Privacy & Information Security Law Blog

On March 25, 2024, Florida Governor Ron DeSantis signed into law a bill prohibiting minors under the age of 14 from having accounts on social media platforms.

On September 29, 2023, the Supreme Court of the United States (“SCOTUS”) accepted petitions challenging the constitutionality of social media laws in Florida and Texas. Florida’s law, S.B. 7072, prohibits “a social media platform from willfully deplatforming a [political] candidate.” Texas’s law, H.B. 20, refers to social media platforms as “common carriers” that are “central public forums for public debate,” and requires common carriers to publicly disclose information related to the common carrier’s method of recommending content to users, content moderation efforts, use of algorithms to determine search results, and the common carrier’s ordinary disclosures to its users on user performance data for each of its platforms. Both of these laws were challenged by NetChoice, LLC, a national trade association of large online businesses, who had recent successes in blocking several laws, including the California Age-Appropriate Design Code and a similar social media law in Arkansas.

On May 4, 2023, the Florida Senate and House of Representatives voted in favor of sending the Florida Digital Bill of Rights (“FDBR”) and other amendments related to government moderation of social media and protection of children in online spaces (S.B. 262) to Governor Ron DeSantis for signature. Unlike the other comprehensive state privacy laws that have been enacted, the FDBR applies to a much narrower subset of entities.

On July 26, 2022, the attorneys general of New Jersey, Pennsylvania, Delaware, Maryland, Virginia, Florida and Washington D.C. announced an $8 million multistate settlement with Wawa Inc. that resolves the states’ investigation into a 2019 data breach that compromised approximately 34 million payment cards used by consumers at Wawa stores and fueling locations. 

On July 1, 2022, amendments to Florida’s State Cybersecurity Act (the “Act”) took effect, imposing certain ransomware reporting obligations on state agencies, counties and municipalities and prohibiting those entities from paying cyber ransoms.

On March 2, 2022, eight states announced a bipartisan, nationwide investigation into whether TikTok operates in a way that causes or exacerbates harm to the physical and mental health of children, teens and young adults. The probe will further consider whether the company violated state consumer protection laws and put the public at risk.

As reported on the Hunton Retail Resource Blog, on October 20, 2021, a new wave in the fight against “robocalls” is targeting telemarketing text messages. In the past six months, there has been an uptick in activity at both the state and federal level to reign in telemarketing text messages.

On October 1, 2021, Florida’s Protecting DNA Privacy Act (the “Act”), took effect. The Act, signed into law by Governor Ron DeSantis on June 29, restricts certain willful collection, retention, analysis and disclosure of the DNA samples or DNA analysis results of persons in Florida without their express consent.

On February 8, 2021, Pinellas County, Florida officials announced that a hacker had remotely gained access to the City of Oldsmar's water treatment system on two separate occasions and was able to change the setting for sodium hydroxide in the water supply. The incident highlights the danger to local government information systems and the dangers of remote access vulnerabilities.

As reported on the Insurance Recovery Blog, Hunton Andrews Kurth insurance practice head Walter Andrews recently commented to the Global Data Review regarding the infirmities underlying an Orlando, Florida federal district court’s ruling that an insurer does not have to defend its insured for damage caused by a third-party data breach.

On April 28, 2015, the Florida House of Representatives passed a bill (SB 766) that prohibits businesses and government agencies from using drones to conduct surveillance by capturing images of private real property or individuals on such property without valid written consent under circumstances where a reasonable expectation of privacy exists.

On June 20, 2014, Florida Governor Rick Scott signed a bill into law that repeals and replaces the state’s existing breach notification statute with a similar law entitled the Florida Information Protection Act (Section 501.171 of the Florida Statutes) (the “Act”).

On April 9, 2013, the United States Court of Appeals for the Eleventh Circuit held that the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) preempted a Florida law regarding the disclosure of patient records by nursing homes. The law required nursing homes in Florida to provide the medical records of a deceased nursing home resident to the “spouse, guardian, surrogate, proxy, or attorney in fact,” including “medical and psychiatric records and any records concerning the care and treatment of the resident performed by the facility, except progress notes and consultation report sections of a psychiatric nature.”

On June 9, 2011, two plaintiffs filed a class action complaint against Google in the United States District Court for the Southern District of Florida.  The complaint alleges that Google’s Android phone “engaged in illegal tracking and recording of [p]laintiffs’ movements and locations … without their knowledge or consent” and that Google violated the Computer Fraud and Abuse Act and Florida statutory and common law by failing to inform Android users that their movements were being tracked and recorded through their phones.

As reported in BNA’s Privacy Law Watch, on April 1, 2011, a New York law went in effect requiring manufacturers of certain electronic equipment, including devices that have hard drives capable of storing personal information or other confidential data, to register with the Department of Environmental Conservation and maintain an electronic waste acceptance program.  The program must include convenient methods for consumers to return electronic waste to the manufacturer and instructions on how consumers can destroy data on the devices before recycling or disposing of them.  Retailers of covered electronic equipment will be required to provide consumers with information at the point of sale about opportunities offered by manufacturers for the return of electronic waste, to the extent they have been provided such information by the manufacturer.