Florida will not pass a comprehensive data privacy law for the second year in a row. It will be easy for some to speculate that the bill died because the House insisted on a private right of action. That speculation would be wrong. The bill died because there were multiple differing views on the law’s scope, what activity the law should apply to, and how the law should be enforced. I am confident we will see another data privacy bill introduced next year. But I don’t know how vigorously the new incoming House Speaker will push it.

I have truly enjoyed my experiences in Tallahassee these last two legislative sessions. I found our lawmakers always willing to listen (even if they didn’t change their positions). The ones I met were humble and deferential. They genuinely wanted to learn more about how (and why) companies collect, use, and share personal information. The political climate in Tallahassee was nothing like what I had imagined based on what I see occurred in Washington, DC. I always observed Republicans and Democrats at the local watering holes together every evening. They laughed, shared personal stories, played practical jokes on each other, and engaged in real discussion about their pet projects. I never heard a nasty or demeaning word spoken about a fellow politician, even when there was vehement disagreement with their underlying position on an issue.

I met so political figures who made me proud to be a Floridian. I was blown away by the fortitude and deep knowledge Representative McFarland exhibited fighting for her bill on telephone calls and in committee hearings. I admired the thoughtfulness and moderation Representative Diamond showed in debating the legitimate strengths and real concerns with HB 9. I enjoyed watching the tenacity Representative Learned displayed introducing several amendments that could have resulted in the bill becoming law if they had passed. I appreciated the kind and generous ear Representative Ingoglia gave to individuals like me who went over our allotted time to provide public comment. And then there were all the wonderful folks “behind the scenes” – the legislative aides (in both parties) who wanted to engage in debate/discussion and learn more about the practical implications of the language of their bills.

I can tell you first hand, Florida, you have some amazing leaders in Tallahassee. I truly hope we get to see some of them represent us at the national level.

 

DISCLAIMER:  The opinions expressed here represent those of Al Saikali and not those of Shook, Hardy & Bacon, LLP, or its clients.  Similarly, the opinions expressed by those providing comments are theirs alone and do not reflect the opinions of Al Saikali, Shook, Hardy & Bacon, or its clients.  All of the data and information provided on this site are for informational purposes only.  It is not legal advice nor should it be relied on as legal advice.

The Florida House of Representatives today passed HB 9 by a vote of 103 to 8. The bill would be Florida’s first “comprehensive” data privacy law. You can read this post to learn more about what the bill would do; this one for a deeper dive; and, this one for the latest amendments.

Floor Debate

Unsurprisingly, the floor debate was filled with the same arguments we heard in committee hearings. Unfortunately, that included the myth that HB 9 applies only to companies that buy or sell personal information.  At one point, Rep. Eskamani (D) said, “If you’re not selling data, you are fine. If you are not making off personal identifying information, then you are fine.”  Similarly, Representative Beltran (R) said, “This bill only applies to people who buy and sell people’s data. If you’re not in that business then you shouldn’t have a problem.”

Let’s be clear – this argument is patently and objectively false. As I’ve pointed out in a previous blog post and in my public comment directly to the House Commerce and Judiciary committees, the mere “access” to personal information can trigger this bill’s scope. Nevertheless, from HB 9’s inception, the House leadership promoted the bill as limited only to “companies that buy or sell information” and “companies that earn at least 50% of their revenue from buying or selling personal information.” Why? Because it’s an easier pill to swallow if the House members think the bill is narrowly tailored such that it won’t adversely impact Florida businesses. It’s easier to “vilify” companies that exist primarily to buy/sell personal information. But it’s intellectually dishonest and it festers the growing distrust people have of certain elected leaders.

