Florida Senate - 2023                              CS for SB 262
       By the Committee on Commerce and Tourism; and Senator Bradley
       577-03495-23                                           2023262c1
    1                        A bill to be entitled                      
    2         An act relating to technology transparency; creating
    3         s. 112.23, F.S.; defining terms; prohibiting officers
    4         or salaried employees of governmental entities from
    5         using their positions or state resources to make
    6         certain requests of social media platforms;
    7         prohibiting governmental entities from initiating or
    8         maintaining agreements or working relationships with
    9         social media platforms under a specified circumstance;
   10         providing exceptions; creating s. 501.173, F.S.;
   11         providing applicability; defining terms; prohibiting a
   12         controller from collecting certain consumer
   13         information without the consumer’s authorization;
   14         requiring controllers that collect a consumer’s
   15         personal information to disclose certain information
   16         regarding data collection and selling practices to the
   17         consumer at or before the point of collection;
   18         specifying that such information may be provided
   19         through a general privacy policy or through a notice
   20         informing the consumer that additional specific
   21         information will be provided upon a certain request;
   22         prohibiting controllers from collecting additional
   23         categories of personal information or using personal
   24         information for additional purposes without notifying
   25         the consumer; requiring controllers that collect
   26         personal information to implement reasonable security
   27         procedures and practices to protect such information;
   28         authorizing consumers to request controllers to
   29         disclose the specific personal information the
   30         controller has collected about the consumer; requiring
   31         controllers to make available two or more methods for
   32         consumers to request their personal information;
   33         requiring controllers to provide such information free
   34         of charge within a certain timeframe and in a certain
   35         format upon receiving a verifiable consumer request;
   36         specifying requirements for third parties with respect
   37         to consumer information acquired or used; providing
   38         construction; authorizing consumers to request
   39         controllers to delete or correct personal information
   40         collected by the controllers; providing exceptions;
   41         specifying requirements for controllers to comply with
   42         deletion or correction requests; authorizing consumers
   43         to opt out of third-party disclosure of personal
   44         information collected by a controller; prohibiting
   45         controllers from selling or disclosing the personal
   46         information of consumers younger than a certain age,
   47         except under certain circumstances; prohibiting
   48         controllers from selling or sharing a consumer’s
   49         information if the consumer has opted out of such
   50         disclosure; prohibiting controllers from taking
   51         certain actions to retaliate against consumers who
   52         exercise certain rights; providing applicability;
   53         providing that a contract or agreement that waives or
   54         limits certain consumer rights is void and
   55         unenforceable; authorizing the Department of Legal
   56         Affairs to bring an action under the Florida Deceptive
   57         and Unfair Trade Practices Act and to adopt rules;
   58         requiring the department to submit an annual report to
   59         the Legislature; providing report requirements;
   60         providing that controllers must have a specified
   61         timeframe to cure any violations; providing
   62         jurisdiction; declaring that the act is a matter of
   63         statewide concern; preempting the collection,
   64         processing, sharing, and sale of consumer personal
   65         information to the state; amending s. 501.171, F.S.;
   66         revising the definition of “personal information”;
   67         amending s. 16.53, F.S.; requiring that certain
   68         attorney fees, costs, and penalties recovered by the
   69         Attorney General be deposited in the Legal Affairs
   70         Revolving Trust Fund; providing an effective date.
   71          
   72  Be It Enacted by the Legislature of the State of Florida:
   73  
   74         Section 1. Section 112.23, Florida Statutes, is created to
   75  read:
   76         112.23 Government-directed content moderation of social
   77  media platforms prohibited.—
   78         (1) As used in this section, the term:
   79         (a) “Social media platform” means a form of electronic
   80  communication through which users create online communities to
   81  share information, ideas, personal messages, and other content.
    82         (b) “Governmental entity” means any state, county,
   83  district, authority, or municipal officer, department, division,
   84  board, bureau, commission, or other separate unit of government
   85  created or established by law, including, but not limited to,
   86  the Commission on Ethics, the Public Service Commission, the
   87  Office of Public Counsel, and any other public or private
   88  agency, person, partnership, corporation, or business entity
   89  acting on behalf of any public agency.
   90         (2) An officer or a salaried employee of a governmental
   91  entity may not use his or her position or any state resources to
   92  communicate with a social media platform to request the social
   93  media platform to remove content or accounts from the social
   94  media platform.
    95         (3) A governmental entity, or an officer or a salaried
   96  employee acting on behalf of a governmental entity, may not
   97  initiate or maintain any agreements or working relationships
   98  with a social media platform for the purpose of content
   99  moderation.
   100         (4) Subsections (2) and (3) do not apply if the
  101  governmental entity or an officer or a salaried employee acting
  102  on behalf of a governmental entity is acting as part of any of
  103  the following:
  104         (a) Routine account management of the governmental entity’s
  105  account.
   106         (b) An attempt to remove content that pertains to the
  107  commission of a crime or violation of this state’s public
  108  records law.
   109         (c) An attempt to remove an account that pertains to the
  110  commission of a crime or violation of this state’s public
  111  records law.
   112         (d) An investigation or inquiry related to public safety.
  113         Section 2. Section 501.173, Florida Statutes, is created to
  114  read:
   115         501.173 Consumer data privacy.—
   116         (1) APPLICABILITY.—This section does not apply to:
   117         (a) Personal information collected and transmitted which is
  118  necessary for the sole purpose of sharing such personal
  119  information with a financial service provider solely to
  120  facilitate short term, transactional payment processing for the
  121  purchase of products or services.
   122         (b) Personal information collected, used, retained, sold,
  123  shared, or disclosed as deidentified personal information or
  124  aggregate consumer information.
   125         (c) Compliance with federal, state, or local laws.
   126         (d) Compliance with a civil, criminal, or regulatory
  127  inquiry, investigation, subpoena, or summons by federal, state,
  128  or local authorities.
   129         (e) Cooperation with law enforcement agencies concerning
  130  conduct or activity that the controller, processor, or third
  131  party reasonably and in good faith believes may violate federal,
  132  state, or local law.
   133         (f) Exercising or defending legal rights, claims, or
  134  privileges.
