Who Knows What—Analysis of Data Privacy Legislation in Florida
Drawn from everyday consumer interactions, digital information has become a pervasive part of the modern economy. Underpinning this explosion of digital data is the availability of personal information—traditionally understood to cover categories of information such as names, addresses, passwords, social security numbers, credit cards, and more. Due to new technologies, personal information has become decidedly broader and more complicated to define, encompassing new areas such as engagement and attitudinal data that provide insights on customer behavior.
Addressing the perceived need for consumer data privacy, governments across the world have begun extensively legislating on the safe handling and protection of personal information. At the center of most of this legislation is the principle that consumers should be afforded certain rights regarding how their personal data is used, such as the ability to know, correct, delete, or opt-out of the sale of personal information. Given differing interpretations of what exactly constitutes “personal information,” however, consumer data privacy legislation has produced numerous technical complexities and direct costs for covered businesses.
The Florida Legislature has endeavored to pass substantive consumer data privacy legislation. Although more detailed than presently described, the efforts would grant consumers certain rights, require a covered business to follow certain obligations regarding the use of personal data, and provide for an enforcement mechanism. Based on specified threshold requirements, only certain businesses would be required to comply, but failure to do so would conceivably lead to some statutory remedy or potential civil litigation. Compliance would require some companies to hire additional staff, build out IT infrastructure, improve security safeguards, and more.
Florida TaxWatch analyzed the potential costs of compliance and litigation that would result from a consumer data privacy law in Florida and estimated the following based on various assumptions:
The direct cost of initial compliance is estimated to be between $6.2 billion and $21.0 billion for the state of Florida;
The direct cost of ongoing compliance is estimated to be between $4.6 billion and $12.7 billion annually for the state of Florida; and
If included, a private right of action provision is estimated to produce more than 80 class- action lawsuits initially and exceed $4.2 billion in litigation costs. This amount would be expected to grow over time due to more compliance difficulties, enforcement actions, and number of cases.
There are also several non-quantifiable considerations and secondary effects that are worth noting. Even if small to mid-sized businesses are not primarily covered under a consumer data privacy law, they may still feel compelled to adopt data privacy measures to remain competitive, despite many having fewer resources than larger firms. This outcome would create an unintended competitive advantage for larger businesses and create a market expectation for many smaller businesses. Additionally, inferences and probabilistic identifiers—potential categories in consumer data privacy legislation—create practical difficulties for companies to comply and therefore raise the potential cost of litigation.
To minimize the economic costs of consumer data privacy legislation while achieving the goal of strengthening privacy protections, passing a comprehensive federal consumer data privacy law would be the ideal course of action. Such a federal law would supplant a patchwork of state laws and standardize consumer rights, business obligations, and enforcement mechanisms across all fifty states. In the absence of a federal framework, however, legislative measures such as omitting a private right of action or delaying an implementation date to 2024 or beyond would be preferable options to reduce potential compliance and litigation costs.