The Constangy Cyber Team understands the paramount importance of staying informed about the intricacies of data breach notification regulations. With our Cybersecurity & Data Privacy Desktop Reference and these interactive maps, we provide guidance to navigate these complexities. Our interactive maps offer you online access to our succinct summaries of the essential aspects of various consumer and regulatory notification obligations. Please contact us should you have any questions. We look forward to working with you should you have to navigate the consumer notification and/or regulatory reporting process.
Data Breach Notification Statute
Covered Entities: Sole proprietorships, partnerships, corporations, trusts, estates, cooperatives, associations, or other commercial entities that acquire, maintain, store, or use personal information. For purposes of notice requirements, the definition also includes governmental entities.
Consumer Notification: Any individual in Florida whose personal information was, or the covered entity reasonably believes to have been, accessed as a result of the breach.
Regulatory Notification: If 500 or more individuals in the state are affected, notice must be made to the Florida Department of Legal Affairs.
Notification Timeline: As expeditiously as practicable and without unreasonable delay, taking into account the time necessary to determine the scope of the breach, to identify affected individuals, and to restore the reasonable integrity of the data system that was breached, but no later than 30 days after the determination of a breach or reason to believe a breach occurred.
Data Format: Data stored electronically or digitally on any computer system or other database, including recordable tapes and other mass storage devices.
Citations: Fla. Stat. § 501.171 (the “Florida Information Protection Act of 2014”)
- Breach: Unauthorized access of data in electronic form containing personal information.
- Personal Information (PI): An individual’s first name or first initial and last name, in combination with any one or more of the following data elements if the data elements are not encrypted:
- Social Security number;
- Driver’s license number, identification card number, passport number, military identification number, or other similar number issued on a government document used to verify identity;
- Financial account number, credit card number, or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account;
- Any information regarding an individual's medical history, mental or physical condition or medical treatment or diagnosis by a health care professional;
- An individual’s health insurance policy number or subscriber ID number and any unique identifier used by a health insurer to identify the individual; or
- A username or e-mail address, in combination with a password or security question and answer that would permit access to an online account.
- Encryption: Statute does not apply to information that is encrypted, secured, or modified by any other method or technology that removes elements that personally identify an individual or that otherwise renders the information unusable.
- Good Faith: Good faith access of personal information by an employee or agent of the covered entity does not constitute a breach of security, provided that the information is not used for a purpose unrelated to the business or subject to further unauthorized use.
- Risk of Harm: Notification not required if, after an appropriate investigation and written consultation with relevant federal and state law enforcement agencies, the covered entity reasonably determines that the breach has not and will not likely result in identity theft or any other financial harm to the individuals whose personal information has been accessed. Such a determination must be in writing, maintained for at least five (5) years and provided to the Department of Legal Affairs within 30 days.
- Law Enforcement Delay: If a federal, state, or local law enforcement agency determines that notice to individuals would interfere with a criminal investigation, the notice shall be delayed upon the written request of the law enforcement agency for a specified period that the law enforcement agency determines is reasonably necessary.
- Timing: As expeditiously as practicable and without unreasonable delay, but no later than 30 days after the determination of a breach.
- Format: N/A
- Content: Written notice to an individual must include, at a minimum:
- (1) The date, estimated date, or estimated date range of the breach of security;
- (2) A description of the personal information that was accessed or reasonably believed to have been accessed as a part of the breach of security; and
- (3) Information that the individual can use to contact the covered entity to inquire about the breach of security and the personal information that the covered entity maintained about the individual.
- Method: Consumer notice to an affected individual shall be by one of the following methods:
- Written notice sent to the mailing address of the individual in the records of the subject entity; or
- Email notice sent to the email address of the individual in the records of the subject entity.
An entity may provide substitute notice if (1) the cost of direct notice would exceed $250,000, (2) the notification population exceeds 500,000, or (3) the covered entity does not have an e-mail address or mailing address for the affected individuals.
Regulatory Notice:
If 500 or more individuals in the state are affected, notice must be made to the Florida Department of Legal Affairs.
Credit Reporting Agencies Notice:
If required to notify more than 1,000 Florida residents at a single time, must also notify all nationwide consumer reporting agencies of the timing, distribution and content of the notices.
Third-party agent must notify covered entity of breach of security as expeditiously as practicable, but no later than 10 days following the determination of the breach of security or reason to believe the breach occurred; covered entity must then provide required notices.
Notice provided pursuant to rules, regulations, procedures, or guidelines established by the covered entity’s primary or functional federal regulator is deemed to be in compliance with the notice requirement in this subsection if the covered entity notifies affected individuals in accordance with the rules, regulations, procedures, or guidelines established by the primary or functional federal regulator in the event of a breach of security. Under this paragraph, a covered entity that timely provides a copy of such notice to the department is deemed to be in compliance with the notice requirement.
