This week, Florida TaxWatch (FTW) released “Who Knows What? An Independent Analysis of the Potential Effects of Consumer Data Privacy Legislation in Florida.”
Building on a previous FTW briefing, the report examines experience data from existing consumer data privacy laws across the country to generate an estimate of compliance and litigation costs businesses would face with the implementation of consumer data privacy legislation in Florida.
Florida TaxWatch President and CEO Dominic Calabro weighed in on the report on Thursday.
“Privacy is so important to Floridians that it is a notion enshrined in our Constitution. Florida TaxWatch applauds legislative leaders for raising this issue because we agree with the nearly 80 percent of U.S. adults concerned about how their personal information is being used – we should find a proper way to protect personal data and information. But, as the trusted eyes and ears of Florida taxpayers, we have a responsibility to make sure leaders and decision makers understand the costs and impact their plans have on Florida’s businesses,” Calabro said.
“Our independent analysis found that if Florida proceeded with the legislation as discussed last year, the direct cost to Florida businesses will be between $6.2 billion and $21 billion in the first year alone, with an ongoing annual compliance cost anywhere from $4.6 billion to $12.7 billion thereafter,” he added. “Moreover, if a bill passes with a private right of action provision, experience data suggests we can expect over 80 class-action lawsuits within the first year and a half, with an estimated $4.2 billion in litigation expenses and costs.
“Strengthening personal privacy protections for consumers is critical, and we’re hopeful our analysis will inform these important conversations and debates during the upcoming legislative session,” Calabro said in conclusion.
To date, California, Virginia, and Colorado are the only states that have enacted comprehensive consumer data privacy legislation. However, during the 2020-21 Legislative Session, Florida joined 20 other states across the nation that considered similar legislation last year, with active bills still in Massachusetts, New York, North Carolina, Ohio, and Pennsylvania. FTW asserts that, as this state-level momentum continues to build, many businesses will face challenges complying with “a patchwork of state laws,” and calls for a more uniform federal approach rather than a state-by-state standard.
The FTW report looks at the key drivers of costs associated with Florida-specific consumer data privacy legislation, which include compliance and operational costs, litigation expenses, and the threshold for the size and number of businesses covered by the provisions.
For businesses that would be covered under proposed consumer data privacy legislation in Florida, FTW notes that compliance costs include staffing and training requirements (between $138,865 and $393,848 annually per business); IT infrastructure and data inventory assessments (between $253,660 and $1.3 million per business); responses to consumer requests to access, delete, correct, or opt-out of personal information (between $140,000 and $275,000 annually per business); and implementation of reasonable data security safeguards (between $200,000 and $500,000 annually per business).
Enforcement of data privacy provisions vary across the states that have implemented their own laws. Some states rely on their Attorneys General for this, while others include a private right to action provision, which allows consumers to sue businesses directly. The two different strategies were proposed in Florida last year, so FTW includes an analysis of the increase in class-action lawsuits, which would raise potential litigation costs. Based on experience data from other states, and independent analysis of situations that allow consumers to sue companies directly for civil penalties, FTW projects there would be roughly 84 class-action lawsuits over the first year and a half of compliance, with a potential cost of litigation estimated at $4.2 billion. Even without a private right of action, firms are still expected to incur legal costs in order to comply with consumer data privacy provisions.
FTW also notes that even if small to mid-sized businesses are not primarily covered under a consumer data privacy law, there are secondary effects that will likely cause them to have to comply, despite having fewer resources than the larger firms to accomplish this task.
FTW recommendations, as outlined in the report, include delaying implementation of consumer data privacy legislation until at least July 1, 2024, providing covered businesses ample time to comply with new regulations, and omitting a private right of action provision in the bill to reduce litigation costs. FTW also suggests urging Florida’s congressional delegation to support the passage of a federal law that would standardize consumer rights, businesses obligations, and enforcement mechanisms across all 50 states.