South Florida corporations whose interests extend beyond the state now face challenges in meeting personal privacy requirements coming from California. And this is only the beginning.
Blame Google, Facebook, Amazon and every other online company that scoops up personal information from web searches, social media and online shopping. Add Congress to the list because if we had a national standard for online personal privacy, consumers would not be pushing back through state legislation to restrict and then delete their personal data.
While Florida’s legislature and agencies do not limit what companies can collect, they cannot prevent other states from imposing rules on local companies and enabling consumers to punish them when they fail to comply.
The California Consumer Privacy Act, or CCPA, makes many demands of Florida companies that do business in that state. The most visible requirement is that a qualifying business provide a “Do Not Sell My Personal Information” link on its website. The Florida entity must disclose to a California resident who asks for information such as categories and specific pieces of personal information it has collected; the business or commercial purpose for collecting or selling that information; and the third parties that receive it.
When demanded, the company must delete personal information, with certain exceptions, and may not sell the information.
A CEO and the vice president of sales may question whether it’s wise to continue doing business in California. They will have to decide quickly because Florida companies must comply, starting in January. Penalties will rack up fast: $2,500 for each violation or $7,500 for each intentional violation after notice and a 30-day opportunity to correct the problem.
Participating in the world’s fifth-largest economy will require a major investment in technology to meld pots of customer information into one vat and then dispense or dispose of it as required.
But that’s not the bad news. California is blazing a path for other states. New York and Massachusetts, with their many business connections and many times more snowbirds in Florida, are considering privacy legislation. Potential headaches exist not just for the chief executive and sales team, but for the chief operating, financial and information officers and, naturally, general counsel: How can their company meet multiple privacy standards?
As of late September, the Massachusetts measure was moving through a joint committee. The legislation resembles California law and, according to bill watchers, gives residents the right to seek large damages in class action lawsuits without showing actual injury.
New York’s legislation, recently in its senate, has a private right of action for any violation that applies to all businesses regardless of how much or how little business they do in the state. If the bill becomes law, it would immediately affect many of South Florida’s major employers, such as tourism, real estate, health care, financial services and logistics.
Florida executives might be less concerned that legislatures in Maryland, North Dakota and Hawaii have also considered personal privacy laws. What should worry them is that those and other states are taking notice of California. Are our local businesses preparing for more privacy rules? Probably not. Should they be? Unequivocally, yes. ♦
Luis Salazar is the founder of Salazar Law, a minority-owned firm specializing in complex data privacy and compliance matters. The Department of Justice has appointed him 25 times as consumer privacy ombudsman to protect more than 40 million data profiles for consumers. He can be reached at luis@salazar.law.
