By a vote of 29-11, the Florida Senate passed its version of HB 969 and sent the bill back to the House for consideration of the rewritten version. At this point, there are only two legislative options remaining: (1) the House passes it without any changes, or (2) no privacy law is adopted in Florida during this legislative session. There is not enough time for the House to change the law again and have Senate reconsider/pass it by tomorrow. The odds are high that the House will pass HB 969 tomorrow and Governor DeSantis will sign it.

Assuming that’s the case, advocates on all sides of this law will have “won” and “lost” something, but the consequences of these last few months will have an enormous impact on privacy law moving forward for much more significant reasons than the bill itself.

With the bill’s passage, privacy advocates will have accomplished something they’ve never done before – passed a comprehensive privacy bill in a “red” state. More importantly, they will have figured out a formula they can replicate in other states and at the federal level. Additionally, the Florida law is no small privacy law. It provides consumers with some of the strongest rights to control their personal information of any privacy law in the country.

Businesses, too, have accomplished something. They made an important stand against the private right to sue and the abuse of statutory damages in privacy laws. The plaintiffs’ bar provided great ammunition by filing over 1,100 BIPA class actions, almost 100 class actions under the CCPA within the law’s first year, and thousands of lawsuits under the TCPA and FCRA throughout the country. To be sure, some of those lawsuits may have merit and it’s wrong to paint the plaintiffs’ bar with the same broad brush. But the harmful financial impact these lawsuits have had on businesses trying to do the right thing and making mistakes (often technical ones) is objectively real. As a result, we could now see the pendulum swing the other way.

Conservatives looking to attack social media companies they perceive as having a liberal agenda have also “won” the ability to leverage Florida’s Republican Attorney General to bring enforcement actions. For example, you could envision a situation where a social media company suffers a data breach, and the Florida AG then brings an enforcement action based on an alleged violation of the law’s requirement of reasonable security practices and procedures. You could also see the inadvertent failure to disclose a selling practice in the online privacy policy as the basis of a similar enforcement action. The law allows for fines of $2,500 per violation (though it’s not clear how to calculate a “violation”), so any slip-up could result in enormous regulatory fines if the “$2,500 per violation” provision means “$2,500 per affected individual.”

These same conservative groups, however, may have “lost” something in the long game. We have a Republican AG now, but that won’t always be the case, and the conservative social media applications are coming out of the woodwork. What’s good for the goose will be good for the gander.

In sum, the finish line is in sight, and what Florida is about to do is one of the most significant developments in the history of privacy law that will have an enormous impact well into the future.


DISCLAIMER:  The opinions expressed here represent those of Al Saikali and not those of Shook, Hardy & Bacon, LLP, or its clients.  Similarly, the opinions expressed by those providing comments are theirs alone and do not reflect the opinions of Al Saikali, Shook, Hardy & Bacon, or its clients.  All of the data and information provided on this site are for informational purposes only.  It is not legal advice nor should it be relied on as legal advice.