Florida lawmakers are considering two comprehensive state privacy laws this session, one of which includes a “private right of action”. But the state’s House of Representatives rejected similar legislation last year—precisely because it included such a provision.


A private right of action provides grounds for consumers to bring a civil claim against a business that violates the law under certain conditions.

When draft privacy laws are considered by state lawmakers, businesses typically lobby hard against the inclusion of a private right of action. Many organizations and politicians would prefer enforcement to sit exclusively with a public office such as the state’s Attorney General.

Currently, the only comprehensive US state privacy law with a private right of action is the California Consumer Privacy Act (CCPA). The California Privacy Rights Act (CPRA), which will come into force on Jan 1, 2023, also contains a private right of action.

The CCPA’s private right of action is relatively limited. Consumers may only sue a business that is responsible for a (narrowly-defined) data breach that involves some very specific types of personal information. 

Like several other state legislatures, Florida’s House of Representatives considered a privacy law containing a much broader private right of action in 2021. 

The bill failed to pass. But this year, the Sunshine State is trying again.

Florida’s 2021 House Privacy Bill

Here’s a look at Florida’s HB 696, the House privacy bill that failed to pass last year. Compared to the CCPA, HB 696 included a relatively powerful private right of action. 

Under early versions of HB 696, consumers would have been able to sue a business under any of the following conditions:

  1. Failing to uphold the law’s “reasonable security” duties, resulting in the unauthorized access and exfiltration, theft, or disclosure of a consumer’s nonencrypted and nonredacted email address in combination with information that would allow access to the account (i.e., a data breach involving email addresses and passwords);
  2. Failing to fulfill a valid “verifiable consumer request” under the law’s rights to deletion or correction;
  3. Continuing to sell or share a consumer’s personal information despite a valid request under the law’s “right to opt out”;
  4. Selling or sharing the personal information of a minor under 16 without obtaining parental consent.

Much like California’s privacy laws, the Florida bill would have empowered courts to order controllers and processors to pay statutory damages of between $100-$750 or actual damages, plus reasonable costs. This could add up to billions of dollars for a large-scale data breach.

It’s also worth noting that Florida’s other 2021 draft privacy law, SB 1734, originally contained a private right of action, but that provision was struck out by an amendment—and the bill eventually failed to pass before the end of the state’s legislative session in April 2021.

There’s another privacy bill before the Senate this session, SB 1864, which, like its Senate predecessor, doesn’t contain a private right of action.

Florida’s 2022 House Privacy Bill

Now let’s look at the new privacy bill that Florida’s House of Representatives will consider this year, HB 9. Like last year’s HB 696, 2022’s HB 9 also contains a private right of action. But how is the law different from its predecessor, and will its differences make the law more likely to pass?

HB 9 shares three of the four grounds on which to bring a civil claim with last year’s HB 696:

  1. Failing to fulfill a valid “verifiable consumer request” under the law’s rights to deletion or correction;
  2. Continuing to sell or share a consumer’s personal information despite a valid request under the law’s “right to opt out”;
  3. Selling or sharing the personal information of a minor under 16 without obtaining parental consent.

The bill contains the same rules around damages as 2021’s draft law (statutory damages of between $100-$750 or actual damages, plus reasonable costs).

Interestingly, HB 9 does not allow a consumer to bring a civil claim on the basis of a data breach. This distinguishes the bill from the CCPA and CPRA, which only allow for civil claims that result from a data breach.

The removal of a civil right to sue following a data breach represents a significant watering-down of the law’s private right of action. 

Consumers in any state can, of course, sue a business in tort if they incur damages from a data breach, provided they can prove liability in negligence (among other requirements).

As mentioned, a statutory damages regime can lead to some eye-watering potential damages claims in the case of a large-scale data breach. Perhaps removing these grounds for bringing a civil claim will be enough to placate nervous businesses that might otherwise lobby against the bill.

Could HB 9’s Private Right of Action Be The Bill’s Undoing?

As mentioned, businesses hate the private right of action. These provisions have led to the downfall of many draft privacy bills.

Washington, for example, has had several years of attempting to pass doomed privacy laws. The most common bone of contention has been the presence of a private right of action in these bills.

To some extent, it’s understandable that businesses that are liable to become the subject of civil privacy claims are apprehensive. 

According to law firm Perkins Coie, there are nearly 200 ongoing California cases that cite the CCPA as of January 2022. And while most of these cases are unlikely to result in significant payouts, they each present a major inconvenience for some CCPA-covered entity—many of whom appear not to have violated the law at all.

By slimming down HB 9’s private right of action, lawmakers may have done enough to get it over the finishing line. 

But Florida’s other draft privacy law, SB 1864, which does not contain a private right of action, might be more likely to pass than its House counterpart.
