Last week the Florida Senate passed its version of a comprehensive privacy law (SB 262), entitled the Florida Digital Bill of Rights. If signed by Governor DeSantis, the Digital Bill of Rights will require large companies (those with at least $1 billion in annual global gross revenues that also meet other criteria) to provide consumers with certain rights, including rights of access, correction and deletion; opt-in consent for the processing of sensitive personal data and the data of known children; and the right to opt out of targeted advertising, profiling, and the collection of data through voice recognition features. Although the threshold for coverage is high, the obligations are significant, including reasonable security measures, fair information practices, data protection assessments, mandated data retention limits, specific disclosures if the controller engages in targeted advertising, and a controversial requirement to disclose search engine methodology. Although there is no private cause of action, the Florida Department of Legal Affairs can enforce the law and impose civil penalties of up to $50,000 per violation, trebled in certain instances. SB 262 also imposes restrictions on government employees’ dealings with social media companies and amends Florida’s data breach notice statute, adding biometric data and “any” geolocation data to the list of personal data that must be protected by reasonable security measures and whose compromise will trigger a breach notice under Florida’s 30-day notice requirement.
The threshold for coverage is high and targets online advertisers and large technology companies. Like most state comprehensive privacy laws (California’s CCPA being the exception), the Florida Act uses the EU GDPR’s “controller” and “processor” terminology. A “controller” is an entity that conducts business in Florida or produces a product or service used by Florida residents; collects personal data about “consumers” (either directly or through another party on its behalf); determines the purposes and means of processing that personal data, alone or jointly with others; makes in excess of $1 billion in global gross annual revenues; and
- derives 50 percent or more of its global gross annual revenues from the sale of advertisements online, including providing targeted advertising or the sale of advertisements online;
- operates a “consumer smart speaker and voice command component service with an integrated virtual assistant connected to a cloud computing service that uses hands-free verbal activation” (think Apple’s Siri function or Amazon’s Alexa), but excluding certain voice command features connected to a vehicle that is operated by a motor vehicle manufacturer; or
- operates an app store or a digital distribution platform that offers at least 250,000 different software applications for consumers to download and install.
A business can be covered by the Act even if it neither conducts business in Florida nor targets goods and services to Florida residents: it is sufficient that the business produces a product or service “used by” Florida residents and processes or sells personal data. “Processor” and “processing” carry the definitions commonly used in other comprehensive privacy laws.
Perhaps unnecessarily, given the narrow definition of “controller”, the Act contains exceptions for financial institutions and data subject to the GLBA, covered entities and business associates under HIPAA’s privacy and security rules, non-profits, and other specified entities and data. Like other state comprehensive privacy laws, the Act expressly does not restrict an entity’s use of personal data for certain purposes, such as responding to a subpoena, complying with the law, defending against a legal claim, preventing fraud, harassment, identity theft and other illegal activity, and specified internal purposes.
The law protects consumers who are residents of or domiciled in Florida, but only when they are acting in an individual or household context. It does not apply to employees or to other individuals acting in a commercial context.
Consistent with other state comprehensive privacy laws, the Act applies to a broad range of data: data that is linked or reasonably linkable to an identified or identifiable person, including pseudonymous data when it is used with other data that reasonably links it to an identified or identifiable individual. The Act excludes only de-identified and publicly available information from the definition of personal data; de-identified data is data that cannot reasonably be linked to an individual or to a device linked to that individual. Unlike the CCPA, the Act does not enumerate categories of personal data.
Following the trend set by Virginia’s Consumer Data Protection Act, Florida’s proposed law protects a special category of sensitive data, defined as personal data revealing an individual’s racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status; genetic or biometric data processed for the purpose of uniquely identifying an individual; personal data collected from a known child; and precise geolocation data (data that locates an individual within a radius of 1,750 feet).
The Florida Digital Bill of Rights includes a definition of “aggregate” consumer information similar to that in the California Consumer Privacy Act: information relating to a group from which the identities of individuals have been removed and that is not reasonably capable of being linked, directly or indirectly, to a consumer, household or device. Notably, the Florida law explicitly excludes from the definition of aggregate consumer information “information about a group or category of consumers used to facilitate targeted ads or even a display of ads online.”
