This document does not reflect the intent or official position of the bill sponsor or House of Representatives.
STORAGE NAME: h1549.RRS
DATE: 3/25/2023

HOUSE OF REPRESENTATIVES STAFF ANALYSIS

BILL #: HB 1549 Pub. Rec./Investigations by the Department of Legal Affairs
SPONSOR(S): McFarland
TIED BILLS: HB 1547
IDEN./SIM. BILLS: SB 1648

REFERENCE (ACTION; ANALYST; STAFF DIRECTOR or BUDGET/POLICY CHIEF)
1) Regulatory Reform & Economic Development Subcommittee (Analyst: Wright; Staff Director or Budget/Policy Chief: Anstead)
2) Ethics, Elections & Open Government Subcommittee
3) Commerce Committee

SUMMARY ANALYSIS

As technologies that capture and analyze data proliferate, so, too, do businesses' abilities to contextualize consumer data. Businesses use it for a range of purposes. The European Union, California, and a few other states have enacted data privacy regulations to protect consumers’ personal information and give consumers more control over how their information is used.

HB 1574, to which this bill is linked, gives certain consumer rights related to personal information, including:
• The right to access personal information collected about them;
• The right to delete or correct their personal information; and
• The right to opt-out of the sale or sharing of their personal information to third parties.

The Department of Legal Affairs (DLA), upon belief that any controller, processor, or third party is in violation of HB 1574’s provisions, may bring an action under the Florida Unfair or Deceptive Trade Practices Act against a controller, processor, or third party.

This bill, which is linked to the passage of HB 1574, provides that all information received by DLA pursuant to a notification or investigation by DLA or a law enforcement agency of a violation is confidential and exempt from public record requirements.
The bill provides that the information may be released during an active investigation:
• In the furtherance of official duties and responsibilities;
• For print, publication, or broadcast to notify the public of a data breach; or
• To another governmental entity in the furtherance of its official duties and responsibilities.

Once an investigation is completed, the following information will remain confidential and exempt:
• All information to which another public records exemption applies;
• Personal information;
• A computer forensic report;
• Information that would otherwise reveal weaknesses in data security; and
• Information that would otherwise disclose proprietary information.

The bill provides that the public record exemption is subject to the Open Government Sunset Review Act and will repeal on October 2, 2027, unless the Legislature reviews and reenacts the exemption by that date.

Article I, s. 24(c) of the Florida Constitution requires a two-thirds vote of the members present and voting for final passage of a newly created or expanded public record or public meeting exemption. The bill creates a public record exemption; thus, it requires a two-thirds vote for final passage.

FULL ANALYSIS

I. SUBSTANTIVE ANALYSIS

A. EFFECT OF PROPOSED CHANGES:

Public Records

Article I, s. 24(a) of the State Constitution sets forth the state’s public policy regarding access to government records. This section guarantees every person a right to inspect or copy any public record of the legislative, executive, and judicial branches of government. The Legislature, however, may provide by general law for the exemption of records from the requirements of Article I, section 24(a).[1] The general law must state with specificity the public necessity justifying the exemption[2] and must be no more broad than necessary to accomplish its purpose.
[3]

Public policy regarding access to government records is addressed further in the Florida Statutes. Section 119.07(1), F.S., guarantees every person a right to inspect and copy any state, county, or municipal record, unless the record is exempt. Furthermore, the Open Government Sunset Review Act[4] provides that a public record or public meeting exemption may be created or maintained only if it serves an identifiable public purpose. In addition, it may be no broader than is necessary to meet one of the following purposes:
• Allow the state or its political subdivisions to effectively and efficiently administer a governmental program, which administration would be significantly impaired without the exemption.
• Protect sensitive personal information that, if released, would be defamatory or would jeopardize an individual’s safety; however, only the identity of an individual may be exempted under this provision.
• Protect trade or business secrets.[5]

The Open Government Sunset Review Act requires the automatic repeal of a newly created exemption on October 2nd of the fifth year after creation or substantial amendment, unless the Legislature reenacts the exemption.[6]

Consumer Data Privacy

As technologies that capture and analyze data proliferate, so, too, do businesses' abilities to contextualize consumer data. Businesses use it for a range of purposes, including better understanding day-to-day operations, making more informed business decisions and learning about their customers.[7] The European Union, several other countries, California, and a few other states have enacted data privacy regulations to protect such data and give consumers more control over how their information is used.

