This docum ent does not reflect the intent or official position of the bill sponsor or House of Representatives.
STORAGE NAME: h1549b.SAC
DATE: 4/7/2023
HOUSE OF REPRESENTATIVES STAFF ANALYSIS
BILL #: CS/HB 1549 Pub. Rec./Investigations by the Department of Legal Affairs
SPONSOR(S): Regulatory Reform & Economic Development Subcommittee, McFarland
TIED BILLS: CS/HB 1547 IDEN./SIM. BILLS: CS/SB 1648
REFERENCE ACTION ANALYST STAFF DIRECTOR or
BUDGET/POLICY CHIEF
1) Regulatory Reform & Economic Development
Subcommittee
15 Y, 0 N, As CS Wright Anstead
2) State Affairs Committee Poreda Williamson
3) Commerce Committee
SUMMARY ANALYSIS
As technologies that capture and analyze data proliferate, so, too, do businesses' abilities to contextualize
consumer data. Businesses use it for a range of purposes. The European Union, California, and a few other
states have enacted data privacy regulations to protect consumers’ personal information and give consumers
more control over how their information is used.
CS/HB 1574, to which this bill is linked, gives certain consumer rights related to personal information, including
the right to access personal information collected about them; the right to delete or correct their personal
information; the right to opt-out of the sale or sharing of their personal information to third parties; and online
platform protections for children. The Department of Legal Affairs (DLA), upon belief that any controller,
processor, third party, or online platform is in violation of CS/HB 1574’s provisions, may bring an action under
the Florida Unfair or Deceptive Trade Practices Act against a controller, processor, or third party.
This bill, which is linked to the passage of CS/HB 1574, provides that all information received by DLA pursuant
to a notification or investigation by DLA or a law enforcement agency of a violation is confidential and exempt
from public record requirements. The bill provides that the information may be released by DLA during an
active investigation:
• In the furtherance of its official duties and responsibilities;
• For print, publication, or broadcast to notify the public of a data breach; or
• To another governmental entity in the furtherance of the receiving entity’s official duties and
responsibilities.
Once an investigation is completed, the following information remains confidential and exempt:
• All information to which another public records exemption applies;
• Personal information;
• A computer forensic report;
• Information that would otherwise reveal weaknesses in data security; and
• Information that would otherwise disclose proprietary information.
The bill provides that the public record exemption is subject to the Open Government Sunset Review Act and
will repeal on October 2, 2028, unless reviewed and saved from repeal through reenactment by the
Legislature.
Article I, s. 24(c) of the Florida Constitution requires a two-thirds vote of the members present and
voting for final passage of a newly created or expanded public record or public meeting exemption.
The bill creates a public record exemption; thus, it requires a two-thirds vote for final passage.
STORAGE NAME: h1549b.SAC PAGE: 2
DATE: 4/7/2023
FULL ANALYSIS
I. SUBSTANTIVE ANALYSIS
A. EFFECT OF PROPOSED CHANGES:
Present Situation
Public Records
Article I, s. 24(a) of the State Constitution sets forth the state’s public policy regarding access to
government records. This section guarantees every person a right to inspect or copy any public record
of the legislative, executive, and judicial branches of government.
1
The Legislature, however, may
provide by general law for the exemption of records from these requirements provided the exemption
passes by two-thirds vote of each chamber, states with specificity the public necessity justifying the
exemption, and is no broader than necessary to meet its public purpose.
2
Public policy regarding access to government records is also addressed by statute. Section 119.07(1),
F.S., guarantees every person a right to inspect and copy any state, county, or municipal record, unless
the record is exempt.
3
Furthermore, the Open Government Sunset Review Act
4
provides that a public
record exemption may be created or maintained only if it serves an identifiable public purpose that is
sufficiently compelling to override the strong public policy of open government and that cannot be
accomplished without the exemption.
5
An identifiable public purpose is served if the exemption meets
one of the following purposes:
Allows the state or its political subdivisions to effectively and efficiently administer a
governmental program, which administration would be significantly impaired without the
exemption;
Protects sensitive personal information that, if released, would be defamatory or would
jeopardize an individual’s safety; however, only the identity of an individual may be exempted
under this provision; or
Protects trade or business secrets.
6
The Open Government Sunset Review Act requires the automatic repeal of a newly created exemption
on October 2nd of the fifth year after creation or substantial amendment, unless the Legislature
reenacts the exemption.
7
Technology Transparency
As technologies that capture and analyze data proliferate, so, too, do businesses' abilities to
contextualize consumer data. Businesses use it for a range of purposes, including better understanding
day-to-day operations, making more informed business decisions and learning about their customers.
8
The European Union, several other countries, California, and a few other states have enacted data
privacy regulations to protect such data and give consumers more control over how their information is
used. Florida does not have a broad data privacy law, but there is a law which governs what actions
must be taken by certain government and business entities in the event of a data breach of personal
information.
