Florida - Sectoral Privacy Overview
1.1. Constitutional Right of Privacy
The Constitution of the State of Florida ('the Constitution') recognizes an individual's right of privacy under Article I, Section 23, which provides that every natural person has the right to be let alone and free from governmental intrusion into the person's private life except as otherwise provided in the Constitution. This Section must not be construed to limit the public's right of access to public records and meetings as provided by law.
It is important to note, however, that this right of privacy specifically protects against 'governmental intrusion,' not any or all intrusions. Floridians must look to other areas of the law, some of which are highlighted below, for privacy protections against other actors and forms of intrusion.
1.2. Statutory Right to Privacy
- Florida has codified its statutory right of publicity, which has been treated as a property right, at §540.08 of Chapter 540 of Title XXXIII of the Florida Statutes ('Fla. Stat.'). For more discussion, see section 2.2.
1.3. Common Law Right to Privacy
Florida courts generally recognize three theories or categories of privacy torts, originally set forth by Prosser in the Law of Torts (Fourth Edition, 1971), including:
- intrusion, namely invading physical solitude or seclusion;
- public disclosure of private facts; and
- appropriation, namely commercial exploitation of the property value of one's name (see Loft v. Fuller, 408 So. 2d 619, 622 (District Court of Appeal of Florida, Fourth District 1981)).
Note that courts previously recognized a fourth category, false light in the public eye, but this was done away with in 2008 (see Jews for Jesus, Inc. v. Rapp, 997 So. 2d 1098, 1114 (Fla. 2008)).
'Intrusion' is defined by Florida law as 'physically or electronically intruding into one's private quarters' (Oppenheim v. I.C. Sys., Inc., 695 F.Supp.2d 1303, 1308 (M.D. Fla. 2010) (quoting Allstate Ins. Co. v. Ginsberg, 863 So.2d 156, 162 (Fla. 2003))). The tort focuses on 'the right of a private person to be free from public gaze' and requires that 'the intrusion […] be highly offensive to a reasonable person' (Oppenheim at 1309 (quoting Ginsberg, 863 So.2d at 162)).
Public disclosure of private facts
The tort of public disclosure of private facts has four elements: (i) the publication, (ii) of private facts, (iii) that are offensive, and (iv) are not of public concern (Cape Publ'n, Inc. v. Hitchner, 549 So. 2d 1374, 1377 (Fla. 1989)). However, this 'right of privacy does not forbid the publication of information that is of public benefit, and the right does not exist as to persons and events in which the public has a rightful interest' (Cape Publ'n, Inc. at 1378 (quoting Harms v. Miami Daily News, Inc., 127 So.2d 715, 717 (Fla. 3d DCA 1961))). As such, the 'newsworthiness' defense can be a substantial obstacle for potential plaintiffs.
The tort of misappropriation, i.e. 'the unauthorized use of a person's name or likeness to obtain some benefit,' is very similar to the statutory right of publicity under Fla. Stat. §540.08, discussed below in section 2.2. (Oppenheim v. I.C. Sys., Inc., 695 F.Supp.2d at 1309). Furthermore, a 'plaintiff may assert common law and statutory claims for misappropriation in the same action' (Coton v. Televised Visual X-Ography, Inc., 740 F.Supp.2d 1299, 1313 (M.D. Fla. 2010)).
2.1. Senate Bill 262
On June 6, 2023, Florida became the tenth state in the US to enact a comprehensive privacy law, namely the Florida Digital Bill of Rights ('FDBR'). The FDBR has three distinct parts. It creates Chapter 501, Part V of the Florida Statutes, providing a unified scheme that allows Florida's consumers to control the digital flow of their personal data and gives consumers certain rights over their data privacy. It also creates Section 112.23 of the Florida Statutes, which prohibits employees of a governmental entity from using their position or any state resources to communicate with social media platforms to request the removal of content or accounts. Additionally, it creates Section 501.1735 of the Florida Statutes to establish protections for children in online spaces.
The FDBR provides Florida residents with certain rights with respect to their personal data and imposes significant obligations on large companies to whom the law applies. The FDBR redesignates current portions of Chapter 501, Florida Statutes and creates a new Part V of Chapter 501, consisting of F.S. §§ 501.701-501.721 entitled 'Data Privacy and Security.'
The provisions of the FDBR will take effect on July 1, 2024. Notably, the FDBR supersedes all rules, regulations, codes, ordinances and other laws adopted by a city, county, municipality or other local agency regarding consumer personal data.
The FDBR applies to 'controllers', which are defined as businesses that collect Florida consumers' personal data, make in excess of $1 billion in global gross annual revenue and meet at least one of the following three thresholds (Section 501.703(1) of the FDBR):
- derives 50% or more of its global gross annual revenues from the online sale of advertisements, including from providing targeted advertising or the sale of ads online;
- operates a consumer smart speaker and voice command component service with an integrated virtual assistant connected to a cloud computing service that uses hands-free verbal activation; or
- operates an app store or digital distribution platform that offers at least 250,000 different software applications for consumers to download and install.
However, the FDBR does not apply to state agencies, political subdivisions of the state, financial institutions subject to the Gramm-Leach-Bliley Act of 1999, covered entities or business associates governed by the Privacy and Security Rules ('the Privacy and Security Rules') established under the Health Insurance Portability and Accountability Act of 1996 ('HIPAA'), or Florida postsecondary education institutions. Additionally, the FDBR does not apply to the processing of personal data by a person in the course of a purely personal or household activity, or to processing solely for measuring or reporting advertising performance, reach or frequency. Finally, the FDBR does not apply to employee data or business data (Section 501.703(2) of the FDBR).