   135         (g) Personal information collected through the controller’s
  136  direct interactions with the consumer, if collected in
  137  accordance with this section, which is used by the controller or
  138  the processor that the controller directly contracts with for
  139  advertising or marketing services to advertise or market
  140  products or services that are produced or offered directly by
  141  the controller. Such information may not be sold, shared, or
  142  disclosed unless otherwise authorized under this section.
   143         (h) Personal information of a person acting in the role of
  144  a job applicant, employee, owner, director, officer, contractor,
  145  volunteer, or intern of a controller which is collected by a
  146  controller, to the extent the personal information is collected
  147  and used solely within the context of the person’s role or
  148  former role with the controller. For purposes of this paragraph,
  149  personal information includes employee benefit information.
   150         (i) Protected health information for purposes of the
  151  federal Health Insurance Portability and Accountability Act of
  152  1996 and related regulations, and patient identifying
  153  information for purposes of 42 C.F.R. part 2, established
  154  pursuant to 42 U.S.C. s. 290dd-2.
   155         (j) An entity or business associate governed by the
  156  privacy, security, and breach notification rules issued by the
  157  United States Department of Health and Human Services in 45
  158  C.F.R. parts 160 and 164, or a program or a qualified service
  159  program as defined in 42 C.F.R. part 2, to the extent the
  160  entity, business associate, or program maintains personal
  161  information in the same manner as medical information or
  162  protected health information as described in paragraph (i), and
  163  as long as the entity, business associate, or program does not
  164  use personal information for targeted advertising with third
  165  parties and does not sell or share personal information to a
  166  third party unless such sale or sharing is covered by an
  167  exception under this section.
   168         (k) Identifiable private information collected for purposes
  169  of research as defined in 45 C.F.R. s. 164.501 conducted in
  170  accordance with the Federal Policy for the Protection of Human
  171  Subjects for purposes of 45 C.F.R. part 46, the good clinical
  172  practice guidelines issued by the International Council for
  173  Harmonisation of Technical Requirements for Pharmaceuticals for
  174  Human Use, or the Federal Policy for the Protection for Human
  175  Subjects for purposes of 21 C.F.R. parts 50 and 56, or personal
  176  information used or shared in research conducted in accordance
  177  with one or more of these standards.
   178         (l) Information and documents created for purposes of the
  179  federal Health Care Quality Improvement Act of 1986 and related
  180  regulations, or patient safety work product for purposes of 42
  181  C.F.R. part 3, established pursuant to 42 U.S.C. s. 299b-21
  182  through 299b-26.
   183         (m) Information that is deidentified in accordance with 45
  184  C.F.R. part 164 and derived from individually identifiable
  185  health information as described in the Health Insurance
  186  Portability and Accountability Act of 1996, or identifiable
  187  personal information, consistent with the Federal Policy for the
  188  Protection of Human Subjects or the human subject protection
  189  requirements of the United States Food and Drug Administration.
   190         (n) Information used only for public health activities and
  191  purposes as described in 45 C.F.R. s. 164.512.
   192         (o) Personal information collected, processed, sold, or
  193  disclosed pursuant to the federal Fair Credit Reporting Act, 15
  194  U.S.C. s. 1681 and implementing regulations.
   195         (p) Nonpublic personal information collected, processed,
  196  sold, or disclosed pursuant to the Gramm-Leach-Bliley Act, 15
  197  U.S.C. s. 6801 et seq., and implementing regulations.
   198         (q) A financial institution as defined in the Gramm-Leach-Bliley
   199  Act, 15 U.S.C. s. 6801 et seq., to the extent the
  200  financial institution maintains personal information in the same
  201  manner as nonpublic personal information as described in
  202  paragraph (p), and as long as such financial institution does
  203  not use personal information for targeted advertising with third
  204  parties and does not sell or share personal information to a
  205  third party unless such sale or sharing is covered by an
  206  exception under this section.
   207         (r) Personal information collected, processed, sold, or
  208  disclosed pursuant to the federal Driver’s Privacy Protection
  209  Act of 1994, 18 U.S.C. s. 2721 et seq.
   210         (s) Education information covered by the Family Educational
  211  Rights and Privacy Act, 20 U.S.C. s. 1232(g) and 34 C.F.R. part
  212  99.
   213         (t) Information collected as part of public or peer
  214  reviewed scientific or statistical research in the public
  215  interest and which adheres to all other applicable ethics and
  216  privacy laws, if the consumer has provided informed consent.
  217  Research with personal information must be subjected by the
  218  controller conducting the research to additional security
  219  controls that limit access to the research data to only those
  220  individuals necessary to carry out the research purpose, and
  221  such personal information must be subsequently deidentified.
   222         (u) Personal information disclosed for the purpose of
  223  responding to an alert of a present risk of harm to a person or
  224  property or prosecuting those responsible for that activity.
   225         (v) Personal information disclosed when a consumer uses or
  226  directs a controller to intentionally disclose information to a
  227  third party or uses the controller to intentionally interact
  228  with a third party. An intentional interaction occurs when the
  229  consumer intends to interact with the third party, by one or
  230  more deliberate interactions. Hovering over, muting, pausing, or
  231  closing a given piece of content does not constitute a
  232  consumer’s intent to interact with a third party.
   233         (w) An identifier used for a consumer who has opted out of
  234  the sale or sharing of the consumer’s personal information for
  235  the sole purpose of alerting processors and third parties that
  236  the consumer has opted out of the sale or sharing of the
  237  consumer’s personal information.
   238         (x) Personal information transferred by a controller to a
  239  third party as an asset that is part of a merger, acquisition,
  240  bankruptcy, or other transaction in which the third party
  241  assumes control of all or part of the controller, provided that
  242  the information is used or shared consistently with this
  243  section. If a third party materially alters how it uses or
  244  shares the personal information of a consumer in a manner that
  245  is materially inconsistent with the commitments or promises made
  246  at the time of collection, it must provide prior notice of the
  247  new or changed practice to the consumer. The notice must be
  248  sufficiently prominent and robust to ensure that consumers can
  249  easily exercise choices consistent with this section.
