Last Friday, October 1, the Protecting DNA Privacy Act (HB 833), a new genetic privacy law, went into effect in the state of Florida, establishing four new crimes related to the unlawful use of another person’s DNA.  While the criminal penalties in HB 833 are notable, Florida is not alone in its focus on increased genetic privacy protections.  A growing number of states, including Utah, Arizona, and California, have begun developing a net of genetic privacy protections to fill gaps in federal and other state legislation, often focused on the privacy practices of direct-to-consumer (“DTC”) genetic testing companies.  While some processing of genetic information is covered by federal law, the existing patchwork of federal genetic privacy protections does not clearly cover all forms of genetic testing, including DTC genetic tests.

Florida may be the next state to join the growing number of states with a consumer privacy law, as both chambers of Florida’s legislature are currently considering comprehensive state privacy legislation.  Both HB 969 and SB 1734 resemble the California Consumer Privacy Act (“CCPA”), though they contain some notable differences.  Florida Governor Ron DeSantis expressed support for these measures, stating that these proposals “finally check these companies’ unfettered ability to profit off our data and ensure the protection of Floridians’ personal and private information.”


Last Friday, Florida’s governor signed into law the Florida Information Protection Act of 2014 (“FIPA”), a bill repealing Florida’s existing data security breach notice law and replacing it with what will be one of the nation’s most stringent breach notice laws.  This post summarizes the key aspects of the new law, which becomes effective July 1, 2014.

The Definition of “Personal Information” Now Includes Online Account Credentials

FIPA broadly defines the type of information that, if breached, could require a company to provide notice to consumers and (as discussed below) regulators (“personal information”).  Going beyond the narrow scope of information protected by most state data breach laws, FIPA’s definition of personal information includes “a user name or e-mail, in combination with a password or security question and answer that would permit access to an online account.”  (California’s breach notice law also defines covered information to include online account credentials.)

Notice to Individuals Must Now Be Provided Within 30 Days of the Incident

The new law states that any required notices to individuals generally must be provided “no later than 30 days after the determination of a breach or reason to believe a breach occurred.”  This represents a shortening of Florida’s existing 45-day notice requirement. 



Last week, Judge Ungaro of the Southern District of Florida granted in part and denied in part a motion to dismiss in Burrows v. Purchasing Power, LLC.  The court found that the plaintiff had asserted a plausible claim under the Florida Deceptive and Unfair Trade Practices Act (FDUTPA), granted the plaintiff leave to amend his claims for negligence and common-law invasion of privacy, and dismissed without leave to amend his claims under the Stored Communications Act (SCA) and Florida Constitution.

According to the Amended Complaint, defendant Winn-Dixie Stores, Inc. transferred employees’ personally identifiable information (PII) to a third-party service provider named Purchasing Power, which allows employees to purchase goods via automatic payroll deductions.  The Amended Complaint alleges that a Purchasing Power employee inappropriately accessed the Winn-Dixie employees’ PII, and that Winn-Dixie learned about the data breach in October 2011 but failed to notify employees until January 2012.  Plaintiff Patrick Burrows, who was a Winn-Dixie employee, claimed that an unknown person used his compromised PII to file a false tax return under his name, leaving him unable to collect his tax refund.

