HOUSE OF REPRESENTATIVES STAFF ANALYSIS
BILL #: CS/CS/CS/HB 969 Consumer Data Privacy
SPONSOR(S): Commerce Committee, Civil Justice & Property Rights Subcommittee, Regulatory Reform
Subcommittee, McFarland, and others
TIED BILLS: CS/CS/HB 971 IDEN./SIM. BILLS:
REFERENCE ACTION ANALYST STAFF DIRECTOR or BUDGET/POLICY CHIEF
1) Regulatory Reform Subcommittee 18 Y, 0 N, As CS Wright Anstead
2) Civil Justice & Property Rights Subcommittee 17 Y, 0 N, As CS Mathews Jones
3) Commerce Committee 22 Y, 0 N, As CS Wright Hamon
SUMMARY ANALYSIS
Florida, like most states, has laws requiring businesses to disclose to consumers when a breach of security
occurs that affects a consumer’s personal information. In 2014, Florida passed the Florida Information
Protection Act (FIPA) that requires commercial and government entities which store or maintain a Floridian’s
personal information to take reasonable measures to protect such information and report data breaches.
The bill adds “biometric data” to the definition of “personal information” in FIPA. Thus, entities in possession of
fingerprints, DNA, and other biological or physiological identifying information must take reasonable measures
to protect the biometric data and report data breaches.
Due to the growth in the Internet and specifically the growth in companies whose entire business model is the
collection of personal information for the purpose of selling targeted advertising, many countries and states
have adopted or updated their laws relating to the collection and use of personal information. Specifically, the
European Union, and states like California, Virginia and Illinois, have enacted data privacy regulations to
protect personal information and give consumers more control over how their information is used.
The bill requires certain controllers to publish a privacy policy for personal information.
The bill defines “personal information” as information that identifies, relates to, or describes a particular
consumer or household, or is reasonably capable of being directly or indirectly associated or linked with, a
particular consumer or household. The term does not include public information that is readily available to the
public from government records, certain employee information, or deidentified or aggregate information.
The bill gives consumers certain rights related to personal information collected by a controller, including:
• The right to access personal information collected,
• The right to delete or correct personal information, and
• The right to opt-out of the sale or sharing of personal information.
The bill requires controllers to comply with certain consumer requests and make certain information available
on the controller’s website.
The bill allows the Department of Legal Affairs to bring an action against, and collect civil penalties from, a
controller, processor, or person who violates these requirements. Consumers whose personal information has
been breached, sold, or shared after opting-out, or retained after a request to delete or correct may also bring
a cause of action against the controller, processor, or person in certain limited circumstances.
The bill has no fiscal impact on local governments, and an indeterminate fiscal impact on state government.
The bill has an effective date of July 1, 2022.
This document does not reflect the intent or official position of the bill sponsor or House of Representatives.
STORAGE NAME: h0969f.COM
DATE: 4/16/2021
FULL ANALYSIS
I. SUBSTANTIVE ANALYSIS
A. EFFECT OF PROPOSED CHANGES:
Florida Information Protection Act – Current Situation
In 2014, Florida passed the Florida Information Protection Act (FIPA).1 FIPA requires commercial
covered entities2 and government entities which hold personal information to take reasonable
measures to protect such information and report data breaches to affected consumers.3
FIPA defines “personal information” as:
• online account information, such as security questions and answers, email addresses and
passwords;
• an individual’s first name or first initial and last name in combination with any one or more of the
following:
  o A social security number;
  o A driver license or similar identity verification number issued on a government
document;
  o A financial account number or credit or debit card number, in combination with any
required security code, access code, or password that is necessary to permit access to
an individual’s financial account;
  o Any medical history information; or
  o An individual’s health insurance identification numbers.4
Personal information does not include information:
• about an individual that has been made publicly available by a federal, state, or local
governmental entity; or
• that is encrypted, secured, or modified to remove elements that personally identify an individual
or that otherwise renders the information unusable.5
If a breach of personal information occurs, notice must be given to each individual in this state whose
personal information was accessed as a result of the breach. If the breach affected 500 or more
individuals in this state, the covered entity must also provide notice to the Department of Legal Affairs
(DLA). If the breach affected more than 1,000 individuals at a single time, credit reporting agencies
must be notified of such breach, with certain exceptions.6
FIPA expressly does not provide a private cause of action, but does authorize enforcement actions by
DLA under Florida’s Unfair and Deceptive Trade Practices Act (FDUTPA) against covered entities for
any statutory violations.7
In addition to the remedies provided for under FDUTPA, a covered entity that fails to notify DLA, or an
individual whose personal information was accessed, of the data breach is liable for a civil penalty not
to exceed $500,000:
• In the amount of $1,000 for each day up to the first 30 days following any violation, thereafter,
$50,000 for each subsequent 30-day period or portion thereof for up to 180 days.