   250         (y) Personal information necessary to fulfill the terms of
  251  a written warranty when such warranty was purchased by the
  252  consumer or the product that is warranted was purchased by the
  253  consumer. Such information may not be sold or shared unless
  254  otherwise authorized under this section.
   255         (z) Personal information necessary for a product recall for
  256  a product purchased or owned by the consumer conducted in
  257  accordance with federal law. Such information may not be sold or
  258  shared unless otherwise authorized under this section.
   259         (aa) Personal information processed solely for the purpose
  260  of independently measuring or reporting advertising or content
  261  performance, reach, or frequency pursuant to a contract with a
  262  controller that collected personal information in accordance
  263  with this section. Such information may not be sold or shared
  264  unless otherwise authorized under this section.
   265         (bb) Personal information shared between a manufacturer of
  266  a tangible product and authorized third-party distributors or
  267  vendors of the product, as long as such personal information is
  268  used solely for advertising, marketing, or servicing the product
  269  that is acquired directly through such manufacturer and such
  270  authorized third-party distributors or vendors. Such personal
  271  information may not be sold or shared unless otherwise
  272  authorized under this section.
   273         (2) DEFINITIONS.—As used in this section, the term:
   274         (a) “Aggregate consumer information” means information that
  275  relates to a group or category of consumers, from which the
  276  identity of an individual consumer has been removed and is not
  277  reasonably capable of being directly or indirectly associated or
  278  linked with any consumer, household, or device. The term does
  279  not include information about a group or category of consumers
  280  used to facilitate targeted advertising or the display of ads
  281  online. The term does not include personal information that has
  282  been deidentified.
   283         (b) “Biometric information” means an individual’s
  284  physiological, biological, or behavioral characteristics that
  285  can be used, singly or in combination with each other or with
  286  other identifying data, to establish individual identity. The
  287  term includes, but is not limited to, imagery of the iris,
  288  retina, fingerprint, face, hand, palm, vein patterns, and voice
  289  recordings, from which an identifier template, such as a
  290  faceprint, a minutiae template, or a voiceprint, can be
  291  extracted, and keystroke patterns or rhythms, gait patterns or
  292  rhythms, and sleep, health, or exercise data that contain
  293  identifying information.
   294         (c) “Collect” means to buy, rent, gather, obtain, receive,
  295  or access any personal information pertaining to a consumer by
  296  any means. The term includes, but is not limited to, actively or
  297  passively receiving information from the consumer or by
  298  observing the consumer’s behavior or actions.
   299         (d) “Consumer” means a natural person who resides in or is
  300  domiciled in this state, however identified, including by any
  301  unique identifier, who is acting in a personal capacity or
  302  household context. The term does not include a natural person
  303  acting on behalf of a legal entity in a commercial or employment
  304  context.
   305         (e) “Controller” means:
   306         1. A sole proprietorship, partnership, limited liability
  307  company, corporation, association, or legal entity that meets
  308  the following requirements:
   309         a. Is organized or operated for the profit or financial
  310  benefit of its shareholders or owners;
   311         b. Does business in this state;
   312         c. Collects personal information about consumers, or is the
  313  entity on behalf of which such information is collected;
   314         d. Determines the purposes and means of processing personal
  315  information about consumers alone or jointly with others;
   316         e. Makes in excess of $1 billion in gross revenues, as
  317  adjusted in January of every odd-numbered year to reflect any
  318  increase in the Consumer Price Index; and
   319         f. Satisfies one of the following:
   320         (I) Derives 50 percent or more of its global annual
  321  revenues from providing targeted advertising or the sale of ads
  322  online; or
   323         (II) Operates a consumer smart speaker and voice command
  324  component service with an integrated virtual assistant connected
  325  to a cloud computing service that uses hands-free verbal
  326  activation. For purposes of this sub-sub-subparagraph, a
  327  consumer smart speaker and voice command component service does
  328  not include a motor vehicle or speaker or device associated with
  329  or connected to a vehicle.
   330         2. Any entity that controls or is controlled by a
  331  controller. As used in this subparagraph, the term “control”
  332  means:
   333         a. Ownership of, or the power to vote, more than 50 percent
  334  of the outstanding shares of any class of voting security of a
  335  controller;
   336         b. Control in any manner over the election of a majority of
  337  the directors, or of individuals exercising similar functions;
  338  or
   339         c. The power to exercise a controlling influence over the
  340  management of a company.
   341         (f) “Deidentified” means information that cannot reasonably
  342  be used to infer information about or otherwise be linked to a
  343  particular consumer, provided that the controller that possesses
  344  the information:
   345         1. Takes reasonable measures to ensure that the information
  346  cannot be associated with a specific consumer;
   347         2. Maintains and uses the information in deidentified form
  348  and does not attempt to reidentify the information, except that
  349  the controller may attempt to reidentify the information solely
  350  for the purpose of determining whether its deidentification
  351  processes satisfy the requirements of this paragraph;
   352         3. Contractually obligates any recipients of the
  353  information to comply with all this paragraph to avoid
  354  reidentifying such information; and
   355         4. Implements business processes to prevent the inadvertent
  356  release of deidentified information.
   357         (g) “Department” means the Department of Legal Affairs.
   358         (h) “Device” means a physical object associated with a
  359  consumer or household capable of directly or indirectly
  360  connecting to the Internet.
   361         (i) “Genetic information” means information about an
  362  individual’s deoxyribonucleic acid (DNA).
   363         (j) “Homepage” means the introductory page of an Internet
  364  website and any Internet webpage where personal information is
  365  collected. In the case of a mobile application, the homepage is
  366  the application’s platform page or download page, a link within
  367  the application, such as the “About” or “Information”
  368  application configurations, or the settings page, and any other
  369  location that allows consumers to review the notice required by
  370  subsection (7), including, but not limited to, before
  371  downloading the application.
   372         (k) “Household” means a natural person or a group of people
  373  in this state who reside at the same address, share a common
  374  device or the same service provided by a controller, and are
  375  identified by a controller as sharing the same group account or
  376  unique identifier.
   377         (l) “Personal information” means information that is linked
  378  or reasonably linkable to an identified or identifiable consumer
  379  or household, including biometric information, genetic
  380  information, and unique identifiers to the consumer.