Similar to other state comprehensive privacy laws, there is no general private right of action. Instead, the FDBR will be enforced by the Florida Department of Legal Affairs ('the Department'). In addition to other remedies, the Department can assess a civil penalty of up to $50,000 per violation, which can be trebled for certain violations, such as violations involving the personal data of a known child or failure to delete personal data in response to a proper consumer request. The FDBR permits, but does not require, the Department to allow a business a 45-day cure period.
Data subject rights
The FDBR provides consumers with the following rights (Section 501.705 of the FDBR):
- confirm and access their personal data;
- delete, correct, or obtain a copy of that personal data;
- opt out of the processing of personal data for the purposes of targeted advertising, the sale of personal data, or profiling in furtherance of a decision that produces a legal or similarly significant effect concerning a consumer;
- opt out of the collection or processing of sensitive data, including precise geolocation data; and
- opt out of the collection of personal data collected through the operation of a voice recognition or facial recognition feature.
Child: means an individual younger than 18 years of age (Section 501.702(6) of the FDBR).
Consumer: means an individual who is a resident of Florida or is domiciled in Florida acting in an individual or household context. It does not include individuals acting in a commercial or employment context (Section 501.702(8) of the FDBR).
Dark pattern: means a user interface designed or manipulated with the effect of substantially subverting or impairing user autonomy, decision making or choice. The term includes any practice the Federal Trade Commission ('FTC') refers to as a dark pattern (Section 501.702(11) of the FDBR).
Decision that produces a legal or similarly significant effect concerning a consumer: means a decision made by a controller which results in the provision or denial by the controller of any of the following (Section 501.702(12) of the FDBR):
- Financial and lending services.
- Housing, insurance, or health care services.
- Education enrollment.
- Employment opportunities.
- Criminal justice.
- Access to basic necessities, such as food and water.
Personal data: means any information, including sensitive data, which is linked or reasonably linkable to an identified or identifiable individual. The term includes pseudonymous data when the data is used by a controller or processor in conjunction with additional information that reasonably links the data to an identified or identifiable individual. The term does not include de-identified data or publicly available information (Section 501.702(19) of the FDBR).
Profiling: means any form of solely automated processing performed on personal data to evaluate, analyze or predict personal aspects related to an identified or identifiable individual’s economic situation, health, personal preferences, interests, reliability, behavior, location or movements (Section 501.702(25) of the FDBR).
Sale of personal data: means the sharing, disclosing or transferring of personal data for monetary or other valuable consideration by the controller to a third party. The term does not include (Section 501.702(29) of the FDBR):
- the disclosure of personal data to a processor who processes the personal data on the controller’s behalf;
- the disclosure of personal data to a third party for purposes of providing a product or service requested by the consumer;
- the disclosure of information that the consumer:
- Intentionally made available to the general public through a mass media channel; and
- Did not restrict to a specific audience.
- the disclosure or transfer of personal data to a third party as an asset that is part of a merger or an acquisition.
Sensitive data: means a category of personal data that includes any of the following (Section 501.702(31) of the FDBR):
- personal data revealing an individual's racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status;
- genetic or biometric data processed for the purpose of uniquely identifying an individual;
- personal data collected from a known child; and
- precise geolocation data.
Targeted advertising: means displaying to a consumer an advertisement selected based on personal data obtained from that consumer's activities over time across affiliated or unaffiliated websites and online applications used to predict the consumer’s preferences or interests. The term does not include an advertisement that is (Section 501.702(33) of the FDBR):
- based on the context of a consumer's current search query on the controller’s own website or online application; or
- directed to a consumer search query on the controller's own website or online application in response to the consumer’s request for information or feedback.
A controller under the FDBR must:
- establish two or more methods to enable consumers to submit requests to exercise their rights under the FDBR. The methods must be secure, reliable, and clearly and conspicuously accessible;
- authenticate and respond to consumer requests and must provide an appeal process for any requests that are unfulfilled;
- limit the collection of personal data to data that is adequate, relevant, and reasonably necessary in relation to the purposes for which it is processed and as disclosed to the consumer;
- establish, implement and maintain reasonable administrative, technical and physical data security practices appropriate to the volume and nature of the personal data at issue;
- provide consumers with a reasonably accessible and clear privacy notice, updated at least annually;
- enter into contracts with its processors with the requirements described below;
- take certain measures with respect to deidentified data, pseudonymous data and aggregate consumer information;
- conduct and document data protection assessments;
- where operating a search engine, make available, in an easily accessible location on the webpage that does not require a consumer to log in or register to read, an up-to-date plain language description of the main parameters that are used to determine rankings of results, including the prioritization or deprioritization of political partisanship or ideologies.
Controllers under the FDBR must not:
- process personal data for a purpose that is neither reasonably necessary nor compatible with the purpose for which the personal data is processed, as disclosed to the consumer, unless the consumer provides consent;
- process personal data in violation of state or federal laws that prohibit unlawful discrimination against consumers;
- discriminate against a consumer for exercising their rights under the FDBR;
- sell sensitive personal data of a consumer without obtaining the consumer’s consent.
