Florida Senate - 2019 SB 1468
By Senator Farmer
34-01205A-19 20191468__
1 A bill to be entitled
2 An act relating to personal online accounts; defining
3 terms; prohibiting employers, educational
4 institutions, or landlords from taking specified
5 actions relating to personal online accounts;
6 providing construction; requiring employers,
7 educational institutions, or landlords that
8 inadvertently receive authentication information for
9 personal online accounts to take certain actions;
10 providing that such employers, educational
11 institutions, or landlords are not liable for having
12 such information, subject to certain requirements;
13 authorizing a person with specified injuries as a
14 result of a violation of the act to bring legal
15 action; specifying that such person is entitled to
16 certain damages, fees, and costs; providing
17 construction; providing that certain data relating to
18 a violation of the act is inadmissible in certain
19 proceedings, except for proof of a violation;
20 providing an effective date.
21
22 Be It Enacted by the Legislature of the State of Florida:
23
24 Section 1. Personal Online Account Privacy Act.—
25 (1) DEFINITIONS.—As used in this section, the term:
26 (a) “Employee” has the same meaning as in s. 448.101,
27 Florida Statutes.
28 (b) “Employer” has the same meaning as in s. 448.101,
29 Florida Statutes.
30 (c) “Educational institution” means:
31 1. A private or public school, institution, or school
32 district, or any subdivision thereof, which offers participants,
33 students, or trainees an organized course of study or training
34 that is academic, trade oriented, or preparatory for gainful
35 employment;
36 2. Educational institution employees or agents acting under
37 the authority or on behalf of an educational institution; or
38 3. A state or local educational agency authorized to direct
39 or control an entity identified in subparagraph 1.
40 (d) “Landlord” has the same meaning as in s. 83.43(3),
41 Florida Statutes.
42 (e) “Lease” means a legally binding agreement between a
43 landlord and a tenant for the rental of real property.
44 (f) “Personal online account” means any online account
45 maintained by a person which is password protected, including,
46 but not limited to, a social media account or an e-mail account.
47 The term does not include an account or a discrete portion of an
48 account that:
49 1. Was opened at an employer’s behest or provided by an
50 employer and intended to be used solely or primarily on behalf
51 of or under the direction of the employer; or
52 2. Opened at an educational institution’s behest or
53 provided by an educational institution and intended to be used
54 solely or primarily on behalf of or under the direction of the
55 educational institution.
56 (g) “Prospective employee” means an applicant for
57 employment.
58 (h) “Prospective student” means an applicant for admission
59 to an educational institution.
60 (i) “Prospective tenant” means a person who inquires about
61 or applies to rent for residential purposes a real property from
62 a landlord.
63 (j) “Specifically identified content” means data or
64 information stored in a personal online account which is
65 identified with sufficient particularity to distinguish such
66 content from any other data or information stored in the account
67 with which it may share similar characteristics.
68 (k) “Student” means any person who is enrolled in a class
69 or any other organized course of study at an educational
70 institution, regardless of whether the enrollment is full-time
71 or part-time.
72 (l) “Tenant” means a person who leases real property for
73 residential purposes from a landlord.
74 (2) EMPLOYERS; PROHIBITED ACTS.—An employer may not do any
75 of the following:
76 (a) Request, require, or coerce an employee or prospective
77 employee to:
78 1. Disclose the username, password, or any other means of
79 authentication, or provide access through the username or
80 password, to a personal online account;
81 2. Disclose contents of a personal online account which are
82 not available to the public;
83 3. Provide a password or any other authentication
84 information to a personal technological device for the purposes
85 of gaining access to a personal online account;
86 4. Turn over an unlocked personal technological device for
87 purposes of gaining access to a personal online account;
88 5. Access a personal online account in the presence of the
89 employer in a manner that enables the employer to observe the
90 contents of such account; or
91 6. Change the settings of an account so as to increase
92 third-party access to such account’s contents.
93 (b) Require or coerce an employee or a prospective employee
94 to add any other person, including the employer, to the list of
95 contacts associated with such employee’s personal online
96 account.
