Florida Senate - 2020 SB 1670
By Senator Broxson
1-01853-20 20201670__
1 A bill to be entitled
2 An act relating to consumer data privacy; amending s.
3 119.01, F.S.; prohibiting the use of personal data
4 contained in public records for certain marketing,
5 soliciting, and contact without the person’s consent;
6 creating s. 501.062, F.S.; defining terms; requiring
7 the operator of a website or online service that
8 collects certain information from consumers in this
9 state to establish a designated request address and
10 provide specified notice regarding the collection and
11 sale of such information; prohibiting such operator
12 from making any sale of consumer information upon
13 request of the consumer; providing applicability;
14 requiring the Department of Legal Affairs to adopt
15 rules; providing for injunctions and civil penalties;
16 providing construction; providing an effective date.
17
18 Be It Enacted by the Legislature of the State of Florida:
19
20 Section 1. Subsection (4) is added to section 119.01,
21 Florida Statutes, to read:
22 119.01 General state policy on public records.—
23 (4) Any public records requested from state agencies that
24 include the personal data, including the name, address, and
25 birthdate, or any portion thereof, of a resident of this state
26 may not be used to market or solicit the sale of products or
27 services to the person or to contact the person for the purpose
28 of marketing or soliciting sales without the consent of the
29 person. Such marketing, soliciting, and contact is prohibited
30 unless the person has affirmatively consented by electronic or
31 paper notification to share the data with a third party before
32 the data is used for such purpose.
33 Section 2. Section 501.062, Florida Statutes, is created to
34 read:
35 501.062 Notice regarding privacy of information collected
36 on the Internet from consumers.—
37 (1) As used in this section, the term:
38 (a) “Consumer” means a person who seeks or acquires, by
39 purchase or lease, any good, service, money, or credit for
40 personal, family, or household purposes from the website or
41 online service of an operator.
42 (b) “Covered information” means all of the following items
43 of personally identifiable information about a consumer
44 collected by an operator through a website or online service and
45 maintained by the operator in an accessible format:
46 1. A first and last name.
47 2. A home or other physical address which includes the name
48 of a street and the name of a city or town.
49 3. An electronic mail address.
50 4. A telephone number.
51 5. A social security number.
52 6. An identifier that allows a consumer to be contacted
53 either physically or online.
54 7. Any other information concerning a consumer that is
55 collected from the consumer through the website or online
56 service of the operator and maintained by the operator in
57 combination with an identifier in a form that makes the
58 information personally identifiable.
59 (c) “Designated request address” means an electronic mail
60 address, a toll-free telephone number, or a website established
61 by an operator through which a consumer may submit a verified
62 request to an operator.
63 (d)1. “Operator” means a person who:
64 a. Owns or operates a website or online service for
65 commercial purposes.
66 b. Collects and maintains covered information from
67 consumers who reside in this state and use or visit the website
68 or online service.
69 c. Purposefully directs activities toward this state or
70 purposefully executes a transaction or engages in any activity
71 with this state or a resident thereof.
72 2. The term does not include:
73 a. A third party that operates, hosts, or manages a website
74 or online service on behalf of its operator or processes
75 information on behalf of its operator;
76 b. A financial institution or an affiliate thereof that is
77 subject to the Gramm-Leach-Bliley Act, 15 U.S.C. s. 6801 et
78 seq., and regulations adopted pursuant thereto;
79 c. An entity that is subject to the Health Insurance
80 Portability and Accountability Act of 1996 (HIPAA), Pub. L. No.
81 104-191, and regulations adopted pursuant thereto; or
82 d. A manufacturer of a motor vehicle or a person who
83 repairs or services a motor vehicle who collects, generates,
84 records, or stores covered information that is retrieved from a
85 motor vehicle in connection with a technology or service related
86 to the motor vehicle or that is provided by a consumer in
87 connection with a subscription or registration for a technology
88 or service related to the motor vehicle.
89 (e)1. “Sale” means the exchange of covered information for
90 monetary consideration by the operator to a person for the
91 person to license or sell the covered information to additional
92 persons.