Responding to Consumer Requests
A controller shall provide information or take action in response to a consumer request free of charge at least twice per year per consumer. If a request is manifestly unfounded, excessive or repetitive, the controller may charge the consumer a reasonable fee to cover the administrative costs of complying with the request or may deny the request. The controller bears the burden of demonstrating that a request is manifestly unfounded, excessive or repetitive (Section 501.706(5) of the FDBR).
A controller shall comply with consumer requests without undue delay, and in any event no later than 45 days after receiving the request. A controller may extend the response period by an additional 15 days when reasonably necessary, taking into account the complexity and number of the consumer's requests, so long as the controller informs the consumer of the extension within the initial 45-day period and provides the reason for the extension (Section 501.706(2) of the FDBR).
If a controller cannot take action regarding the consumer's request, the controller must inform the consumer within 45 days of receiving the request. The controller must also provide the consumer with the justification for the inability to take action and must provide instructions on how the consumer can appeal the decision (Section 501.706(3) of the FDBR).
A controller is not required to comply with a consumer request if the controller cannot authenticate the request. However, the controller must make a reasonable effort to request that the consumer provide additional information reasonably necessary to authenticate the request (Section 501.706(3) of the FDBR). If a controller maintains a self-service mechanism to allow a consumer to correct certain personal data, the controller may deny the consumer’s request and require the consumer to correct his or her own personal data through such a mechanism (Section 501.706(3) of the FDBR).
If a controller receives a deletion request from a consumer about whom the controller has obtained personal data from a source other than the consumer, the controller will be in compliance with the request if it (Section 501.706(6) of the FDBR):
- deletes the personal data, retaining a record of the deletion request and the minimum data necessary to ensure that the consumer's personal data remains deleted from the business's records, and does not use the retained data for any other purpose under this part; or
- opts the consumer out of the processing of that personal data.
A controller shall establish a process for a consumer to appeal the controller's refusal to take action on a request within a reasonable period of time after the consumer receives the controller's decision. The appeal process must be conspicuously available and similar to the process for initiating a request to exercise the consumer's rights. A controller must inform the consumer in writing of any action taken or not taken in response to an appeal within 60 days of receiving the appeal, including a written explanation for the decision (Section 501.707 of the FDBR).
Any contractual provision which waives or limits in any way a consumer right provided in the FDBR is contrary to public policy and is void and unenforceable (Section 501.708 of the FDBR).
A controller must provide consumers with a reasonably accessible and clear privacy notice, updated at least annually, that includes (Section 501.711(1) of the FDBR):
- the categories of personal data processed by the controller, including, if applicable, any sensitive data processed by the controller;
- the purpose of processing personal data;
- how consumers may exercise their rights, including the process by which a consumer may appeal a decision;
- the categories of personal data that the controller shares with third parties (if applicable);
- the categories of third parties with whom the controller shares personal data (if applicable); and
- a description of the methods by which consumers can submit requests to exercise their consumer rights.
A controller that engages in the sale of sensitive personal data must provide a notice that states: 'NOTICE: This website may sell your sensitive personal data.' A controller that engages in the sale of biometric data must provide a notice stating: 'NOTICE: This website may sell your biometric personal data.' These notices must be provided in the same manner as the privacy notice described above (Section 501.711(2) and (3) of the FDBR).
Where a controller sells personal data to third parties or processes personal data for targeted advertising, the controller must clearly and conspicuously disclose this, together with the manner in which a consumer may exercise the right to opt out (Section 501.711(4) of the FDBR).
Data processors must adhere to the instructions of the controller and shall assist the controller in compliance with the requirements of the FDBR (Section 501.712(1) of the FDBR). The controller and processor must also enter into a contract that governs the processor’s data processing procedures and must include (Section 501.712(1) of the FDBR):
- clear instructions for processing data;
- the nature and purpose of processing;
- the type of data subject to processing;
- the duration of processing;
- the rights and obligations of both parties;
- a requirement that the processor ensure that each person processing personal data is subject to a duty of confidentiality with respect to the data;
- a requirement that the processor delete or return all personal data to the controller as requested after the provision of the service is completed, unless retention of the personal data is required by law;
- a requirement that the processor make available to the controller, upon reasonable request, all information in the processor’s possession necessary to demonstrate the processor's compliance with this part;
- a requirement that the processor allow, and cooperate with, reasonable assessments by the controller or the controller’s designated assessor; and
- a requirement that the processor engage any subcontractor pursuant to a written contract that requires the subcontractor to meet the requirements of the processor with respect to the personal data.
If the processor engages an independent assessor to conduct an assessment of the processor's policies and technical and organizational measures under the FDBR, the processor shall provide the assessor's report to the controller upon request.
Data Protection Assessments
The FDBR follows the trend of requiring controllers to conduct and document data protection assessments ('DPAs'). DPAs are required for (Section 501.713(1) of the FDBR):
- the processing of personal data for targeted advertising;
- the sale of personal data;
- the processing of personal data for purposes of profiling, if such profiling presents a reasonably foreseeable risk of:
- unfair or deceptive treatment of, or unlawful disparate impact on, consumers;
- financial, physical, or reputational injury to consumers;
- physical or other intrusion upon the solitude or seclusion, or the private affairs or concerns, of consumers, if such intrusion would be offensive to a reasonable person; or
- other substantial injuries to consumers;
- the processing of sensitive data; and
- any processing activities involving personal data which present a heightened risk of harm to consumers.
DPAs must cover processing activities generated on or after July 1, 2023 (Section 501.713(6) of the FDBR).