9
1
Art. I, s. 24(a), FLA. CONST.
2
Art. I, s. 24(c), FLA. CONST.
3
A “public record exemption” means a provision of general law which provides that a specified record, or portion thereof, is not subject
to the access requirements of s. 119.07(1), F.S., or s. 24, Art. I of the State Constitution. See s. 119.011(8), F.S.
4
S. 119.15, F.S.
5
S. 119.15(6)(b), F.S.
6
Id.
7
S. 119.15(3), F.S.
8
Max Freedman, How Businesses Are Collecting Data (And What They’re Doing With It), Business News Daily (Jun. 17, 2020)
https://www.businessnewsdaily.com/10625-businesses-collecting-data.html. (last visited Mar. 31, 2023)
9
S. 501.171, F.S. STORAGE NAME: h1549b.SAC PAGE: 3
DATE: 4/7/2023
Department of Legal Affairs
The Office of the Attorney General, also known as the Department of Legal Affairs (DLA), provides a
wide variety of legal services, including defending the state in civil litigation cases, representing the
people of Florida in criminal appeals in state and federal courts, protecting rights of children,
consumers, and victims through its various protection programs, and investigating and litigating against
businesses that seek to limit competition and defraud taxpayers.
10
CS/HB 1547
CS/HB 1547, to which this bill is linked, gives certain consumer rights related to personal information,
including:
• The right to access personal information collected on them by a controller;
• The right to delete or correct their personal information; and
• The right to opt-out of the sale or sharing of their personal information to third parties.
A “controller” is a for profit entity doing business in Florida that:
Collects and controls personal information;
Has global annual gross revenues in excess of $1 billion; and
Satisfies one of the following thresholds:
o Derives 50 percent or more of its global annual revenues from providing targeted
advertising or the sale of ads online; or
o Operates a consumer smart speaker and voice command component service with an
integrated virtual assistant connected to a cloud computing service that uses hands-free
verbal activation. A consumer smart speaker and voice command component service
does not include a motor vehicle or speaker or device associated with or connected to a
vehicle.
Under the bill, personal information is information that identifies, relates to, or describes a particular
consumer or household, or is reasonably capable of being directly or indirectly associated or linked
with, a particular consumer or household. The term does not include public information from
government records, certain employment information, or deidentified or aggregate consumer
information.
The bill provides certain operational requirements on controllers with respect to collecting, selling, or
sharing personal information with processors or third parties.
Also, the bill provides that online platforms that are predominantly accessed by children may not,
except under certain circumstances:
Process personal information of or profile a child.
Collect, sell, share, or retain personal information or geolocation of a child.
Use a child’s personal information for any unstated reason.
Use dark patterns to obtain more information of a child than necessary.
Use collected information to estimate age for any other reason.
DLA, upon belief that any controller, processor, third party, or online platform is in violation of the bill,
may bring an action under the Florida Unfair or Deceptive Trade Practices Act against a controller,
processor, or third party.
10
OPPAGA, Office of the Attorney General (Department of Legal Affairs),
https://oppaga.fl.gov/ProgramSummary/ProgramDetail?programNumber=1026 (last visited Mar. 31, 2023). STORAGE NAME: h1549b.SAC PAGE: 4
DATE: 4/7/2023
Effect of Proposed Changes
The bill creates a public record exemption for all information received by DLA pursuant to a notification
or investigation by DLA or a law enforcement agency of a violation of certain statutory requirements.
Such information is made confidential and exempt
11
from public record requirements.
During an active investigation, information made confidential and exempt may be disclosed by DLA:
In the furtherance of its official duties and responsibilities;
• For print, publication, or broadcast if DLA determines that such release would assist in notifying
the public or locating or identifying a person that DLA believes to be a victim of a data breach or
improper use or disposal of customer records, except that information made confidential and
exempt after an investigation may not be released in this manner; or
• To another governmental entity in the furtherance of the receiving entity’s official duties and
responsibilities.
Once an investigation is completed or once an investigation ceases to be active, the following
information received by DLA remains confidential and exempt:
All information to which another public records exemption applies;
Personal information;
A computer forensic report;
Information that would otherwise reveal weaknesses in a controller’s, processor’s, or third
party’s data security; and
Information that would otherwise disclose a controller’s, processor’s, or third party’s proprietary
information.
The bill defines the term "proprietary information" to mean information that:
Is owned or controlled by the controller, processor, or third party;
Is intended to be private and is treated by the controller, processor, or third party as private
because disclosure would harm the controller, processor, or third party or its business
operations;
Has not been disclosed except as required by law or a private agreement that provides that the
information will not be released to the public;
Is not publicly available or otherwise readily ascertainable through proper means from another
source in the same configuration as received by DLA; and
Includes trade secrets and competitive interests.
