Florida Senate - 2021 COMMITTEE AMENDMENT
Bill No. CS for SB 1734
LEGISLATIVE ACTION
Senate: Comm: RCS, 04/07/2021
House:
The Committee on Rules (Bradley) recommended the following:
1 Senate Amendment (with title amendment)
2
3 Delete everything after the enacting clause
4 and insert:
5 Section 1. Section 501.172, Florida Statutes, is created to
6 read:
7 501.172 Short title.—This act may be cited as the “Florida
8 Privacy Protection Act.”
9 Section 2. Section 501.173, Florida Statutes, is created to
10 read:
11 501.173 Purpose.—This act shall be construed liberally in
12 recognition that privacy is an important right, and consumers in
13 this state should have the ability to share their personal
14 information as they wish, in a way that is safe and that they
15 understand and control.
16 Section 3. Section 501.174, Florida Statutes, is created to
17 read:
18 501.174 Definitions.—As used in ss. 501.172-501.177, unless
19 the context otherwise requires, the term:
20 (1) “Advertising and marketing” means a communication by a
21 business or a person acting on behalf of the business through
22 any medium intended to induce a consumer to obtain goods,
23 services, or employment.
24 (2) “Aggregate consumer information” means information that
25 relates to a group or category of consumers, from which
26 individual consumer identities have been removed, which is not
27 linked or reasonably linkable to any consumer or household,
28 including through a device. The term does not include one or
29 more individual consumer records that have been de-identified.
30 (3) “Biometric information” means an individual’s
31 physiological, biological, or behavioral characteristics,
32 including an individual’s deoxyribonucleic acid (DNA), which can
33 be used, singly or in combination with each other or with other
34 identifying data, to establish individual identity. The term
35 includes, but is not limited to, imagery of the iris, retina,
36 fingerprint, face, hand, or palm; vein patterns; voice
37 recordings from which an identifier template, such as a
38 faceprint, a minutiae template, or a voice print, can be
39 extracted; keystroke patterns or rhythms; gait patterns or
40 rhythms; and sleep, health, or exercise data that contain
41 identifying information.
42 (4) “Business” means:
43 (a) A sole proprietorship, a partnership, a limited
44 liability company, a corporation, or an association or any other
45 legal entity that meets the following requirements:
46 1. Is organized or operated for the profit or financial
47 benefit of its shareholders or owners;
48 2. Does business in this state;
49 3. Collects personal information about consumers, or is the
50 entity on behalf of which such information is collected;
51 4. Determines the purposes and means of processing personal
52 information about consumers, alone or jointly with others; and
53 5. Satisfies either of the following thresholds:
54 a. Annually buys, sells, or shares the personal information
55 of 100,000 or more consumers, households, or devices.
56 b. Derives 50 percent or more of its global annual revenues
57 from selling or sharing personal information about consumers.
58 (b) An entity that controls or is controlled by a business
59 and that shares common branding with the business. As used in
60 this paragraph, the term:
61 1. “Common branding” means a shared name, service mark, or
62 trademark that the average consumer would understand to mean
63 that two or more entities are commonly owned.
64 2. “Control” means:
65 a. Ownership of, or the power to vote, more than 50 percent
66 of the outstanding shares of any class of voting security of a
67 business;
68 b. Control in any manner over the election of a majority of
69 the directors, or of individuals exercising similar functions;
70 or
71 c. The power to exercise a controlling influence over the
72 management of a company.
73 (c) A joint venture or partnership composed of businesses
74 in which each business has at least a 40 percent interest. For
75 the purposes of this act, the joint venture or partnership, and
76 each business that comprises the joint venture or partnership,
77 must be considered a separate, single business, except that
78 personal information in the possession of each business and
79 disclosed to the joint venture or partnership may not be shared
80 with the other business. A joint venture does not include a
81 third party that operates, hosts, or manages a website or an
82 online service on behalf of a business or processes information
83 on behalf of a business.
84 (5) “Business purpose” means the use of personal
85 information for the business’ operational or other notice-given
86 purposes or for the service provider’s operational purposes,
87 provided that the use of the personal information is reasonably
88 necessary to achieve, and proportionate to the benefit of
89 achieving, the purpose for which the personal information was
90 collected or processed or for another purpose that is compatible
91 with the context in which the personal information was
92 collected. The term includes all of the following:
93 (a) Auditing related to counting ad impressions of unique
94 visitors and verifying positioning and the quality of ad
95 impressions, and auditing compliance with this specification and
96 other standards.