   381         1. The term includes, but is not limited to, the following:
   382         a. Identifiers such as a real name, alias, postal address,
  383  unique identifier, online identifier, internet protocol address,
  384  email address, account name, social security number, driver
  385  license number, passport number, or other similar identifiers.
   386         b. Information that identifies, relates to, or describes,
  387  or could be associated with, a particular individual, including,
  388  but not limited to, a name, signature, social security number,
  389  physical characteristics or description, address, location,
  390  telephone number, passport number, driver license or state
  391  identification card number, insurance policy number, education,
  392  employment, employment history, bank account number, credit card
  393  number, debit card number, or any other financial information,
  394  medical information, or health insurance information.
   395         c. Characteristics of protected classifications under state
  396  or federal law.
   397         d. Commercial information, including records of personal
  398  property, products or services purchased, obtained, or
  399  considered, or other purchasing or consuming histories or
  400  tendencies.
   401         e. Biometric information.
   402         f. Internet or other electronic network activity
  403  information, including, but not limited to, browsing history,
  404  search history, and information regarding a consumer’s
  405  interaction with an Internet website, application, or
  406  advertisement.
   407         g. Geolocation data.
   408         h. Audio, electronic, visual, thermal, olfactory, or
  409  similar information.
   410         i. Inferences drawn from any of the information identified
  411  in this paragraph to create a profile about a consumer
  412  reflecting the consumer’s preferences, characteristics,
  413  psychological trends, predispositions, behavior, attitudes,
  414  intelligence, abilities, and aptitudes.
   415         2. The term does not include consumer information that is:
   416         a. Consumer employment contact information, including a
  417  position name or title, employment qualifications, emergency
  418  contact information, business telephone number, business
  419  electronic mail address, employee benefit information, and
  420  similar information used solely in an employment context.
   421         b. Deidentified or aggregate consumer information.
   422         c. Publicly and lawfully available information reasonably
  423  believed to be made available to the general public in a lawful
  424  manner and without legal restrictions:
   425         (I) From federal, state, or local government records.
   426         (II) By a widely distributed media source.
   427         (III) By the consumer or by someone to whom the consumer
  428  disclosed the information unless the consumer has purposely and
  429  effectively restricted the information to a certain audience on
  430  a private account.
  431         (m) “Precise geolocation data” means information from
  432  technology, such as global positioning system level latitude and
  433  longitude coordinates or other mechanisms, which directly
  434  identifies the specific location of a natural person with
  435  precision and accuracy within a radius of 1,750 feet. The term
  436  does not include information generated by the transmission of
  437  communications or any information generated by or connected to
  438  advance utility metering infrastructure systems or equipment for
  439  use by a utility.
   440         (n) “Processing” means any operation or set of operations
  441  performed on personal information or on sets of personal
  442  information, regardless of whether by automated means.
   443         (o) “Processor” means a sole proprietorship, partnership,
  444  limited liability company, corporation, association, or other
  445  legal entity that is organized or operated for the profit or
  446  financial benefit of its shareholders or other owners, that
  447  processes information on behalf of a controller and to which the
  448  controller discloses a consumer’s personal information pursuant
  449  to a written contract, provided that the contract prohibits the
  450  entity receiving the information from retaining, using, or
  451  disclosing the personal information for any purpose other than
  452  for the specific purpose of performing the services specified in
  453  the contract for the controller, as authorized by this section.
   454         (p) “Sell” means to sell, rent, release, disclose,
  455  disseminate, make available, transfer, or otherwise communicate
  456  orally, in writing, or by electronic or other means, a
  457  consumer’s personal information or information that relates to a
  458  group or category of consumers by a controller to another
  459  controller or a third party for monetary or other valuable
  460  consideration.
   461         (q) “Share” means to share, rent, release, disclose,
  462  disseminate, make available, transfer, or access a consumer’s
  463  personal information for advertising or marketing. The term
  464  includes:
   465         1. Allowing a third party to advertise or market to a
  466  consumer based on a consumer’s personal information without
  467  disclosure of the personal information to the third party.
   468         2. Monetary transactions, nonmonetary transactions, and
  469  transactions for other valuable consideration between a
  470  controller and a third party for advertising or marketing.
   471         (r) “Targeted advertising” means marketing to a consumer or
  472  displaying an advertisement to a consumer when the advertisement
  473  is selected based on personal information used to predict such
  474  consumer’s preferences or interests.
   475         (s) “Third party” means a person who is not a controller or
  476  a processor.
   477         (t) “Unique identifier” means a persistent identifier that
  478  can be used to recognize a consumer, a family, or a device that
  479  is linked to a consumer or a family, over time and across
  480  different services, including, but not limited to, a device
  481  identifier; an Internet Protocol address; cookies, beacons,
  482  pixel tags, mobile ad identifiers, or similar technology; a
  483  customer number, unique pseudonym, or user alias; telephone
  484  numbers, or other forms of persistent or probabilistic
  485  identifiers that can be used to identify a particular consumer,
  486  family, or device that is linked to a consumer or family. As
  487  used in this paragraph, the term “family” means a custodial
  488  parent or guardian and any minor children of whom the parent or
  489  guardian has custody, or a household as defined in paragraph
  490  (k).
   491         (u) “Verifiable consumer request” means a request made by a
  492  consumer, by a parent or guardian on behalf of a consumer who is
  493  a minor child, or by a person authorized by the consumer to act
  494  on the consumer’s behalf, that the controller can reasonably
  495  verify to be the consumer, pursuant to rules adopted by the
  496  department. A verifiable consumer request is presumed to have
  497  been made when requested through an established account using
  498  the controller’s established security features to access the
  499  account through communication features offered to consumers, but
  500  a controller may not require the consumer to create or have an
  501  account with the controller in order to make a verifiable
  502  consumer request.
   503         (v) “Voice recognition feature” means the function of a
  504  device which enables the collection, recording, storage,
  505  analysis, transmission, interpretation, or other use of spoken
  506  words or other sounds.