Florida does not have a broad data privacy law, but there is a law which governs what actions must be taken by certain government and business entities in the event of a data breach of personal information.
[8]

Department of Legal Affairs

The Office of the Attorney General, also known as the Department of Legal Affairs (DLA), provides a wide variety of legal services, including defending the state in civil litigation cases, representing the people of Florida in criminal appeals in state and federal courts, protecting rights of children, consumers, and victims through its various protection programs, and investigating and litigating against businesses that seek to limit competition and defraud taxpayers.[9]

[1] Art. I, s. 24(c), FLA. CONST.
[2] This portion of a public record exemption is commonly referred to as a “public necessity statement.”
[3] Art. I, s. 24(c), FLA. CONST.
[4] Section 119.15, F.S.
[5] Section 119.15(6)(b), F.S.
[6] Section 119.15(3), F.S.
[7] Max Freedman, How Businesses Are Collecting Data (And What They’re Doing With It), Business News Daily (Jun. 17, 2020) https://www.businessnewsdaily.com/10625-businesses-collecting-data.html.
[8] S. 501.171, F.S.

HB 1547

HB 1547, to which this bill is linked, gives certain consumer rights related to personal information, including:
• The right to access personal information collected on them by a controller;
• The right to delete or correct their personal information; and
• The right to opt-out of the sale or sharing of their personal information to third parties.

A “controller” is a for profit entity that does business in Florida, collects and controls personal information, and satisfies two or more of the following thresholds:
• Has global annual gross revenues in excess of $50 million, as adjusted in January of every odd-numbered year to reflect any increase in the Consumer Price Index.
• Annually buys, receives, sells, or shares the personal information of 50,000 or more consumers, households, or devices for targeted advertising in conjunction with third parties or that is not covered by an exception.
• Derives 50 percent or more of its global annual revenues from selling or sharing personal information about consumers.

Under the bill, personal information is information that identifies, relates to, or describes a particular consumer or household, or is reasonably capable of being directly or indirectly associated or linked with, a particular consumer or household. The term does not include public information from government records, certain employment information, or deidentified or aggregate consumer information.

The bill imposes certain operational requirements on controllers with respect to collecting, selling, or sharing personal information with processors or third parties.

DLA, upon belief that any controller, processor, or third party is in violation of the consumer data requirement provisions, may bring an action under the Florida Unfair or Deceptive Trade Practices Act against a controller, processor, or third party.

Effect of Proposed Changes

The bill creates a public record exemption for all information received by DLA pursuant to a notification or investigation by DLA or a law enforcement agency of a violation of certain statutory requirements. Such information is made confidential and exempt[10] from public record requirements.

During an active investigation, information made confidential and exempt may be disclosed by DLA:
• In the furtherance of its official duties and responsibilities;
• For print, publication, or broadcast if DLA determines that such release would assist in notifying the public or locating or identifying a person that DLA believes to be a victim of a data breach or improper use or disposal of customer records, except that information made confidential and exempt after an investigation may not be released in this manner; or
• To another governmental entity in the furtherance of its official duties and responsibilities.
[9] OPPAGA, Office of the Attorney General (Department of Legal Affairs), https://oppaga.fl.gov/ProgramSummary/ProgramDetail?programNumber=1026 (last visited Mar. 25, 2023).
[10] There is a difference between records the Legislature designates exempt from public record requirements and those the Legislature deems confidential and exempt. A record classified as exempt from public disclosure may be disclosed under certain circumstances. See WFTV, Inc. v. Sch. Bd. of Seminole, 874 So.2d 48, 53 (Fla. 5th DCA 2004), review denied 892 So.2d 1015 (Fla. 2004); City of Riviera Beach v. Barfield, 642 So.2d 1135 (Fla. 4th DCA 1994); Williams v. City of Minneola, 575 So.2d 683, 687 (Fla. 5th DCA 1991). If the Legislature designates a record as confidential and exempt from public disclosure, such record may not be released by the custodian of public records to anyone other than the persons or entities specifically designated in statute. See Op. Att’y Gen. Fla. (1985).