97 (b) Helping to ensure security and integrity to the extent
98 that the use of the consumer’s personal information is
99 reasonably necessary for these purposes and proportionate to the
100 benefit of its use for these purposes.
101 (c) Debugging to identify and repair errors that impair
102 existing intended functionality.
103 (d) Short-term, transient use, including, but not limited
104 to, nonpersonalized advertising shown as part of a consumer’s
105 current interaction with the business, provided that the
106 consumer’s personal information is not disclosed to a third
107 party and is not used to build a profile of the consumer or to
108 otherwise alter the consumer’s experience outside his or her
109 current interaction with the business.
110 (e) Performing services on behalf of the business,
111 including maintaining or servicing accounts, providing customer
112 service, processing or fulfilling orders and transactions,
113 verifying customer information, processing payments, or
114 providing financing, analytic services, storage, or similar
115 services on behalf of the business.
116 (f) Providing advertising and marketing services, not
117 including targeted advertising, to the consumer provided that,
118 for the purpose of advertising and marketing, a service provider
119 may not combine the personal information of consumers who opt
120 out which the service provider receives from, or on behalf of,
121 the business with personal information that the service provider
122 receives from, or on behalf of, another person or persons or
123 collects from its own interaction with consumers.
124 (g) Undertaking internal research for technological
125 development and demonstration.
126 (h) Undertaking activities to verify or maintain the
127 quality or safety of a service or device that is owned,
128 manufactured, manufactured for, or controlled by the business,
129 and to improve, upgrade, or enhance the service or device that
130 is owned, manufactured, manufactured for, or controlled by the
131 business.
132 (6) “Categories” or “category” means the items of personal
133 identifying information specified as being included as personal
134 information under subsection (18).
135 (7) “Collects,” “collected,” or “collection” means buying,
136 renting, gathering, obtaining, receiving, or accessing by any
137 means any personal information pertaining to a consumer. The
138 term includes receiving information from the consumer, either
139 actively or passively, or by observing the consumer’s behavior.
140 (8) “Commercial purposes” means to advance a person’s
141 commercial or economic interests, such as by inducing another
142 person to buy, rent, lease, join, subscribe to, provide, or
143 exchange products, goods, property, information, or services or
144 enabling or effecting, directly or indirectly, a commercial
145 transaction. The term does not include engaging in speech that
146 state or federal courts have recognized as noncommercial speech,
147 including political speech and journalism.
148 (9) “Consumer” means a natural person, however identified,
149 including identification by a unique identifier, who is in this
150 state for other than a temporary or transitory purpose. The term
151 does not include any other natural person who is a nonresident.
152 (10) “De-identified” means information:
153 (a) That cannot reasonably identify, relate to, describe,
154 be associated with, or be linked directly or indirectly to a
155 particular consumer or device;
156 (b) Containing data that the business has taken reasonable
157 measures to ensure could not be reidentified;
158 (c) Containing data that the business publicly commits to
159 maintain and use in a de-identified fashion and that it does not
160 attempt to reidentify; and
161 (d) Containing data that the business contractually
162 prohibits downstream recipients from attempting to reidentify.
163 (11) “Designated request address” means an electronic mail
164 address, a toll-free telephone number, or a website established
165 by a business through which a consumer may submit a verified
166 request to the business.
167 (12) “Device” means a physical object capable of directly
168 or indirectly connecting to the Internet.
169 (13) “Home page” means the introductory page of an Internet
170 website and any Internet web page where personal information is
171 collected. In the case of an online service, such as a mobile
172 application, the term means the application’s platform page or
173 download page; a link within the application, such as from the
174 application configuration, “about,” “information,” or settings
175 page; and any other location that allows consumers to review the
176 notices required by this act, at any time, including, but not
177 limited to, before downloading the application.
178 (14) “Household” means a person or group of persons living
179 together or sharing living quarters who are or are not related.