93 2. The term does not include:
94 a. The disclosure of covered information by an operator to
95 a person who processes the covered information on behalf of the
96 operator;
97 b. The disclosure of covered information by an operator to
98 a person with whom the consumer has a direct relationship for
99 the purposes of providing a product or service requested by the
100 consumer;
101 c. The disclosure of covered information by an operator to
102 a person for purposes that are consistent with the reasonable
103 expectations of a consumer considering the context in which the
104 consumer provided the covered information to the operator;
105 d. The disclosure of covered information to a person who is
106 an affiliate of the operator; or
107 e. The disclosure or transfer of covered information to a
108 person as an asset that is part of a merger, acquisition,
109 bankruptcy, or other transaction in which the person assumes
110 control of all or part of the assets of the operator.
111 (f) “Verified request” means a request submitted by a
112 consumer to an operator for the purposes provided in subsection
113 (2) for which an operator can reasonably verify the authenticity
114 of the request.
115 (2)(a) Each operator shall establish a designated request
116 address through which a consumer may submit a verified request.
117 (b) A consumer may, at any time, submit a verified request
118 through a designated request address to an operator directing
119 the operator not to make any sale of any covered information the
120 operator has collected or will collect about the consumer.
121 (c) An operator who has received a verified request
122 submitted by a consumer may not make any sale of any covered
123 information the operator has collected or will collect about the
124 consumer.
125 (d) An operator shall respond to a verified request
126 submitted by a consumer within 60 days after the date the
127 request is submitted. An operator may extend such period by up
128 to 30 days if the operator determines that such an extension is
129 reasonably necessary. An operator who extends the period shall
130 notify the consumer of such an extension.
131 (3) An operator shall make available, in a manner
132 reasonably accessible to consumers whose covered information the
133 operator collects through its website or online service, a
134 notice that:
135 (a) Identifies the categories of covered information that
136 the operator collects through its website or online service
137 about consumers who use or visit the website or online service
138 and the categories of third parties with whom the operator may
139 share such covered information.
140 (b) Provides a description of the process, if applicable,
141 for a consumer who uses or visits the website or online service
142 to review and request changes to any of his or her covered
143 information that is collected through the website or online
144 service.
145 (c) Describes the process by which the operator notifies
146 consumers who use or visit the website or online service of
147 material changes to the notice.
148 (d) Discloses whether a third party may collect covered
149 information about a consumer’s online activities over time and
150 across different websites or online services when the consumer
151 uses the operator’s website or online service.
152 (e) States the effective date of the notice.
153 (4) This section does not apply to an operator:
154 (a) Who is located in this state.
155 (b) Whose revenue is derived primarily from a source other
156 than the sale or lease of goods, services, or credit on websites
157 or online services.
158 (c) Whose website or online service has fewer than 20,000
159 unique visitors per year.
160 (5)(a) An operator may remedy any failure to comply with
161 this section within 30 days after being informed of such a
162 failure.
163 (b) An operator violates this section if the operator:
164 1. Knowingly and willfully fails to remedy a failure to
165 comply within 30 days after being informed of such a failure; or
166 2. Makes available a notice which constitutes a knowing and
167 material misrepresentation or omission that is likely to mislead
168 a consumer acting reasonably under the circumstances to the
169 detriment of the consumer.
170 (6)(a) The Department of Legal Affairs shall adopt rules to
171 enforce this section. If the department has reason to believe
172 that an operator, directly or indirectly, has violated or is
173 violating this section, the department may institute an
174 appropriate legal proceeding against the operator.
175 (b) The district court, upon a showing that the operator,
176 directly or indirectly, has violated or is violating this
177 section, may:
178 1. Issue a temporary or permanent injunction; or
179 2. Impose a civil penalty not to exceed $5,000 for each
180 violation.
181 (7) This section does not establish a private right of
182 action against an operator. This section is not exclusive and is
183 in addition to any other remedies provided by law.
184 Section 3. This act shall take effect July 1, 2020.