Florida Senate - 2021                        COMMITTEE AMENDMENT
       Bill No. SB 1734

                                 482404
       The Committee on Commerce and Tourism (Bradley) recommended the
       following:
       
    1         Senate Amendment (with title amendment)
    2  
    3         Delete everything after the enacting clause
    4  and insert:
    5         Section 1. Section 501.172, Florida Statutes, is created to
    6  read:
    7         501.172 Short title.—This act may be cited as the “Florida
    8  Privacy Protection Act.”
    9         Section 2. Section 501.173, Florida Statutes, is created to
   10  read:
   11         501.173 Purpose.—This act shall be construed liberally in
   12  recognition that privacy is an important right, and consumers in
   13  this state should have the ability to share their personal
   14  information as they wish, in a way that is safe and that they
   15  understand and control.
   16         Section 3. Section 501.174, Florida Statutes, is created to
   17  read:
   18         501.174 Definitions.—As used in ss. 501.172-501.177, unless
   19  the context otherwise requires, the term:
   20         (1)“Advertising and marketing” means a communication by a
   21  business or a person acting on behalf of the business through
   22  any medium intended to induce a consumer to obtain goods,
   23  services, or employment.
   24         (2)“Aggregate consumer information” means information that
   25  relates to a group or category of consumers, from which
   26  individual consumer identities have been removed, which is not
   27  linked or reasonably linkable to any consumer or household,
   28  including through a device. The term does not include one or
   29  more individual consumer records that have been de-identified.
   30         (3)“Biometric information” means an individual’s
   31  physiological, biological, or behavioral characteristics,
   32  including an individual’s deoxyribonucleic acid (DNA), which can
   33  be used, singly or in combination with each other or with other
   34  identifying data, to establish individual identity. The term
   35  includes, but is not limited to, imagery of the iris, retina,
   36  fingerprint, face, hand, or palm; vein patterns; voice
   37  recordings from which an identifier template, such as a
   38  faceprint, a minutiae template, or a voice print, can be
   39  extracted; keystroke patterns or rhythms; gait patterns or
   40  rhythms; and sleep, health, or exercise data that contain
   41  identifying information.
   42         (4)“Business” means:
   43         (a)A sole proprietorship, a partnership, a limited
   44  liability company, a corporation, or an association or any other
   45  legal entity that meets the following requirements:
   46         1.Is organized or operated for the profit or financial
   47  benefit of its shareholders or owners;
   48         2.Does business in this state;
   49         3.Collects personal information about consumers, or is the
   50  entity on behalf of which such information is collected;
   51         4.Determines the purposes and means of processing personal
   52  information about consumers, alone or jointly with others; and
   53         5.Satisfies at least one of the following thresholds:
   54         a.Has global annual gross revenues in excess of $25
   55  million, as adjusted in January of every odd-numbered year to
   56  reflect any increase in the Consumer Price Index.
   57         b.Annually buys, sells, or shares the personal information
   58  of 50,000 or more consumers, households, or devices.
   59         c.Derives 50 percent or more of its global annual revenues
   60  from selling or sharing personal information about consumers.
   61         (b)An entity that controls or is controlled by a business
   62  and that shares common branding with the business. As used in
   63  this paragraph, the term:
   64         1.“Common branding” means a shared name, service mark, or
   65  trademark that the average consumer would understand to mean
   66  that two or more entities are commonly owned.
   67         2.“Control” means:
   68         a.Ownership of, or the power to vote, more than 50 percent
   69  of the outstanding shares of any class of voting security of a
   70  business;
   71         b.Control in any manner over the election of a majority of
   72  the directors, or of individuals exercising similar functions;
   73  or
   74         c.The power to exercise a controlling influence over the
   75  management of a company.
   76         (c)A joint venture or partnership composed of businesses
   77  in which each business has at least a 40 percent interest. For
   78  the purposes of this act, the joint venture or partnership, and
   79  each business that comprises the joint venture or partnership,
   80  must be considered a separate, single business, except that
   81  personal information in the possession of each business and
   82  disclosed to the joint venture or partnership may not be shared
   83  with the other business. A joint venture does not include a
   84  third party that operates, hosts, or manages a website or an
   85  online service on behalf of a business or processes information
   86  on behalf of a business.
   87         (5)“Business purpose” means the use of personal
   88  information for the business’ operational or other notice-given
   89  purposes or for the service provider’s operational purposes,
   90  provided that the use of the personal information is reasonably
   91  necessary to achieve, and proportionate to the benefit of
   92  achieving, the purpose for which the personal information was
   93  collected or processed or for another purpose that is compatible
   94  with the context in which the personal information was
   95  collected. The term includes all of the following:
   96         (a)Auditing related to counting ad impressions of unique
   97  visitors and verifying positioning and the quality of ad
   98  impressions, and auditing compliance with this specification and
   99  other standards.
  100         (b)Helping to ensure security and integrity to the extent
  101  that the use of the consumer’s personal information is
  102  reasonably necessary for these purposes and proportionate to the
  103  benefit of its use for these purposes.
  104         (c)Debugging to identify and repair errors that impair
  105  existing intended functionality.