180 (15) “Intentional interaction” or “intentionally
181 interacting” means the consumer intends to interact with or
182 disclose personal information to a person through one or more
183 deliberate interactions, including visiting the person’s website
184 or purchasing a good or service from the person. The term does
185 not include hovering over, muting, pausing, or closing a given
186 piece of content.
187 (16) “Nonpersonalized advertising” means advertising and
188 marketing that is based solely on a consumer’s personal
189 information derived from the consumer’s current interaction with
190 the business, with the exception of the consumer’s precise
191 geolocation.
192 (17) “Person” means an individual, a proprietorship, a
193 firm, a partnership, a joint venture, a syndicate, a business
194 trust, a company, a corporation, a limited liability company, an
195 association, a committee, and any other organization or group of
196 persons acting in concert.
197 (18) “Personal information” means information that
198 identifies, relates to, describes, is reasonably capable of
199 being associated with, or could reasonably be linked, directly
200 or indirectly, with a particular consumer or household.
201 (a) The term includes, but is not limited to, all of the
202 following items of personal identifying information about a
203 consumer collected and maintained by a person or business:
204 1. A first and last name.
205 2. A home or other physical address that includes the name
206 of a street and the name of a city or town.
207 3. An electronic mail address.
208 4. A telephone number.
209 5. A social security number.
210 6. An identifier such as an alias, a unique personal
211 identifier, an online identifier, an Internet protocol address,
212 an account name, a driver license number, a passport number, or
213 other similar identifiers.
214 7. Biometric information, such as DNA or fingerprints or
215 any other biometric information collected by a business about a
216 consumer without the consumer’s knowledge.
217 8. Internet or other electronic network activity
218 information, including, but not limited to, browsing history,
219 search history, and information regarding a consumer’s
220 interaction with a website, an application, or an advertisement.
221 9. Audio, electronic, visual, thermal, olfactory,
222 geolocation, or similar information.
223 10. Professional or employment-related information.
224 11. Education information, defined as only information that
225 is not publicly available.
226 12. Inferences drawn from any information specified in this
227 paragraph which can create a profile about a consumer reflecting
228 the consumer’s preferences, characteristics, psychological
229 trends, predispositions, behavior, attitudes, intelligence,
230 abilities, and aptitudes.
231 13. Any other information that may serve as a probabilistic
232 identifier concerning a consumer which is collected from the
233 consumer through a website, an online service, or some other
234 means by the business and maintained by the business in
235 combination with an identifier in a form that, when used
236 together with the information, identifies the consumer.
237 14. Characteristics of protected classifications under
238 state or federal law.
239 15. Commercial information, including records of personal
240 property; products or services purchased, obtained, or
241 considered; or other purchasing or consuming histories or
242 tendencies.
243 16. Geolocation data.
244 (b) The term does not include:
245 1. Information about a consumer obtained from public
246 records, including information that is lawfully made available
247 from federal, state, or local governmental records; information
248 that a business has a reasonable basis to believe is lawfully
249 made available to the general public by the consumer or from
250 widely distributed media; or lawfully obtained, truthful
251 information that is a matter of public concern.
252 2. Consumer information that is de-identified or aggregate
253 consumer information that relates to a group or category of
254 consumers from which individual consumer identities have been
255 removed.
256 (19) “Probabilistic identifier” means the identification of
257 a consumer or a device to a degree of certainty more probable
258 than not, based on any categories of personal information
259 included in or similar to the items of personal identifying
260 information specified in subsection (18).
261 (20) “Processing” means any operation or set of operations
262 performed on personal information or on sets of personal
263 information, whether or not by automated means.
264 (21) “Profiling” means any form of automated processing
265 performed on personal data to evaluate, analyze, or predict
266 personal aspects related to an identified or identifiable
267 natural person’s economic situation, health, personal
268 preferences, interests, reliability, behavior, location, or
269 movements.
270 (22)(a) “Sale” or “sell” means the sale, rental, release,
271 disclosure, dissemination, making available, loaning, sharing,
272 transferring, or other communication, orally, in writing, or by
273 electronic or other means, of a consumer’s personal information
274 by a business to a third party for monetary or other tangible or
275 intangible consideration or for any commercial purpose.
276 (b) The term does not include any of the following:
277 1. The disclosure, for a business purpose, of personal
278 information by a business to a service provider who processes
279 the personal information on behalf of the business.