• If the violation continues for more than 180 days, in an amount not to exceed $500,000.
1 S. 501.171, F.S.; Fla. SB 1524 (2014) (FIPA expanded and updated Florida’s data breach disclosure laws contained in s. 817.5681,
F.S. (2013), which was adopted in 2005 and repealed in 2014.)
2 “Covered entity” means a sole proprietorship, partnership, corporation, trust, estate, cooperative, association, or other commercial
entity that acquires, maintains, stores, or uses personal information. S. 501.171(1)(b), F.S.
3 Florida Office of the Attorney General, How to Protect Yourself: Data Security,
http://myfloridalegal.com/pages.nsf/Main/53D4216591361BCD85257F77004BE16C (last visited Mar. 24, 2021).
4 Id.; S. 501.171(1)(g)1., F.S.
5 S. 501.171(1)(g)2., F.S.
6 S. 501.171(3)-(6), F.S.
7 S. 501.171(9), (10), F.S.; OAG supra note 3.
The civil penalties for failure to notify apply per breach and not per individual affected by the breach.
Florida Deceptive and Unfair Trade Practices Act
FDUTPA is a consumer and business protection measure that prohibits unfair methods of competition,
unconscionable acts or practices, and unfair or deceptive acts or practices in trade or commerce.8
FDUTPA is based on federal law.9
DLA or the Office of the State Attorney (SAO) may bring actions when it is in the public interest on
behalf of consumers or governmental entities.10 SAO may enforce violations of the FDUTPA if the
violations take place in its jurisdiction. DLA has enforcement authority if the violation is
multi-jurisdictional, the state attorney defers in writing, or the state attorney fails to act within 90 days
after a written complaint is filed.11 In certain circumstances, consumers may also file suit through private
actions.12
DLA and the SAO have powers to investigate FDUTPA claims, which include:13
• administering oaths and affirmations,
• subpoenaing witnesses or matter, and
• collecting evidence.
DLA and the State Attorney, as enforcing authorities, may seek the following remedies:
• declaratory judgments,
• injunctive relief,
• actual damages on behalf of consumers and businesses,
• cease and desist orders, and
• civil penalties of up to $10,000 per willful violation.14
FDUTPA may not be applied to certain entities in certain circumstances, including:15
• Any person or activity regulated under laws administered by The Office of Insurance Regulation
or The Department of Financial Services; or
• Banks, credit unions, and savings and loan associations regulated by the Office of Financial
Regulation or federal agencies.
Florida Information Protection Act – Effect of the Bill
The bill adds “biometric data” to the definition of “personal information.”
“Biometric data” is defined as an individual's physiological, biological, or behavioral characteristics,
including an individual's deoxyribonucleic acid (DNA), that can be used, singly or in combination with
each other or with other identifying data, to establish individual identity. The term includes, but is not
limited to, imagery of the iris, retina, fingerprint, face, hand, palm, vein patterns, and voice recordings,
8 Ch. 73-124, L.O.F., and s. 501.202, F.S.
9 D. Matthew Allen, et al., The Federal Character of Florida’s Deceptive and Unfair Trade Practices Act, 65 U. MIAMI L. REV. 1083
(Summer 2011).
10 S. 501.207(1)(c) and (2), F.S.; see s. 501.203(2), F.S. (defining “enforcing authority” and referring to the office of the state attorney if
a violation occurs in or affects the judicial circuit under the office’s jurisdiction; or the Department of Legal Affairs if the violation occurs
in more than one circuit; or if the office of the state attorney defers to the department in writing; or fails to act within a specified period.);
see also David J. Federbush, FDUTPA for Civil Antitrust: Additional Conduct, Party, and Geographic Coverage; State Actions for
Consumer Restitution, 76 FLORIDA BAR JOURNAL 52, Dec. 2002 (analyzing the merits of FDUTPA and the potential for deterrence of
anticompetitive conduct in Florida), available at
http://www.floridabar.org/divcom/jn/jnjournal01.nsf/c0d731e03de9828d852574580042ae7a/99aa165b7d8ac8a485256c8300791ec1!OpenDocument&Highlight=0,business,Division* (last visited on Mar. 24, 2021).
11 S. 501.203(2), F.S.
12 S. 501.211, F.S.
13 S. 501.206(1), F.S.
14 Ss. 501.207(1), 501.208, and 501.2075, F.S. Civil Penalties are deposited into general revenue. Enforcing authorities may also
request attorney fees and costs of investigation or litigation. S. 501.2105, F.S.