  106         (d)Short-term, transient use, including, but not limited
  107  to, nonpersonalized advertising shown as part of a consumer’s
  108  current interaction with the business, provided that the
  109  consumer’s personal information is not disclosed to a third
  110  party and is not used to build a profile of the consumer or to
  111  otherwise alter the consumer’s experience outside his or her
  112  current interaction with the business.
  113         (e)Performing services on behalf of the business,
  114  including maintaining or servicing accounts, providing customer
  115  service, processing or fulfilling orders and transactions,
  116  verifying customer information, processing payments, or
  117  providing financing, analytic services, storage, or similar
  118  services on behalf of the business.
  119         (f)Providing advertising and marketing services, not
  120  including targeted advertising, to the consumer provided that,
  121  for the purpose of advertising and marketing, a service provider
  122  may not combine the personal information of consumers who opt
  123  out which the service provider receives from, or on behalf of,
  124  the business with personal information that the service provider
  125  receives from, or on behalf of, another person or persons or
  126  collects from its own interaction with consumers.
  127         (g)Undertaking internal research for technological
  128  development and demonstration.
  129         (h)Undertaking activities to verify or maintain the
  130  quality or safety of a service or device that is owned,
  131  manufactured, manufactured for, or controlled by the business,
  132  and to improve, upgrade, or enhance the service or device that
  133  is owned, manufactured, manufactured for, or controlled by the
  134  business.
  135         (6)“Categories” or “category” means the items of personal
  136  identifying information specified as being included as personal
  137  information under subsection (18).
  138         (7)“Collects,” “collected,” or “collection” means buying,
  139  renting, gathering, obtaining, receiving, or accessing by any
  140  means any personal information pertaining to a consumer. The
  141  term includes receiving information from the consumer, either
  142  actively or passively, or by observing the consumer’s behavior.
  143         (8)“Commercial purposes” means to advance a person’s
  144  commercial or economic interests, such as by inducing another
  145  person to buy, rent, lease, join, subscribe to, provide, or
  146  exchange products, goods, property, information, or services or
  147  enabling or effecting, directly or indirectly, a commercial
  148  transaction. The term does not include engaging in speech that
  149  state or federal courts have recognized as noncommercial speech,
  150  including political speech and journalism.
  151         (9)“Consumer” means a natural person, however identified,
  152  including identification by a unique identifier, who is in this
  153  state for other than a temporary or transitory purpose. The term
  154  does not include any other natural person who is a nonresident.
  155         (10)“De-identified” means information:
  156         (a)That cannot reasonably identify, relate to, describe,
  157  be associated with, or be linked directly or indirectly to a
  158  particular consumer or device;
  159         (b)Containing data that the business has taken reasonable
  160  measures to ensure could not be reidentified;
  161         (c)Containing data that the business publicly commits to
  162  maintain and use in a de-identified fashion and that it does not
  163  attempt to reidentify; and
  164         (d)Containing data that the business contractually
  165  prohibits downstream recipients from attempting to reidentify.
  166         (11)“Designated request address” means an electronic mail
  167  address, a toll-free telephone number, or a website established
  168  by a business through which a consumer may submit a verified
  169  request to the business.
  170         (12)“Device” means a physical object capable of directly or
  171  indirectly connecting to the Internet.
  172         (13)“Home page” means the introductory page of an Internet
  173  website and any Internet web page where personal information is
  174  collected. In the case of an online service, such as a mobile
  175  application, the term means the application’s platform page or
  176  download page; a link within the application, such as from the
  177  application configuration, “about,” “information,” or settings
  178  page; and any other location that allows consumers to review the
  179  notices required by this act, at any time, including, but not
  180  limited to, before downloading the application.
  181         (14)“Household” means a person or group of persons living
  182  together or sharing living quarters who are or are not related.
  183         (15)“Intentional interaction” or “intentionally
  184  interacting” means the consumer intends to interact with or
  185  disclose personal information to a person through one or more
  186  deliberate interactions, including visiting the person’s website
  187  or purchasing a good or service from the person. The term does
  188  not include hovering over, muting, pausing, or closing a given
  189  piece of content.
  190         (16)“Nonpersonalized advertising” means advertising and
  191  marketing that is based solely on a consumer’s personal
  192  information derived from the consumer’s current interaction with
  193  the business, with the exception of the consumer’s precise
  194  geolocation.
  195         (17)“Person” means an individual, a proprietorship, a
  196  firm, a partnership, a joint venture, a syndicate, a business
  197  trust, a company, a corporation, a limited liability company, an
  198  association, a committee, and any other organization or group of
  199  persons acting in concert.
  200         (18)“Personal information” means information that
  201  identifies, relates to, describes, is reasonably capable of
  202  being associated with, or could reasonably be linked, directly
  203  or indirectly, with a particular consumer or household.
  204         (a)The term includes, but is not limited to, all of the
  205  following items of personal identifying information about a
  206  consumer collected and maintained by a person or business:
  207         1.A first and last name.
  208         2.A home or other physical address that includes the name
  209  of a street and the name of a city or town.
  210         3.An electronic mail address.
  211         4.A telephone number.
  212         5.A social security number.
