Florida has joined the ranks of the states adding a groundbreaking Data Privacy and Security Law, effective July 1, 2024.
Embedded in the Technology Transparency Act are the “Digital Bill of Rights”; several provisions regarding consumer data and the controllers who collect it; specific requirements for controllers to comply with consumer requests, including an appeals process; privacy notices; a requirement that certain persons obtain consumer consent before engaging in the sale of sensitive personal data; and civil penalties.
Notably, there is NO private cause of action.
The Digital Bill of Rights (Fla. Stat. 501.701) includes:
- The right to control personal data, including the right to confirm, access, and delete your personal data from a social platform;
- The right to know that your personal data will not be used against you when purchasing a home, obtaining health insurance, or being hired;
- The right to know how internet search engines manipulate search results;
- The right to opt out of having personal data sold; and
- The right to protect children from personal data collection.
This law directly impacts Big Tech!
It focuses on controllers, which are defined generally as a for-profit legal entity that conducts business in Florida, collects personal data about consumers, determines the purposes and means of processing personal data, makes in excess of $1 billion in global gross annual revenues, and satisfies one of three additional criteria: derives 50% or more of its global gross revenues from the sale of advertisements online, operates a consumer smart speaker and voice command component, or operates an app store.
A brief overview of the new law:
Submitting Consumer Requests
A controller shall establish two or more methods to enable consumers to submit a request to exercise their consumer rights under this part. The methods must be secure, reliable, and clearly and conspicuously accessible.
Comply with Consumer Requests
A controller shall respond to the consumer request without undue delay, which may not be later than 45 days after the date of receipt of the request. If a controller cannot take action regarding the consumer’s request, the controller must inform the consumer without undue delay, which may not be later than 45 days after the date of receipt of the request, of the justification for the inability to take action on the request and provide instructions on how to appeal the decision.
A controller shall provide information or take action in response to a consumer request free of charge, at least twice annually per consumer. However, if a request from a consumer is manifestly unfounded, excessive, or repetitive, the controller may charge the consumer a reasonable fee to cover the administrative costs of complying with the request or may decline to act on the request.
Waiver or Limitation of Consumer Rights Prohibited
Any provision of a contract or agreement which waives or limits in any way as described by s. herein is contrary to public policy and is void and unenforceable.
Consumer Privacy Notice
A controller shall provide consumers with a reasonably accessible and clear privacy notice, updated at least annually, that includes all of the following information:
(a) The categories of personal data processed by the controller, including, if applicable, any sensitive data processed by the controller.
(b) The purpose of processing personal data.
(c) How consumers may exercise their rights, including the process by which a consumer may appeal a controller’s decision with regard to the consumer’s request.
(d) If applicable, the categories of personal data that the controller shares with third parties.
(e) If applicable, the categories of third parties with whom the controller shares personal data.
(f) A description of the methods by which consumers can submit requests to exercise their consumer rights under this part.
Sale of Personal Consumer Data
If a controller engages in the sale of personal data that is sensitive data, the controller must provide the following notice: “NOTICE: This website may sell your sensitive personal data.”
If a controller engages in the sale of personal data that is biometric data, the controller must provide the following notice: “NOTICE: This website may sell your biometric personal data.”
If a controller sells personal data to third parties or processes personal data for targeted advertising, the controller must clearly and conspicuously disclose that process and the manner in which a consumer may exercise the right to opt out of that process.
Civil Penalties (with a 45-day cure period allowed)
A violation of this part is an unfair and deceptive trade practice actionable under part II of this chapter solely by the Department of Legal Affairs.
In addition to other remedies under part II of this chapter, the department may collect a civil penalty of up to $50,000 per violation.
After the department has notified a person in writing of an alleged violation, the department may grant a 45-day period to cure the alleged violation and issue a letter of guidance.
Florida has now joined Indiana, Tennessee, Montana, and Washington in passing major privacy bills THIS YEAR ALONE!