The DPA must (Section 501.713(2) of the FDBR):
- identify and weigh the direct or indirect benefits that may flow from the processing to the controller, the consumer, other stakeholders, and the public against the potential risks to the rights of the consumer associated with that processing, as mitigated by safeguards that can be employed by the controller to reduce such risks; and
- factor into the assessment:
- the use of deidentified data;
- the reasonable expectations of consumers;
- the context of the processing; and
- the relationship between the controller and the consumer whose personal data will be processed.
If a controller must disclose its DPA to the Florida Attorney General under the FDBR, such disclosure will not constitute a waiver of attorney-client privilege or work product protection with respect to the assessment and any information contained in the assessment (Section 501.713(3) of the FDBR). A single data protection assessment may address a comparable set of processing operations which include similar activities (Section 501.713(4) of the FDBR). A data protection assessment conducted by a controller for the purpose of compliance with any other law or regulation may constitute compliance with the requirements of this section if the assessment has a reasonably comparable scope and effect (Section 501.713(5) of the FDBR).
Government-Directed Content Moderation of Social Media Platforms (F.S. §112.23)
The FDBR also created Florida Statutes §112.23. This provision applies to each governmental entity, which is defined broadly as 'any officer or employee of a state, county, district, authority, municipality, department, agency, division, board, bureau, commission, or other separate unit of government created or established by law, and includes any other public or private entity acting on behalf of such governmental entity.' §112.23 enters into effect on July 1, 2023. Notably, §112.23 prohibits governmental entities from:
- communicating with social media platforms to request the removal of content or accounts; and
- initiating or maintaining any agreements or working relationships with social media platforms for the purpose of content moderation.
The prohibitions do not apply in the following instances:
- routine account management;
- attempts to remove content or accounts that pertain to the commission of a crime or violation of Florida's public records law;
- investigations or inquiries related to an effort to prevent imminent bodily harm, loss of life or property damage.
Protection of Children in Online Spaces (F.S. 501.1735)
The FDBR amends Part II of Chapter 501 (Deceptive and Unfair Trade Practices) to provide protections for children who use online platforms and games. Such provisions enter into effect July 1, 2024.
The FDBR prohibits online platforms that provide an online service, product, game or feature, that is likely to be predominantly used by children from (Section 501.1735(2) of the FDBR):
- processing the child's data if the platform has actual knowledge of, or willfully disregards, that the processing may result in substantial harm or privacy risk to children;
- profiling a child unless both of the following criteria are met:
- the online platform can demonstrate it has appropriate safeguards in place to protect children; and
- the profiling is necessary to provide the service, product or feature, or the online platform can demonstrate a compelling reason that the profiling does not pose a substantial harm or privacy risk to children.
- collecting, selling, sharing or retaining any personal information that is not necessary to provide the online service, product or feature with which a child is actively and knowingly engaged, unless the online platform can demonstrate a compelling reason that collecting, selling, sharing or retaining the personal information does not pose a substantial harm or privacy risk to children;
- using personal information of a child for any reason other than the reason for which the personal information was collected, unless the online platform can demonstrate a compelling reason that the use of the personal information does not pose a substantial harm or privacy risk to children;
- collecting, selling or sharing any precise geolocation data of children unless such collection is strictly necessary for the online platform to provide the service, product or feature, and only for the limited time that the collection of such data is necessary;
- using dark patterns to:
- lead or encourage children to provide personal information beyond that which would otherwise reasonably be expected to be provided for that online service, product, game or feature;
- forego privacy protections; or
- take any action that the online platform has actual knowledge of or willfully disregards that may result in substantial harm or privacy risk to children.
- using any personal information collected to estimate age or age range for any other purpose, or retaining that personal information longer than necessary to estimate age. The age estimate must be proportionate to the risks and data practices of the online service, product or feature.
If an online platform processes the personal information of children as part of providing its online services, product, game or feature to children, the online platform bears the burden of demonstrating that its processes do not violate the prohibitions enumerated above (Section 501.1735(3) of the FDBR).
The FDBR does not include a private cause of action. Any violation of §501.1735 is an unfair and deceptive trade practice actionable under Part II of Chapter 501 solely by the Department of Legal Affairs against the online platform. Remedies include the standard remedies under Part II of Chapter 501 (which include attorneys' fees), along with a civil penalty of up to $50,000 per violation. Civil penalties may be tripled for any violation involving a Florida child whom the online platform has actual knowledge is under 18 years of age. Actions may be brought only on behalf of a Florida child (Section 501.1735(4) of the FDBR).
The FDBR specifically includes a broadly encompassing jurisdictional provision. An online platform is subject to the jurisdiction of Florida courts if it operates an online service, product, game or feature likely to be predominantly accessed by children and is accessible by Florida children located in Florida (Section 501.1735(5) of the FDBR).
Right to cure: there is no automatic right to cure, but the Department, in its sole discretion, may grant a 45-day cure period after notifying an online platform in writing of an alleged violation. If a cure period is granted and the online platform cures the alleged violation to the satisfaction of the Department, the Department may not bring an action for the alleged violation but may issue a letter of guidance indicating that the online platform will not be offered a 45-day cure period for future violations. If the online platform does not cure the violation within the 45-day cure period, the Department may bring an action against the online platform (Section 501.72(2) of the FDBR).
