Fearing that it would lead to a flurry of lawsuits for local businesses, the Florida Senate killed a once-promising comprehensive data privacy bill. This comes after comparable bills from Washington state and Oklahoma met a similar fate. Here’s the scoop.
The Florida state House passed a comprehensive California Consumer Protection Act (CCPA)-like consumer data privacy bill with overwhelming support – a rare demonstration of bipartisanship coming out of a notorious swing state late last month. But, on April 30, the proposed law met its fatal blow in the state Senate.
Florida’s proposed bill, House Bill (HB) 969, had it passed in the Senate and been signed into law, would have expanded consumers’ visibility into how companies use consumer data and put a greater burden on businesses to comply with consumer requests regarding the collection, use and sale of their information.
The gist of the bill
HB 969 would have applied to any company doing business in Florida with a minimum of $50m in annual revenue, as well as to any company that collects, sells or shares data on 50,000 or more customers annually or can attribute at least half of its revenue to the sale of consumer data.
The bill would force companies to reveal what kinds of consumer data they gather. It would also give consumers the right to request deletion of their data and decide whether or not they wanted their data to be collected or resold. It put a greater burden on businesses to comply with such requests, as it would also make companies liable for selling consumer data if consumers have requested otherwise.
Why it failed
The bill was supported by 119 of 120 members of the House chamber, but was much more divisive in the Senate.
HB 969 garnered major opposition from Florida businesses, particularly in the technology and advertising sectors, many of whom felt that the bill exposed businesses to too much liability, as they could face prosecution for selling consumer data after consumers requested to opt out of sale – a consumer provision called ‘private right of action’. More than 300 lobbyists were registered to comment on the bill throughout the legislative process.
Cillian Kieran, chief executive and founder of data privacy software company Ethyca, says: “From what we know, the Florida bill died because the House and Senate could not align on a private right of action – in other words, an individual’s ability to sue a company for privacy damages. The Senate’s version of the bill removed the private right of action, and House members clearly felt this left the law toothless.
“We saw the same dynamic in Washington state recently – the WPA died in the legislature because staunch privacy advocates were unwilling to pass a watered-down bill with no private right of action. This feature has been a key sticking point at the federal level also.
“It’s worth noting that Europe’s GDPR, generally considered to be the world’s gold standard for privacy, contains no private right of action; enforcement is handled by national regulatory agencies that field consumer complaints. But in the United States, [both sides are] willing to go to the mats [over this issue]. This poses a real impediment on prospects for passing legislation at state and federal levels.”
HB 969, like the California Privacy Rights Act (CPRA) – the updated version of CCPA – and the Virginia Consumer Data Protection Act (VCDPA), included a definition for ‘sensitive personal information’ for which additional provisions were outlined. However, the parameters for ‘sensitive personal information’ outlined in the Florida law were broader than many other such proposals and would give the bill a much broader reach than its counterparts. This framework, in combination with the compliance burden put on companies by the opt-out provisions, could have created significant hurdles for many businesses and expose them to potential lawsuits.
A state Senate committee recently made a number of adjustments to the provisions of the bill in order to reduce the compliance burden on businesses. Many industry groups, businesses and Senate members, however, remained opposed to its adoption, arguing that the provisions still went too far.
The bill faced a vote in the state Senate on Friday April 30. Though it garnered 29 votes in favor of passing, it did not meet the necessary threshold and came to a sputtering halt.
What it means for marketers
As it stands, just two states – California and Virginia – have enacted sweeping consumer data protection legislation. While HB 969-like proposals are in movement across the country, there is no significant momentum on the federal level yet.
Today, marketers who depend on the collection, sale and use of consumer data must comply with all applicable state-level legislation. A growing number of state data privacy laws force marketers to remain nimble in order to meet all necessary requirements and ensure they are not left exposed to fines or lawsuits.
Kieran, like other experts, sees additional state legislation on the horizon. “The landscape is still highly dynamic – observers think Alaska might be the next state to follow Virginia in passing a CCPA-style modern privacy law,” he says. But as a growing number of states grapple with proposals of their own, many are left wondering if and when federal action will be taken.
Jules Polonetsky, chief executive of the Future of Privacy Forum, claims that the piecemeal approach can’t continue. He says that federal legislation will be the ultimate decider on the ongoing debates surrounding consumer data privacy. “We need federal law to decide what is or isn’t permissible when it comes to robust uses of data by companies that have a lot of data. And then you can then talk about competition – once we’ve determined what is actually fair for the users.” He says that the Biden administration needs to step in to help get the ball moving, as “Congress is really failing us by waiting”.