Privacy Policies for Florida Websites
In this digital age, web commerce and marketing are essential for many small businesses. Customers increasingly shop as well as research businesses on the internet in order to decide who to hire. Whether you are a lawyer or an online boutique, having an interactive website that collects consumer information is very useful.
If a business collects consumer information, it should have a privacy policy that spells out the type of data it collects and how it uses that data. A privacy policy serves two purposes. First, it informs the consumer about how his or her data will be used, and ideally inspires trust. Second, a privacy policy can be a tool that brings the website into compliance with applicable privacy laws.
Governments around the world have recently placed increased importance on safeguarding data by enacting laws such as the GDPR (European Union) and the CCPA (California). These laws give consumers an increased ability to control how their information is used. As more business moves online, the trend seems to be for more government regulation in this area and more protection of consumer data.
Florida’s Digital Privacy Law
Florida recently enacted the “Florida Digital Bill of Rights” (Chapter 501.701-501.722, Florida Statutes), which goes into effect on July 1, 2024. An important distinction is drawn in this law between large businesses (defined as “controllers”) and smaller businesses. Most of the restrictions in this law apply only to controllers, which represent a small group of large tech companies. A controller is defined as an entity that does business in the state of Florida, collects personal data from consumers, has an annual global revenue of more than $1 billion, and meets one of the following criteria:
Derives 50 percent of its global gross annual revenue from the sale of advertisements online;
Operates a consumer smart speaker and voice command service with an integrated virtual assistant connected to a cloud computing service that uses hands-free verbal activation; or
Operates an app store or digital distribution platform with at least 250,000 different software applications for consumers to download and install.
A consumer has the right under the FDBR to opt out of the collection and sale of her personal data (defined below) by the controller. The consumer can also enforce these provisions against entities that handle her information on behalf of the controller.
A. Definition of Personal Information
The definition of personal information in Florida’s data breach law, Section 501.171, is expanded in the FDBR to include biometric information as well as information regarding a person’s geolocation (if in combination with the individual’s first name or first initial and last name). This is an important development for all businesses to consider in reviewing their breach notification obligations.
B. Sensitive Information
“Sensitive data” means a category of personal data which includes any of the following:
(a) Personal data revealing an individual’s racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status.
(b) Genetic or biometric data processed for the purpose of uniquely identifying an individual.
(c) Personal data collected from a known child.
(d) Precise geolocation data.
The FDBR requires a controller that sells a customer’s sensitive information to display a prominent notice on the controller’s website to notify the customer of this practice.
C. Data Processors
An entity that processes data for a controller also has obligations under the FDBR to safeguard consumer data. To comply with the FDBR, a data processor should make sure its contract with the controller includes provisions for the safeguarding of consumer data.
D. Enforcement
The FDBR lacks a private right of action. Instead, Florida’s Attorney General is tasked with enforcing the law (therefore, a consumer who believes his rights have been violated should file a complaint with Florida’s AG). A 45-day cure period is at the discretion of the Attorney General, and civil penalties authorized by the FDBR run as high as $50,000 per violation.
Summary
In conclusion, the collection of consumer data is becoming more highly regulated in many jurisdictions. It is essential that all businesses that collect customer information through a website or app have robust privacy policies in place that disclose how they use customer data. A privacy policy builds customer trust and may also be required to comply with applicable privacy laws. Florida’s FDBR gives consumers rights to restrict collection of their data against a limited set of entities.
Contact John Clarke Esq. today at (954) 556-8952 for assistance in drafting a privacy policy or complying with Florida’s privacy laws!