2.2. Statutory Right to Privacy/Publicity
Florida has codified its statutory right of publicity, which has been treated as a property right, at Fla. Stat. §540.08. Specifically, under Fla. Stat. §540.08, no person shall publish, print, display, or otherwise publicly use for purposes of trade or for any commercial or advertising purpose the name, portrait, photograph, or other likeness of any natural person without the express written or oral consent to such use given by:
- such person;
- any other person, firm or corporation authorized in writing by such person to license the commercial use of her or his name or likeness; or
- if such person is deceased, any person, firm or corporation authorized in writing to license the commercial use of her or his name or likeness, or if no person, firm or corporation is so authorized, then by any one from among a class composed of her or his surviving spouse and surviving children.
Note that consent is not required for a deceased person if at least 40 years have passed from the date of the person's death (Fla. Stat. §540.08(5)). Likewise, exceptions apply for news media, including newspapers, magazines, broadcasts and news reports, and publications connected with resale or distribution where consent was given with initial sale or distribution (Fla. Stat. §540.08(4)).
A person whose likeness is used without consent may bring an action to enjoin such unauthorized publication, printing, display or other public use, and recover damages for any loss or injury sustained by reason thereof, including an amount that would have been a reasonable royalty, and punitive or exemplary damages (Fla. Stat. §540.08(2)). These remedies are intended to be 'in addition to and not in limitation of' those provided under the common law protections against invasions of privacy (Fla. Stat. §540.08(7)).
2.3. Confidentiality of Public Records
Generally, under Florida law, all state, county, and municipal records are open for personal inspection and copying by any person, and providing access to public records is a duty of each agency (§119.01(1) of Chapter 119 of Title X of the Fla. Stat.). Public records include 'all documents, papers, letters, maps, books, tapes, photographs, films, sound recordings, data processing software, or other material, regardless of the physical form, characteristics, or means of transmission, made or received pursuant to law or ordinance or in connection with the transaction of official business by any agency' (Fla. Stat. §119.011(12)). However, Chapter 119 of Title X of the Fla. Stat. provides several exemptions from disclosure under Fla. Stat. §119.01(1). For example, Fla. Stat. §119.071(5) exempts certain personal information from disclosure, including social security numbers, bank account numbers and debit, charge, and credit card numbers, medical history records and information related to health or property insurance, and biometric identification information. Other exemptions under Fla. Stat. §119.071 cover certain agency actions (administration, investigations), information (security and fire safety), and agency personnel information. Additional exemptions can be found in various Florida statutes, including, for example, §395.0162 of Chapter 395 of Title XXIX of the Fla. Stat. (hospital inspection reports), §456.057 of Chapter 456 of Title XXXII of the Fla. Stat. (patient records), §624.23 of Chapter 624 of Title XXXVII of the Fla. Stat. (personal and financial health information) and, as discussed below, §501.171(11) of Chapter 501 of Title XXXIII of the Fla. Stat. (records relating to data breach notifications).
Florida has several laws related to privacy and confidentiality of patient health information. Below are examples of these laws, but this list is not exhaustive. Additionally, the Florida Administrative Code provides additional guidance on health data privacy.
3.1. General Confidentiality of Patient Records
Under Florida law, patient health records may not be furnished to, and the medical condition of a patient may not be discussed with, any person other than the patient, the patient's legal representative, or other health care practitioners and providers involved in the patient's care or treatment, except upon written authorization from the patient (Fla. Stat. §456.057(7)(a)). Moreover, Fla. Stat. §395.3025(4) reaffirms that patient records are confidential and must not be disclosed without the consent of the patient or his or her legal representative. In the following instances, however, such information may be disclosed without a patient's written authorization (Fla. Stat. §456.057(7)(a)):
- to any person, firm, or corporation that has procured or furnished such care or treatment with the patient's consent;
- when compulsory physical examination is made pursuant to Rule 1.360 of the Florida Rules of Civil Procedure, in which case copies of the medical records must be furnished to both the defendant and the plaintiff;
- in any civil or criminal action, unless otherwise prohibited by law, upon the issuance of a subpoena from a court of competent jurisdiction and proper notice to the patient or the patient's legal representative by the party seeking such records;
- for statistical and scientific research, provided the information is abstracted in a way as to protect the identity of the patient or provided written permission is received from the patient or the patient's legal representative;
- to a regional poison control center for purposes of treating a poison episode under evaluation, case management of poison cases, or compliance with data collection and reporting requirements of Fla. Stat. §395.1027 and the professional organization that certifies poison control centers in accordance with federal law; and
- to the Florida Department of Children and Families, its agent, or its contracted entity, for the purpose of investigations of or services for cases of abuse, neglect, or exploitation of children or vulnerable adults.
See also the exceptions listed at Fla. Stat. §395.3025(4)(a) to (l).
3.2. Mental Health Treatment Records
Chapter 394 of Title XXIX of the Fla. Stat. sets forth laws related to mental health, and Fla. Stat. §394.4615(1) requires that such clinical records be kept confidential, providing that, unless waived by the express and informed consent of the patient or the patient's guardian, the confidential status of the clinical record must not be lost by either authorized or unauthorized disclosure to any person, organization, or agency. A patient's mental health clinical record may be released in certain circumstances, including the following (Fla. Stat. §394.4615(2)(a) to (d)):
- The patient or the patient's guardian authorizes the release. The guardian or guardian advocate must be provided access to the appropriate clinical records of the patient. The patient or the patient's guardian or guardian advocate may authorize the release of information and clinical records to appropriate persons to ensure the continuity of the patient's health care or mental health care.
- The patient is represented by counsel and the records are needed by the patient's counsel for adequate representation.