97 (c) Take or threaten any action to discharge, discipline,
98 or otherwise penalize an employee as a result of his or her
99 refusal to perform any of the actions specified in paragraph (a)
100 or paragraph (b).
101 (d) Fail or refuse to hire a prospective employee as a
102 result of the employee refusing to perform any of the actions
103 specified in paragraph (a) or paragraph (b).
104 (3) EDUCATIONAL INSTITUTIONS; PROHIBITED ACTS.—An
105 educational institution may not do any of the following:
106 (a) Require, request, or coerce a student or prospective
107 student to:
108 1. Disclose the username, password, or any other means of
109 authentication, or provide access through the username or
110 password, to a personal online account;
111 2. Disclose contents of a personal online account which are
112 not available to the public;
113 3. Provide a password or any other authentication
114 information to a personal technological device for the purposes
115 of gaining access to a personal online account;
116 4. Turn over an unlocked personal technological device for
117 purposes of gaining access to a personal online account;
118 5. Access a personal online account in the presence of an
119 employee or a volunteer of the educational institution,
120 including, but not limited to, a coach, teacher, or school
121 administrator, in a manner that enables such employee or
122 volunteer to observe the contents of such account; or
123 6. Change the settings of an account so as to increase
124 third-party access to such account’s contents.
125 (b) Require or coerce a student or prospective student to
126 add any person to the list of contacts associated with such
127 student’s personal online account.
128 (c) Take or threaten any action to discharge, discipline,
129 prohibit from participating in curricular or extracurricular
130 activities, or otherwise penalize a student as a result of the
131 student refusing to perform any of the actions specified in
132 paragraph (a) or paragraph (b).
133 (d) Fail or refuse to admit a prospective student as a
134 result of the student refusing to perform any of the actions
135 specified in paragraph (a) or paragraph (b).
136 (4) LANDLORDS; PROHIBITED ACTS.—A landlord may not do any
137 of the following:
138 (a) Require, request, or coerce a tenant or prospective
139 tenant to:
140 1. Disclose the username, password, or any other means of
141 authentication, or provide access through the username or
142 password, to a personal online account;
143 2. Disclose contents of a personal online account that are
144 not available to the public;
145 3. Provide a password or any other authentication
146 information to a personal technological device for the purposes
147 of gaining access to a personal online account;
148 4. Turn over an unlocked personal technological device for
149 purposes of gaining access to a personal online account;
150 5. Access a personal online account in the presence of the
151 landlord in a manner that enables the landlord to observe the
152 contents of such account; or
153 6. Change the settings of an account so as to increase
154 third-party access to such account’s contents.
155 (b) Require or coerce a tenant or prospective tenant to add
156 any person to the list of contacts associated with such tenant’s
157 personal online account.
158 (c) Evict or otherwise penalize a tenant as a result of the
159 tenant refusing to perform any of the actions specified in
160 paragraph (a) or paragraph (b).
161 (d) Fail or refuse to rent to a prospective tenant as a
162 result of the tenant refusing to perform any of the actions
163 specified in paragraph (a) or paragraph (b).
164 (e) Include a provision in a lease which conflicts with
165 this act. If a landlord includes such a provision, it is void
166 and unenforceable.
167 (5) LIMITATIONS.—This act does not prohibit any of the
168 following:
169 (a) An employer, an educational institution, or a landlord
170 from:
171 1. Accessing information about an employee, a student, or a
172 tenant, or a prospective employee, a student, or a tenant, as
173 applicable, which is publicly available; or
174 2. Complying with state or federal laws, rules, or
175 regulations or the rules of self-regulatory organizations as
176 defined in s. 3(a)(26) of the Securities and Exchange Act of
177 1934.
178 (b) An employer or an educational institution from:
179 1. Prohibiting an employee or student, or a prospective
180 employee or a student, as applicable, from using a personal
181 online account for business or educational institution purposes;
182 or
183 2. Prohibiting an employee, a student, a prospective
184 employee, or a prospective student from accessing or operating a
185 personal online account during business or school hours or while
186 on business or school property.
