Have you ever wondered why Florida Privacy Act has one of the strictest privacy laws in the country? The answer lies in the state’s history of being a haven for cyber criminals. In fact, Florida was once known as the “criminal’s paradise” because of its lax laws and lack of enforcement, especially in data protection and data security. Florida is actually one of the states with the most notorious data breaches in history.
Today, Florida is home to over 20% of the nation’s population. Crime rates have decreased since the 1990s, and Florida remains one of the safest states in the U.S.
However, despite these statistics, Florida continues to struggle with high levels of data breaches. According to the FBI, there were more than 1 million identity theft victims in 2020 alone. This equates to an average of 2,000 Floridians who fall victim to identity theft each day.
The problem is that many people don't take steps to protect their personal information. They often fail to use strong passwords or change them frequently. They also give out too much information online, such as credit card numbers, social security numbers, bank account numbers, etc.
The result is that they become easy targets for hackers and online criminals. Most information shared with websites is used against the consumers. If you are a business seeking to mine, process, and share personal consumer data, you need to be aware of these top 6 techniques to keep customer data private.
With the increasing cases of data breaches in Florida, authorities have considered several data protection enactments. In response to this issue, Florida’s Information Protection Act of 2014 and the later update HB 969: Consumer Data Privacy was passed.
Florida’s Information Protection Act (FIPA) of 2014
FIPA’s purpose is to protect consumer data from misuse by businesses. It requires companies to obtain consent before collecting any personal information about individuals. Companies must also notify individuals when they collect information on them.
In addition, the law prohibits companies from selling personal information without consent. If a company violates the act, it can be fined up to $1,000 per violation.
Type of Data Protected Under Florida’s Information Protection Act of 2014
As we have already discussed, FIPA protects vulnerable internet users from data misuse. It has a strict component that provides all the categories of protected data and what companies and organizations should do to ensure data compliance. The act also specifies what organizations should do after experiencing a data breach. Additionally, it has a clear list of the data protected under the act.
This includes, but is not limited to, the following types of data:
- Financial records
- Credit card details
- Medical records
- Phone numbers
- Email addresses
- Social security numbers
- Driver's license information
- Bank account information
The act also defines personally identifiable information (PII) to include other sensitive details, such as:
- Medical records/medical history of a user
- Data pertaining to the mental and physical state of an individual
- Health insurance policy numbers
- Identifiers that are used by health insurers
FIPA Notice Requirements
Every business entity must provide notice to affected customers if their data is breached. Businesses must notify the affected customers within 30 days of discovering a security incident.
One big difference is that FIPA reduced the notification time from 45 days to 30 days. However, if a good cause is sent in writing to the Department of Legal Affairs, the Department can grant an additional 15 days to provide notice.
The organization is also expected to provide a notice for a breach affecting more than 500 users. In the case of more than 1,000 users, the organization should send notice to nationwide consumer credit reporting agencies.
FIPA Penalties for Non-Compliance
If a business fails to comply with the requirements of the act, then it can face penalties. This means that the company will need to pay fines to the Department for each day it does not follow the rules. For example, if a company is found to violate the act for 10 days, then it will be required to pay a fine of $1,000 per day.
This is clearly shown below:
1. $1,000 a day for the first 30 days,
2. $50,000 subsequently for any 30-day period up to 180 days, and
3. $500,000 maximum amount of penalties. This is for violations exceeding 180 days.
House Bill 969: Consumer Data Privacy
This bill was introduced to reduce instances of data breaches for all companies in Florida effective 7th January 2022. This bill requires all businesses collecting consumer data to disclose what kind of data they are collecting from consumers. If any business fails to comply with this law, it will face a fine of $1,000 per violation.
In addition, the bill requires all businesses to notify affected customers about data breaches within 72 hours after learning about them. Furthermore, if any company fails to do so, it will be fined $1,000 every time it violates this rule. In order to understand HB 969, let’s discuss each of the provisions separately.
Notify Consumers About Data Collection and Selling Practices
The Florida Consumer Data Privacy Bill requires all websites or online businesses collecting personal data to notify the users of all the data collected and the selling practices. The law provides that all the businesses or websites collecting personal data must:
- Notify the user about the category of data being collected (e.g., name, address, email)
- The specific data being collected (e-mail addresses, phone number, date of birth, gender, etc.)
- Specific sources where the data was sourced (Facebook, Google, etc.)
- Category of the third-party with whom the data will be shared
- Category of the personal data that the company will share
If any business collects sensitive data like financial details, social security numbers, or medical records, then it should not collect this data without first getting permission from the user.
The Right to Opt-In or Opt-Out of Sale or Sharing of Such Data
The bill also stipulates that the company should uphold the user's right to opt-in and out of the sale and the sharing of data. For example, if a user wants to share his/her Facebook profile on another site, then he/she can choose whether to allow it or not.
Non-Discrimination Measures
The bill also prohibits discrimination based on race, color, national origin, religion, sex, disability, age, marital status, sexual orientation, genetic information, political affiliation, veteran status, or any other category protected by federal, state, or local laws.
After the user has been informed which information has been collected, they have the right to ask the company collecting the data to delete the information and ask all the third-parties and providers to do the same.
Private Right of Action
Under the bill, there is a private right of action against companies who violate the bill’s provisions. A person may bring an individual lawsuit against a company that violates the bill’s provisions or file an administrative complaint with the Department of Financial Services.
Does Florida’s HB 969 Affect My Business?
Yes, HB 969 applies to all for-profit organizations conducting business in Florida. This takes into account all businesses, whether inside or outside of Florida, that collects and controls personal data of Florida residents that meets the below requirements:
1. A business with annual global revenue that exceeds $25 million, excluding Florida revenue.
2. A company sharing personal data of 50,000 or more consumers, households, or devices.
3. A company that at least derives more than half of its revenues from sharing and processing personal data.
This is a clear indication that all businesses under these three categories are subject to the bill. The bill will equally apply to all third-party businesses that are controlled by a qualifying business.
Notable Exceptions
Yes, there are exemptions from the law. These exemptions include:
1. Businesses that are exempt from the provision of Section 8(a)(1) because they are covered by the Federal Trade Commission Act, the Gramm-Leach-Bliley Act, or the Children's Online Privacy Protection Act.
2. Businesses regulated as a bank holding company under the Bank Holding Company Act of 1956, 12 U.S.C. 1841 et seq., or a savings association under the Savings Association Act, 12 U.S.C. 1461 et seq.
3. Employee data
4. Aggregate data
What Does HB 969 Mean for Your Business?
If you are a small business owner, you must be aware of what the new privacy legislation means for you. It means that you need to take extra care when handling customer data. You should ensure that you comply with the guidelines set forth by the bill. If you fail to comply, then you could face legal consequences.
Increasing Data Awareness
It is very important to increase awareness about the collection of data. You can start by educating your employees about how their work affects customers. Also, make sure that your employees understand the importance of protecting customer data. Your employees should be trained to identify and report any suspicious activity on your network.
Ensure Data Is Used as Registered by the Department
You should also make sure that the data is only used as per the rules and regulations of the state. Make sure that you register the data with the Department before using it. In this regard, you must know how to hire trustworthy customer support reps.
Final Thoughts
HB 969 is a significant piece of legislation that will have far-reaching effects on the way we do things online. As a business owner, you need to be aware of the changes that this bill brings. This way, you can easily comply with the law and avoid penalties.