  213         6.An identifier such as an alias, a unique personal
  214  identifier, an online identifier, an Internet protocol address,
  215  an account name, a driver license number, a passport number, or
  216  other similar identifiers.
  217         7.Biometric information, such as DNA or fingerprints or
  218  any other biometric information collected by a business about a
  219  consumer without the consumer’s knowledge.
  220         8.Internet or other electronic network activity
  221  information, including, but not limited to, browsing history,
  222  search history, and information regarding a consumer’s
  223  interaction with a website, an application, or an advertisement.
  224         9.Audio, electronic, visual, thermal, olfactory,
  225  geolocation, or similar information.
  226         10.Professional or employment-related information.
  227         11.Education information, defined as only information that
  228  is not publicly available.
  229         12.Inferences drawn from any information specified in this
  230  paragraph which can create a profile about a consumer reflecting
  231  the consumer’s preferences, characteristics, psychological
  232  trends, predispositions, behavior, attitudes, intelligence,
  233  abilities, and aptitudes.
  234         13.Any other information that may serve as a probabilistic
  235  identifier concerning a consumer which is collected from the
  236  consumer through a website, an online service, or some other
  237  means by the business and maintained by the business in
  238  combination with an identifier in a form that, when used
  239  together with the information, identifies the consumer.
  240         14.Characteristics of protected classifications under
  241  state or federal law.
  242         15.Commercial information, including records of personal
  243  property; products or services purchased, obtained, or
  244  considered; or other purchasing or consuming histories or
  245  tendencies.
  246         16.Geolocation data.
  247         (b)The term does not include:
  248         1.Information about a consumer obtained from public
  249  records, including information that is lawfully made available
  250  from federal, state, or local governmental records; information
  251  that a business has a reasonable basis to believe is lawfully
  252  made available to the general public by the consumer or from
  253  widely distributed media; or lawfully obtained, truthful
  254  information that is a matter of public concern.
  255         2.Consumer information that is de-identified or aggregate
  256  consumer information that relates to a group or category of
  257  consumers from which individual consumer identities have been
  258  removed.
  259         (19)“Probabilistic identifier” means the identification of
  260  a consumer or a device to a degree of certainty more probable
  261  than not, based on any categories of personal information
  262  included in or similar to the items of personal identifying
  263  information specified in subsection (18).
  264         (20)“Processing” means any operation or set of operations
  265  performed on personal information or on sets of personal
  266  information, whether or not by automated means.
  267         (21)“Profiling” means any form of automated processing
  268  performed on personal data to evaluate, analyze, or predict
  269  personal aspects related to an identified or identifiable
  270  natural person’s economic situation, health, personal
  271  preferences, interests, reliability, behavior, location, or
  272  movements.
  273         (22)(a)“Sale” or “sell” means the sale, rental, release,
  274  disclosure, dissemination, making available, loaning, sharing,
  275  transferring, or other communication, orally, in writing, or by
  276  electronic or other means, of a consumer’s personal information
  277  by a business to a third party for monetary or other tangible or
  278  intangible consideration or for any commercial purpose.
  279         (b)The term does not include any of the following:
  280         1.The disclosure, for a business purpose, of personal
  281  information by a business to a service provider who processes
  282  the personal information on behalf of the business.
  283         2.The disclosure, for the purposes of providing a product
  284  or service requested by the consumer, of personal information by
  285  a business to another business resulting from the consumer’s
  286  intentional interaction.
  287         (23)“Security and integrity” means the ability of a:
  288         (a)Network or information system to detect security
  289  incidents that compromise the availability, authenticity,
  290  integrity, and confidentiality of stored or transmitted personal
  291  information.
  292         (b)Business to detect security incidents; to resist
  293  malicious, deceptive, fraudulent, or illegal actions; and to
  294  help prosecute those responsible for such actions.
  295         (c)Business to ensure the physical safety of natural
  296  persons.
  297         (24)“Service provider” means a person who processes
  298  personal information on behalf of a business to whom the
  299  business discloses a consumer’s personal information for a
  300  business purpose pursuant to a written or electronic contract if
  301  the contract prohibits the person from:
  302         (a)Selling the information;
  303         (b)Retaining, using, or disclosing the personal
  304  information for any purpose other than the business purposes
  305  specified in the contract, including a prohibition on retaining,
  306  using, or disclosing the personal information for a commercial
  307  purpose other than the business purposes specified in the
  308  contract with the business;
  309         (c)Combining the personal information that the service
  310  provider receives from or on behalf of the business with
  311  personal information that the service provider receives from or
  312  on behalf of another person or persons or collects from its own
  313  interaction with consumers, provided that the service provider
  314  may combine personal information to perform a business purpose;
  315  and
  316         (d)Retaining, using, or disclosing the information outside
  317  of the direct business relationship between the service provider
  318  and the business.
  319         (25)“Targeted advertising” means displaying an
  320  advertisement to a consumer when the advertisement is selected
  321  based on personal data obtained from a consumer’s activities
  322  over time and across businesses, websites, or online
  323  applications other than the business, website, or online
  324  application with which the consumer is intentionally
  325  interacting, to predict such consumer’s preferences or
  326  interests. The term does not include nonpersonalized
  327  advertising.
