By Jackson Chen
Florida legislators failed to pass a comprehensive privacy law Friday, as the issue of guaranteeing citizens a private right of action against offenders proved to be a major sticking point between the state’s two chambers.
“We started an important conversation about data privacy for Floridians this session and took strong first steps toward common-sense changes,” Republican Rep. Fiona McFarland, who introduced the bill in February to the Florida House of Representatives, said on Twitter over the weekend.
“Although we ran out of time in the 60-day session, the fight for data rights is far from over!”
This year’s session of the Florida Legislature, which began March 3, ended Friday. The Sunshine State, the nation’s third most populous, would have been the latest to enact consumer protections against Big Data’s ability to harvest personal information, following California and Virginia.
While Florida politicians are likely to continue debating the necessity of a private right of action — allowing consumers to individually sue companies for privacy violations — experts told Digital Privacy News that excluding the enforcement mechanism would have made for an ineffective law.
“Although we ran out of time …, the fight for data rights is far from over!”
Rep. Fiona McFarland, R.
“Enforcement has long been a sticking point, because companies don’t want to face consequences for bad behavior,” said Maureen Mahoney, a policy analyst at Consumer Reports. “But without appropriate enforcement, they won’t have incentives to comply.”
Caitriona Fitzgerald, deputy director of the Electronic Privacy Information Center (EPIC), added that a private right of action was a critical enforcement tool in the Florida bill, versus bringing cases to the Florida Attorney General’s Office, with its limited budget and scope.
“The bill, without the private right of action, is not particularly strong,” she told Digital Privacy News. “It’s not much of a privacy bill at all.”
From Inception to Impasse
Known as the Florida Consumer Data Privacy Act, it first was proposed by McFarland and fellow Republicans Gov. Ron DeSantis and House Speaker Chris Sprowls.
The initial House version included provisions to give Floridians more control over their personal information.
Those included the right to request businesses to disclose what personal information was collected, the right for consumers to have collected personal information deleted, the right to correct personal information and a choice to opt out of personal information being sold.
“Enforcement has long been a sticking point, because companies don’t want to face consequences for bad behavior.”
Maureen Mahoney, Consumer Reports.
To protect the new guarantees, the bill would give the Florida Attorney General enforcement power, fining companies up to $2,500 for each unintentional violation and up to $7,500 for every deliberate violation.
The bill also sought to create a limited private right of action, allowing consumers to sue a business for each intentional data-privacy violation for up to $750.
The legislation passed the House last month on a 118-1 vote, with Republican Rep. Anthony Sabatini being the lone dissenter.
McFarland said before the April 21 vote: “No one is a better advocate for their own privacy than themselves.
“The enforcement power of the private sector is the most powerful tool of enforcement we have against this country’s and this world’s most-advanced companies.”
Business Effects
Despite the final vote, some representatives feared the bill could harm Florida businesses.
Democratic Rep. Ben Diamond said that the Legislature should address the sharing and selling of personal data but added that a private right of action could hurt Florida’s pro-business reputation.
“The bill, without the private right of action, is not particularly strong.”
Caitriona Fitzgerald, Electronic Privacy Information Center.
Florida TaxWatch, an independent, nonpartisan research group, argued that the earlier iterations of the House privacy bill would “disproportionately affect smaller businesses with fewer resources to comply.”
While not opposed to protecting Floridians’ privacy, the watchdog group said that the earlier versions could introduce “a boon in private litigation” that would hamper small businesses and the courts.
Senate Strikes Clause
With the basic protective elements of the House bill largely intact, the Florida Senate later offered up several major amendments.
One struck the private right of action. In seeking to protect small businesses, while focusing on bad actors, other amendments altered the thresholds for businesses to comply.
“If a business doesn’t want to have compliance costs, they don’t need to sell our private information.”
Sen. Jennifer Bradley, R.
Those affected by the Senate’s changes, for instance, would be companies that controlled the processing of personal information of 100,000 or more consumers — or firms that controlled or processed the personal data of at least 25,000 consumers but received more than 50% of its global annual revenues from selling such information.