280 2. The disclosure, for the purposes of providing a product
281 or service requested by the consumer, of personal information by
282 a business to another business resulting from the consumer’s
283 intentional interaction.
284 (23) “Security and integrity” means the ability of a:
285 (a) Network or information system to detect security
286 incidents that compromise the availability, authenticity,
287 integrity, and confidentiality of stored or transmitted personal
288 information.
289 (b) Business to detect security incidents; to resist
290 malicious, deceptive, fraudulent, or illegal actions; and to
291 help prosecute those responsible for such actions.
292 (c) Business to ensure the physical safety of natural
293 persons.
294 (24) “Service provider” means a person who processes
295 personal information on behalf of a business to whom the
296 business discloses a consumer’s personal information for a
297 business purpose pursuant to a written or electronic contract if
298 the contract prohibits the person from:
299 (a) Selling the information;
300 (b) Retaining, using, or disclosing the personal
301 information for any purpose other than the business purposes
302 specified in the contract, including a prohibition on retaining,
303 using, or disclosing the personal information for a commercial
304 purpose other than the business purposes specified in the
305 contract with the business;
306 (c) Combining the personal information that the service
307 provider receives from or on behalf of the business with
308 personal information that the service provider receives from or
309 on behalf of another person or persons or collects from its own
310 interaction with consumers, provided that the service provider
311 may combine personal information to perform a business purpose;
312 and
313 (d) Retaining, using, or disclosing the information outside
314 of the direct business relationship between the service provider
315 and the business.
316 (25) “Targeted advertising” means displaying an
317 advertisement to a consumer when the advertisement is selected
318 based on personal data obtained from a consumer’s activities
319 over time and across businesses, websites, or online
320 applications other than the business, website, or online
321 application with which the consumer is intentionally
322 interacting, to predict such consumer’s preferences or
323 interests. The term does not include nonpersonalized
324 advertising.
325 (26) “Third party” means a person who is not any of the
326 following:
327 (a) The business with which the consumer intentionally
328 interacts which collects personal information from the consumer
329 as part of the consumer’s current interaction with the business.
330 (b) A service provider to the business.
331 (27) “Unique identifier” or “unique personal identifier”
332 means a persistent identifier that can be used to recognize a
333 consumer, a family, or a device linked to a consumer or family
334 over time and across different services, including, but not
335 limited to, a device identifier; an Internet protocol address;
336 cookies, beacons, pixel tags, mobile ad identifiers, or similar
337 technology; a customer number, unique pseudonym, or user alias;
338 telephone numbers; or other forms of persistent or probabilistic
339 identifiers that can be used to identify a particular consumer
340 or device that is linked to a consumer or family. For purposes
341 of this subsection, the term “family” means a custodial parent
342 or guardian and any minor children of which the parent or
343 guardian has custody.
344 (28) “Verified request” means a request submitted by a
345 consumer, by a consumer on behalf of the consumer’s minor child,
346 or by a natural person or a person registered with the Secretary
347 of State, who is authorized by the consumer to act on the
348 consumer’s behalf, to a business for which the business can
349 reasonably verify the authenticity of the request.
350 Section 4. Section 501.1745, Florida Statutes, is created
351 to read:
352 501.1745 General duties of businesses that collect personal
353 information.—
354 (1)(a) A business that controls the collection of a
355 consumer’s personal information that will be used for any
356 purpose other than a business purpose, at or before the point of
357 collection, shall inform consumers of all of the following:
358 1. The purposes for which each category of personal
359 information is collected or used and whether that information is
360 sold. A business may not collect additional categories of
361 personal information, or use collected personal information for
362 additional purposes that are incompatible with the disclosed
363 purpose for which the personal information was collected,
364 without providing the consumer with notice consistent with this
365 section.
366 2. The length of time the business intends to retain each
367 category of personal information or, if that is not possible,
368 the criteria used to determine such period, provided that a
369 business may not retain a consumer’s personal information for
370 each disclosed purpose for which the personal information was
371 collected for longer than is reasonably necessary for that
372 disclosed purpose.
373 (b) A business that collects personal information about,
374 but not directly from, consumers may provide the required
375 information on its Internet home page or in its online privacy
376 policy.