  328         (26)“Third party” means a person who is not any of the
  329  following:
  330         (a)The business with which the consumer intentionally
  331  interacts which collects personal information from the consumer
  332  as part of the consumer’s current interaction with the business.
  333         (b)A service provider to the business.
  334         (27)“Unique identifier” or “unique personal identifier”
  335  means a persistent identifier that can be used to recognize a
  336  consumer, a family, or a device linked to a consumer or family
  337  over time and across different services, including, but not
  338  limited to, a device identifier; an Internet protocol address;
  339  cookies, beacons, pixel tags, mobile ad identifiers, or similar
  340  technology; a customer number, unique pseudonym, or user alias;
  341  telephone numbers; or other forms of persistent or probabilistic
  342  identifiers that can be used to identify a particular consumer
  343  or device that is linked to a consumer or family. For purposes
  344  of this subsection, the term “family” means a custodial parent
  345  or guardian and any minor children of which the parent or
  346  guardian has custody.
  347         (28)“Verified request” means a request submitted by a
  348  consumer, by a consumer on behalf of the consumer’s minor child,
  349  or by a natural person or a person registered with the Secretary
  350  of State, who is authorized by the consumer to act on the
  351  consumer’s behalf, to a business for which the business can
  352  reasonably verify the authenticity of the request.
  353         Section 4. Section 501.1745, Florida Statutes, is created
  354  to read:
  355         501.1745 General duties of businesses that collect personal
  356  information.—
  357         (1)A business that controls the collection of a consumer’s
  358  personal information that will be used for any purpose other
  359  than a business purpose, at or before the point of collection,
  360  shall inform consumers of all of the following:
  361         (a)The purposes for which each category of personal
  362  information is collected or used and whether that information is
  363  sold. A business may not collect additional categories of
  364  personal information, or use collected personal information for
  365  additional purposes that are incompatible with the disclosed
  366  purpose for which the personal information was collected,
  367  without providing the consumer with notice consistent with this
  368  section.
  369         (b)The length of time the business intends to retain each
  370  category of personal information or, if that is not possible,
  371  the criteria used to determine such period, provided that a
  372  business may not retain a consumer’s personal information for
  373  each disclosed purpose for which the personal information was
  374  collected for longer than is reasonably necessary for that
  375  disclosed purpose.
  376         (2)A business’ collection, use, retention, and sharing of
  377  a consumer’s personal information must be reasonably necessary
  378  to achieve, and proportionate to the benefit of achieving, the
  379  purposes for which the personal information was collected or
  380  processed, and such information may not be further processed in
  381  a manner that is incompatible with those purposes.
  382         (3)A business that collects a consumer’s personal
  383  information shall implement reasonable security procedures and
  384  practices appropriate to the nature of the personal information
  385  to protect the personal information from unauthorized or illegal
  386  access, destruction, use, modification, or disclosure.
  387         (4)A business that collects a consumer’s personal
  388  information and sells that personal information to a third party
  389  or discloses it to a service provider for a business purpose
  390  shall enter into an agreement with such third party or service
  391  provider which obligates the third party or service provider to
  392  comply with applicable obligations under this act and obligates
  393  those persons to provide the same level of privacy protection as
  394  is required by this act. If a service provider engages any other
  395  person to assist it in processing personal information for a
  396  business purpose on behalf of the business, or if any other
  397  person engaged by the service provider engages another person to
  398  assist in processing personal information for that business
  399  purpose, the provider or person must notify the business of that
  400  engagement, and the engagement must be pursuant to a written
  401  contract that includes the prohibitions described in s.
  402  501.174(23) and a certification made by the person receiving the
  403  personal information that he or she understands the restrictions
  404  under this act and will comply with them.
  405         Section 5. Section 501.175, Florida Statutes, is created to
  406  read:
  407         501.175 Use of personal information; third parties; other
  408  rights.—
  409         (1)(a)A consumer has the right, at any time, to direct a
  410  business that sells personal information about the consumer not
  411  to sell the consumer’s personal information. This right may be
  412  referred to as the right to opt out of the sale.
  413         (b)As part of the right to opt out of the sale of his or
  414  her personal information, a consumer has the right, at any time,
  415  to opt out of the processing of the consumer’s personal data for
  416  purposes of targeted advertising or profiling. However, this
  417  paragraph may not be construed to prohibit the business that
  418  collected the consumer’s personal information from:
  419         1.Offering a different price, rate, level, quality, or
  420  selection of goods or services to a consumer, including offering
  421  goods or services for no fee, if the consumer has opted out of
  422  targeted advertising or the sale of his or her personal
  423  information; or
  424         2.Offering a loyalty, reward, premium feature, discount,
  425  or club card program.
  426         (c)A business that charges or offers a different price,
  427  rate, level, quality, or selection of goods or services to a
  428  consumer who has opted out of targeted advertising or the sale
  429  of his or her personal information, or that offers goods or
  430  services for no fee, shall ensure that such charge or offer is:
  431         1.Reasonably related to the value provided to the business
  432  by the consumer’s data; and
  433         2.Not unjust, unreasonable, coercive, or usurious.
