Florida Expands Privacy Protections Including a Ban on Offshoring of Certain Patient Data


Florida Governor Ron DeSantis recently signed Senate Bill 262 and Senate Bill 264, giving Floridians greater control over their personal information and setting a new benchmark for protecting and managing data. Both laws take effect on July 1, 2023.

Florida's Digital Rights: Senate Bill 262

Senate Bill 262, also known as the Technology Transparency Bill, has been nicknamed "Florida's Digital Bill of Rights". The law places limits on for-profit businesses operating in Florida that collect "sensitive information" about Florida residents. Sensitive information includes personal data that reveals a person's race, ethnicity, religious beliefs, mental or physical health condition, sexual orientation, citizenship or immigration status, genetic or biometric data used for identification purposes, personal information about a known child, and precise geolocation data. Beginning July 1, 2023, companies in the State of Florida are prohibited from: (i) selling "sensitive information" without obtaining the consumer's consent, or (ii) processing the "sensitive information" of individuals under eighteen (18) years of age without authorization under the Children's Online Privacy Protection Act. As a matter of public policy, the law renders invalid any contractual waiver or restriction of these consumer rights. Companies that sell "sensitive information" must display a notice on their website stating: "NOTICE: This website may sell your sensitive personal information." Note that Protected Health Information ("PHI"), health records, data gathered for clinical research, and de-identified information are specifically exempted from these new requirements.

While Florida's Digital Bill of Rights grants individuals greater control over their personal information, it imposes stricter obligations on particular enterprises: (i) "Controllers"; (ii) "Processors", regardless of their size; and (iii) "Affiliates" of Controllers and Processors.

Under Florida's Digital Bill of Rights, a "Controller" is any individual or organization, including a sole proprietorship, partnership, LLC, corporation, association, or any other legal entity, that meets the following criteria:

is organized or operated for the profit or financial benefit of its shareholders or owners;

conducts business in this state;

collects personal data about consumers, or is the entity on whose behalf such data is collected;

determines the purposes and means of processing consumers' personal data, alone or jointly with others;

earns over $1 billion in total worldwide annual gross revenue; and

meets at least one of the following: (i) derives at least 50 percent of its global gross annual revenue from the sale of online advertising, including targeted advertising or the sale of ads online; (ii) operates a consumer smart speaker and voice command service with an integrated virtual assistant connected to a cloud computing service that uses hands-free verbal activation; or (iii) operates a platform, such as an app store or digital distribution platform, that offers at least 250,000 different software applications for consumers to download and install.

Controllers are now limited in the amount of personal data they may collect: they may collect only what is necessary for the stated processing purpose and must maintain appropriate data security measures. Controllers may not use or retain data after its initial purpose has been fulfilled, after the relevant contract has expired, or more than two years after the consumer's last interaction with them. Controllers must also honor consumer requests to delete or correct personal data and allow consumers to opt out of targeted advertising, geolocation tracking, and voice and facial recognition. They must respond to consumer requests within 45 days, with a 15-day extension available for complex situations. If a request is manifestly unfounded, excessive, or repetitive, a Controller may charge a reasonable fee or decline to act on it. The law also provides an appeals process for consumers whose requests a Controller has denied.

Controllers must establish two or more clear and conspicuous methods for consumers to submit personal data requests, and must make an updated privacy notice readily available to consumers at least once a year. Special rules apply to Controllers that hold de-identified data, pseudonymous data, or aggregate consumer information: they must take reasonable measures to prevent the data from being linked to an individual and must refrain from attempting to re-identify it.

"Processors" under the Florida Digital Bill of Rights are individuals or entities that process personal information on behalf of a Controller. Processors must follow the Controller's instructions and assist the Controller in responding to consumer requests. The contract between a Controller and a Processor must set out how the Processor is to carry out the data processing.

Neither Controllers nor Processors may collect information from a device while the consumer is not actively using it, unless the consumer has expressly granted permission.

Violations of the Florida Digital Bill of Rights are treated as unfair and deceptive trade practices. Violations can result in civil penalties of up to $50,000 per violation, which may be tripled in specific cases involving the unauthorized use of a child's personal information. However, a third party that receives personal data from a Controller or Processor in compliance with the law is not liable for violations committed by the Controller or Processor that provided the data.

Restrictions On Health Records: Senate Bill 264

Senate Bill 264 amends Florida's Electronic Health Records Exchange Act and prohibits the offshoring of certain patient data. Licensed healthcare providers in Florida that use certified electronic health record technology (CEHRT) must now ensure that any patient information stored outside their physical or virtual premises is maintained within the continental United States, its territories, or Canada. The rule applies to patient information stored by third-party entities, subcontracted computing facilities, and cloud computing services, and it covers all "qualified electronic health records." A qualified electronic health record is defined as an electronic record of health-related information about an individual that includes demographic details and clinical health information such as medical history and problem lists, and that has the capacity to provide clinical decision support, support physician order entry, capture and query information relevant to healthcare quality, and exchange electronic health information with other sources. Thus, although the new law applies only to providers that use CEHRT, it is not entirely clear whether the offshoring restriction could also be read to reach a broader range of health data beyond what is stored in CEHRT.

The new law raises further uncertainties about the scope of its application. In particular, it appears that the law would not reach providers that have not yet adopted CEHRT, such as pharmacies, long-term acute care providers, home health and hospice providers, and mental health and substance abuse providers. Furthermore, the law's language, which prohibits offshoring of "all qualified electronic health records that are stored using any technology that can allow information to be electronically retrieved, accessed, or transmitted," leaves open whether personnel located offshore (such as remote employees, subcontractors, or even U.S.-based employees traveling abroad) may access these records from offshore locations.

Through these measures, the State of Florida has demonstrated its commitment to protecting the personal privacy of its residents and promoting responsible data practices. Businesses that operate in Florida should therefore pay close attention to these newly enacted laws and take the steps necessary to comply with them.

©2023 Epstein Becker & Green, P.C. All rights reserved. National Law Review, Volume 13, Issue 186