377 (2) A business’ collection, use, retention, and sharing of
378 a consumer’s personal information must be reasonably necessary
379 to achieve, and proportionate to the benefit of achieving, the
380 purposes for which the personal information was collected or
381 processed, and such information may not be further processed in
382 a manner that is incompatible with those purposes.
383 (3) A business that collects a consumer’s personal
384 information shall implement reasonable security procedures and
385 practices appropriate to the nature of the personal information
386 to protect the personal information from unauthorized or illegal
387 access, destruction, use, modification, or disclosure.
388 (4) A business that collects a consumer’s personal
389 information and discloses it to a service provider for a
390 business purpose shall enter into an agreement with such service
391 provider which obligates the service provider to comply with
392 applicable obligations under this act and to provide the same
393 level of privacy protection as is required by this act. If a
394 service provider engages any other person to assist it in
395 processing personal information for a business purpose on behalf
396 of the business, or if any other person engaged by the service
397 provider engages another person to assist in processing personal
398 information for that business purpose, the provider or person
399 must notify the business of that engagement, and the engagement
400 must be pursuant to a written contract that includes the
401 prohibitions described in s. 501.174(23) and a certification
402 made by the person receiving the personal information that he or
403 she understands the restrictions under this act and will comply
404 with them.
405 (5) A business may not process sensitive data concerning a
406 consumer without obtaining the consumer’s consent or, in the
407 case of the processing of sensitive data concerning a known
408 child, without processing such data in accordance with the
409 federal Children’s Online Privacy Protection Act, 15 U.S.C. s.
410 6501 et seq.
411 Section 5. Section 501.175, Florida Statutes, is created to
412 read:
413 501.175 Use of personal information; third parties; other
414 rights.—
415 (1)(a) A consumer has the right, at any time, to direct a
416 business that sells personal information about the consumer not
417 to sell the consumer’s personal information. This right may be
418 referred to as the right to opt out of the sale.
419 (b) As part of the right to opt out of the sale of his or
420 her personal information, a consumer has the right, at any time,
421 to opt out of the processing of the consumer’s personal data for
422 purposes of targeted advertising or profiling. However, this
423 paragraph may not be construed to prohibit the business that
424 collected the consumer’s personal information from:
425 1. Offering a different price, rate, level, quality, or
426 selection of goods or services to a consumer, including offering
427 goods or services for no fee, if the consumer has opted out of
428 targeted advertising or the sale of his or her personal
429 information; or
430 2. Offering a loyalty, reward, premium feature, discount,
431 or club card program.
432 (c) A business that charges or offers a different price,
433 rate, level, quality, or selection of goods or services to a
434 consumer who has opted out of targeted advertising or the sale
435 of his or her personal information, or that offers goods or
436 services for no fee, shall ensure that such charge or offer is:
437 1. Reasonably related to the value provided to the business
438 by the consumer’s data; and
439 2. Not unjust, unreasonable, coercive, or usurious.
440 (2) A business that sells consumers’ personal information
441 shall provide notice to consumers that the information may be
442 sold and that consumers have the right to opt out of the sale of
443 their personal information.
444 (3) A business that sells consumer information and that has
445 received direction from a consumer not to sell the consumer’s
446 personal information or, in the case of a minor consumer’s
447 personal information, has not received consent to sell the minor
448 consumer’s personal information, is prohibited from selling the
449 consumer’s personal information after the business receives the
450 consumer’s direction, unless the consumer subsequently provides
451 express authorization for the sale of the consumer’s personal
452 information. A business that is able to authenticate the
453 consumer, for example, by the consumer logging in, or that uses
454 some other unique identifier for the consumer, must comply with
455 any privacy preferences the consumer previously directed. The
456 business may not require the consumer to declare privacy
457 preferences every time the consumer visits the business’ website
458 or uses the business’ online services.
459 (4)(a) Notwithstanding subsection (1), a business may not
460 sell the personal information of consumers if the business has
461 actual knowledge that the consumer is younger than 16 years of
462 age, unless:
463 1. The consumer, in the case of consumers between 13 and 16
464 years of age, has affirmatively authorized the sale of the
465 consumer’s personal information; or
466 2. The consumer’s parent or guardian, in the case of
467 consumers who are younger than 13 years of age, has
468 affirmatively authorized the sale of the consumer’s personal
469 information.