  434         (2)A business that sells consumers’ personal information
  435  shall provide notice to consumers that the information may be
  436  sold and that consumers have the right to opt out of the sale of
  437  their personal information.
  438         (3)A business that sells consumer information and that has
  439  received direction from a consumer not to sell the consumer’s
  440  personal information or, in the case of a minor consumer’s
  441  personal information, has not received consent to sell the minor
  442  consumer’s personal information, is prohibited from selling the
  443  consumer’s personal information after the business receives the
  444  consumer’s direction, unless the consumer subsequently provides
  445  express authorization for the sale of the consumer’s personal
  446  information. A business that is able to authenticate the
  447  consumer, for example, by the consumer logging in, or that uses
  448  some other unique identifier for the consumer, must comply with
  449  any privacy preferences the consumer previously directed. The
  450  business may not require the consumer to declare privacy
  451  preferences every time the consumer visits the business website
  452  or uses the business online services.
  453         (4)(a)Notwithstanding subsection (1), a business may not
  454  sell the personal information of consumers if the business has
  455  actual knowledge that the consumer is younger than 16 years of
  456  age, unless:
  457         1.The consumer, in the case of consumers between 13 and 16
  458  years of age, has affirmatively authorized the sale of the
  459  consumer’s personal information; or
  460         2.The consumer’s parent or guardian, in the case of
  461  consumers who are younger than 13 years of age, has
  462  affirmatively authorized the sale of the consumer’s personal
  463  information.
  464         (b)This right may be referred to as the right to opt in.
  465         (c)A business that willfully disregards the consumer’s age
  466  is deemed to have actual knowledge of the consumer’s age.
  467         (5)A business that is required to comply with this section
  468  shall, in a form that is reasonably accessible to consumers, do
  469  all of the following:
  470         (a)Provide a clear and conspicuous link on the business’
  471  Internet home page, titled “Do Not Sell My Personal
  472  Information,” to a web page that enables a consumer or a person
  473  authorized by the consumer to opt out of the sale of the
  474  consumer’s personal information. A business may not require a
  475  consumer to create an account in order to direct the business
  476  not to sell the consumer’s information.
  477         (b)Ensure that all individuals responsible for handling
  478  consumer inquiries about the business’ privacy practices or the
  479  business’ compliance with this section are informed of all
  480  requirements of this section and how to direct consumers to
  481  exercise their rights.
  482         (c)For consumers who exercise their right to opt out of
  483  the sale of their personal information, refrain from selling
  484  personal information the business collected about the consumer
  485  as soon as reasonably possible but no longer than 2 business
  486  days after receiving the request to opt out.
  487         (d)For consumers who have opted out of the sale of their
  488  personal information, respect the consumer’s decision to opt out
  489  for at least 12 months before requesting that the consumer
  490  authorize the sale of the consumer’s personal information.
  491         (e)Use any personal information collected from the
  492  consumer in connection with the submission of the consumer’s
  493  opt-out request solely for the purposes of complying with the
  494  opt-out request.
  495         (f)Ensure that consumers have the right to submit a
  496  verified request for certain information from a business,
  497  including the sources from which the consumer’s personal
  498  information was collected, the specific items of personal
  499  information it has collected about the consumer, and any third
  500  parties to whom the personal information was sold.
  501         (6)Consumers have the right to submit a verified request
  502  for the deletion of their personal information that the business
  503  has collected.
  504         (7) A business, or a service provider acting pursuant to
  505  its contract with the business or another service provider, is
  506  not required to comply with a consumer’s verified request to
  507  delete the consumer’s personal information if it is necessary
  508  for the business or service provider to maintain the consumer’s
  509  personal information in order to do any of the following:
  510         (a) Complete the transaction for which the personal
  511  information was collected, fulfill the terms of a written
  512  warranty or product recall conducted in accordance with federal
  513  law, provide a good or service requested by the consumer, or
  514  otherwise perform a contract between the business and the
  515  consumer.
  516         (b) Help to ensure security and integrity to the extent
  517  that the use of the consumer’s personal information is
  518  reasonably necessary and proportionate for those purposes.
  519         (c) Debug to identify and repair errors that impair
  520  existing intended functionality.
  521         (d) Exercise free speech, ensure the right of another
  522  consumer to exercise that consumer’s right of free speech, or
  523  exercise another right provided for by law.
  524         (e) Engage in public or peer-reviewed scientific,
  525  historical, or statistical research that conforms or adheres to
  526  all other applicable ethics and privacy laws, when the business’
  527  deletion of the information is likely to render impossible or
  528  seriously impair the ability to complete such research, if the
  529  consumer has provided informed consent.
  530         (f) Comply with a legal obligation.
  531         (8) Consumers have the right to submit a verified request
  532  for correction of their personal information held by a business
  533  if that information is inaccurate.
  534         (9) This section may not be construed to require a business
  535  to comply by including the required links and text on the home
  536  page that the business makes available to the public generally,
  537  if:
  538         (a) The business maintains a separate and additional home
  539  page that is dedicated to consumers in this state and includes
  540  the required links and text; and
  541         (b) The business takes reasonable steps to ensure that
  542  consumers in this state are directed to the home page for
  543  consumers in this state and not the home page made available to
  544  the public generally.
