Florida TaxWatch (FTW) released an independent analysis on Thursday, examining the potential effects of consumer data privacy legislation in the Sunshine State.
The nonpartisan, nonprofit government watchdog released Who Knows What? An Independent Analysis of the Potential Effects of Consumer Data Privacy Legislation in Florida, building on a previous FTW briefing. The report examines experience data from existing consumer data privacy laws across the country to generate an estimate of compliance and litigation costs businesses would face with the implementation of consumer data privacy legislation in Florida.
“Privacy is so important to Floridians that it is a notion enshrined in our Constitution. Florida TaxWatch applauds legislative leaders for raising this issue because we agree with the nearly 80 percent of U.S. adults concerned about how their personal information is being used – we should find a proper way to protect personal data and information. But, as the trusted eyes and ears of Florida taxpayers, we have a responsibility to make sure leaders and decision makers understand the costs and impact their plans have on Florida’s businesses,” said Florida TaxWatch President and CEO Dominic M. Calabro.
The FTW report examines key drivers of costs associated with Florida-specific consumer data privacy legislation, which include compliance and operational costs, litigation expenses, and the threshold for the size and number of businesses covered by the provisions.
For businesses that would be covered under proposed consumer data privacy legislation in Florida, FTW notes that compliance costs include staffing and training requirements (between $138,865 and $393,848 annually per business); IT infrastructure and data inventory assessments (between $253,660 and $1.3 million per business); responses to consumer requests to access, delete, correct, or opt-out of personal information (between $140,000 and $275,000 annually per business); and implementation of reasonable data security safeguards (between $200,000 and $500,000 annually per business).
“Our independent analysis found that if Florida proceeded with the legislation as discussed last year, the direct cost to Florida businesses will be between $6.2 billion and $21 billion in the first year alone, with an ongoing annual compliance cost anywhere from $4.6 billion to $12.7 billion thereafter,” Calabro added.
Enforcement of data privacy provisions vary across the states that have implemented their own laws. Some states rely on their Attorneys General for this, while others include a private right to action provision, which allows consumers to sue businesses directly. The two different strategies were proposed in Florida last year, so FTW includes an analysis of the increase in class-action lawsuits, which would raise potential litigation costs. Based on experience data from other states, and independent analysis of situations that allow consumers to sue companies directly for civil penalties, FTW projects there would be roughly 84 class-action lawsuits over the first year and a half of compliance, with a potential cost of litigation estimated at $4.2 billion. Even without a private right of action, firms are still expected to incur legal costs in order to comply with consumer data privacy provisions.
“Moreover, if a bill passes with a private right of action provision, experience data suggests we can expect over 80 class-action lawsuits within the first year and a half, with an estimated $4.2 billion in litigation expenses and costs,” Calabro continued. “Strengthening personal privacy protections for consumers is critical, and we’re hopeful our analysis will inform these important conversations and debates during the upcoming legislative session.”
FTW also noted that even if small to mid-sized businesses are not primarily covered under a consumer data privacy law, there are secondary effects that will likely cause them to have to comply, despite having fewer resources than the larger firms to accomplish this task.
According to recommendations outlined in the report, FTW highlighted the importance of delaying implementation of consumer data privacy legislation until at least July 1, 2024, providing covered businesses ample time to comply with new regulations, and omitting a private right of action provision in the bill to reduce litigation costs. FTW also suggests urging Florida’s congressional delegation to support the passage of a federal law that would standardize consumer rights, businesses obligations, and enforcement mechanisms across all 50 states.
To date, California, Virginia, and Colorado are the only states that have enacted comprehensive consumer data privacy legislation.