“If a business doesn’t want to have compliance costs, they don’t need to sell our private information,” said Republican Sen. Jennifer Bradley.
Bradley spoke last week as she introduced an amended version of the House bill, which passed the Senate on a 29-11 vote.
“I believe this bill strikes a fair balance between the need for a free flow of information on the internet and protecting our most precious private information,” she said on the Senate floor.
With a far smaller majority in favor, senators expressed concerns about the bill even after several rounds of amendments.
Democratic Sen. Annette Taddeo joined Republican Sen. Jeff Brandes in voting down the bill.
“Strong privacy laws require strong enforcement.”
Hayley Tsukayama, Electronic Frontier Foundation.
They called for a comprehensive federal privacy law, but echoed concerns about how the Florida bill would create unintended costs for business. In addition, Democratic Sen. Gary Farmer was disappointed that the private right of action was stricken, arguing that it was necessary to enforce the bill’s many provisions.
A Watered-Down Bill
Tony Carvajal, executive vice president of Florida TaxWatch, told Digital Privacy News that the privacy bill that emerged from the Senate was far more balanced and considered all affected parties.
He added that leaving enforcement to the attorney general was sufficient.
“The Attorney General’s Office and the Department of Legal Affairs gets to still pursue cases,” Carvajal told Digital Privacy News.
“The fine is actually more than an individual would’ve been able to get.
“It’s good enough to try and limit the bad actors and not just capture all kinds of frivolous lawsuits that come up,” he said.
But privacy experts disagreed over leaving enforcement to the attorney general, arguing that removing the private right of action rendered the privacy bill useless.
“The fine is actually more than an individual would’ve been able to get.”
Tony Carvajal, Florida TaxWatch.
EPIC’s Fitzgerald said that without the right, companies would assess the risk of violating any new privacy law, calculating whether the chances of getting penalized outweighed the risk of not complying.
Fitzgerald also noted the effectiveness of the Illinois Biometric Information Privacy Act, saying its private right of action raised the constant specter of litigation.
Hayley Tsukayama, legislative activist with the Electronic Frontier Foundation, told Digital Privacy News that allowing Floridians to hold companies accountable empowered them to act on their own behalf, to preserve state resources — and to ensure that bad actors faced real consequences for violating privacy.
“Strong privacy laws require strong enforcement,” Tsukayama said. “The inclusion of a private right of action is the most important tool the Florida Legislature can give its constituents.”
Jackson Chen is a Connecticut writer.
Other Privacy Actions in the US
In not passing a privacy law, Florida joined Mississippi, North Dakota and Washington.
Their privacy proposals all included a private right of action, but they ultimately were postponed or frozen in the committee stages.
On the other hand, Massachusetts, Minnesota and New York are debating legislation with a private right of action.
If successful, they would join a patchwork of state privacy regulations across the United States, in the absence of a comprehensive national privacy law.
In March, Virginia became the second state to pass such a privacy law, taking effect in 2023.
California, which last year became the first state to enact a comprehensive privacy law, the California Consumer Privacy Act, updated it with a successful voter referendum in November, the California Privacy Rights Act.
On the federal level, Rep. Suzan DelBene, D-Wash., in March introduced the first comprehensive privacy legislation in Congress.
The bill came more than a week after Virginia signed its privacy law.
It lacks a private right of action, but DelBene’s bill increases resources to the Federal Trade Commission and to state attorneys general offices.
— Jackson Chen
Sources:
- Gov. Ron DeSantis: Governor Ron DeSantis and House Speaker Chris Sprowls Highlight Proposed Legislation to Increase Data Privacy and Security
- Florida Senate: House Bill 969 (2021)
- Florida TaxWatch: Florida TaxWatch Warns Against Florida’s Proposed Privacy Protection Act’s Unintended Consequences, Recommends Economic Study
- Illinois General Assembly: (740 ILCS 14/) Biometric Information Privacy Act
- IAPP: US State Comprehensive Privacy Law Comparison
- Bloomberg Law: Democrat Renews Data Privacy Effort With First Bill of 2021 (1)