- The court orders such release. In determining whether there is good cause for disclosure, the court must weigh the need for the information to be disclosed against the possible harm of disclosure to the person to whom such information pertains.
- The patient is committed to, or is to be returned to, the Florida Department of Corrections from the Department of Children and Families, and the Department of Corrections requests such records. These records must be furnished without charge to the Department of Corrections.
See also Fla. Stat. §394.4615(3) and (4).
Furthermore, under Fla. Stat. §456.059, communications between a patient and a psychiatrist must be held confidential and may not be disclosed except upon the request of the patient or the patient's legal representative. However, if a patient communicates a 'specific threat' to cause serious bodily harm or death to a 'readily available person,' and the treating psychiatrist believes the patient has the ability and intent to actually carry out the threat, then the psychiatrist may disclose such communications as necessary to warn potential victims and alert law enforcement.
Florida law dictates that books and records pertaining to trust accounts, and the deposit accounts and loans of depositors, borrowers, members, and stockholders of any financial institution must be kept confidential by the financial institution and its directors, officers, and employees and may not be released except upon express authorization of the account holder as to her or his own accounts, loans, or voting rights (§655.059 of Chapter 655 of Title XXXVIII of the Fla. Stat.).
In certain circumstances, however, information relating to any loan made by a financial institution may be released without the borrower's authorization in a manner prescribed by the board of directors for the purpose of meeting the needs of commerce and for fair and accurate credit information, and to verify or corroborate the existence or amount of a customer's or member's account when such information is reasonably provided to meet the needs of commerce and to ensure accurate credit information (Fla. Stat. §655.059(2)(b)). Likewise, a financial institution, affiliate, and its subsidiaries, and any holding company of the financial institution or subsidiary of such holding company, may furnish to one another information relating to their customers or members, subject to the requirement that each corporation receiving information that is confidential maintain the confidentiality of such information and not provide or disclose such information to any unaffiliated person or entity (Fla. Stat. §655.059(2)(b)).
Furthermore, the books and records of a financial institution are confidential and must be made available for inspection and examination only in certain limited circumstances (Fla. Stat. §655.059(1)). However, each depositor, borrower, member, or stockholder has the right to inspect such books and records of a financial institution as they pertain to her or his loans or accounts (Fla. Stat. §655.059(2)(a)).
A willful violation of Fla. Stat. §655.059 involving the unlawful disclosure of confidential information is a third-degree felony (Fla. Stat. §655.059(2)(c)).
Note that the Florida Insurance Code, codified under Chapter 624 of Title XXXVII of the Fla. Stat., provides additional privacy protections, as does Chapter 69O-128 of the Florida Administrative Code.
Florida statutory law does not explicitly protect employment data. However, under the exemptions provided from Florida's general public records law, Fla. Stat. §119.071, discussed in section 2.2. above, certain individuals' employment information may be exempt from disclosure, such as agency employees, US attorneys and judges, and servicemembers (see Fla. Stat. §119.071(4) and (5)(i)).
Some protections for personnel files, however, may be afforded via common law. Specifically, in Walker v. Ruot, 111 So. 3d 294 (Fla. Dist. Ct. App. 2013), the court stated that '[p]ersonnel files undoubtedly contain private information', and acknowledged that disclosure of this private information would be 'highly intrusive' to an employee's privacy interest (Walker at 295-96). Unfortunately, the court considered this privacy interest in the context of litigation discovery, so the decision may not have wide applicability beyond that context; the court emphasized that '[w]hen privacy rights are implicated, discovery should be narrowly tailored to provide access to discoverable information while safeguarding privacy rights'.
See the section on key privacy laws above for information on the FDBR.
7.1. Email Marketing
The Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 ('the CAN-SPAM Act'), which is a federal law, establishes requirements for commercial messages sent to recipients in the US. The CAN-SPAM Act expressly supersedes state laws or regulations that expressly regulate the use of electronic mail to send commercial messages, except to the extent that such laws or regulations prohibit false or deceptive actions.
Additionally, Chapter 668 of Title XXXIX of the Fla. Stat. protects against unsolicited commercial electronic mail messages, which are defined as 'any commercial electronic mail message that is not a transactional or relationship message and is sent to a recipient without the recipient's affirmative or implied consent' (Fla. Stat. §668.602(14)). An 'electronic mail message' is 'an electronic message or computer file that is transmitted between two or more telecommunications devices, computers, or computer networks, regardless of whether the network is a local, regional, or global network, or electronic devices capable of receiving electronic messages, regardless of whether the message is converted to a hard copy format after receipt, viewed upon transmission, or stored for later retrieval' (Fla. Stat. §668.602(7)). A 'commercial electronic mail message' is 'an electronic mail message sent to promote the sale or lease of, or investment in, property, goods, or services related to any trade or commerce. This includes any electronic mail message that may interfere with any trade or commerce, including messages that contain computer viruses' (Fla. Stat. §668.602(3)).
Fla. Stat. §668.603 specifically dictates that a person may not:
- initiate or assist in the transmission of an unsolicited commercial electronic mail message from a computer located in Florida or to an electronic mail address that is held by a resident of Florida which:
  - uses a third party's internet domain without permission of the third party;
  - contains falsified or missing routing information or otherwise misrepresents, falsifies, or obscures any information in identifying the point of origin or the transmission path of the unsolicited commercial electronic mail message;
  - contains false or misleading information in the subject line; or
  - contains false or deceptive information in the body of the message which is designed and intended to cause damage to the receiving device of an addressee or of another recipient of the message.