   507         (3) CONTROLLER REQUIREMENTS; CONSUMER DATA COLLECTION
  508  REQUIREMENTS AND RESPONSIBILITIES.—
  509         (a) A controller may not collect, without the consumer’s
  510  authorization, a consumer’s precise geolocation data or personal
  511  information through the operation of a voice recognition
  512  feature.
  513         (b) A controller that operates a search engine shall
  514  provide a consumer with information of how the controller’s
  515  search engine algorithm prioritizes or deprioritizes political
  516  partisanship or political ideology in its search results.
  517         (c) A controller that collects personal information about
  518  consumers shall maintain an up-to-date online privacy policy and
  519  make such policy available on its homepage. The online privacy
  520  policy must include the following information:
  521         1. Any Florida-specific consumer privacy rights.
  522         2. A list of the types and categories of personal
  523  information that the controller collects, sells, or shares, or
  524  has collected, sold, or shared, about consumers.
  525         3. The consumer’s right to request deletion or correction
  526  of certain personal information.
  527         4. The consumer’s right to opt out of the sale or sharing
  528  to third parties.
  529         (d) A controller that collects personal information from
  530  the consumer shall, at or before the point of collection,
  531  inform, or direct the processor to inform, consumers of the
  532  categories of personal information to be collected and the
  533  purposes for which such categories of personal information will
  534  be used.
  535         (e) A controller may not collect additional categories of
  536  personal information or use personal information collected for
  537  additional purposes without providing the consumer with notice
  538  consistent with this section.
  539         (f) A controller that collects a consumer’s personal
  540  information shall implement and maintain reasonable security
  541  procedures and practices appropriate to the nature of the
  542  personal information to protect such personal information from
  543  unauthorized or illegal access, destruction, use, modification,
  544  or disclosure. A controller shall require any processors to
  545  implement and maintain the same or similar security procedures
  546  and practices for personal information.
  547         (g) A controller shall adopt and implement a retention
  548  schedule that prohibits the use or retention of personal
  549  information not subject to an exemption by the controller or
  550  processor after the satisfaction of the initial purpose for
  551  which such information was collected or obtained, after the
  552  expiration or termination of the contract pursuant to which the
  553  information was collected or obtained, or 2 years after the
  554  consumer’s last interaction with the controller. This paragraph
  555  does not apply to personal information reasonably used or
  556  retained to do any of the following:
  557         1. Fulfill the terms of a written warranty or product
  558  recall conducted in accordance with federal law.
  559         2. Provide a good or service requested by the consumer, or
  560  reasonably anticipate the request of such good or service within
  561  the context of a controller’s ongoing business relationship with
  562  the consumer.
  563         3. Detect security threats or incidents; protect against
  564  malicious, deceptive, fraudulent, unauthorized, or illegal
  565  activity or access; or prosecute those responsible for such
  566  activity or access.
  567         4. Debug to identify and repair errors that impair existing
  568  intended functionality.
  569         5. Engage in public or peer-reviewed scientific,
  570  historical, or statistical research in the public interest which
  571  adheres to all other applicable ethics and privacy laws when the
  572  controller’s deletion of the information is likely to render
  573  impossible or seriously impair the achievement of such research,
  574  if the consumer has provided informed consent.
  575         6. Enable solely internal uses that are reasonably aligned
  576  with the expectations of the consumer based on the consumer’s
  577  relationship with the controller or that are compatible with the
  578  context in which the consumer provided the information.
  579         7. Comply with a legal obligation, including any state or
  580  federal retention laws.
  581         8. Protect the controller’s interests against existing
  582  disputes, legal action, or governmental investigations.
  583         9. Assure the physical security of persons or property.
  584         (4) CONSUMER RIGHT TO REQUEST COPY OF PERSONAL INFORMATION
  585  COLLECTED, SOLD, OR SHARED.—
  586         (a) A consumer has the right to request that a controller
  587  that collects, sells, or shares personal information about the
  588  consumer disclose the following to the consumer:
  589         1. The specific pieces of personal information which have
  590  been collected about the consumer.
  591         2. The categories of sources from which the consumer’s
  592  personal information was collected.
  593         3. The specific pieces of personal information about the
  594  consumer which were sold or shared.
  595         4. The third parties to which the personal information
  596  about the consumer was sold or shared.
  597         5. The categories of personal information about the
  598  consumer which were disclosed to a processor.
  599         (b) A controller that collects, sells, or shares personal
  600  information about a consumer shall disclose the information
  601  specified in paragraph (a) to the consumer upon receipt of a
  602  verifiable consumer request.
  603         (c) This subsection does not require a controller to
  604  retain, reidentify, or otherwise link any data that, in the
  605  ordinary course of business is not maintained in a manner that
  606  would be considered personal information.
  607         (d) The controller shall deliver to a consumer the
  608  information required under this subsection or act on a request
  609  made under this subsection by a consumer free of charge within
  610  45 calendar days after receiving a verifiable consumer request.
  611  The response period may be extended once by 45 additional
  612  calendar days when reasonably necessary, provided the controller
  613  informs the consumer of any such extension within the initial
  614  45-day response period and the reason for the extension. The
  615  information must be delivered in a portable and, to the extent
  616  technically feasible, readily usable format that allows the
  617  consumer to transmit the data to another entity without
  618  hindrance. A controller may provide the data to the consumer in
  619  a manner that does not disclose the controller’s trade secrets.
  620  A controller is not obligated to provide information to the
  621  consumer if the consumer or a person authorized to act on the
  622  consumer’s behalf does not provide verification of identity or
  623  verification of authorization to act with the permission of the
  624  consumer.
  625         (e) A controller may provide personal information to a
  626  consumer at any time, but is not required to provide personal
  627  information to a consumer more than twice in a 12-month period.
  628         (f) This subsection does not apply to personal information
  629  relating solely to households.
  630         (5) RIGHT TO HAVE PERSONAL INFORMATION DELETED OR
  631  CORRECTED.—
  632         (a) A consumer has the right to request that a controller
  633  delete any personal information about the consumer or about the
  634  consumer’s child younger than 18 years of age which the
  635  controller has collected.