  545         (10) A consumer may authorize another person to opt out of
  546  the sale of the consumer’s personal information. A business
  547  shall comply with an opt-out request received from a person
  548  authorized by the consumer to act on the consumer’s behalf,
  549  including a request received through a user-enabled global
  550  privacy control, such as a browser plug-in or privacy setting,
  551  device setting, or other mechanism, which communicates or
  552  signals the consumer’s choice to opt out, and may not require a
  553  consumer to make a verified request to opt out of the sale of
  554  his or her information.
  555         (11) Each business shall establish a designated request
  556  address through which a consumer may submit a request to
  557  exercise his or her rights under this act.
  558         (12)(a) A business that receives a verified request:
  559         1. For a consumer’s personal information, shall disclose to
  560  the consumer any personal information about the consumer which
  561  it has collected since July 1, 2022, directly or indirectly,
  562  including through or by a service provider.
  563         2. To correct a consumer’s inaccurate personal information,
  564  shall correct the inaccurate personal information.
  565         3. To delete a consumer’s personal information, shall
  566  delete such personal information.
  567         (b) A service provider is not required to personally comply
  568  with a verified request received directly from a consumer or a
  569  consumer’s authorized agent to the extent that the service
  570  provider has collected personal information about the consumer
  571  in its role as a service provider. A service provider shall
  572  provide assistance to a business with which it has a contractual
  573  relationship with respect to the business’ response to a
  574  verifiable consumer request, including, but not limited to, by
  575  providing to the business the consumer’s personal information in
  576  the service provider’s possession which the service provider
  577  obtained as a result of providing services to the business.
  578         (c) At the direction of the business, a service provider
  579  shall correct inaccurate personal information, or delete
  580  personal information, or enable the business to do the same, and
  581  shall notify any service providers who may have accessed such
  582  personal information from or through the service provider, to
  583  correct or delete the consumer’s personal information, as
  584  applicable.
  585         (d) A business shall comply with a verified request
  586  submitted by a consumer to access, correct, or delete personal
  587  information within 30 days after the date the request is
  588  submitted. A business may extend such period by up to 30 days if
  589  the business, in good faith, determines that such an extension
  590  is reasonably necessary. A business that extends the period
  591  shall notify the consumer of the necessity of an extension.
  592         (13) A business shall comply with a consumer’s previous
  593  expressed decision to opt out of the sale of his or her personal
  594  information without requiring the consumer to take any
  595  additional action if:
  596         (a) The business is able to identify the consumer through a
  597  login protocol or any other process the business uses to
  598  identify consumers and the consumer has previously exercised his
  599  or her right to opt out of the sale of his or her personal
  600  information; or
  601         (b) The business is aware of the consumer’s desire to opt
  602  out of the sale of his or her personal information through the
  603  use of a user-enabled global privacy control, such as a browser,
  604  browser instruction, plug-in or privacy setting, device setting,
  605  application, service, or other mechanism, which communicates or
  606  signals the consumer’s choice to opt out.
  607         (14) A business shall make available, in a manner
  608  reasonably accessible to consumers whose personal information
  609  the business collects through its website or online service, a
  610  notice that does all of the following:
  611         (a) Identifies the categories of personal information that
  612  the business collects through its website or online service
  613  about consumers who use or visit the website or online service
  614  and the categories of third parties with whom the business may
  615  share such personal information.
  616         (b) Provides a description of the process, if applicable,
  617  for a consumer who uses or visits the website or online service
  618  to review and request changes to any of his or her personal
  619  information that is collected through the website or online
  620  service.
  621         (c) Describes the process by which the business notifies
  622  consumers who use or visit the website or online service of
  623  material changes to the notice.
  624         (d) Discloses whether a third party may collect personal
  625  information about a consumer’s online activities over time and
  626  across different websites or online services when the consumer
  627  uses the business’ website or online service.
  628         (e) States the effective date of the notice.
  629         Section 6. Section 501.176, Florida Statutes, is created to
  630  read:
  631         501.176 Exclusions.—
  632         (1) The obligations imposed on a business by this act do
  633  not restrict a business’ ability to do any of the following:
  634         (a) Comply with federal, state, or local laws.
  635         (b) Comply with a civil, criminal, or regulatory inquiry or
  636  an investigation, a subpoena, or a summons by federal, state, or
  637  local authorities.
  638         (c) Cooperate with law enforcement agencies concerning
  639  conduct or activity that the business, service provider, or
  640  third party reasonably and in good faith believes may violate
  641  federal, state, or local law.
  642         (d) Exercise or defend legal claims.
  643         (e) Collect, use, retain, sell, or disclose consumer
  644  information that is de-identified or in the aggregate consumer
  645  information that relates to a group or category of consumers
  646  from which individual consumer identities have been removed.