470 (b) This right may be referred to as the right to opt in.
471 (c) A business that willfully disregards the consumer’s age
472 is deemed to have actual knowledge of the consumer’s age.
473 (d) A business that complies with the verifiable parental
474 consent requirements of the Children’s Online Privacy Protection
475 Act, 15 U.S.C. s. 6501 et seq., shall be deemed compliant with
476 any obligation to obtain parental consent.
477 (5) A business that is required to comply with this section
478 shall, in a form that is reasonably accessible to consumers, do
479 all of the following:
480 (a) Provide a clear and conspicuous link on the business’
481 Internet home page, titled “Do Not Sell My Personal
482 Information,” to a web page that enables a consumer or a person
483 authorized by the consumer to opt out of the sale of the
484 consumer’s personal information. A business may not require a
485 consumer to create an account in order to direct the business
486 not to sell the consumer’s information.
487 (b) Ensure that all individuals responsible for handling
488 consumer inquiries about the business’ privacy practices or the
489 business’ compliance with this section are informed of all
490 requirements of this section and how to direct consumers to
491 exercise their rights.
492 (c) For consumers who exercise their right to opt out of
493 the sale of their personal information, refrain from selling
494 personal information the business collected about the consumer
495 as soon as reasonably possible but no longer than 2 business
496 days after receiving the request to opt out.
497 (d) For consumers who have opted out of the sale of their
498 personal information, respect the consumer’s decision to opt out
499 for at least 12 months before requesting that the consumer
500 authorize the sale of the consumer’s personal information.
501 (e) Use any personal information collected from the
502 consumer in connection with the submission of the consumer’s
503 opt-out request solely for the purposes of complying with the
504 opt-out request.
505 (f) Ensure that consumers have the right to submit a
506 verified request for certain information from a business,
507 including the categories of sources from which the consumer’s
508 personal information was collected, the specific items of
509 personal information it has collected about the consumer, and
510 the categories of any third parties to whom the personal
511 information was sold.
512 (6) Consumers have the right to submit a verified request
513 that personal information that has been collected from the
514 consumer be deleted. A business shall notify a third party to
515 delete any consumer information bought or sold.
516 (7) A business, or a service provider acting pursuant to
517 its contract with the business or another service provider, is
518 not required to comply with a consumer’s verified request to
519 delete the consumer’s personal information if it is necessary
520 for the business or service provider to maintain the consumer’s
521 personal information in order to do any of the following:
522 (a) Complete the transaction for which the personal
523 information was collected, fulfill the terms of a written
524 warranty or product recall conducted in accordance with federal
525 law, provide a good or service requested by the consumer, or
526 otherwise perform a contract between the business and the
527 consumer.
528 (b) Help to ensure security and integrity to the extent
529 that the use of the consumer’s personal information is
530 reasonably necessary and proportionate for those purposes.
531 (c) Debug to identify and repair errors that impair
532 existing intended functionality.
533 (d) Exercise free speech, ensure the right of another
534 consumer to exercise that consumer’s right of free speech, or
535 exercise another right provided for by law.
536 (e) Engage in public or peer-reviewed scientific,
537 historical, or statistical research that conforms or adheres to
538 all other applicable ethics and privacy laws, when the business’
539 deletion of the information is likely to render impossible or
540 seriously impair the ability to complete such research, if the
541 consumer has provided informed consent.
542 (f) Comply with a legal obligation.
543 (8) Consumers have the right to submit a verified request
544 for correction of their personal information held by a business
545 if that information is inaccurate.
546 (9) This section may not be construed to require a business
547 to comply by doing any of the following:
548 (a) Including any required links and text on the home page
549 that the business makes available to the public generally, if:
550 1. The business maintains a separate and additional home
551 page that is dedicated to consumers in this state and includes
552 the required links and text; and
553 2. The business takes reasonable steps to ensure that
554 consumers in this state are directed to the home page for
555 consumers in this state and not the home page made available to
556 the public generally.
