Modeled after a California law that last year became the strongest data privacy law in the country, SB 1734 creates the Florida Privacy Protection Act and requires businesses to tell consumers what information they've collected and how they're going to use it. The bill requires any company that collects and sells consumer information to establish a button on its website to allow consumers to opt out of allowing the company to sell the information it has collected about them.
"The landscape of the Internet has changed considerably in a relatively short period of time, and the internet of today is a one-way street, where the most intimate details of the consumer's life are monetized, and sold to the highest bidder," said Sen. Jennifer Bradley, a Fleming Island Republican who is sponsoring the Senate bill. "The financial success of these companies who market our private lives are built on the consumer's lack of knowledge and lack of consent to this process."
Bradley said the goal of the measure is to "shift the balance of power over data collection back to consumers" by requiring companies to give notice of their practices and seek consent from consumers. Since California adopted a similar law in 2020, companies across the state have placed "do not sell my information buttons" on their web pages, and the state has set up model templates.
In November, California voters went further in strengthening the privacy laws by passing Proposition 24. It added new requirements for businesses to protect personal information, including by "reasonably" minimizing data collection, limiting data retention, and protecting data security. A similar privacy law was passed in Illinois. And in Europe, the General Data Protection Regulation (GDPR) protects personal data and restricts the use of it by business entities and internet companies.
Bradley's more modest proposal, however, is fiercely opposed by Florida businesses, many of whom make money off selling people's data.
"The cost would be significant to comply with this law," said Alfred Saikali, chair of the Privacy and Data Security Practice at the Shook, Hardy & Bacon law firm in Miami. "You're going to have to purchase technology, you're going to have to perform data inventories, you're going to have to hire lawyers, like myself."
In an attempt to reach a middle ground Tuesday during the Senate Rules Committee meeting, Bradley introduced a strike-all amendment to her bill that creates a loophole for companies that contract with a "service provider" to handle their data. She also limited the businesses required to comply to those that sell personal information of more than 100,000 customers to third parties, or businesses that derive 50 percent or more of their global annual revenues from selling or sharing personal information about consumers.
And in a major concession to the Florida Chamber of Commerce and Associated Industries of Florida, Bradley agreed to remove the enforcement teeth by eliminating a provision that allowed consumers to sue businesses if they could show their private data was sold in violation of the proposal. The Florida Attorney General's office would be responsible for enforcing the law, which would take effect July 1, 2022.
Despite the deep concessions, industry lobbyists remained opposed to the measure and an advocacy group that supports the legislation but won't identify its donors, warned that the change could undermine the intent of the bill.
"The amendment to the bill changes the definition of 'sale' in a way that allows Big Tech to share or loan private data to anyone they want — without consumers knowing or having anything to say about it," said Ron Sachs, spokesman for Propel Florida, the advocacy organization. "It enables those giant companies to escape legal accountability and any responsibility to get any consumer's permission."
The Cost of Compliance
Brewster Bevis, lobbyist for Associated Industries of Florida, said that while the amendments were helpful the bill "is still going to cost Florida businesses a gigantic amount."Florida TaxWatch, a non-profit research organization funded by business, produced a study that estimated it would cost Florida businesses $36.5 billion to develop the technology and meet the requirements.
"These compliance costs would disproportionately affect smaller businesses with fewer resources to comply, which is why Florida TaxWatch recommends state policymakers first conduct a formal economic impact analysis to study the possible effects of the law change and delay implementation beyond January 1, 2022, until more can be known," said Dominic Calabro, TaxWatch president, in a statement.
Sen. Jeff Brandes, a St. Petersburg Republican, argued that Florida should not attempt to regulate data on its own.
"The thought that you could have 50 different privacy laws in 50 different states around the country and any business could potentially possibly comply with that is unfathomable," he said.
But senators from both sides of the political aisle commend Bradley for tackling the issue. Sen. Dennis Baxley, an Ocala Republican, said there is wide public support for privacy restrictions. According to the Senate staff analysis, the Pew Research Institute found that 84 percent of Americans say they feel they have very little or no control over the data that is collected about them by both the government and private companies, but few people read privacy policies.
"We have an enormous, enormous amount of personal data risks out there that ordinary people are very concerned about what's happening," Baxley said.
Senate Democratic Leader Gary Farmer of Lighthouse Point said "the time has come to level the playing field when it comes to our rights of privacy."
"You know our Founding Fathers anticipated this type of stuff when they put privacy in the Constitution," Farmer said. "But now we've got to go farther and ensure that we have a say in what happens to our personal information."
The Issue is Privacy, But Secrecy Shields Donation
In a classic irony, Politico has reported that a nonprofit named Propel Florida, which lists its address as a UPS box in Hillsborough County, has contributed $300,000 to legislators to get the data privacy law passed. Propel Florida does not disclose its donors and has hired a Tallahassee-based lobbying team. Even the lobbyists told the Herald/ Times they don't know who is funding the effort.Before the Rules Committee approved her bill, Bradley assured her colleagues: "This is not the California law" and promised that the compliance costs "are going to be much lower."
But, she added, there is also a cost to consumers because of their lack of privacy. "Their information is put into predictive analysis that's going to affect their credit worthiness, their employability," she said. "They're the only ones bearing the cost of this, and they can't delete it." Bradley did not respond to requests for comment about Propel Florida's position on her amendment.
A companion House bill, HB 969, retains the private right of action for any consumer who alleges a violation to file a lawsuit. It is being sponsored by Rep. Fiona McFarland, R- Sarasota, but opponents warn it will encourage lawsuits. California's law includes the private right of action and, according to the Senate staff analysis of the bill, there have been no lawsuits filed in the first year the law was in effect.
(c)2021 Miami Herald Distributed by Tribune Content Agency, LLC.
