Considerations for Florida’s 2023 Privacy Journey
Florida was recently shown to be the fourth worst state for data breaches in the United States. The state has taken measures to improve cybersecurity, joining the flurry of other states’ activity this year to find a legislative solution to data privacy and security. These efforts are aimed at ensuring that data ranging from health information to information on our shopping habits is safeguarded and not wrongly used by companies. While there are beneficial aspects to Florida’s approach, it would not apply outside of the biggest private companies, which would limit the overall benefit to data privacy and security. Fortunately, there is still an opportunity to make changes.
It is understandable that Florida wants to take action in the absence of a federal data privacy and security law, but it is even more important for Congress to pass a national law so Floridians can be confident that their data privacy and security is protected nationwide and so companies do not have to follow a patchwork of state laws.
SB 262 would permit Floridians to know what data is collected on them, request that it be deleted, and opt out of allowing the sale or sharing of the information, among other rights. The bill also includes enforcement mechanisms against entities that violate the law, including for the improper collection and use of data. Broader measures aimed at limiting interactions with social media companies by government entities and officials, such as content moderation, are also included.
The challenge with all privacy legislation is balancing the concerns of consumers, industry and security. On one hand, legislation should not become a compliance burden for companies, especially small and medium-sized businesses. On the other hand, it is important to have meaningful protection of consumer privacy, particularly as virtually every facet of our daily lives is online or contained in electronic files, whether it is health records or credit card statements.
SB 262 should weigh these concerns carefully. As it stands, the legislation would only apply to entities that exceed $1 billion in gross revenues and either derive 50 percent or more of their revenue from targeted ads or operate “consumer smart speaker and voice command component services.” Therefore, this limits the companies that would be covered to only the largest. However, companies of all sizes have proven that they can violate basic data privacy and security standards. For example, data brokers are often small in size but handle very sensitive data. While small Florida businesses that do not collect large amounts of data should not be covered by the legislation in most cases, a balance is important.
In addition, the enforcement provisions of SB 262 could be adjusted. It sets out potential penalties of $50,000 per violation and even $150,000 in some cases. Penalties can be important to hold violators accountable, but limits are important to prevent overly aggressive regulators and excessive fines that go beyond accomplishing what is needed to penalize or deter. This could include a cap and greater clarity on what counts as a violation.
Of note, this legislation also includes a “right to cure.” This means that an entity would have 45 calendar days to fix a violation and avoid enforcement action. The goal of any legislation should be to improve data privacy and data security and achieve compliance rather than being enforcement heavy, so a right to cure is a good approach that has been proven to work. However, SB 262’s “right to cure” is currently discretionary. It would be better to offer this to all companies on a uniform basis. This would provide certainty for businesses and also help Floridians have their privacy harms addressed in a timelier manner.
The legislation also relies on providing notice to Floridians or making information available before doing a series of actions, similar to how search engines operate or collect certain forms of data. Providing notice and more information to make an informed choice is positive, but too much of this information can have the opposite effect. Consumers can easily be overwhelmed by the information, not read or understand it, and have the burden shifted to them. An approach that puts an emphasis on limiting the amount of data collected in the first place to only what is necessary, like other states have done, could be beneficial. Florida’s interest in addressing data privacy and security concerns is laudable in the absence of congressional action. Given the impact it could have on the private sector and the need for action for data privacy and security to help Floridians, getting any solution right is critical.