One of the most insightful comments was by Rep. Diamond (D), who hesitatingly predicted, “I think that this issue is not going to be resolved this session, most likely, as I understand the posture we’re in with regard to the Senate.” Rep. Diamond voted in favor of the bill but encouraged further consideration of a right to cure in the private right of action provision similar to the right to cure built into the Florida Attorney General’s enforcement authority:  “I just wanted to encourage the members of the House that are going to continue to work on this project going forward to the extent it’s not resolved this session to think about the enforcement provisions in this bill versus other ways we could enforce these provisions. Because I do think 99% of the businesses in this state are going to want to come into compliance with these new regulations and we want to provide opportunities for businesses to come into compliance. And that is there in the enforcement mechanism that the representative has in this bill for the Attorney General. It’s geared around businesses coming into compliance. It’s not quite there yet with regard to the private cause of action because there isn’t a formal notice and opportunity to cure provision, but you can’t let the perfect be the enemy of the good.”

Ultimately, 75% of the members who opposed the bill were Democrats, yet Democrats make up only one-third of the House membership.

What’s Next?

After the bill passed the House, it was sent to the Senate and the Senate referred the bill to the Judiciary Committee.  The Judiciary Committee has a number of options at this point, including:

  • Doing nothing. With a little over a week remaining in the legislative session and many priorities still for the Senate to consider, there simply may not be enough time for the Senate Judiciary Committee to consider any draft of a privacy bill. It’s also possible that the Judiciary Committee may not meet again at all.
  • Amending HB 9 with a proposed strike-all (approved by the Senate President). The strike-all would replace HB 9 with a more business-friendly version of a privacy bill that does some or all of the following: removes the private right of action; builds in a right to cure (if a private right of action remains); limits the bill’s scope to companies that only buy or sell personal information; changes the scope to focus on certain kinds of companies; and/or eliminates some of the compliance challenges created by HB 9. That version would pass the Judiciary Committee, then the Senate Floor, and the Senate President would then engage in horse-trading with the House Speaker to pick a version for the Governor to sign.
  • Consider SB 1864. We have forgotten that the Senate has its own privacy bill (which was actually the first privacy bill to be introduced this legislative session). That bill’s sponsor ( Jennifer Bradley) is a member of the Senate Judiciary Committee. That could be the version of a privacy law the Senate Judiciary Committee considers.
  • Consider HB 9 in its current form. Pretty self-explanatory.

If I were forced to pick the most likely option, I’d go with the second one, but the first and third options wouldn’t surprise me either. I don’t think the fourth option is realistic. The next 48 hours could be revealing.

Governor DeSantis, who for the most part has stayed out of the public debate on HB 9 this year, will likely weigh in behind the scenes to push one version over the other. We know the Governor is a supporter of Florida businesses, wants to encourage investment in Florida, and is concerned about the potential for abuse of an unnecessary private right of action, but we also know he supports a law that gives Floridians more control over their data and creates an ability to punish “big tech” for any lack of compliance. A version of HB 9 with a more narrowly-tailored scope and without a private right of action would strike that balance because the Republican Attorney General could still use the law to pursue companies she determined to be in violation of it.

It will be interesting to see how things unfold over the next week.

 

DISCLAIMER:  The opinions expressed here represent those of Al Saikali and not those of Shook, Hardy & Bacon, LLP, or its clients.  Similarly, the opinions expressed by those providing comments are theirs alone and do not reflect the opinions of Al Saikali, Shook, Hardy & Bacon, or its clients.  All of the data and information provided on this site are for informational purposes only.  It is not legal advice nor should it be relied on as legal advice.

It was a busy week for HB 9 in Tallahassee. There was a strike-all amendment, several proposed unfriendly amendments, a House Judiciary Committee meeting, a second strike-all, more unfriendly amendments, and a date for a House floor vote. This post will summarize what happened and provide a roadmap for the final two weeks of the Florida legislative session. Continue Reading HB 9 Moves to House Floor, Democratic Opposition Emerges

In my last post, I wrote about my impression that legislators and staff do not intend for HB 9 to apply to companies that merely “receive” personal information (i.e., those that do not engage in buying or selling personal information). Based on that understanding, I suggested the second threshold of the bill’s scope be amended as follows: “Annually buys, receives, sells, or shares the personal information of 50,000 of more consumers, households, and devices for the purpose of targeted advertising in conjunction with third parties or for a purpose that is not listed under subsection (1).” (You’ll recall that the other two threshold requirements under HB 9 are global annual gross revenue of more than $50 million, and at least 50% of global annual revenue from selling or sharing personal information about consumers.)

