HB 969, a comprehensive privacy law that would immediately become the most onerous in the United States, sailed through the Florida House of Representatives’ Regulatory Reform Subcommittee yesterday.
The following post was prepared by guest contributor, my friend, my brother-in-arms, and newly-minted Partner in Shook’s Privacy and Data Security Practice, Colman McCarthy.
The Florida Legislature is considering a comprehensive privacy law (HB 969) that would fundamentally change the landscape of how/whether companies do business in Florida. The bill is largely a “cut-and-paste” of the California Consumer Privacy Act (CCPA), but in some ways, it goes further than the CCPA and would make Florida’s law the most aggressive privacy law in the United States. As I have previously described, the bill would create significant privacy rights for Florida residents, including the right to know what personal information companies are collecting about them, the source of that information, how the information is being shared, a right to request a copy of that information, and a right to delete/correct that information. But the law goes too far – placing a crushing financial burden on most small and medium-sized businesses and creating a private right of action that dwarfs California’s version. This post analyzes the five most significant problems with HB 969 and proposes solutions.
Yesterday, the Governor of Florida threw his support behind a newly introduced consumer data privacy bill (HB 969) which is very similar to the California Consumer Privacy Act of 2018. The Governor’s support is a significant development given that he and both chambers of the Florida Legislature are Republican and, to date, there has not been any aligned support for a privacy law since the Florida Information Protection Act (FIPA), Florida’s data breach notification law. Nevertheless, as with the CCPA, the bill proposes a boondoggle for the plaintiffs’ bar in the form of a private right of action for data breaches and statutory damages, which could present a significant obstacle to passage in the bill’s current form, particularly for a fairly business-friendly Florida Legislature.
Yesterday, in a 26-page opinion, the 11th U.S. Circuit Court of Appeals weighed in on two important questions in the world of privacy and data breach litigation. First, does a plaintiff have standing where he was exposed to a substantial risk of future identity theft, even though there was no misuse of his information? The court’s answer is no. Second, what efforts to mitigate this risk does a plaintiff need to undertake to meet the standing requirement? Here, the court held that the plaintiff essentially manufactured his own injuries (wasted time, lost use of his preferred card, and lost credit card benefits) by voluntarily canceling his credit card, which is not enough to confer standing.
The Florida Senate and House of Representatives are considering two bills (SB 1670 and HB 963) that, if adopted, will amend Florida law to create the state’s first comprehensive privacy law (though they do not go nearly as far as the CCPA). The proposed amendments would: (1) prohibit the use of personal data in public records maintained by state agencies for unsolicited marketing purposes, and (2) require companies doing business online to provide notice of their personal data collection/use activities and allow consumers to opt out of the sale of that data to third parties. This article takes a deeper look at the proposed amendments, provides some context for them, and discusses the likelihood that they will become law. (Spoiler alert: the proposed amendments are significant and well-intended, but currently contain some flaws that, if addressed, create a good chance of the amendments becoming law).
An identical version of the Illinois Biometric Information Privacy Act (BIPA) has been introduced in the Florida Senate. The bill includes the same private right of action. The Illinois BIPA has become an enormous revenue earner for the plaintiffs’ bar, who have filed gotcha lawsuits against companies seeking millions of dollars on the ground that the companies did not comply with all of the technical requirements of the law. I suspect that is a similar driving force behind the Florida version.
The Illinois Supreme Court’s decision last week in Rosenbach v. Six Flags may have closed the first of what will be several chapters in class action litigation arising from the Illinois Biometric Information Privacy Act (BIPA). The court addressed the very narrow issue of what it means for a person to be “aggrieved” under BIPA. Ultimately, the court held that a violation of the notice, consent, disclosure, or other requirements of BIPA alone, without proof of actual harm, is sufficient for a person to be considered “aggrieved” by a violation of the law.
On Friday afternoon an Illinois intermediate appellate court decided that the bar for a plaintiff bringing a class action lawsuit under the Illinois Biometric Information Privacy Act (BIPA) is low, creating a conflict with its sister intermediate appellate court. The Illinois Supreme Court is expected to resolve the conflict early next year. How the court resolves the conflict will significantly impact companies doing business in Illinois.
In three months, the EU’s General Data Protection Regulation (GDPR), one of the strictest privacy laws in the world, will go into effect. It will apply to companies that collect or process personal data of EU residents, regardless of whether the company is physically located in the EU. Companies that violate the law will be penalized up to 4% of their annual worldwide revenue for the preceding financial year or 20,000,000 EUR, whichever is greater. Is your organization ready?
Shook’s Privacy and Data Security Team regularly counsels multinational companies to comply with international privacy laws like the GDPR. In an effort to help in-house lawyers understand whether the GDPR applies to their organizations and how to minimize its risks, we have prepared a webinar that provides tips on developing a GDPR compliance program. The webinar is on-demand and complimentary. Check it out here, and feel free to leave comments.