The Florida Capitol in Tallahassee, Fla., is pictured. | Phil Sears/AP Photo
Who is lobbying to change Florida's privacy laws? That's private
TALLAHASSEE — A mysterious group is the driving lobbying force behind sweeping legislation that would beef up Florida’s data privacy laws. It has hired a Tallahassee-based lobbying team and spent $300,000 in political contributions, but almost no one — including the sponsors of the bills — has any idea who is behind the group.
The organization, Propel Florida, is a nonprofit that is not required to disclose its donors, lists a UPS box in Lithia as its only address and was incorporated last April. But over the first half of the 2021 legislative session, the group has flexed its political muscle. It's so far steamrolling the state’s powerful business lobby, which almost universally opposes the legislation because it would allow consumers to sue companies over data-privacy violations, a provision supporters say is a needed enforcement mechanism to protect consumer rights.
The organization, whose existence POLITICO first reported in December, has hired well-known Tallahassee-based lobbyists who are actively meeting with lawmakers. The bills (FL HB969 (21R)/ FL SB1734 (21R)) ) would give consumers more access to data collected by companies and allow them to opt-out of the sale of that data. In early committee stops, the proposals have gotten overwhelming support in committee stops, but neither sponsor of the bills introduced in February says they know the true identity of the organization that has spurred a lobbying push to pass legislation they are sponsoring.
“I am aware of a group identified as Propel Florida, and have met with their lobbyists as well as many other lobbyists across the state on my data privacy bill,” state Sen. Jennifer Bradley, a Fleming Island Republican sponsoring the Senate version of the bill, said in an interview. “I don’t have any knowledge about the specifics of the group.”
Bradley said it does not concern her that a group she knows nothing about is a main lobbying force behind a bill she is sponsoring because “I support the policy.”
House sponsor, state Rep. Fiona McFarland (R-Sarasota), is also in the dark. She said she has met with lobbyist Derek Whitis, a Tallahassee-based contract lobbyist hired by Propel Florida, to discuss the bill, but has no idea who the organization is or who is funding its efforts.
“I have worked with lots of companies and industries on this bill,” she said in an interview. “Propel Florida was introduced to me through their lobbyists as a proponent of data privacy.”
In a text message, Whitis said Propel Florida is a “social advocacy group looking to support the data privacy protection legislation.” He did not respond to follow up questions about who is behind the group. The group is not violating any state laws, which allow organizations and nonprofits to lobby the Legislature without identifying donors.
Both Bradley and McFarland said they have spoken with dozens of lobbyists about the bill when asked about Propel Florida, but among those lobbying on the bill, an overwhelming majority are in opposition. Opponents include some of the biggest business groups in the state including the National Federation of Independent Businesses and Associated Industries of Florida. Propel Florida is the only outside group that expressed support in each of the bill’s three committees, which it has passed with just one “no” vote among the three. California-based software and cloud company Oracle also expressed support in its first House committee stop. Oracle is among the companies that helps with privacy law compliance. Many such firms emerged after passage of the California Consumer Privacy Act of 2018, a bill that resembles the Florida legislation, but differences exist.
Ken Glueck, who heads Oracle’s government affairs team, said that outside of a strong federal consumer data protection law, the company has been encouraging states to institute bills as data increasingly becomes a tool for “surveillance.”
“Let’s keep pushing the rock up the hill,” Glueck said. “We are encouraging states to go it alone, and Florida has an important economy.”
He said his company has no idea who Propel Florida is.
“We are supporting this bill out in the open under our company logo,” he said.
Florida CFO Jimmy Patronis’ office has also supported the bill in committee. Frank Collins, a spokesperson for Patronis, said the CFO is “concerned about consumer protections issues,” and that he had heard from Propel Florida, but did not return follow up questions about whether he knew who was behind the group.
Propel Florida has also hired contract lobbyists Cameron Yarbrough and Paul Hawkes, records show. Neither returned a request seeking comment.
The group has also given $300,000 in political contributions, according to campaign finance records. That includes $50,000 to both the Republican Party of Florida and the main Republican Senate campaign committee in October, and $100,000 last month to both a political committee chaired by Dave Ramba, whose lobbying firm employs Yarbrough, and a separate committee chaired by lobbyist Bill Helmich.
In December, Ramba told POLITICO that Propel Florida was led by someone named Shaun Keck, who at the time identified himself to POLITICO as Propel Florida’s director.
“The fact of the matter is Floridians can’t trust Big Tech,” Keck said in a December email. “For years, virtual platforms have been collecting personal, private information from all of us. After which they capitalize by renting and selling this private information.”
Keck did not respond to follow up questions at the time, and did not respond to several requests for comment for this story.
The bills in the House and Senate are not identical, but both have core provisions that would allow consumers the right to access personal information a business collects on them, the right to opt-out of the sale of their personal data, and allows them to request a business delete the personal data they have on them. The provisions would apply to companies that have $25 million or more in global annual revenue, annually buy data of more than 50,000 consumers for commercial purposes, or get 50 percent of their annual revenues from selling data.
The provisions specific to data-privacy are largely non-controversial. What has sparked a clash between supporters of the bill and nearly every major Florida business lobbying group is a separate provision that would allow consumers to sue over violations of the new data privacy laws, which supporters have said is a needed enforcement mechanism to give the new data privacy provisions legal teeth.
“It will be a litigation magnet,” said William Large, president of the Florida Justice Reform Institute, which regularly spars with state trial lawyers over lawsuit reform issues.
Each violation could come with a $100 to $750 fine, and because when a large company is impacted by something like a widespread data breach, thousands of consumers could be involved, opponents like Large have argued in committee that could lead to class action lawsuits.
During a meeting of the Senate Commerce and Tourism Committee last month, state Sen. Annette Taddeo (D-Miami) filed an amendment to remove the lawsuit provisions. She acknowledged the oddity of a Democrat sponsoring amendments to help the state’s generally Republican-leaning businesses lobby, but said she thought the lawsuit provisions were too large.
“If any businesses violate any provision of this bill, then they could be liable, and I believe it is too broad,” Taddeo said before her amendment was defeated.
Bradley defended the clause, but said she would work with opponents moving forward.
“This cause of action I believe is very important for enforcement ... and to be able to protect our consumers’ rights,” she said. “A lot of companies that operate in this space have the economic ability of some world nations.”
“These subtle differences combine with more serious ones — like who enforces the law — to add complexity to an already confusing regulatory landscape,” Anthony Prestia, head of privacy for TerraTrue, a data privacy firm.
He said one difference in the Florida bill is that it would become effective Jan. 1, 2022, which is a much quicker timeline for companies to comply with than in other states.
“This is a full year before already-passed legislation (like California’s CPRA and Virginia’s VCDPA) come into effect, which gives companies a little time to come into compliance,” he said.
Bradley said during the Senate committee meeting she is considering moving back her bill’s effective date.
McFarland said during the last House hearing that lawsuits and legal fights are not the point, but rather it is to make sure consumer data is protected.
“In society the amount of power we have handed companies through use of our data I believe has resulted in an erosion of our right to privacy and even how we think about ownership over our own data,” she said.