Florida’s proposed data privacy law would hurt consumers and businesses

by | Mar 3, 2022

While trying to give consumers more control over their data, House Bill 9 violates several of the best practices for good consumer privacy laws.

Spence Purnell

Aiming to protect Floridians’ privacy, the Florida House of Representatives is considering a data privacy bill that, unfortunately, would fail to improve consumers’ privacy while also unintentionally lowering the quality of digital products available in the state and adding tens of billions of dollars to the cost of doing business here. While trying to give consumers more control over their data, House Bill 9 violates several of the best practices for good consumer privacy laws outlined in a legislative checklist by Reason Foundation and the International Center for Law and Economics showing how to protect individuals’ privacy without stifling innovation.

Most notably, House Bill 9 would likely reduce consumers’ access to platforms and drive companies to change business models or create a paid category of social media. Social media platforms and apps often use the data collected from users to sell advertisements. For example, around 97 percent of Facebook’s revenue comes from advertising that is based on data that its customers have voluntarily opted into sharing in exchange for using Facebook for free. If companies were forced to give free access to customers who completely blocked the sharing of that data, some platforms would have to shift to other business models and find other revenue sources to cover their costs.

Users are already free to choose which apps they use. The large number of consumers who willingly share their data or consider viewing ads as the “price” of using and benefiting from free digital services shows most users don’t consider themselves harmed by the data they share. It is a trade-off they are willing to make. Most people are choosing to trade some of their data for digital services, knowing they can end that relationship whenever they choose.

House Bill 9 tries to create a space for people who want to use digital services but don’t want to share their data, but this space is already developing and evolving without state legislation. Many popular web browsers, for instance, already contain features that allow users to set tracking and privacy preferences, such as cookie retention and deletion.

Different apps and platforms choose different approaches to data privacy, which is a good thing because users can select the apps they want to use based on how much data the respective app wants from the user.  This variation and innovation is better for consumers and businesses than a state law that mandates how firms are allowed to handle data.

Importantly, HB 9 also fails to adequately distinguish between privacy and security by including a requirement that companies must “implement reasonable security procedures” to protect data.  Privacy refers to how the data is shared legally with other companies and security addresses illegal breaches of that data or other improper releases related to technical failures and hacks.  There are already laws governing security requirements for companies that collect data, plus a robust regime of civil liability if firms negligently treat consumer data.

Hence, most digital companies already have security protocols in place. HB 9, however, adds the new twist of a private right of action, which would allow any individual consumer to bring a lawsuit against a company for perceived data privacy harms.

In the event of actual online data breaches, it is rarely one single individual who is harmed by a data breach but, rather, like in the Equifax breach that exposed the private information of over 100 million people, a class action is created that lets all the harmed consumers seek redress.

The provisions in HB9 would allow lawsuits by individuals claiming violations of any of a host of very minor procedural requirements regardless of whether or not there are actual consumer harms. This could unleash a ridiculous flood of lawsuits from individuals who are trying to force digital service companies to change their policies.

For example, the bill requires that users’ requests to opt-out or be deleted be completed in less than 10 days. Thus, users could frequently opt-in and out of data sharing with the hope that the firm does not comply with one of these requests in time, giving grounds for a suit.

HB 9 is ripe for abuse and would greatly increase compliance and litigation costs for companies, which would likely increase the cost of using digital services for consumers. Rather than enabling lawsuits through HB 9, lawmakers should want unhappy customers to seek out other digital service companies that offer the policies they prefer.

Rather than reducing the products available to consumers and increasing the costs of doing business in Florida, a better path forward would be for the state to take a consumer-focused approach. That approach would start by recognizing that consumers already have a choice in whether or not to use any free digital services that require data in return. Most consumers overwhelmingly do choose to do so—viewing what they gain from the apps and platforms to be as valuable as the data they’re providing.

At the same time, Florida could work with industry standards groups to identify best practices in determining how data is collected and protected, who it is shared with, and in ways that allow online firms to maintain their current and future business models while also addressing the concerns of consumers. Any consumer privacy law should focus on creating proportional remedies for actual consumer harms when they do occur instead of mandating requirements and actions.
Spence Purnell is the Director of Technology Policy for Reason Foundation.


%d bloggers like this: