criticism.

"Has this bill come a heck of a long way since its first draft? Yes. Did the 'delete everything' amendment help move this bill along? Yes," Associated Industries of Florida Senior Vice President of State and Federal Affairs Brewster Bevis said. "The bill sponsor has certainly done yeoman's work really working with the business community to really whittle this bill down to something that's a little more manageable. But at the end of the day, this bill is still going to cost Florida businesses a gigantic amount of money to comply with."

Bevis alluded to a report from Florida TaxWatch that estimated compliance costs associated with SB 1734 may amount to as much as $36.5 billion. Bradley wasn't ready to cave to such an estimation, which created a contentious exchange with State Sen. Jeff Brandes, R-Fla., who pressed hard for details on compliance costs. In response to Brandes' probing, Bradley explained new provisions under the strike all amendment made costs impossible to estimate but indicated businesses wouldn't have to worry about compliance costs if they simply did not sell data.

There had been very little to no pushback from lawmakers on SB 1734 or HB 969 to this point. Brandes changed that narrative with pointed comments indicating privacy isn't something states should be acting on.

"This is one of those interesting bills where if you cornered us all individually in a room and asked us what this bill does, you'd get 20 different answers," Brandes said. "We're placing a lot of trust in a piece of legislation that, frankly, a lot of us don't know what the implications are. … If we are going to do something for privacy, have a federal law. Deal with it at the federal level and have all states comply. A patchwork quilt of privacy laws where we have no clue about the cost of compliance or a real handle on the definitions is overly problematic."

Ups and downs aside, Bradley indicated her door remains open on discussions toward additional changes to the proposed law and those that "bring certainty" to the subject matter it deals with. She also made clear that the bill's intent to protect consumers has not and will not waver.

"We have businesses which are collecting unknown amounts of information on Florida consumers. They are selling and monetizing it, and that is for certain," Bradley said. "Who is bearing the cost of this right now is entirely on the consumers. They are the subject of direct advertisement, targeted advertisement, profiling … they can't delete it, correct it and have no ability to change it. But we do have the ability to change things here for them in the Florida Legislature."

US State Comprehensive Privacy Law Comparison

The IAPP Westin Research Center compiled this updating tracker of proposed and enacted comprehensive privacy bills from across the country to aid our members’ efforts to stay abreast of the changing state-privacy landscape.


3 Comments


  • Jacques Mouton • Apr 7, 2021
    This is a great piece and I especially like the inclusion of the comment on the need for there to be a federal law. It would be great to see more articles that have a paragraph that addresses this to ensure conversations are happening around this.
  • Benjamin Walsh • Apr 7, 2021
    I'm very concerned that business is going to be able to carve its way out of most bills which could be proposed. Unfortunately, business concerns come before the concerns of everyday consumers. They shouldn't. We privacy professionals are pretty smart folx and can figure out the nuances of new laws, even if they seem "burdensome". There is so little real data protection for people out there and I'm concerned a set of bad laws across the states may be worse than not having a law because lawmakers may assume they've solved the problem, when they have not, or worse, made it harder to solve in future.
  • Peter Allen • Apr 8, 2021
    Reminds me of rhetoric around restaurant regulations being "overly burdensome" on the business. I wouldn't want to eat at a restaurant that's unregulated and not required to have proper hygiene and food safety practices in place. I feel the same way about how companies are handling my data.