Comprehensive Data Privacy Law
Florida Digital Bill of Rights
Fla. Stat. §§ 501.701-501.719
For-profit entities that conduct business in Florida and:
- Act as a controller of personal data of Florida consumers;
- Make in excess of $1 billion in global gross annual revenues; and
- Satisfy at least one of the following:
- Derives 50% or more of its global gross annual revenues from the sale of advertisements online, including providing targeted advertising or the sale of ads online;
- Operates a consumer smart speaker and voice command component service with an integrated virtual assistant connected to a cloud computing service that uses hands-free verbal activation; or
- Operates an app store or a digital distribution platform that offers at least 250,000 different software applications for consumers to download and install.
Among other exclusions, the Florida Digital Bill of Rights excludes state or local government entities, postsecondary education institutions, nonprofit organizations, employment-related data, and entities or data regulated by HIPAA, FCRA, or GLBA as well as the processing of personal data for purely personal or household activities or solely for measuring or reporting advertising performance, reach, or frequency.
However, the law prohibits government entities from communicating with social media platforms to request that they remove content or accounts or initiate or maintain any agreements or working relationships with social media platforms for the purpose of content moderation.
Covered Entity Obligations:
Controllers. Controller duties include obligations to:
- Limit collection of Personal Data to data that is adequate, relevant, and reasonably necessary in relation to the purposes for which it is processed, as disclosed to the consumer.
- Adopt and implement a data retention schedule.
- Establish, implement, and maintain reasonable administrative, technical, and physical data security practices appropriate to the volume and nature of the Personal Data at issue.
- Refrain from Processing Personal Data for a purpose that is neither reasonably necessary nor compatible with the purpose for which the Personal Data is processed without the consumers’ consent.
- Refrain from processing Personal Data in violation of state or federal laws that prohibit unlawful discrimination against consumers.
- Not discriminate against consumers for exercising consumer rights. Controllers may offer financial incentives for processing of Personal Data with prior consent.
- Not process sensitive data without obtaining consumer’s consent.
- Make available a reasonably accessible and clear privacy notice, updated at least annually, that includes: categories of personal data processed; purpose of processing personal data; how consumers may exercise their rights; categories of personal data shared with third parties; categories of third parties with whom the controller shares personal data; and a description of the methods by which consumers may appeal a controller’s refusal to take action on data rights requests.
- Clearly and conspicuously disclose whether they sell Personal Data or use Personal Data for targeted advertising and how to exercise opt-out rights.
- Post a notice that they sell sensitive or biometric personal data.
- Enter into a contract with a processor that must include certain terms limiting processor’s data processing, including clear instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties.
- Conduct data protection assessments for each of the controller’s processing activities that present a heightened risk of harm, including: processing personal data for targeted advertising, sale of personal data, processing of personal data for profiling if the profiling presents reasonably foreseeable risks of certain harms or substantial injury to consumers; processing sensitive personal data; or other Personal Data processing that presents a heightened risk of harm to consumers.
- If online platforms provide services, products, games, or features that will likely be predominantly accessed by children, the Florida statute imposes additional restrictions on processing of children’s data.
Processors. Processor duties include obligations to:
- Adhere to the instructions of a Controller.
- Reasonably assist the Controller in meeting its obligations, including:
- Assisting the Controller in responding to Consumer rights requests;
- Assisting the Controller in meeting its obligations to implement data security practices and breach notification; and
- Providing necessary information to enable the controller to conduct and document data protection assessments.
- Enter into written contracts with any subcontractors engaged to Process Personal Data which meet the obligations of the Processor with respect to the Personal Data.
- Ensure that each person processing personal data is subject to a duty of confidentiality with respect to the data.
- At the controller’s direction, delete or return all personal data to the controller as requested at the end of the provision of services, unless retention of the personal data is required by law.
- Upon the reasonable request of the controller, make available to the controller all information in the processor’s possession necessary to demonstrate the processor’s compliance with its obligations.
Businesses must respond without undue delay and within 45 days (with a possible extension of 15 days when reasonably necessary) to verified consumer requests regarding the processing of Personal Data and Sensitive Personal Data (SPD), including consumers’:
- Right to know whether a Controller is Processing their Personal Data;
- Right to access Personal Data;
- Right to request deletion of Personal Data;
- Right to obtain Personal Data in a format that is generally portable and readily usable;
- Right to correct inaccurate Personal Data;
- Right to opt out of Personal Data sales, targeted advertising, and profiling for decisions producing legal or other significant effects;
- Right to opt out of collection or processing of SPD, including precise geolocation data or collection of Personal Data through operation of a voice recognition or facial recognition feature.