  636         1. A controller that receives a verifiable consumer request
  637  to delete the consumer’s personal information shall delete the
  638  consumer’s personal information from its records and direct any
  639  processors to delete such information within 90 calendar days
  640  after receipt of the verifiable consumer request.
  641         2. A controller or a processor acting pursuant to its
  642  contract with the controller may not be required to comply with
  643  a consumer’s request to delete the consumer’s personal
  644  information if it is reasonably necessary for the controller or
  645  processor to maintain the consumer’s personal information to do
  646  any of the following:
  647         a. Complete the transaction for which the personal
  648  information was collected.
  649         b. Fulfill the terms of a written warranty or product
  650  recall conducted in accordance with federal law.
  651         c. Provide a good or service requested by the consumer, or
  652  reasonably anticipate the request of such good or service within
  653  the context of a controller’s ongoing business relationship with
  654  the consumer, or otherwise perform a contract between the
  655  controller and the consumer.
  656         d. Detect security threats or incidents; protect against
  657  malicious, deceptive, fraudulent, unauthorized, or illegal
  658  activity or access; or prosecute those responsible for such
  659  activity or access.
  660         e. Debug to identify and repair errors that impair existing
  661  intended functionality.
  662         f. Engage in public or peer-reviewed scientific,
  663  historical, or statistical research in the public interest which
  664  adheres to all other applicable ethics and privacy laws when the
  665  controller’s deletion of the information is likely to render
  666  impossible or seriously impair the achievement of such research,
  667  if the consumer has provided informed consent.
  668         g. Enable solely internal uses that are reasonably aligned
  669  with the expectations of the consumer based on the consumer’s
  670  relationship with the controller or that are compatible with the
  671  context in which the consumer provided the information.
  672         h. Comply with a legal obligation, including any state or
  673  federal retention laws.
  674         i. Protect the controller’s interests against existing
  675  disputes, legal action, or governmental investigations.
  676         j. Assure the physical security of persons or property.
  677         (b) A consumer has the right to request that a controller
  678  correct inaccurate personal information maintained by the
  679  controller about the consumer or about the consumer’s child
  680  younger than 18 years of age. A controller that receives a
  681  verifiable consumer request to correct inaccurate personal
  682  information shall use commercially reasonable efforts to correct
  683  the inaccurate personal information as directed by the consumer
  684  and shall direct any processors to correct such information
  685  within 90 calendar days after receipt of the verifiable consumer
  686  request. If a controller maintains a self-service mechanism to
  687  allow a consumer to correct certain personal information, the
  688  controller may require the consumer to correct their own
  689  personal information through such mechanism. A controller or a
  690  processor acting pursuant to its contract with the controller
  691  may not be required to comply with a consumer’s request to
  692  correct the consumer’s personal information if it is reasonably
  693  necessary for the controller or processor to maintain the
  694  consumer’s personal information to do any of the following:
  695         1. Complete the transaction for which the personal
  696  information was collected.
  697         2. Fulfill the terms of a written warranty or product
  698  recall conducted in accordance with federal law.
  699         3. Detect security threats or incidents; protect against
  700  malicious, deceptive, fraudulent, unauthorized, or illegal
  701  activity or access; or prosecute those responsible for such
  702  activity or access.
  703         4. Debug to identify and repair errors that impair existing
  704  intended functionality.
  705         5. Enable solely internal uses that are reasonably aligned
  706  with the expectations of the consumer based on the consumer’s
  707  relationship with the controller or that are compatible with the
  708  context in which the consumer provided the information.
  709         6. Comply with a legal obligation, including any state or
  710  federal retention laws.
  711         7. Protect the controller’s interests against existing
  712  disputes, legal action, or governmental investigations.
  713         8. Assure the physical security of persons or property.
  714         (6) RIGHT TO OPT OUT OF THE SALE OR SHARING OF PERSONAL
  715  INFORMATION.—
  716         (a) A consumer has the right at any time to direct a
  717  controller not to sell or share the consumer’s personal
  718  information to a third party. This right may be referred to as
  719  the right to opt out.
  720         (b) Notwithstanding paragraph (a), a controller may not
  721  sell or share the personal information of a minor consumer if
  722  the controller has actual knowledge that the consumer is not 18
  723  years of age or older. However, if a consumer who is between 13
  724  and 18 years of age, or if the parent or guardian of a consumer
  725  who is 12 years of age or younger, has affirmatively authorized
  726  the sale or sharing of such consumer’s personal information,
  727  then a controller may sell or share such information in
  728  accordance with this section. A controller that willfully
  729  disregards the consumer’s age is deemed to have actual knowledge
  730  of the consumer’s age. A controller that complies with the
  731  verifiable parental consent requirements of the Children’s
  732  Online Privacy Protection Act, 15 U.S.C. s. 6501 et seq., shall
  733  be deemed compliant with any obligation to obtain parental
  734  consent.
  735         (c) A controller that has received direction from a
  736  consumer opting out of the sale or sharing of the consumer’s
  737  personal information is prohibited from selling or sharing the
  738  consumer’s personal information beginning 4 calendar days after
  739  receipt of such direction, unless the consumer subsequently
  740  provides express authorization for the sale or sharing of the
  741  consumer’s personal information.
  742         (7) FORM TO OPT OUT OF SALE OR SHARING OF PERSONAL
  743  INFORMATION.—
  744         (a) A controller shall:
  745         1. In a form that is reasonably accessible to consumers,
  746  provide a clear and conspicuous link on the controller’s
  747  Internet homepage, entitled “Do Not Sell or Share My Personal
  748  Information,” to an Internet webpage that enables a consumer, a
  749  parent or guardian of a minor who is a consumer, or a person
  750  authorized by the consumer, to opt out of the sale or sharing of
  751  the consumer’s personal information. A controller may not
  752  require a consumer to create an account in order to direct the
  753  controller not to sell or share the consumer’s personal
  754  information. A controller may accept a request to opt out
  755  received through a user-enabled global privacy control, such as
  756  a browser plug-in or privacy setting, device setting, or other
  757  mechanism, which communicates or signals the consumer’s choice
  758  to opt out.
  759         2. For consumers who opted out of the sale or sharing of
  760  their personal information, respect the consumer’s decision to
  761  opt out for at least 12 months before requesting that the
  762  consumer authorize the sale or sharing of the consumer’s
  763  personal information.