  647         (f) Collect or sell a consumer’s personal information if
  648  every aspect of that commercial conduct takes place wholly
  649  outside of this state. For purposes of this act, commercial
  650  conduct takes place wholly outside of this state if the business
  651  collected that information while the consumer was outside of
  652  this state, no part of the sale of the consumer’s personal
  653  information occurred in this state, and no personal information
  654  collected while the consumer was in this state is sold. This
  655  paragraph does not permit a business to store, including on a
  656  device, personal information about a consumer when the consumer
  657  is in this state and then to collect that personal information
  658  when the consumer and stored personal information are outside of
  659  this state.
  660         (2) This act does not apply to any of the following:
  661         (a) A business that collects or discloses the personal
  662  information of the business’ employees, applicants, interns, or
  663  volunteers so long as the business is collecting or disclosing
  664  such information within the scope of its role as an employer.
  665         (b) Health information that is collected by a covered
  666  entity or business associate governed by the privacy, security,
  667  and breach notification rules issued by the United States
  668  Department of Health and Human Services in 45 C.F.R. parts 160
  669  and 164.
  670         (c) A covered entity governed by the privacy, security, and
  671  breach notification rules issued by the United States Department
  672  of Health and Human Services in 45 C.F.R. parts 160 and 164, to
  673  the extent the provider or covered entity maintains patient
  674  information in the same manner as medical information or
  675  protected health information as described in paragraph (b).
  676         (d) Information collected as part of a clinical trial
  677  subject to the Federal Policy for the Protection of Human
  678  Subjects pursuant to good clinical practice guidelines issued by
  679  the International Council for Harmonisation of Technical
  680  Requirements for Pharmaceuticals for Human Use or pursuant to
  681  human subject protection requirements of the United States Food
  682  and Drug Administration.
  683         (e) The sale of personal information to or from a consumer
  684  reporting agency if that information is to be reported in or
  685  used to generate a consumer report as defined by 15 U.S.C. s.
  686  1681(a), and if the use of that information is limited by the
  687  federal Fair Credit Reporting Act, 15 U.S.C. s. 1681 et seq.
  688         (f) Personal information collected, processed, sold, or
  689  disclosed pursuant to the federal Gramm-Leach-Bliley Act, 12
  690  U.S.C. s. 24(a) et seq. and implementing regulations.
  691         (g) Personal information collected, processed, sold, or
  692  disclosed pursuant to the federal Driver’s Privacy Protection
  693  Act of 1994, 18 U.S.C. s. 2721 et seq.;
  694         (h) Education information covered by the federal Family
  695  Educational Rights and Privacy Act, 20 U.S.C. s. 1232g and 34
  696  C.F.R. part 99.
  697         (i) Personal information collected, processed, sold, or
  698  disclosed in relation to price, route, or service as those terms
  699  are used in the federal Airline Deregulation Act, 49 U.S.C. s.
  700  40101 et seq., by entities subject to the federal Airline
  701  Deregulation Act, to the extent the provisions of this act are
  702  preempted by s. 41713 of the federal Airline Deregulation Act.
  703         (j) Vehicle information or ownership information retained
  704  or shared between a new motor vehicle dealer and the vehicle’s
  705  manufacturer if the vehicle or ownership information is shared
  706  for the purpose of effectuating, or in anticipation of
  707  effectuating, a vehicle repair covered by a vehicle warranty or
  708  a recall conducted pursuant to 49 U.S.C. s. 30118-30120,
  709  provided that the new motor vehicle dealer or vehicle
  710  manufacturer with which that vehicle information or ownership
  711  information is shared does not sell, share, or use that
  712  information for any other purpose. As used in this paragraph,
  713  the term “vehicle information” means the vehicle information
  714  number, make, model, year, and odometer reading, and the term
  715  “ownership information” means the name or names of the
  716  registered owner or owners and the contact information for the
  717  owner or owners.
  718         (3) If a request from a consumer is manifestly unfounded or
  719  excessive, in particular because of the request’s repetitive
  720  character, a business may either charge a reasonable fee, taking
  721  into account the administrative costs of providing the
  722  information or communication or taking the action requested, or
  723  refuse to act on the request and notify the consumer of the
  724  reason for refusing the request. The business bears the burden
  725  of demonstrating that any verified consumer request is
  726  manifestly unfounded or excessive.
  727         (4) A business that discloses personal information to a
  728  service provider is not liable under this act if the service
  729  provider receiving the personal information uses it in violation
  730  of the restrictions set forth in the act, provided that, at the
  731  time of disclosing the personal information, the business does
  732  not have actual knowledge, or reason to believe, that the
  733  service provider intends to commit such a violation. A service
  734  provider is likewise not liable under this act for the
  735  obligations of a business for which it provides services as set
  736  forth in this act.
  737         (5) This act may not be construed to require a business to
  738  reidentify or otherwise link information that is not maintained
  739  in a manner that would be considered personal information;
  740  retain any personal information about a consumer if, in the
  741  ordinary course of business, that information would not be
  742  retained; maintain information in identifiable, linkable, or
  743  associable form; or collect, obtain, retain, or access any data
  744  or technology in order to be capable of linking or associating a
  745  verifiable consumer request with personal information.
  746         (6) The rights afforded to consumers and the obligations
  747  imposed on a business in this act may not adversely affect the
  748  rights and freedoms of other consumers. Notwithstanding s.