Under Fla. Stat. §668.6075, a violation of Fla. Stat. §668.603 is considered 'an unfair and deceptive trade practice' as defined in Part II of Chapter 501 of Title XXXIII of the Fla. Stat. Additionally, anyone who violates Fla. Stat. §668.603 commits a first-degree misdemeanor, and may be subject to imprisonment for up to one year and a fine of no more than $1,000 (Fla. Stat. §668.608(1)). This violation may be upgraded to a third-degree felony, with commensurate imprisonment and fines, depending on the volume of the email messages sent or the revenue generated from such messages (see Fla. Stat. §668.608(2)).
7.2. Telephone Marketing
Under the Florida Telemarketing Act, codified under Part IV of Chapter 501 of Title XXXIII of the Fla. Stat., all non-exempt businesses engaged in the sale of consumer goods or services by telephone must be licensed by the Florida Department of Agriculture and Consumer Services ('FDACS'), along with the salespeople of that business.
A 'commercial telephone solicitation' includes the following (Fla. Stat. §501.603(1)):
- an unsolicited telephone call to a person initiated by a commercial telephone seller or salesperson, or an automated dialing machine used in accordance with the provisions of Fla. Stat. §501.059(8) for the purpose of inducing the person to purchase or invest in consumer goods or services;
- other communication with a person where:
  - a gift, award, or prize is offered; or
  - a telephone call response is invited; and
  - the salesperson intends to complete a sale or enter into an agreement to purchase or invest in consumer goods or services during the course of the telephone call; or
- other communication with a person which represents a price, quality, or availability of consumer goods or services and which invites a response by a telephone or which is followed by a call to the person by a salesperson.
A person who violates the requirements of the Florida Telemarketing Act is liable for a Class III civil penalty under §570.971 of Chapter 570 of Title XXXV of the Fla. Stat. for each violation (Fla. Stat. §501.619). The FDACS will also be entitled to reasonable attorney's fees and costs from any non-prevailing parties involved in a civil action or investigation (Fla. Stat. §501.621).
See the section on key privacy laws for information on the FDBR.
Codified under §501.171 of Chapter 501 of Title XXXIII of the Fla. Stat. is Florida's Information Protection Act of 2014 ('FIPA'), which expressly requires covered entities, governmental agencies, and third-party agents to properly dispose of records containing personal information, to implement reasonable security measures, and to provide notification of data breaches.
A 'covered entity' means a sole proprietorship, partnership, corporation, trust, estate, cooperative, association, or other commercial entity that acquires, maintains, stores, or uses personal information. For the data breach notification provisions (§501.171(3) to (6) of FIPA), 'covered entity' includes governmental entities.
Under FIPA, 'personal information' means either:
- an individual's first name or first initial and last name in combination with any one or more of the following data elements for that individual:
  - a social security number;
  - a driver license or identification card number, passport number, military identification number, or other similar number issued on a government document used to verify identity;
  - a financial account number or credit or debit card number, in combination with any required security code, access code, or password that is necessary to permit access to an individual's financial account;
  - any information regarding an individual's medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional; or
  - an individual's health insurance policy number or subscriber identification number and any unique identifier used by a health insurer to identify the individual; or
- a username or e-mail address, in combination with a password or security question and answer that would permit access to an online account.
9.1. Disposal of Records
Under §501.171(8) of FIPA, covered entities and their third-party agents are required to take 'all reasonable measures' to ensure proper disposal of records that no longer need to be retained. Acceptable disposal measures include shredding, erasing, or otherwise modifying the personal information in the records to make them unreadable or undecipherable through any means.
9.2. Data Security Requirements
Under §501.171(2) of FIPA, covered entities, governmental agencies, and third-party agents are required to take reasonable security measures to protect and secure data in electronic form containing personal information.
9.3. Breach Notification Requirements
Florida's data breach notification law is provided under §501.171(3) to (6) of FIPA.
'Breach of security' or 'breach' means the unauthorized access of data in electronic form containing personal information. Good faith access of personal information by an employee or agent of the covered entity does not constitute a breach of security, provided that the information is not used for a purpose unrelated to the business or subject to further unauthorized use.
There are three instances where an entity must provide notice to others of a data security incident, as outlined below.
Notice to the Florida AG
A covered entity must provide notice to the AG of any breach of security affecting 500 or more individuals in Florida. The notice must be provided 'as expeditiously as practicable, but no later than 30 days after the determination of the breach or reason to believe a breach occurred.' A covered entity may receive 15 additional days if it provides a notification in writing to the AG within those 30 days that good cause exists for the delay. Any notification of a need for additional time must include:
- a synopsis of the events surrounding the breach at the time the notice is provided;
- the number of individuals in Florida who were or potentially were impacted by the breach;
- information on any services related to the breach being offered or scheduled to be offered, without charge, by the covered entity to individuals, along with instructions on how to use such services;
- a copy of the breach notification letter sent to individuals or an explanation of other actions taken to notify individuals; and
- the name, address, telephone number, and email address of the employee or agent of the covered entity from whom additional information may be obtained.
Upon further request, the covered entity must also provide:
- a police report, incident report, or computer forensics report;
- a copy of the policies in place regarding breaches; and
- steps taken to rectify the breach.
A covered entity may provide supplemental or additional information to the AG at any time.
If the covered entity is part of the Florida judicial branch, the Executive Office of the Governor, the Department of Financial Services, or the FDACS, in lieu of providing written notice to the AG, the entity may post the information set forth above on an agency-managed website.