  764         3. Use any personal information collected from the consumer
  765  in connection with the submission of the consumer’s opt-out
  766  request solely for the purposes of complying with the opt-out
  767  request.
  768         (b) A consumer may authorize another person to opt out of
  769  the sale or sharing of the consumer’s personal information on
  770  the consumer’s behalf pursuant to rules adopted by the
  771  department.
  772         (8) ACTIONS RELATED TO CONSUMERS WHO EXERCISE PRIVACY
  773  RIGHTS.—
  774         (a) A controller may not deny goods or services to a
  775  consumer because the consumer exercised any of the consumer’s
  776  rights under this section.
  777         (b) A controller may charge a consumer who exercised any of
  778  the consumer’s rights under this section a different price or
  779  rate, or provide a different level or quality of goods or
  780  services to the consumer, only if that difference is reasonably
  781  related to the value provided to the controller by the
  782  consumer’s data or is related to a consumer’s voluntary
  783  participation in a financial incentive program, including a bona
  784  fide loyalty, rewards, premium features, discounts, or club card
  785  program offered by the controller.
  786         (c) A controller may offer financial incentives, including
  787  payments to consumers as compensation, for the collection,
  788  sharing, sale, or deletion of personal information if the
  789  consumer gives the controller prior consent that clearly
  790  describes the material terms of the financial incentive program.
  791  The consent may be revoked by the consumer at any time.
  792         (d) A controller may not use financial incentive practices
  793  that are unjust, unreasonable, coercive, or usurious in nature.
  794         (9) CONTRACTS AND ROLES.—
  795         (a) Any contract or agreement between a controller and a
  796  processor must:
  797         1. Prohibit the processor from selling, sharing, retaining,
  798  using, or disclosing the personal information for any purpose
  799  that violates this section;
  800         2. Prohibit the processor from retaining, using, or
  801  disclosing the personal information other than for the purposes
  802  specified in the contract or agreement;
  803         3. Prohibit the processor from combining the personal
  804  information that the processor receives from or on behalf of the
  805  controller with personal information that the processor receives
  806  from or on behalf of another person or that the processor
  807  collects from its own interaction with the consumer, provided
  808  that the processor may combine personal information to perform
  809  any purpose specified in the contract or agreement and such
  810  combination is reported to the controller;
  811         4. Govern the processor’s personal information processing
  812  procedures with respect to processing performed on behalf of the
  813  controller, including processing instructions, the nature and
  814  purpose of processing, the type of information subject to
  815  processing, the duration of processing, and the rights and
  816  obligations of both the controller and processor;
  817         5. Require the processor to return or delete all personal
  818  information under the contract to the controller as requested by
  819  the controller at the end of the provision of services, unless
  820  retention of the information is required by law; and
  821         6. Upon request of the controller, require the processor to
  822  make available to the controller all personal information in its
  823  possession under the contract or agreement.
  824         (b) Determining whether a person is acting as a controller
  825  or processor with respect to a specific processing of data is a
  826  fact-based determination that depends upon the context in which
  827  personal information is to be processed. The contract between a
  828  controller and processor must reflect their respective roles and
  829  relationships related to handling personal information. A
  830  processor that continues to adhere to a controller’s
  831  instructions with respect to a specific processing of personal
  832  information remains a processor.
  833         (c) A third party that has collected personal information
  834  from a controller in accordance with this section:
  835         1. May not sell or share personal information about a
  836  consumer unless the consumer is provided an opportunity by such
  837  third party to opt out under this section. Once a third party
  838  sells or shares personal information after providing the
  839  opportunity to opt out, the third party becomes a controller
  840  under this section if the entity meets the definition of
  841  controller in subsection (2).
  842         2. May use such personal information from a controller to
  843  advertise or market products or services that are produced or
  844  offered directly by such third party.
  845         (d) A processor or third party must require any
  846  subcontractor to meet the same obligations of such processor or
  847  third party with respect to personal information.
  848         (e) A processor or third party or any subcontractor thereof
  849  who violates any of the restrictions imposed upon it under this
  850  section is liable or responsible for any failure to comply with
  851  this section. A controller that discloses personal information
  852  to a third party or processor in compliance with this section is
  853  not liable or responsible if the person receiving the personal
  854  information uses it without complying with the restrictions
  855  under this section if, provided that at the time of disclosing
  856  the personal information, the controller does not have actual
  857  knowledge or reason to believe that the person does not intend
  858  to comply with this section.
  859         (f) Any provision of a contract or agreement of any kind
  860  that waives or limits in any way a consumer’s rights under this
  861  section, including, but not limited to, any right to a remedy or
  862  means of enforcement, is deemed contrary to public policy and is
  863  void and unenforceable. This section does not prevent a consumer
  864  from declining to exercise the consumer’s rights under this
  865  section.
  866         (10) ENFORCEMENT AND IMPLEMENTATION BY THE DEPARTMENT.—
  867         (a) Any violation of this section is an unfair and
  868  deceptive trade practice actionable under part II of chapter 501
  869  solely by the department against a controller, processor, or
  870  third party. If the department has reason to believe that any
  871  controller, processor, or third party is in violation of this
  872  section, the department, as the enforcing authority, may bring
  873  an action against such controller, processor, or third party for
  874  an unfair or deceptive act or practice. For the purpose of
  875  bringing an action pursuant to this section, ss. 501.211 and
  876  501.212 do not apply. In addition to other remedies under part
  877  II of chapter 501, the department may collect a civil penalty of
  878  up to $50,000 per violation of this section. Civil penalties may
  879  be tripled for the following violations:
  880         1. Any violation involving a Florida consumer who the
  881  controller, processor, or third party has actual knowledge is 18
  882  years of age or younger.
  883         2. Failure to delete or correct the consumer’s personal
  884  information pursuant to this section after receiving a
  885  verifiable consumer request or directions from a controller to
  886  delete or correct such personal information unless the
  887  controller, processor, or third party qualifies for an exception
  888  to the requirements to delete or correct such personal
  889  information under this section.