I now realize that I missed an important additional change to the definition of “share” that would need to be made in conjunction with the above changes. The bill defines “share” as “to share, rent, release, disclose, disseminate, make available, transfer, or access a consumer’s personal information for advertising or marketing.”  Which of those words is not like the other?  Access. Access is a passive activity that does not require the provision of personal information to another entity.

Why is this change important? Because the removal of “receives” is based on the proposition that companies that merely receive personal information, but do not buy or sell it, should not fall within the bill’s scope.  But if the definition of share includes “access” then companies that merely receive (i.e., access) personal information without buying/selling the information would still be within the bill’s scope.

In short, the bill should also remove the term “access” from definition of share if it is to truly be limited to companies that buy and sell personal information for targeted advertising purposes.

What’s Next for HB 9 and SB 1864?

HB 9 is expected to be heard by the House Judiciary Committee on Wednesday.

The Senate, however, is far more concerned about the $300,000 to $750,000 annual “tax” (in the form of compliance costs) and the potential abuse from a private right of action with statutory damages that a bill like HB 9 will impose on companies doing business in Florida. If HB 9 were to pass, Florida would become the first state in the country to create a private right of action for violation of privacy provisions like right of access, deletion, correction, and opt-in consent. None of these developments are consistent with the state’s attempt to brand itself as business-friendly. In contrast, just north of the border, Georgia has introduced its own privacy bill that would be limited to companies that generate at least 50% of their revenue from selling/buying personal information.

This promises to be an interesting week ahead.

One Last Consideration As We Enter The Final Stretch

I have wondered whether lawmakers have contemplated the impact of HB 9 on their own campaigns. Political campaigning and the research that goes into creating strategy and identifying voters have become extremely sophisticated, as we saw from the Cambridge Analytica issue. To be sure, some of the collected information is public or deidentified/aggregated (and therefore exempt) but much of the information that goes into profiling and research is not. Additionally, political committees/entities are not typically considered “not for profit” entities that would be exempt from the definition of a controller. Nor is much of the information collected directly from the Florida resident.

If political candidates and their campaign committees become controllers (or third parties) under the law, one could see how HB 9 could create problems for legislative and executive branch candidates who will need to devote scarce resources to build compliance programs and potentially defend lawsuits from their opponents supporters that use the private right of action with statutory damages and attorney’s fees to spend money on litigation and create negative publicity. 

 

DISCLAIMER:  The opinions expressed here represent those of Al Saikali and not those of Shook, Hardy & Bacon, LLP, or its clients.  Similarly, the opinions expressed by those providing comments are theirs alone and do not reflect the opinions of Al Saikali, Shook, Hardy & Bacon, or its clients.  All of the data and information provided on this site are for informational purposes only.  It is not legal advice nor should it be relied on as legal advice.

Last week, HB 9 (the leading privacy bill on the House side of the Florida legislature) made its first of two committee stops in the House Commerce Committee. The bill passed unanimously. Just as important, however, the hearing revealed a potential misunderstanding as to the scope of the bill.

This blog post will dive into HB 9’s scope in greater depth, as that may be the most significant issue for companies wondering whether the bill would apply to them. The post will offer suggestions to bridge the disconnect and it will make suggestions to address other concerns many companies have with HB 9. The post ends with an analysis of what to expect next with HB 9 and its Senate counterpart.

Continue Reading The Future Comes Into Focus For HB 9

The Florida House of Representatives has introduced its version of a comprehensive privacy law (HB 9 – no fancy acronym, unlike the FPPA in the Senate).  This blog post will explain the key differences between the House and Senate versions. I also propose two changes to the private right of action that would mitigate the risk of professional plaintiffs filing gotcha lawsuits. The post ends with a roadmap of what to expect moving forward in this legislative session.