Once an investigation is completed or once an investigation ceases to be active, the following information received by DLA will remain confidential and exempt:
• All information to which another public records exemption applies;
• Personal information;
• A computer forensic report;
• Information that would otherwise reveal weaknesses in a controller’s, processor’s, or third party’s data security; and
• Information that would otherwise disclose a controller’s, processor’s, or third party’s proprietary information.
The term "proprietary information" means information that:
• Is owned or controlled by the controller, processor, or third party;
• Is intended to be private and is treated by the controller, processor, or third party as private because disclosure would harm the controller, processor, or third party or its business operations;
• Has not been disclosed except as required by law or a private agreement that provides that the information will not be released to the public;
• Is not publicly available or otherwise readily ascertainable through proper means from another source in the same configuration as received by DLA; and
• Includes trade secrets and competitive interests.

The bill provides a public necessity statement as required by article I, section 24(c) of the Florida Constitution. The public necessity statement provides that, if released, information received by DLA pursuant to an investigation by DLA or a law enforcement agency could:
• Frustrate or thwart the investigation and impair the ability of DLA to perform assigned functions;
• Undo a specific statutory exemption protecting the information;
• Be used for the purpose of identity theft;
• Result in the identification of vulnerabilities; and
• Result in economic harm.

The bill provides that the public record exemption is subject to the Open Government Sunset Review Act and will repeal on October 2, 2028, unless the Legislature reviews and reenacts the exemption by that date.

The bill will become effective on the same date that HB 1547 or similar legislation takes effect, if such legislation is adopted in the same legislative session or an extension thereof and becomes a law.

B. SECTION DIRECTORY:

Section 1: Creates a public records exemption for investigations related to s. 501.173, F.S.
Section 2: Provides a public necessity statement as required by the Florida Constitution.
Section 3: Provides an effective date of the same date that HB 1547 or similar legislation takes effect, if such legislation is adopted in the same legislative session or an extension thereof and becomes law.

II. FISCAL ANALYSIS & ECONOMIC IMPACT STATEMENT

A. FISCAL IMPACT ON STATE GOVERNMENT:
1. Revenues: None.
2. Expenditures: See Fiscal Comments.

B. FISCAL IMPACT ON LOCAL GOVERNMENTS:
1. Revenues: None.
2. Expenditures: None.

C. DIRECT ECONOMIC IMPACT ON PRIVATE SECTOR: None.

D. FISCAL COMMENTS:
The bill may have a minimal fiscal impact on DLA because agency staff responsible for complying with public records requests may require training related to the creation of the public records exemption. DLA could incur costs associated with redacting the exempt information prior to releasing a record. The costs, however, would be absorbed by existing resources, as they are part of the day-to-day responsibilities of agencies.

III. COMMENTS

A. CONSTITUTIONAL ISSUES:

1. Applicability of Municipality/County Mandates Provision: Not applicable. The bill does not appear to require counties or municipalities to take an action requiring the expenditure of funds, reduce the authority that counties or municipalities have to raise revenue in the aggregate, nor reduce the percentage of state tax shared with counties or municipalities.

2. Other:

Vote Requirement
Article I, section 24(c) of the Florida Constitution requires a two-thirds vote of the members present and voting for final passage of a newly created or expanded public record or public meeting exemption. The bill creates a public record exemption; thus, it requires a two-thirds vote for final passage.

Public Necessity Statement
Article I, section 24(c) of the Florida Constitution requires a public necessity statement for a newly created or expanded public record or public meeting exemption.
The bill creates a public record exemption; thus, it includes a public necessity statement.

Breadth of Exemption
Article I, section 24(c) of the Florida Constitution requires a newly created or expanded public record or public meeting exemption to be no broader than necessary to accomplish the stated purpose of the law. The bill creates a public records exemption for sensitive investigative materials and personal information, which does not appear to be broader than necessary to accomplish its purpose.

B. RULE-MAKING AUTHORITY: None.

C. DRAFTING ISSUES OR OTHER COMMENTS: None.

IV. AMENDMENTS/COMMITTEE SUBSTITUTE CHANGES