15 S. 501.212(4), F.S.
from which an identifier template, such as a faceprint, a minutiae template, or a voiceprint, can be
extracted, and keystroke patterns or rhythms, gait patterns or rhythms, and sleep, health, or exercise
data that contain identifying information.
The bill includes biometric data in FIPA’s definition of “personal information” so that covered entities are
required to notify the affected individual, the DLA, and credit reporting agencies of a breach of such
information. The bill also provides that DLA may bring a FDUTPA action against a covered entity which
fails to notify DLA of or an individual affected by a breach of biometric information.
Consumer Data Privacy – Current Situation
Consumer Data
As technologies that capture and analyze data proliferate, so, too, do businesses' abilities to
contextualize consumer data. Businesses use it for a range of purposes, including better understanding
of day-to-day operations, making more informed business decisions and learning about their
customers.16
From consumer behavior to predictive analytics, companies regularly capture, store, and analyze large
amounts of quantitative and qualitative data on their consumer base every day. Some companies have
built an entire business model around consumer data, whether the companies are selling personal
information to a third party or creating targeted ads.17
Generally, the types of consumer data that businesses collect are:18
• Personal data, which includes personally identifiable information, such as Social Security
numbers and gender, as well as identifiable information, including IP address, web browser
cookies, and device IDs;
• Engagement data, which details how consumers interact with a business's website, mobile
apps, social media pages, emails, paid ads and customer service routes;
• Behavioral data, which includes transactional details such as purchase histories, product usage
information, and qualitative data; and
• Attitudinal data. This data type encompasses metrics on consumer satisfaction, purchase
criteria, product desirability and more.
General Data Protection Regulation (European Union)
In 2016, the European Union passed a broad data privacy law that addressed several areas of
consumer rights and data protection called the General Data Protection Regulation (GDPR).19 The law
became effective in 2018 and unified the regulatory approach to data privacy across the European
Union. The GDPR has since become a model for other data privacy laws in other countries, including
Chile, Japan, Brazil, South Korea, Argentina, and Kenya.20
Under the GDPR, personal data is anything that allows a person to be identified. Under GDPR,
individuals, organizations, and companies that are either 'controllers' or 'processors' of personal data
are covered by the law. Controllers exercise overall control over the purposes and means of processing
personal data. Processors act on behalf of, and only on the instructions of, the relevant controller.21
Before processing or collecting any personal data, any business must ask for explicit permission from
the subject or person. The request must use clear language.
16 Max Freedman, How Businesses Are Collecting Data (And What They’re Doing With It), Business News Daily (Jun. 17, 2020)
https://www.businessnewsdaily.com/10625-businesses-collecting-data.html (last visited Mar. 24, 2021).
17 Id.
18 Id.
19 European Data Protection Supervisor, The History of the General Data Protection Regulation, https://edps.europa.eu/data-protection/data-protection/legislation/history-general-data-protection-regulation_en (last visited Mar. 24, 2021).
20 Id.
21 Wired, What is the GDPR? The summary guide to GDPR compliance in the UK, https://www.wired.co.uk/article/what-is-gdpr-uk-eu-legislation-compliance-summary-fines-2018 (last visited Mar. 24, 2021).
The provisions of the GDPR specifically ban the use of long documents filled with legalese - hiding
permissions within Terms and Conditions or a Privacy Policy will not meet the requirements. Consent
must be given for a specific purpose and must be requested separately from other documents and
policy statements.22
The GDPR requires companies to provide, at the data subject's request, confirmation as to whether
personal data pertaining to them is being processed, where it is being processed, and for what
purpose. Companies must also be able to provide, free of charge, a copy of the personal data being
processed in an electronic format.23
Under the GDPR, companies must erase all personal data when asked to do so by the data subject. At
that point, the company must cease further dissemination of the data, and halt all processing. Valid
conditions for erasure include situations where the data is no longer relevant, or the original purpose
has been satisfied, or merely a data subject's subsequent withdrawal of consent.24
The GDPR requires companies to provide mechanisms for a data subject to receive any previously
provided personal data in a commonly used and machine-readable format.25
California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA)
The California Consumer Privacy Act of 2018 (CCPA) was passed to give consumers more control over
the personal information that businesses collect. This landmark law in the United States granted new
privacy rights for California consumers, including:26
• The right to know about the personal information a business collects, specifically about the
consumer, and how it is used and shared;
• The right to delete personal information collected with some exceptions;
• The right to opt-out of the sa