Who is affected by Florida data privacy laws?
All for-profit organizations doing business in Florida must comply with the Florida Information Protection Act of 2014 (FIPA) and the new House Bill 969, which went into effect in 2022, if they meet the following thresholds:
- Annual global revenue exceeding $25 million, excluding Florida revenue;
- Companies sharing personal data of 50,000 or more consumers, devices, or households; or
- Companies deriving at least half of their revenue from sharing and processing personal data.
There are certain data and business exceptions, including:
- Employee data
- Aggregate data
- Businesses exempt because they’re regulated by the FTC Act, the Gramm-Leach-Bliley Act, or COPPA
- Businesses regulated under the Bank Holding Company Act or Savings Association Act
Florida privacy laws
There are two main data privacy laws in Florida: FIPA and House Bill 969. FIPA prevents businesses from misusing consumer data. Companies must notify and obtain consumer consent before collecting any personal information. They’re also prohibited from selling that personal information without consent.
Protected types of data include:
- Credit card information
- Financial records
- Contact information
- Social Security numbers
- Driver’s license information
- Bank account details
- Medical records
Furthermore, FIPA requires that companies notify consumers within 30 days whenever their data has been breached, or when a breach affects more than 500 consumers. If more than 1,000 users are affected, the organization is expected to notify consumer credit reporting agencies. However, if companies meet certain “good cause” requirements, they may be granted an additional 15 days to provide notice. Violations can incur up to $500,000 in penalties.
House Bill 969 is a consumer data privacy act, which went into effect on January 7, 2022. Under HB 969, all companies collecting consumer data must disclose what kind of data they’re collecting from the consumers. They also must notify affected customers about data breaches within 72 hours of discovery.
HB 969 further requires that companies allow users to opt in or out of the sale or sharing of their personal data, or delete the data upon request. They cannot use this personal data for discriminatory purposes. Finally, the bill establishes a private right of action for consumers. Penalties start at $1,000 per violation.