Focus on Targeted Advertising and Selling Personal Data
The Act’s prohibitions include a particular focus on businesses engaged in targeted advertising and the sale of personal data. Unlike some more recent comprehensive data privacy laws, Florida adopts the CCPA’s broad definition of “sale” as including the sharing, disclosure, or transfer of personal data for “monetary or other valuable consideration.” Sale does not include such sharing with the consumer, controller, processor, or affiliate (whether by virtue of control or common branding) of the controller, disclosure to others in order to provide the product or service requested by the consumer, or disclosure of certain information that the consumer intentionally made public.
“Targeted advertising” carries a familiar meaning: displaying advertisements to a consumer based on personal data “obtained from that consumer’s activities over time and across nonaffiliated websites or online applications to predict the consumer’s preferences or interests.” Like other laws, the Act excludes ads based on the consumer’s activities on the controller’s own website or apps, on the consumer’s current search query or site visit, or shown in response to the consumer’s request for information or feedback. Targeted advertising also does not include processing undertaken to measure and report advertising performance, reach and frequency. The Florida Act appears to go a step further than other states’ privacy laws by requiring a controller that engages in targeted advertising to provide clear and conspicuous notice of that “process.”
Disclosure of Search Engine Methodology
Another example of the Act’s tech focus is its unique requirement for search engines. Specifically, a controller that operates a search engine must make easily accessible on its website “an up-to-date plain language description of the main parameters that are individually or collectively the most significant in determining the ranking and the relative importance of those main parameters.” Controversially, the disclosure must include “the prioritization or deprioritization of political partisanship or political ideology in search results.” The controller need not disclose algorithms or other data that would, with reasonable certainty, enable deception of or harm to consumers through manipulation of search results. “Search engine” is defined as “technology and systems that use algorithms to sift through and index vast third-party websites and content on the Internet in response to search queries entered by a user,” but the definition excludes licensees that do not control the search algorithm, the index from which results are generated, or the ranking order in which results are provided.
Data Retention
The Act requires controllers and processors to adopt a retention schedule that prohibits the use or retention of personal data (other than data subject to an exemption) after the retention period ends. The retention period ends upon (i) satisfaction of the initial purpose for which the information was collected or obtained, (ii) expiration or termination of the contract pursuant to which the information was collected or obtained, or (iii) the passage of two years after the consumer’s last interaction with the controller or processor.
Data Protection Assessments
The Florida Act follows the trend of requiring the controller to conduct data protection assessments (“DPAs”). DPAs are required for (i) processing for targeted advertising; (ii) the sale of personal data; (iii) profiling that presents a reasonably foreseeable risk of unfair or deceptive treatment of or unlawful disparate impact on consumers; financial, physical, or reputational injury to consumers; a physical or other intrusion on the solitude, seclusion, or private affairs or concerns of consumers, if the intrusion would be offensive to a reasonable person; or other “substantial injury to consumers”; (iv) processing of sensitive data; and (v) any other processing activity involving personal data that presents a heightened risk of harm to consumers.
The Act grants consumers the full slate of consumer rights seen in the CCPA (as amended), Colorado, Connecticut, and Virginia, including the rights to know, access, obtain a copy of, correct, and delete personal data. The right to deletion covers “any and all personal data provided by or obtained about” the consumer. The Act also prohibits discrimination. The controller must provide at least two methods for consumers to exercise their rights, one of which must be through the controller’s website. The controller has 45 days to respond to a consumer request; the Act permits an extension of only 15 additional days when reasonably necessary (shorter than the extensions available under other states’ laws), so the controller must in any event inform the consumer of the action taken within 60 days of the request. The controller must also provide a clear appeal process for any denied request.
The Act limits the controller’s obligation to respond to consumer requests concerning de-identified data if all of the following are true: (i) the controller is not reasonably capable of associating the request with the personal data, or doing so would be unduly burdensome; (ii) the controller does not use the personal data to recognize or respond to the specific consumer who is the subject of the personal data, or associate the personal data with other personal data about that same consumer; and (iii) the controller does not sell the personal data to a third party or voluntarily engage in unauthorized disclosure of the personal data to a third party.