Continue Reading Comparing Florida’s Two Leading Privacy Bills

The Florida House of Representatives has released its version of a proposed comprehensive privacy law.  Coming in at 31 pages, HB 9 is sponsored by Representative McFarland (a champion of data privacy on the House side). On quick review, it appears to have some important changes from the version the House considered last year (HB 969), including:

  • a significantly reduced private right of action (no private right of action for data breaches), though the lack of a right to cure will create problems;
  • a universal plug-in option for communicating privacy preferences;
  • annual AG reports to Legislature; and,
  • changes to data retention rules.

I intend to provide more thoughts, a deeper analysis, and a comparison to the Senate’s version within the next 24 hours.

DISCLAIMER:  The opinions expressed here represent those of Al Saikali and not those of Shook, Hardy & Bacon, LLP, or its clients.  Similarly, the opinions expressed by those providing comments are theirs alone and do not reflect the opinions of Al Saikali, Shook, Hardy & Bacon, or its clients.  All of the data and information provided on this site are for informational purposes only.  It is not legal advice nor should it be relied on as legal advice.

This blog post will summarize Senate Bill 1864, released on Friday, which is the first “comprehensive” privacy bill to be released in advance of the 2022 Florida legislative session. This is a long post, so I begin with a “too long, didn’t read” section that I’ve found helpful in articles I’ve read. I then describe the FPPA in detail, but by pulling various pieces of the 34-page law together by subject matter. I close with some personal opinions about this bill and what we can expect in the upcoming legislative session.

Continue Reading Will The FPPA Be Florida’s First Comprehensive Privacy Law?

New regulatory activity may help companies experience fewer ransomware attacks and could impact whether ransoms can be paid to threat actors. The activity includes guidance and sanctions by the Department of Treasury (“Treasury”) and a host of resources provided by the Health and Human Services Office for Civil Rights. This post describes the activity, its impact on companies that experience a ransomware attack, and practical takeaways for in-house counsel.

Continue Reading To Pay or Not To Pay: What New Regulatory Activity Means for Ransomware Victims

The Florida privacy legislation appears to be dead, and the best way to explain it is with the southern adage that “pigs get fat, hogs get slaughtered.” With a strong privacy bill in hand that gave privacy advocates 95% of everything they wanted and approved by the Senate, the House decided it wanted more. It really wanted its private right of action.

Realizing that wasn’t going to happen, the House decided it was better to do nothing than pass a comprehensive privacy law enforced only by the Florida Attorney General. As a result, Florida privacy legislation is dead for 2021.

There will be a lot of Monday-morning-quarterbacking by privacy advocates who pushed too hard and ultimately came away with nothing. Would it have been smarter to start with AG enforcement, then add a private right of action later after a year or two showing that AG enforcement does not meet the mark? All along, was it only important to the House and privacy advocates that the bill provide a private right to sue? Was this bill always just a tool of the plaintiffs’ bar to generate a ton of new revenue through class action lawsuits, and having lost the most important part of that tool, they walked away? How else do we explain the House’s refusal to take up the Senate version that had 95% of the rest of the House version and in some ways was stronger? None of that seems good for Floridians, businesses, or the development of privacy law.

Stepping back, I still believe the blueprint for privacy laws in Red states has been shaped by this process — strong consumer rights accompanied by significant compliance obligations, lots of exceptions/exemptions (initially), but no private right of action. We will see what impact Florida’s legislative roller coaster has on other states and Congress. But for now, I get to enjoy not having to prepare a bunch of webinar slides this weekend on what the new Florida privacy law means to in-house counsel!

 

DISCLAIMER:  The opinions expressed here represent those of Al Saikali and not those of Shook, Hardy & Bacon, LLP, or its clients.  Similarly, the opinions expressed by those providing comments are theirs alone and do not reflect the opinions of Al Saikali, Shook, Hardy & Bacon, or its clients.  All of the data and information provided on this site are for informational purposes only.  It is not legal advice nor should it be relied on as legal advice.