California-style data privacy law gets bipartisan support in Fla.
In an attempt to “put consumers in the driver’s seat” of their data privacy, Florida legislators are giving bipartisan support to legislation that imposes new disclosure requirements on companies that collect information on their customers and sell it to data brokers.
Modeled after a California law that last year became the strongest data privacy law in the country, SB 1734 creates the Florida Privacy Protection Act and requires businesses to tell consumers what information they’ve collected and how they’re going to use it. The bill requires any company that collects and sells consumer information to establish a button on its website to allow consumers to opt out of allowing the company to sell the information it has collected about them.
“The landscape of the Internet has changed considerably in a relatively short period of time, and the internet of today is a one-way street, where the most intimate details of the consumer’s life are monetized, and sold to the highest bidder,” said Sen. Jennifer Bradley, a Fleming Island Republican who is sponsoring the Senate bill. “The financial success of these companies who market our private lives are built on the consumer’s lack of knowledge and lack of consent to this process.”
Bradley said the goal of the measure is to “shift the balance of power over data collection back to consumers” by requiring companies to give notice of their practices and seek consent from consumers. Since California adopted a similar law in 2020, companies across the state have placed “do not sell my information buttons” on their web pages, and the state has set up model templates.
In November, California voters went further in strengthening the privacy laws by passing Proposition 24. It added new requirements for businesses to protect personal information, including by “reasonably” minimizing data collection, limiting data retention, and protecting data security. A similar privacy law was passed in Illinois. And in Europe, the General Data Protection Regulation (GDPR) protects personal data and restricts the use of it by business entities and internet companies.
Bradley’s more modest proposal, however, is fiercely opposed by Florida businesses, many of whom make money off selling people’s data.
“The cost would be significant to comply with this law,” said Alfred Saikali, chair of the Privacy and Data Security Practice at the Shook, Hardy & Bacon law firm in Miami. “You’re going to have to purchase technology, you’re going to have to perform data inventories, you’re going to have to hire lawyers, like myself.”
In an attempt to reach a middle ground Tuesday during the Senate Rules Committee meeting, Bradley introduced a strike-all amendment to her bill that creates a loophole for companies that contract with a “service provider” to handle their data. She also limited the businesses required to comply to those that sell personal information of more than 100,000 customers to third parties, or businesses that derive 50% or more of their global annual revenues from selling or sharing personal information about consumers.
And in a major concession to the Florida Chamber of Commerce and Associated Industries of Florida, Bradley agreed to remove the enforcement teeth by eliminating a provision that allowed consumers to sue businesses if they could show their private data was sold in violation of the proposal. The Florida Attorney General’s office would be responsible for enforcing the law, which would take effect July 1, 2022.
Despite the deep concessions, industry lobbyists remained opposed to the measure.
THE COST OF COMPLIANCE
Brewster Bevis, lobbyist for Associated Industries of Florida, said that while the amendments were helpful the bill “is still going to cost Florida businesses a gigantic amount.”
Florida TaxWatch, which produced a study financed by unnamed industry sources, estimated it would cost Florida businesses $36.5 billion to develop the technology and meet the requirements.