  890         3. Continuing to sell or share the consumer’s personal
  891  information after the consumer chooses to opt out under this
  892  section.
  893         (b) After the department has notified a controller,
  894  processor, or third party in writing of an alleged violation,
  895  the department may in its discretion grant a 45-day period to
  896  cure the alleged violation. The 45-day cure period does not
  897  apply to a violation of subparagraph (a)1. The department may
  898  consider the number and frequency of violations, the substantial
  899  likelihood of injury to the public, and the safety of persons or
  900  property when determining whether to grant 45 calendar days to
  901  cure and the issuance of a letter of guidance. If the violation
  902  is cured to the satisfaction of the department and proof of such
  903  cure is provided to the department, the department may not bring
  904  an action for the alleged violation but in its discretion may
  905  issue a letter of guidance that indicates that the controller,
  906  processor, or person will not be offered a 45-day cure period
  907  for any future violations. If the controller, processor, or
  908  third party fails to cure the violation within 45 calendar days,
  909  the department may bring an action against the controller,
  910  processor, or third party for the alleged violation.
  911         (c) Any action brought by the department may be brought
  912  only on behalf of a Florida consumer.
  913         (d) By February 1 of each year, the department shall submit
  914  a report to the President of the Senate and the Speaker of the
  915  House of Representatives describing any actions taken by the
  916  department to enforce this section. Such report must be made
  917  publicly available on the department’s website. The report must
  918  include statistics and relevant information detailing:
  919         1. The number of complaints received and the categories or
  920  types of violations alleged by the complainant;
  921         2. The number and type of enforcement actions taken and the
  922  outcomes of such actions, including the amount of penalties
  923  issued and collected;
  924         3. The number of complaints resolved without the need for
  925  litigation; and
  926         4. The status of the development and implementation of
  927  rules to implement this section.
  928         (e) The department may adopt rules to implement this
  929  section, including standards for verifiable consumer requests,
  930  enforcement, data security, and authorized persons who may act
  931  on a consumer’s behalf.
  932         (f) The department may collaborate and cooperate with other
  933  enforcement authorities of the federal government or other state
  934  governments concerning consumer data privacy issues and consumer
  935  data privacy investigations if such enforcement authorities have
  936  restrictions governing confidentiality at least as stringent as
  937  the restrictions provided in this section.
  938         (g) Liability for a tort, contract claim, or consumer
  939  protection claim that is unrelated to an action brought under
  940  this subsection does not arise solely from the failure of a
  941  controller, processor, or third party to comply with this
  942  section.
  943         (h) This section does not establish a private cause of
  944  action.
  945         (i) The department may employ or use the legal services of
  946  outside counsel and the investigative services of outside
  947  personnel to fulfill the obligations of this section.
  948         (11) JURISDICTION.—For purposes of bringing an action
  949  pursuant to subsection (10), any person who meets the definition
  950  of controller as defined in this section which collects, shares,
  951  or sells the personal information of Florida consumers is
  952  considered to be both engaged in substantial and not isolated
  953  activities within this state and operating, conducting, engaging
  954  in, or carrying on a business, and doing business in this state,
  955  and is therefore subject to the jurisdiction of the courts of
  956  this state.
  957         (12) PREEMPTION.—This section is a matter of statewide
  958  concern and supersedes all rules, regulations, codes,
  959  ordinances, and other laws adopted by a city, county, city and
  960  county, municipality, or local agency regarding the collection,
  961  processing, sharing, or sale of consumer personal information by
  962  a controller or processor. The regulation of the collection,
  963  processing, sharing, or sale of consumer personal information by
  964  a controller or processor is preempted to the state.
  965         Section 3. Paragraph (g) of subsection (1) of section
  966  501.171, Florida Statutes, is amended to read:
  967         501.171 Security of confidential personal information.—
  968         (1) DEFINITIONS.—As used in this section, the term:
  969         (g)1. “Personal information” means either of the following:
  970         a. An individual’s first name or first initial and last
  971  name in combination with any one or more of the following data
  972  elements for that individual:
  973         (I) A social security number;
  974         (II) A driver license or identification card number,
  975  passport number, military identification number, or other
  976  similar number issued on a government document used to verify
  977  identity;
  978         (III) A financial account number or credit or debit card
  979  number, in combination with any required security code, access
  980  code, or password that is necessary to permit access to an
  981  individual’s financial account;
  982         (IV) Any information regarding an individual’s medical
  983  history, mental or physical condition, or medical treatment or
  984  diagnosis by a health care professional; or
  985         (V) An individual’s health insurance policy number or
  986  subscriber identification number and any unique identifier used
  987  by a health insurer to identify the individual;
  988         (VI) An individual’s biometric information or genetic
  989  information as defined in s. 501.173(2); or
  990         (VII) Any information regarding an individual’s
  991  geolocation.
  992         b. A user name or e-mail address, in combination with a
  993  password or security question and answer that would permit
  994  access to an online account.
  995         2. The term does not include information about an
  996  individual that has been made publicly available by a federal,
  997  state, or local governmental entity. The term also does not
  998  include information that is encrypted, secured, or modified by
  999  any other method or technology that removes elements that
 1000  personally identify an individual or that otherwise renders the
 1001  information unusable.
 1002         Section 4. Subsection (1) of section 16.53, Florida
 1003  Statutes, is amended, and subsection (8) is added to that
 1004  section, to read:
 1005         16.53 Legal Affairs Revolving Trust Fund.—
 1006         (1) There is created in the State Treasury the Legal
 1007  Affairs Revolving Trust Fund, from which the Legislature may
 1008  appropriate funds for the purpose of funding investigation,
 1009  prosecution, and enforcement by the Attorney General of the
 1010  provisions of the Racketeer Influenced and Corrupt Organization
 1011  Act, the Florida Deceptive and Unfair Trade Practices Act, the
 1012  Florida False Claims Act, or state or federal antitrust laws, or
 1013  s. 501.173.
 1014         (8) All moneys recovered by the Attorney General for
 1015  attorney fees, costs, and penalties in an action for a violation
 1016  of s. 501.173 must be deposited in the fund.
 1017         Section 5. This act shall take effect July 1, 2023.