The bill provides a public necessity statement as required by article I, s. 24(c) of the Florida
Constitution. The public necessity statement provides that, if released, information received by DLA
pursuant to an investigation by DLA or a law enforcement agency could:
Frustrate or thwart the investigation and impair the ability of DLA to perform assigned functions;
Undo a specific statutory exemption protecting the information;
Be used for the purpose of identity theft;
Result in the identification of vulnerabilities; and
Result in economic harm.
The bill provides that the public record exemption is subject to the Open Government Sunset Review
Act and will repeal on October 2, 2028, unless the Legislature reviews and reenacts the exemption by
that date.
11
There is a difference between records the Legislature designates exempt from public record requirements and those the Legislature
deems confidential and exempt. A record classified as exempt from public disclosure may be disclosed under certain circumstances.
See WFTV, Inc. v. Sch. Bd. of Seminole, 874 So.2d 48, 53 (Fla. 5th DCA 2004), review denied 892 So.2d 1015 (Fla. 2004); City of
Rivera Beach v. Barfield, 642 So.2d 1135 (Fla. 4th DCA 1994); Williams v. City of Minneola, 575 So.2d 683, 687 (Fla. 5
th
DCA 1991). If
the Legislature designates a record as confidential and exempt from public disclosure, such record may not be released by the
custodian of public records, to anyone other than the persons or entities specifically designated in statute. See Op. Att’y Gen. Fla.
(1985). STORAGE NAME: h1549b.SAC PAGE: 5
DATE: 4/7/2023
The bill will become effective on the same date that CS/HB 1547 or similar legislation takes effect, if
such legislation is adopted in the same legislative session or an extension thereof and becomes a law.
B. SECTION DIRECTORY:
Section 1: Creates a public record exemption for investigations related to ss. 501.173 or 501.1735,
F.S.
Section 2: Provides a public necessity statement as required by the Florida Constitution.
Section 3: Provides an effective date of the same date that CS/HB 1547 or similar legislation takes
effect, if such legislation is adopted in the same legislative session or an extension
thereof and becomes law.
II. FISCAL ANALYSIS & ECONOMIC IMPACT STATEMENT
A. FISCAL IMPACT ON STATE GOVERNMENT:
1. Revenues:
None.
2. Expenditures:
See Fiscal Comments.
B. FISCAL IMPACT ON LOCAL GOVERNMENTS:
1. Revenues:
None.
2. Expenditures:
None.
C. DIRECT ECONOMIC IMPACT ON PRIVATE SECTOR:
None.
D. FISCAL COMMENTS:
The bill may have a minimal fiscal impact on DLA because agency staff responsible for complying with
public records requests may require training related to the creation of the public record exemption. DLA
could incur costs associated with redacting the confidential and exempt information prior to releasing a
record. The costs, however, would be absorbed by existing resources, as they are part of the day-to-
day responsibilities of agencies.
III. COMMENTS
A. CONSTITUTIONAL ISSUES:
1. Applicability of Municipality/County Mandates Provision:
Not applicable. The bill does not appear to affect county or municipal governments.
2. Other:
Vote Requirement
Article I, s. 24(c) of the Florida Constitution requires a two-thirds vote of the members present and
voting for final passage of a newly created or expanded public record or public meeting exemption.
The bill creates a public record exemption; thus, it requires a two-thirds vote for final passage.
STORAGE NAME: h1549b.SAC PAGE: 6
DATE: 4/7/2023
Public Necessity Statement
Article I, s. 24(c) of the Florida Constitution requires a public necessity statement for a newly created
or expanded public record or public meeting exemption. The bill creates a public record exemption;
thus, it includes a public necessity statement. The public necessity statement provides that, if
released, information received by DLA pursuant to an investigation could frustrate or thwart the
investigation and impair the ability of DLA to perform assigned functions, undo a specific statutory
exemption protecting the information, be used for the purpose of identity theft, result in the
identification of vulnerabilities, and result in economic harm.
Breadth of Exemption
Article I, s. 24(c) of the Florida Constitution requires a newly created or expanded public record or
public meeting exemption to be no broader than necessary to accomplish the stated purpose of the
law. The bill creates a public record exemption for sensitive investigative materials and personal
information, which does not appear to be broader than necessary to accomplish its purpose.
B. RULE-MAKING AUTHORITY:
None.
C. DRAFTING ISSUES OR OTHER COMMENTS:
None.
IV. AMENDMENTS/COMMITTEE SUBSTITUTE CHANGES
On March 28, 2023, the Regulatory Reform & Economic Development Subcommittee adopted an
amendment and reported the bill favorably as a committee substitute. The amendment made conforming
technical changes to conform to the linked bill.
This analysis is drafted to the committee substitute as adopted by the Regulatory Reform & Economic
Development Subcommittee.