The Florida House of Representatives has introduced its version of a comprehensive privacy law (HB 9 – no fancy acronym, unlike the FPPA in the Senate).  This blog post will explain the key differences between the House and Senate versions. I also propose two changes to the private right of action that would mitigate the risk of professional plaintiffs filing gotcha lawsuits. The post ends with a roadmap of what to expect moving forward in this legislative session.

Continue Reading Comparing Florida’s Two Leading Privacy Bills

The Florida House of Representatives has released its version of a proposed comprehensive privacy law.  Coming in at 31 pages, HB 9 is sponsored by Representative McFarland (a champion of data privacy on the House side). On quick review, it appears to have some important changes from the version the House considered last year (HB 969), including:

  • a significantly reduced private right of action (no private right of action for data breaches), though the lack of a right to cure will create problems;
  • a universal plug-in option for communicating privacy preferences;
  • annual AG reports to Legislature; and,
  • changes to data retention rules.

I intend to provide more thoughts, a deeper analysis, and a comparison to the Senate’s version within the next 24 hours.

DISCLAIMER:  The opinions expressed here represent those of Al Saikali and not those of Shook, Hardy & Bacon, LLP, or its clients.  Similarly, the opinions expressed by those providing comments are theirs alone and do not reflect the opinions of Al Saikali, Shook, Hardy & Bacon, or its clients.  All of the data and information provided on this site are for informational purposes only.  It is not legal advice nor should it be relied on as legal advice.

This blog post will summarize Senate Bill 1864, released on Friday, which is the first “comprehensive” privacy bill to be released in advance of the 2022 Florida legislative session. This is a long post, so I begin with a “too long, didn’t read” section that I’ve found helpful in articles I’ve read. I then describe the FPPA in detail, but by pulling various pieces of the 34-page law together by subject matter. I close with some personal opinions about this bill and what we can expect in the upcoming legislative session.

Continue Reading Will The FPPA Be Florida’s First Comprehensive Privacy Law?

New regulatory activity may help companies experience fewer ransomware attacks and could impact whether ransoms can be paid to threat actors. The activity includes guidance and sanctions by the Department of Treasury (“Treasury”) and a host of resources provided by the Health and Human Services Office for Civil Rights. This post describes the activity, its impact on companies that experience a ransomware attack, and practical takeaways for in-house counsel.

Continue Reading To Pay or Not To Pay: What New Regulatory Activity Means for Ransomware Victims

The Florida privacy legislation appears to be dead, and the best way to explain it is with the southern adage that “pigs get fat, hogs get slaughtered.” With a strong privacy bill in hand that gave privacy advocates 95% of everything they wanted and approved by the Senate, the House decided it wanted more. It really wanted its private right of action.

Realizing that wasn’t going to happen, the House decided it was better to do nothing than pass a comprehensive privacy law enforced only by the Florida Attorney General. As a result, Florida privacy legislation is dead for 2021.

There will be a lot of Monday-morning-quarterbacking by privacy advocates who pushed too hard and ultimately came away with nothing. Would it have been smarter to start with AG enforcement, then add a private right of action later after a year or two showing that AG enforcement does not meet the mark? All along, was it only important to the House and privacy advocates that the bill provide a private right to sue? Was this bill always just a tool of the plaintiffs’ bar to generate a ton of new revenue through class action lawsuits, and having lost the most important part of that tool, they walked away? How else do we explain the House’s refusal to take up the Senate version that had 95% of the rest of the House version and in some ways was stronger? None of that seems good for Floridians, businesses, or the development of privacy law.

Stepping back, I still believe the blueprint for privacy laws in Red states has been shaped by this process — strong consumer rights accompanied by significant compliance obligations, lots of exceptions/exemptions (initially), but no private right of action. We will see what impact Florida’s legislative roller coaster has on other states and Congress. But for now, I get to enjoy not having to prepare a bunch of webinar slides this weekend on what the new Florida privacy law means to in-house counsel!

 

DISCLAIMER:  The opinions expressed here represent those of Al Saikali and not those of Shook, Hardy & Bacon, LLP, or its clients.  Similarly, the opinions expressed by those providing comments are theirs alone and do not reflect the opinions of Al Saikali, Shook, Hardy & Bacon, or its clients.  All of the data and information provided on this site are for informational purposes only.  It is not legal advice nor should it be relied on as legal advice.

By a vote of 29-11, the Florida Senate passed its version of HB 969 and sent the bill back to the House for consideration of the rewritten version. At this point, there are only two legislative options remaining: (1) the House passes it without any changes, or (2) no privacy law is adopted in Florida during this legislative session. There is not enough time for the House to change the law again and have Senate reconsider/pass it by tomorrow. The odds are high that the House will pass HB 969 tomorrow and Governor DeSantis will sign it.

Assuming that’s the case, advocates on all sides of this law will have “won” and “lost” something, but the consequences of these last few months will have an enormous impact on privacy law moving forward for much more significant reasons than the bill itself. Continue Reading Florida Privacy Bill Passes Penultimate Legislative Hurdle; Significant Implications Follow

With only three days left in the legislative session, and on the morning when my Op-Ed was published by the Tallahassee Democrat, the Florida Senate weighed in on the House’s passage of HB 969.  There were two ways it could have done that: (1) take the House version sent to the Senate via messages and make changes to and vote on that version; or (2) ignore the version provided via messages and simply pass the pending version of SB 1734 in the Senate then send that version to the House via messages. It chose path #1. Moments ago, the  Senate passed a strike-all amendment that struck the entirety of HB 969 and replaced it with a modified version of SB 1734. A separate post will discuss the modified version of SB 1734 in greater detail, but this post briefly explains where things stand now and what to expect next.