The consumer’s opt-out rights are broad as well, covering processing for (i) targeted advertising, (ii) sale, (iii) the collection of personal data through the operation of a voice recognition feature, and (iv) profiling in furtherance of a decision that produces a legal or similarly significant effect concerning the consumer. “Profiling” is defined as solely automated processing of personal data “to evaluate, analyze, or predict personal aspects related to an identified or identifiable individual’s economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.” Legal or “similarly significant effects” require a decision by a controller that results in the controller’s provision or denial of financial or lending services; housing, insurance or healthcare services; education enrollment; employment opportunities; criminal justice; or access to basic necessities such as food and water.
The Act requires opt-in consent for the processing of sensitive data (although the Act also provides an opt-out right for such processing); for processing personal data for a purpose that is neither reasonably necessary for nor compatible with the original purpose of collection; for processing the data of a known child aged 13 to 18 (through an “affirmative authorization”); and for processing the data of a known child under 13 (in compliance with COPPA).
The Act requires controllers to publish a privacy notice that includes the categories of personal data processed by the controller (including sensitive data), the purposes of the processing, the categories of third parties (which do not include processors and affiliates) with whom the personal data is shared, and how consumers can exercise their rights. Specifically worded notices are required if the controller sells sensitive data (“NOTICE: This website may sell your sensitive personal data.”) or biometric data (“NOTICE: This website may sell your biometric personal data.”). If the controller sells other personal data to third parties or processes personal data for targeted advertising, the controller must “conspicuously” disclose that process and how the consumer can opt out of it. Biometric data is defined as “data generated by automated measurements of an individual’s biological characteristics,” including fingerprints, voiceprints, eye retinas or irises, or other unique biological patterns or characteristics used to identify a specific individual, but excludes physical or digital photographs, video or audio recordings or data generated from them, and information collected, used, or stored for health care treatment, payment, or operations under HIPAA. As discussed above, the notice must also provide clear and conspicuous notice of the controller’s targeted advertising and how the consumer can opt out.
Vendor (Processor) Obligations
Processor obligations track those set forth in other comprehensive privacy laws: the processor must adhere to the controller’s instructions, assist the controller in meeting its duties (including responding to consumer rights requests), assist the controller with data breach notices, and provide the information the controller needs to prepare its DPA. The controller’s contract with the processor must include:
- clear instructions for processing data;
- the nature and purpose of processing;
- the type of data subject to processing;
- the duration of processing;
- the rights and obligations of both parties;
- a requirement that the processor ensure that each person processing personal data is subject to a duty of confidentiality with respect to the data;
- a requirement that the processor delete or return all personal data to the controller as requested after the provision of the service is completed, unless retention of the personal data is required by law;
- a requirement that the processor make available to the controller, upon reasonable request, all information in the processor’s possession necessary to demonstrate the processor’s compliance with this part;
- a requirement that the processor allow, and cooperate with, reasonable assessments by the controller or the controller’s designated assessor; and
- a requirement that the processor engage any subcontractor pursuant to a written contract that requires the subcontractor to meet the requirements of the processor with respect to the personal data.
If a processor engages an independent assessor to assess the processor’s policies and technical and organizational measures under the Act, the processor must provide the assessor’s report to the controller upon request.
If the controller discloses pseudonymous data, de-identified data, or aggregate consumer information to the processor, it must exercise reasonable oversight to monitor compliance with any contractual commitments to which the data or information is subject, and must take appropriate steps to address any breach of those commitments.
Enforcement
Like other recent state comprehensive privacy laws, the Act provides no general private right of action. Instead, the Florida Department of Legal Affairs enforces the Act. In addition to other remedies, the Department may assess a civil penalty of up to $50,000 per violation, which may be trebled for certain violations, such as violations involving the personal data of a known child or failure to delete information in response to a proper consumer request. The Act permits, but does not require, the Department to allow a business a 45-day cure period.
Technology Transparency
SB 262 also includes provisions entitled “An Act Relating to Technology Transparency,” which limit actions by government officials with respect to social media platforms. If signed into law, these provisions will prohibit an officer or salaried employee of a governmental entity, among other things, from using their position or state resources to ask a social media platform to remove content or accounts, and will prohibit a governmental entity, or an officer or salaried employee acting on its behalf, from initiating or maintaining “any agreements or working relationships with a social media platform for the purpose of content moderation.” Exceptions include routine account management and removal of content related to the commission of a crime or a violation of public records law. The Act defines “social media platform” as a “form of electronic communication through which users create online communities to share information, ideas, personal messages, and other content.”
About Data Points: Privacy & Data Security Blog