187 (c) An employer, if the employer does not also request or
188 require an employee or a prospective employee to provide his or
189 her username and password, his or her password, or another means
190 of authentication which provides access to a personal online
191 account, from requesting or requiring the employee or
192 prospective employee to share specifically identified content
193 that has been reported to the employer for the purpose of:
194 1. Enabling the employer to comply with its own legal and
195 regulatory obligations;
196 2. Investigating an allegation, based on the receipt of
197 information regarding specifically identified content, of the
198 unauthorized transfer of an employer’s proprietary or
199 confidential information or financial data to an employee or
200 prospective employee’s personal online account; or
201 3. Investigating an allegation, based on the receipt of
202 information regarding specifically identified content, of
203 unlawful harassment or threats of violence in the workplace.
204 (d) An educational institution, if it does not also request
205 or require a student or prospective student to provide his or
206 her username and password, his or her password, or another means
207 of authentication that provides access to a personal online
208 account, from requesting or requiring the student or prospective
209 student to share specifically identified content that has been
210 reported to the educational institution for the purpose of
211 complying with its own legal obligations, subject to all legal
212 and constitutional protections that are applicable to the
213 student or prospective student.
214 (e) A landlord, if the landlord does not also request or
215 require a tenant or prospective tenant to provide his or her
216 username and password, his or her password, or another means of
217 authentication that provides access to a personal online
218 account, from requesting or requiring the tenant or prospective
219 tenant to share specifically identified content that has been
220 reported to the landlord for the purpose of:
221 1. Enabling a landlord to comply with its own legal and
222 regulatory obligations; or
223 2. Investigating an allegation, based on the receipt of
224 information regarding specifically identified content, of a
225 lease violation by the tenant where such a violation presents an
226 imminent threat of harm to the health or safety of another
227 tenant or occupant of the real property or of damage to the real
228 property.
229 (6) INADVERTENT RECEIPT OF PASSWORD.—If, through the use of
230 an otherwise lawful technology that monitors its network or
231 devices that it has provided to an employee, a student, or a
232 tenant, or a prospective employee, student, or tenant, for
233 network security or data confidentiality purposes, an employer,
234 an educational institution, or a landlord that inadvertently
235 receives the username and password, the password, or another
236 means of authentication that provides access to a personal
237 online account of the employee, student, or tenant, or the
238 prospective employee, student, or tenant, as applicable, the
239 employer, educational institution, or landlord, as applicable:
240 (a) Is not liable for having the information;
241 (b) May not use the information to access the personal
242 online account of the employee, student, or tenant, or the
243 prospective employee, student, or tenant;
244 (c) May not share the information with any other person or
245 entity; and
246 (d) Must delete the information as soon as is reasonably
247 practicable, unless it is retaining the information in
248 connection with the pursuit of a specific criminal complaint or
249 civil action, or the investigation thereof.
250 (7) ENFORCEMENT.—
251 (a) A person who is injured by a violation of this act,
252 including an injury to his or her reputation, may bring an
253 action for damages or equitable relief against his or her
254 employer, educational institution, or landlord, including its
255 employees or agents responsible for the violation. Such person
256 is entitled to actual damages, including mental pain and
257 suffering arising out of a violation of this act, and reasonable
258 attorney fees and other costs of litigation.
259 (b) Any employee or agent of an educational institution who
260 violates this act may be subject to disciplinary proceedings and
261 action. If the educational institution employees are represented
262 under the terms of a collective bargaining agreement, this act
263 prevails except where it conflicts with the collective
264 bargaining agreement, any memorandum of agreement or
265 understanding signed pursuant to the collective bargaining
266 agreement, or any recognized and established practice relative
267 to the members of the bargaining unit.
268 (8) ADMISSIBILITY.—Except as proof of a violation of this
269 act, data obtained, accessed, used, copied, disclosed, or
270 retained in violation of this act, or any evidence derived
271 therefrom, is not admissible in any criminal, civil,
272 administrative, or other proceeding.
273 Section 2. This act shall take effect upon becoming a law.