Continue Reading What Just Happened With Florida Privacy Legislation?

Within the week, we will know whether Florida will adopt the most aggressive privacy law in the country, something more moderate, or nothing at all. But an issue that has not received enough attention is the reason HB 969 and SB 1734 have received more support in a “red” state than any other privacy law. It is a reason that will come full circle to adversely impact the contingency of supporters using privacy laws as a way to attack “Big Tech.” Continue Reading The Long Game: Why Parler Has Everything To Do With Florida’s Privacy Legislation

The Florida House of Representatives has officially passed HB 969, which would create the most aggressive privacy law in the United States. The bill would apply to companies that generate $50 million or more in annual gross revenue and collect a significant amount of personal information about Florida residents. In addition to imposing CCPA-like compliance obligations on companies, it creates the broadest private right of action ever seen in privacy law. The private right of action for $100 to $750 per consumer per incident would apply to: (1) data breaches of broadly-defined personal information; (2) a company’s failure to comply with a consumer’s request to delete personal information; (3) a company’s failure to comply with a consumer’s request to correct personal information; and (4) a company’s failure to comply with a consumer’s request to opt-out of the sale of their personal information. Further encouraging these lawsuits, the bill would allow for attorney’s fees and costs (for the consumer only, not a prevailing defendant).

House Rep. Ben Diamond (a Democrat and someone who is destined to run for Florida Governor and/or Attorney General at some point in the future) expressed concern on the House Floor about the impact of the law on Florida businesses. He implied that enforcement by the Florida Attorney General, instead of a private right of action, would be the better approach. Nevertheless, he ultimately voted in favor of the bill. The only representative to vote against HB 969 was Rep. Anthony Sabatini (R).

In short, if ever there were a question as to whether the Speaker of the House is fully aligned with the plaintiffs’ bar, the movement of HB 969 through the House provided certainty that he is.

Attention now turns to the Florida Senate, which is considering SB 1734, a more moderate privacy law that does NOT contain a private right of action, but allows the law to be enforced by the Florida Attorney General’s office (like Florida’s data breach notification law). The bill still needs to go through a second and third reading, which is not expected to be completed until early next week (if at all). If the Senate does not pass its version by the end of next week, there will be no change in Florida privacy law.  If the Senate passes SB 1734, a race will begin with many behind-the-scenes negotiations taking place to determine which version of the two versions (or perhaps a modified version of one of them) will become law before the legislative session ends next Friday. These negotiations may include the House Speaker and Senate President pushing for and prioritizing their favorite pieces of legislation (it’s clear from HB 969’s ability to soar relatively untouched through the House how important that law is to the House Speaker).

Next week we can expect “The Big Dog” to get more involved in this dispute and put his finger on the scale, likely pushing one version over the other. But as it stands right now, Team Open-The-Floodgates has scored a touchdown in the fourth quarter to take the lead, but Team Protect-Florida-Businesses has the ball and is driving.

 

DISCLAIMER:  The opinions expressed here represent those of Al Saikali and not those of Shook, Hardy & Bacon, LLP, or its clients.  Similarly, the opinions expressed by those providing comments are theirs alone and do not reflect the opinions of Al Saikali, Shook, Hardy & Bacon, or its clients.  All of the data and information provided on this site are for informational purposes only.  It is not legal advice nor should it be relied on as legal advice.

Despite concerns expressed by House Democrat Ben Diamond about the private right of action, HB 969 passed second reading in the Florida House of Representatives today. The bill now moves to a 3rd reading, which is the last step to passage by the House.

HB 969 would be the most aggressive privacy law in the country, allowing for a private right of action for: (1) data breaches of personal information (broadly defined); (2) a company’s failure to comply with a consumer’s request to delete personal information; (3) a company’s failure to comply with a consumer’s request to correct personal information; and (4) a company’s failure to comply with a consumer’s request to opt out of the sale of their personal information.  Unlike the CCPA, which limits the data breach private right of action to breaches of sensitive information and provides a right to cure, HB 969’s private right of action would apply to a data breach of the broad definition of personal information and the bill contains no opportunity to cure.  It is possible an amendment to HB 969 could be introduced between now and the 3rd reading.

Meanwhile, the Senate version of its privacy law (SB 1734) awaits second reading. That bill would create a more moderate version of a privacy law that would not include a private right of action, would be limited to the sale of personal information, and would be limited in scope to companies that buy or sell a significant amount of personal information.  The Senate version has its own problems, like the fact it adds requirements for “sensitive data” but doesn’t define what that means, and the fact that it requires companies to comply with opt-out requests within two days.

Assuming both versions of the law pass their respective chamber, the Florida Legislature would then have until April 30th to pass a unified version.

In short, we have entered the “fourth quarter” and the score is tied.

 

DISCLAIMER:  The opinions expressed here represent those of Al Saikali and not those of Shook, Hardy & Bacon, LLP, or its clients.  Similarly, the opinions expressed by those providing comments are theirs alone and do not reflect the opinions of Al Saikali, Shook, Hardy & Bacon, or its clients.  All of the data and information provided on this site are for informational purposes only.  It is not legal advice nor should it be relied on as legal advice.