Senate Bills 262 & 264: Enhancing Digital and Health Data Rights in Florida


Senate Bills 262 and 264 are landmark pieces of legislation that address vital aspects of data privacy and protection for Florida residents. Senate Bill 262, often referred to as the Technology Transparency Bill, is also known as “Florida’s Digital Bill of Rights.” It places constraints on for-profit entities operating in Florida that collect “sensitive data” about Florida residents. Senate Bill 264, by contrast, introduces pivotal changes to where licensed Florida healthcare providers may store patient records. Together, these bills represent a concerted effort by the State of Florida to secure the personal and health data of its residents, and they require businesses and healthcare entities to adopt specific practices for data management and consumer protection.

Senate Bill 262: Florida’s Digital Bill of Rights

Senate Bill 262, often referred to as the Technology Transparency Bill, has earned the nickname “Florida’s Digital Bill of Rights.” This legislation places constraints on for-profit businesses operating in Florida that amass “sensitive data” about Florida residents. Such data includes personal information revealing one’s race or ethnicity, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status; genetic or biometric data processed to uniquely identify a person; personal data collected from a known child; and precise geolocation data. As of July 1, 2023, the State of Florida mandates that companies must:

  1. Refrain from selling “sensitive data” without first obtaining the consumer’s permission.
  2. Not process “sensitive data” of those below 18 years of age without consent per the Children’s Online Privacy Protection Act.

In the spirit of public welfare, any contract provision that attempts to waive or limit these consumer rights is rendered void and unenforceable by the new legislation. Companies that sell “sensitive data” are also required to post a notice on their websites that reads: “NOTICE: This website may sell your sensitive personal data.” Noteworthy exemptions from these restrictions include Protected Health Information (“PHI”), health records, data gathered for clinical studies, and de-identified or anonymous data.

The Digital Bill of Rights in Florida not only amplifies individual autonomy over personal data but also sets forth stricter stipulations for certain business entities: (i) “Controllers”; (ii) “Processors” of all magnitudes; and (iii) “Affiliates” linked to Controllers and Processors.


I. Controllers

Within the framework of Florida’s Digital Bill of Rights, a “Controller” is defined as any entity that meets all of the following:

  • Pursues profits or financial gains for its owners or shareholders.
  • Carries out business activities in Florida.
  • Accumulates personal consumer data, or for whom such data is collected.
  • Dictates the objectives and mechanisms for processing personal consumer data either individually or in collaboration with others.
  • Generates over $1 billion in worldwide gross annual revenue.
  • Fulfills at least one of the following conditions: deriving a majority of its worldwide gross annual revenue from online ad sales or related activities; operating a consumer voice-activated smart speaker connected to a cloud service; or running an app marketplace with a minimum of 250,000 distinct software applications available for consumers.

Under the new rules, Controllers may collect personal data only to the extent that it is reasonably necessary and proportionate to the purposes for which it is processed. They may not retain personal data once it is no longer needed for that purpose, after the underlying contract expires, or more than two years after the consumer’s last interaction with the Controller. Controllers must act on specific consumer requests, including deletion of personal data, correction of inaccuracies, and opt-outs from the sale of personal data, targeted advertising, profiling, collection of precise geolocation data, and collection of personal data through voice or facial recognition features. They must respond to an authenticated consumer request within 45 days, with a single 15-day extension available where reasonably necessary given the complexity of the request. If a request is manifestly unfounded, excessive, or repetitive, the Controller may charge a reasonable fee or decline the request. The law also requires Controllers to provide an appeal process for consumers whose requests are refused.

Controllers are expected to offer clear channels for consumers to put forth personal data requests and to annually refresh a prominently displayed privacy notice. Separate mandates apply to controllers with de-identified, pseudonymous, or aggregate consumer information.

II. Processors

In this context, “Processors” are individuals or entities that process personal data on a Controller’s behalf. Processors must follow the Controller’s instructions and assist the Controller in responding to consumer requests, and the processing they perform must be set out in a contract with the Controller.

Both Controllers and Processors are barred from collecting personal data through a consumer’s device while the device is not in active use, absent the consumer’s express authorization.

III. Enforcement

Non-compliance with Florida’s Digital Bill of Rights is treated as an unfair and deceptive trade practice. Violations carry civil penalties of up to $50,000 per violation, which may be tripled where the violation involves a known child’s personal data. Importantly, a third party that lawfully receives personal data from a Controller or Processor is not liable for the Controller’s or Processor’s own violations.

Geographical Storage Mandates and Compliance: Delving into SB 264’s Implications for Healthcare Providers


SB 264 provides that, in addition to the requirements of 45 C.F.R. part 160 and subparts A and C of part 164 (the HIPAA Security Rule), healthcare providers that use certified electronic health record technology must ensure that any patient information stored in an offsite physical or virtual environment, whether through a subcontracted computing facility, a third party, or a cloud service provider, is physically maintained in the continental United States, its territories, or Canada.[1] This requirement applies to all “qualified electronic health records that are stored using any technology that can allow information to be electronically retrieved, accessed, or transmitted.”[2] Notably, the obligation to ensure the records’ location falls not on the electronic health record vendor but squarely on the healthcare provider.

Furthermore, any individual or entity applying for or renewing a license under F.S. chapter 408 from the Florida Agency for Health Care Administration (the “AHCA”) must now sign an affidavit, at initial application and at each renewal, attesting under penalty of perjury that it complies with F.S. 408.051(3), which requires the records described above to remain within the continental United States, its territories, or Canada.[3] Non-compliance exposes the licensee to disciplinary action by the AHCA.

SB 264 also requires the licensee to attest that no entity or individual holding a controlling interest in the licensed healthcare establishment holds, directly or indirectly, an interest in an entity that has a business relationship with a foreign country of concern or that is otherwise covered by F.S. 287.135.[4] “Business relationship” is defined broadly to mean engaging in commerce in any form, including acquiring, developing, maintaining, owning, selling, possessing, leasing, or operating equipment, facilities, personnel, products, services, personal property, real property, military equipment, or any other apparatus of business or commerce.[5] Existing licensees must confirm their compliance with these rules before their licenses are renewed.

For healthcare providers that operate in multiple states, including Florida, compliance may require changes to IT infrastructure: not only the primary record store but also replicas, backups, log archives, and any vendor-managed copies must sit in a permitted location.
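The following is an added illustration of the kind of inventory check a provider’s security team might run against that requirement; it is not code from the article, the statute, or any vendor. It assumes a hypothetical inventory format, and its mapping of cloud region codes to jurisdictions and its set of permitted jurisdictions are the example’s own assumptions, to be confirmed by counsel for a real deployment.

```python
"""
Data-residency check for offsite patient-record storage (added example).

The REGION_JURISDICTION mapping and the ALLOWED set below are assumptions of
this example; the region codes are real public identifiers, but which of them
satisfy a given statute is a legal determination, not a technical one.
"""
from __future__ import annotations
from dataclasses import dataclass

# Region code -> jurisdiction label. Only regions used by the sample inventory
# are listed; a real check needs the full list for every provider in use.
REGION_JURISDICTION = {
    "us-east-1": "US-continental",
    "us-west-2": "US-continental",
    "us-gov-west-1": "US-continental",
    "ca-central-1": "Canada",
    "eu-west-1": "EU",
    "ap-southeast-1": "Singapore",
    "sa-east-1": "Brazil",
}

# Jurisdictions this example treats as permitted (continental United States,
# its territories, or Canada). "US-territory" is listed for completeness; no
# public region in the mapping above maps to it.
ALLOWED = {"US-continental", "US-territory", "Canada"}


@dataclass
class StorageLocation:
    name: str
    provider: str
    region: str
    role: str          # "primary", "replica", "backup", "log-archive"
    contains_phi: bool


@dataclass
class Finding:
    name: str
    region: str
    reason: str


def check_residency(inventory: list[StorageLocation]) -> list[Finding]:
    """Return one Finding per PHI-bearing location that is outside ALLOWED.

    A region missing from the mapping is reported as a failure rather than
    silently passed: an unclassified location is exactly the one that needs
    attention before an affidavit is signed.
    """
    findings: list[Finding] = []
    for loc in inventory:
        if not loc.contains_phi:
            continue
        jurisdiction = REGION_JURISDICTION.get(loc.region)
        if jurisdiction is None:
            findings.append(Finding(loc.name, loc.region,
                                    "unmapped region; classify before go-live"))
        elif jurisdiction not in ALLOWED:
            findings.append(Finding(loc.name, loc.region,
                                    f"{loc.role} stored in {jurisdiction}"))
    return findings


# Constructed sample inventory. The replica and log-archive entries show the
# usual way a compliant primary still fails: replication and archives land in
# regions nobody reviewed.
SAMPLE_INVENTORY = [
    StorageLocation("ehr-primary-db", "aws", "us-east-1", "primary", True),
    StorageLocation("ehr-replica", "aws", "eu-west-1", "replica", True),
    StorageLocation("ehr-nightly-backup", "aws", "ca-central-1", "backup", True),
    StorageLocation("audit-log-archive", "aws", "ap-southeast-1", "log-archive", True),
    StorageLocation("marketing-site-assets", "aws", "sa-east-1", "primary", False),
    StorageLocation("imaging-cold-storage", "aws", "me-south-1", "backup", True),
]

if __name__ == "__main__":
    for f in check_residency(SAMPLE_INVENTORY):
        print(f"FAIL {f.name} ({f.region}): {f.reason}")
```

Run against the constructed inventory, the check flags the EU replica, the Singapore log archive, and the unmapped `me-south-1` backup, while the non-PHI marketing bucket in Brazil is ignored. The practical point is that the inventory must be generated from the cloud provider’s API (including replication rules and backup vault destinations), not from an architecture diagram.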

Impact of Senate Bills 262 & 264 on Patient Data Rights, Florida Laws, and Emerging Case Law

Senate Bills 262 and 264 represent a significant step forward for the State of Florida in the realm of data rights and protections. Their combined effect not only augments the rights of Florida residents over their personal and health data but also provides a new landscape for legal practitioners, regulators, and businesses. This analysis dives into how these bills interact with existing Florida laws, influence patient data rights, and pave the way for new case law.

1. Strengthening Patient Data Rights

The main thrust of Senate Bill 264 is the imposition of new restrictions on how licensed Florida healthcare providers store patient records. Before this bill, patient data storage requirements for Florida providers flowed primarily from the federal Health Insurance Portability and Accountability Act (HIPAA), which governs safeguards but does not dictate where data may physically reside. SB 264 builds on this by requiring healthcare providers to ensure that all patient information stored offsite, including in cloud services, is physically maintained within the continental United States, its territories, or Canada. This geographic limitation reflects a data-sovereignty concern: records held in a foreign jurisdiction may be subject to that jurisdiction’s access laws and beyond the reach of U.S. breach-response and enforcement mechanisms.

2. Interaction with Existing Florida Laws

While SB 262 primarily focuses on digital rights and data protection in the broader context, its implications on patient data are inescapable, especially when read in tandem with SB 264. The comprehensive approach of SB 262, which addresses data from race, ethnicity, and health diagnoses, among others, resonates with health-related data protection concerns.

These bills accentuate the rights already granted under the Florida Information Protection Act (FIPA), which mandates businesses to notify individuals about data breaches involving their personal information. With the advent of these Senate bills, the parameters of “personal information” gain further depth and breadth.

3. Potential Overlaps and Conflicts

It’s worth noting that while these bills augment data rights, they also introduce potential overlaps and areas of conflict with existing regulations. For instance, HIPAA already governs a significant portion of health data management and protection. The added layer of mandates from SB 264 might lead to complexities in implementation. How do healthcare providers navigate scenarios where there might be apparent contradictions between federal and state laws? Clear guidelines and possibly additional clarifications might be needed.

4. Paving the Way for New Case Law

Given the enhanced rights and restrictions introduced by SB 262 and SB 264, it’s only a matter of time before disputes arise that will lead to the courts interpreting and providing clarity on these statutes. These legal interpretations will serve as precedents for future disputes, shaping how these bills are understood and implemented.

For instance, the geographical restriction on data storage introduced by SB 264 could lead to legal challenges on the grounds of inter-state commerce or globalization of digital services. Additionally, the parameters defining “sensitive data” in SB 262 are broad and might witness challenges, seeking clarity on what precisely falls within its ambit.

Furthermore, the stipulation under SB 262 that requires businesses to inform users if their website sells sensitive data could become a focal point in litigation, especially in cases of data breaches. Questions might arise as to what constitutes adequate notice and whether companies have been transparent enough in their declarations.

5. Implications for Businesses and Healthcare Providers

Healthcare providers and businesses operating in Florida now face an augmented responsibility. While they must still adhere to federal regulations, these bills introduce additional layers of compliance at the state level. Providers and businesses must revisit their data storage and processing strategies, assess current partnerships (especially with third-party data processors), and possibly even renegotiate contracts to ensure compliance.

6. Broader Impacts on Florida’s Legislative Landscape

The enactment of SB 262 and SB 264 signals a broader shift in Florida’s legislative landscape towards prioritizing individual data rights and privacy. It reflects a global trend, reminiscent of Europe’s General Data Protection Regulation (GDPR). Florida might just be setting the tone for other U.S. states to follow, by placing its residents’ rights at the forefront of the digital age.

Conclusion:

 

This document serves merely as an informative guide and does not replace the need for specialized legal or tax advice. For detailed inquiries, please connect with the author. We aim to keep tracking the subjects discussed here and will offer more updates for our clients as needed.

_________________

[1] SB 264 §408.051(3).

[2] SB 264 §408.051(3).

[3] SB 264 §408.810(14).

[4] SB 264 §408.810(15)(a).

[5] SB 264 §408.810(15)(a)1.

Legal Disclaimer

The information provided in this article is for general informational purposes only and should not be construed as legal or tax advice. The content presented is not intended to be a substitute for professional legal, tax, or financial advice, nor should it be relied upon as such. Readers are encouraged to consult with their own attorney, CPA, and tax advisors to obtain specific guidance and advice tailored to their individual circumstances. No responsibility is assumed for any inaccuracies or errors in the information contained herein, and John Montague and Montague Law expressly disclaim any liability for any actions taken or not taken based on the information provided in this article.