  749  501.175(7), a verified request for specific items of personal
  750  information, to delete a consumer’s personal information, or to
  751  correct inaccurate personal information does not extend to
  752  personal information about the consumer which belongs to, or
  753  which the business maintains on behalf of, another natural
  754  person.
  755         Section 7. Section 501.177, Florida Statutes, is created to
  756  read:
  757         501.177 Civil actions; private right of action; attorney
  758  general; rules.—
  759         (1) If any business violates any provision of this act, the
  760  consumer may initiate a civil action for any of the following:
  761         (a) Recovery of damages of at least $100 and not more than
  762  $750 per consumer per incident or actual damages, whichever is
  763  greater.
  764         (b) Injunctive or declaratory relief.
  765         (c) Reasonable costs of enforcement, including a reasonable
  766  attorney fee and costs.
  767         (d) Any other relief deemed appropriate by the court.
  768         (2) In assessing the amount of statutory damages, the court
  769  shall consider any one or more of the relevant circumstances
  770  presented by any of the parties to the case, including, but not
  771  limited to, the nature and seriousness of the misconduct, the
  772  number of violations, the persistence of the misconduct, the
  773  length of time over which the misconduct occurred, the
  774  willfulness of the defendant’s misconduct, and the defendant’s
  775  assets, liabilities, and net worth.
  776         (3)(a) The Department of Legal Affairs shall adopt rules to
  777  enforce this act. If the department has reason to believe that a
  778  business, directly or indirectly, has violated or is violating
  779  this section, the department may institute an appropriate legal
  780  proceeding against the business.
  781         (b) The trial court, upon a showing that any business,
  782  directly or indirectly, has violated or is violating this act,
  783  may take any of the following actions:
  784         1. Issue a temporary or permanent injunction.
  785         2. Impose a civil penalty not to exceed $5,000 for each
  786  violation. If the violation involves a consumer who was 16 years
  787  of age or younger at the time of the violation, the court may
  788  triple the civil penalty.
  789         3. Award reasonable costs of enforcement, including a
  790  reasonable attorney fee and costs.
  791         4. Grant such other relief as the court may deem
  792  appropriate.
  793         Section 8. This act shall take effect January 1, 2022.
  794  
  795  ================= T I T L E  A M E N D M E N T ================
  796  And the title is amended as follows:
  797         Delete everything before the enacting clause
  798  and insert:
  799                        A bill to be entitled                      
  800         An act relating to consumer data privacy; creating s.
  801         501.172, F.S.; providing a short title; creating s.
  802         501.173, F.S.; providing a purpose; creating s.
  803         501.174, F.S.; defining terms; creating s. 501.1745,
  804         F.S.; requiring certain businesses that collect
  805         consumer personal information to provide certain
  806         information to the consumer; requiring such
  807         collection, use, retention, and sharing of such
  808         information to meet certain requirements; requiring
  809         such businesses to implement reasonable security
  810         procedures and practices; requiring such businesses to
  811         enter into an agreement with third parties under
  812         certain circumstances; creating s. 501.175, F.S.;
  813         providing that consumers have the right to direct
  814         certain businesses not to sell their personal
  815         information; providing construction; requiring such
  816         businesses to notify consumers of such right;
  817         requiring businesses to comply with such a request
  818         under certain circumstances; prohibiting businesses
  819         from selling the personal information of consumers
  820         younger than a specified age without express
  821         authorization from the consumer or the consumer’s
  822         parent or guardian under certain circumstances;
  823         providing that a business that willfully disregards a
  824         consumer’s age is deemed to have actual knowledge of
  825         the consumer’s age; requiring certain businesses to
  826         provide a specified link on their home page for
  827         consumers to opt out; providing requirements for
  828         businesses to comply with a consumer’s opt-out
  829         request; providing that consumers have the right to
  830         submit a verified request for businesses to delete or
  831         correct personal information the businesses have
  832         collected about the consumers; providing construction;
  833         providing that consumers may authorize other persons
  834         to opt out of the sale of the consumer’s personal
  835         information on the consumer’s behalf; requiring
  836         businesses to establish designated addresses through
  837         which consumers may submit verified requests;
  838         specifying requirements for consumers’ verified
  839         requests and businesses’ responses; requiring
  840         businesses to comply with previous consumer requests
  841         without requiring additional information from the
  842         consumer, under certain circumstances; requiring
  843         businesses to provide certain notices to consumers;
  844         creating s. 501.176, F.S.; providing applicability;
  845         authorizing businesses to charge consumers a
  846         reasonable fee for manifestly unfounded or excessive
  847         requests, or to refuse to complete a request under
  848         certain circumstances; providing for business
  849         liability under certain circumstances; providing
  850         construction; providing that a consumer’s rights and
  851         the obligations of a business may not adversely affect
  852         the rights and freedoms of other consumers; creating
  853         s. 501.177, F.S.; authorizing consumers to initiate
  854         civil actions for violations; providing civil
  855         remedies; requiring the Department of Legal Affairs to
  856         adopt rules and to initiate legal proceedings against
  857         a business under certain circumstances; providing
  858         civil penalties; providing an effective date.