Notice to individuals
A covered entity must give notice to each individual in Florida whose personal information was, or the covered entity reasonably believes to have been, accessed as a result of the breach.
Timing of notice
Notice to individuals must be made as expeditiously as practicable and without unreasonable delay, taking into account the time necessary to allow the covered entity to determine the scope of the breach of security, to identify individuals affected by the breach, and to restore the reasonable integrity of the data system that was breached, but no later than 30 days after the determination of a breach or reason to believe a breach occurred unless subject to an authorized delay (as described above).
Law enforcement delay
If a federal, state, or local law enforcement agency determines that notice to individuals would interfere with a criminal investigation, the notice must be delayed upon the written request of the law enforcement agency for a specified period that the law enforcement agency determines is reasonably necessary. A law enforcement agency may, by a subsequent written request, revoke such delay as of a specified date or extend the period set forth in the original request to a specified date if further delay is necessary.
Good faith determination that breach will not result in harm or identity theft
Notice to affected individuals is not required if, after an appropriate investigation and consultation with relevant federal, state, or local law enforcement agencies, the covered entity reasonably determines that the breach has not and will not likely result in identity theft or any other financial harm to the individuals whose personal information has been accessed. Such a determination must be documented in writing and maintained for at least five years. The covered entity must provide the written determination to the AG within 30 days after making this determination.
Acceptable notification methods
The notice to an affected individual must be by one of the following methods:
- written notice sent to the mailing address of the individual in the records of the covered entity; or
- email notice sent to the email address of the individual in the records of the covered entity.
The notice to an individual with respect to a breach of security must include, at a minimum:
- the date, estimated date, or estimated date range of the breach of security;
- a description of the personal information that was accessed or reasonably believed to have been accessed as a part of the breach of security; and
- information that the individual can use to contact the covered entity to inquire about the breach of security and the personal information that the covered entity maintained about the individual.
A covered entity required to provide notice to an individual may provide substitute notice in lieu of direct notice if such direct notice is not feasible because the cost of providing notice would exceed $250,000, because the affected individuals exceed 500,000 persons, or because the covered entity does not have an email address or mailing address for the affected individuals. Such substitute notice must include the following:
- a conspicuous notice on the internet website of the covered entity if the covered entity maintains a website; and
- notice in print and to broadcast media, including major media in urban and rural areas where the affected individuals reside.
Interplay with federal privacy laws and regulations
Notice provided pursuant to rules, regulations, procedures, or guidelines established by the covered entity's primary or functional federal regulator is deemed to be in compliance with the notice requirement in this subsection if the covered entity notifies affected individuals in accordance with the rules, regulations, procedures, or guidelines established by the primary or functional federal regulator in the event of a breach of security.
FIPA does not establish a private right of action. A violation of FIPA must be treated as an unfair or deceptive trade practice in any action brought by the AG pursuant to §501.207 of Chapter 501 of Title XXXIII of the Fla. Stat. against a covered entity or third-party agent. Pursuant to Fla. Stat. §501.207, the AG may seek injunctive relief, actual damages, and other appropriate legal or equitable relief.
In addition, a covered entity that violates its requirements to notify the AG or impacted individuals will be liable for a civil penalty not to exceed $500,000, as follows:
- in the amount of $1,000 for each day up to the first 30 days following a violation and, thereafter, $50,000 for each subsequent 30-day period or portion thereof for up to 180 days; and
- if the violation continues for more than 180 days, in an amount not to exceed $500,000.
The civil penalties for failure to notify apply per breach and not per individual affected by the breach. All penalties collected pursuant to this subsection will be deposited into the General Revenue Fund.
9.5. Public Records Exemption
Like most US states, Florida has open records laws that permit individuals to inspect and examine public records (e.g. Fla. Stat. §119.07(1) and §24(a) of Article I of the Constitution). However, all information received by the AG pursuant to a notification required under FIPA or received by the AG pursuant to an investigation by the AG or a law enforcement agency, is confidential and exempt from Fla. Stat. §119.07(1) and §24(a) of Article I of the Constitution, until such time as the investigation is completed or ceases to be active.
During an active investigation, confidential information may be disclosed by the AG:
- in the furtherance of its official duties and responsibilities;
- for print, publication, or broadcast if the department determines that such release would assist in notifying the public or locating or identifying a person that the AG believes to be a victim of a data breach or improper disposal of customer records (unless it is a record that must maintain confidentiality as defined below); or
- to another governmental entity in the furtherance of its official duties and responsibilities.
Records that maintain confidentiality
Upon completion of an investigation or once an investigation ceases to be active, the following information received by the AG must remain confidential and exempt from Fla. Stat. §119.07(1) and §24(a) of Article I of the Constitution:
- all information to which another public records exemption applies;
- personal information;
- a computer forensic report;
- information that would otherwise reveal weaknesses in a covered entity's data security; and
- information that would disclose a covered entity's proprietary information.
'Proprietary information' means information that:
- is owned or controlled by the covered entity;
- is intended to be private and is treated by the covered entity as private because disclosure would harm the covered entity or its business operations;
- has not been disclosed except as required by law or a private agreement that provides that the information will not be released to the public;
- is not publicly available or otherwise readily ascertainable through proper means from another source in the same configuration as received by the AG; and
- specifically includes:
  - trade secrets as defined in Fla. Stat. §688.02; and
  - competitive interests, the disclosure of which would impair the competitive business of the covered entity who is the subject of the information.