Additionally, a Controller shall establish a process for the consumer to appeal the Controller’s refusal to take action on a request within a reasonable period of time after the consumer’s receipt of the decision. The appeal process must be made conspicuously available and similar to the process for submitting requests to initiate action. The Controller is required to take action within sixty (60) days of receipt of an appeal and inform the consumer in writing of the action taken or not taken in response to the appeal, including a written explanation of the reasons for the decision.
- Consumer: An individual who is a resident of or is domiciled in Florida acting only in an individual or household context. The term does not include an individual acting in a commercial or employment context.
- Controller: A person that, alone or jointly with others, determines the purposes and means for processing Personal Data.
- Personal Data: Any information, including sensitive data, which is linked or reasonably linkable to an identified or identifiable individual. The term includes pseudonymous data when the data is used by a controller or processor in conjunction with additional information that reasonably links the data to an identified or identifiable individual.
Personal Data excludes: de-identified data and publicly available data (defined as information lawfully made available through government records and information that a business has a reasonable basis to believe is lawfully made available to the general public through widely distributed media, by a consumer, or by a person to whom a consumer has disclosed the information, unless the consumer has restricted the information to a specific audience).
Personal Data also excludes Personal Data regulated under HIPAA, FCRA, Driver’s Privacy Protection Act, FERPA, Farm Credit Act, employment data, and other exceptions.
- Process: An operation or set of operations performed, whether by manual or automated means, on Personal Data or on sets of Personal Data, such as the collection, use, storage, disclosure, analysis, deletion, or modification of Personal Data.
- Processor: A person who processes Personal Data on behalf of a Controller.
- Profiling: Any form of solely automated processing performed on Personal Data to evaluate, analyze, or predict personal aspects related to an identified or identifiable individual’s economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.
- Sale of Personal Data: Sharing, disclosing, or transferring of Personal Data for monetary or other valuable consideration by the Controller to a third party.
The Florida statute excludes the following disclosures from this definition: (i) disclosure of Personal Data to a Processor who Processes the Personal Data on the Controller’s behalf; (ii) disclosure of Personal Data to a third party for purposes of providing a product or service requested by the consumer; (iii) disclosure of information that the consumer intentionally made available to the general public through a mass media channel and did not restrict to a specific audience; and (iv) disclosure or transfer of Personal Data to a third party as an asset that is part of a merger or an acquisition.
- Sensitive Personal Data: Personal Data revealing: racial or ethnic origin, religious beliefs, mental/physical health diagnosis, sexual orientation, or citizenship/immigration status; genetic and biometric data; Personal Data collected from a known child; and precise geolocation data.
Violations of the Florida statute constitute an unfair and deceptive trade practice and may be enforced by the Florida Department of Legal Affairs. The maximum civil penalty for violations is up to $50,000 per violation and penalties may be tripled for violations committed against a known child, for failure to delete or correct Personal Data after receiving an authenticated request, and for continuing to sell or share Personal Data after a consumer chooses to opt-out.
The Florida statute provides a 45-day cure period that may be granted by the Department of Legal Affairs at its discretion but does not apply to violations involving a known child.
Effective Date: July 1, 2024
Information Security Standard
Covered Entities: A sole proprietorship, partnership, corporation, trust, estate, cooperative, association, or other commercial entity that acquires, maintains, stores, or uses PI.
First Party Security Standard: Each covered entity, governmental entity, or third-party agent shall take reasonable measures to protect and secure data in electronic form containing personal information.
Third Party Security Standard: N/A
Disposal/Destruction Standard: Each covered entity or third-party agent shall take all reasonable measures to dispose, or arrange for the disposal, of customer records containing personal information within its custody or control when the records are no longer to be retained. Such disposal shall involve shredding, erasing, or otherwise modifying the personal information in the records to make it unreadable or undecipherable through any means.
Data Format: Electronic and physical.
Citations: Fla. Stat. § 501.171.
- Personal Information (PI): An individual’s first name / first initial and last name in combination with one (1) or more of the following data elements:
- Social Security number;
- Driver’s license number or state identification card number;
- Passport number, military identification number, or other similar government-issued identification number used to verify identity;
- Financial account or payment card number plus any required security code, access code, or password that would permit access to an individual’s financial account;
- Any information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional; or
- Health insurance policy number or subscriber identification number and any unique identifier used by a health insurer to identify the individual; or
- A username or email address in combination with a password or security question and answer that would permit access to an online account.
PI does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.
Methods of Compliance:
The statute does not define what constitutes reasonable measures and methods of compliance.
- Health Care: N/A
- Financial: N/A
- Other: N/A
A violation of this section shall be treated as an unfair or deceptive trade practice in any action brought by the department under s. 501.207 against a covered entity or third-party agent.
A consumer may not bring a private cause of action for violation of these standards.