557 (b) Reidentifying or otherwise linking information that is
558 not maintained in a manner that would be considered personal
559 information; retaining any personal information about a consumer
560 if, in the ordinary course of business, that information would
561 not be retained; maintaining information in identifiable,
562 linkable, or associable form; or collecting, obtaining,
563 retaining, or accessing any data or technology in order to be
564 capable of linking or associating a verifiable consumer request
565 with personal information.
566 (10) A consumer may authorize another person to opt out of
567 the sale of the consumer’s personal information. A business
568 shall comply with an opt-out request received from a person
569 authorized by the consumer to act on the consumer’s behalf,
570 including a request received through a user-enabled global
571 privacy control, such as a browser plug-in or privacy setting,
572 device setting, or other mechanism, which communicates or
573 signals the consumer’s choice to opt out, and may not require a
574 consumer to make a verified request to opt out of the sale of
575 his or her information.
576 (11) Each business shall establish a designated request
577 address through which a consumer may submit a request to
578 exercise his or her rights under this act.
579 (12)(a) A business that receives a verified request:
580 1. For a consumer’s personal information shall disclose to
581 the consumer any personal information about the consumer which
582 it has collected since July 1, 2022, directly or indirectly,
583 including through or by a service provider.
584 2. To correct a consumer’s inaccurate personal information
585 shall correct the inaccurate personal information.
586 3. To delete a consumer’s personal information shall delete
587 such personal information.
588 (b) A service provider is not required to personally comply
589 with a verified request received directly from a consumer or a
590 consumer’s authorized agent to the extent that the service
591 provider has collected personal information about the consumer
592 in its role as a service provider. A service provider shall
593 provide assistance to a business with which it has a contractual
594 relationship with respect to the business’ response to a
595 verifiable consumer request, including, but not limited to, by
596 providing to the business the consumer’s personal information in
597 the service provider’s possession which the service provider
598 obtained as a result of providing services to the business.
599 (c) At the direction of the business, a service provider
600 shall correct inaccurate personal information or delete personal
601 information, or enable the business to do the same, and shall
602 direct any service providers who may have accessed such personal
603 information from or through the service provider to correct or
604 delete the consumer’s personal information, as applicable.
605 (d) A business shall comply with a verified request
606 submitted by a consumer to access, correct, or delete personal
607 information within 30 days after the date the request is
608 submitted. A business may extend such period by up to 30 days if
609 the business, in good faith, determines that such an extension
610 is reasonably necessary. A business that extends the period
611 shall notify the consumer of the necessity of an extension.
612 (13) A business shall comply with a consumer’s previous
613 expressed decision to opt out of the sale of his or her personal
614 information without requiring the consumer to take any
615 additional action if:
616 (a) The business is able to identify the consumer through a
617 login protocol or any other process the business uses to
618 identify consumers and the consumer has previously exercised his
619 or her right to opt out of the sale of his or her personal
620 information; or
621 (b) The business is aware of the consumer’s desire to opt
622 out of the sale of his or her personal information through the
623 use of a user-enabled global privacy control, such as a browser,
624 browser instruction, plug-in or privacy setting, device setting,
625 application, service, or other mechanism, which communicates or
626 signals the consumer’s choice to opt out.
627 (14) A business shall make available, in a manner
628 reasonably accessible to consumers whose personal information
629 the business collects through its website or online service, a
630 notice that does all of the following:
631 (a) Identifies the categories of personal information that
632 the business collects through its website or online service
633 about consumers who use or visit the website or online service
634 and the categories of third parties with whom the business may
635 share such personal information.
636 (b) Provides a description of the process, if applicable,
637 for a consumer who uses or visits the website or online service
638 to review and request changes to any of his or her personal
639 information that is collected through the website or online
640 service.
641 (c) Describes the process by which the business notifies
642 consumers who use or visit the website or online service of
643 material changes to the notice.
644 (d) Discloses whether a third party may collect personal
645 information about a consumer’s online activities over time and
646 across different websites or online services when the consumer
647 uses the business’ website or online service.
648 (e) States the effective date of the notice.
649 (15) If a request from a consumer is manifestly unfounded
650 or excessive, in particular because of the request’s repetitive
651 character, a business may either charge a reasonable fee, taking
652 into account the administrative costs of providing the
653 information or communication or taking the action requested, or
654 refuse to act on the request and notify the consumer of the
655 reason for refusing the request. The business bears the burden
656 of demonstrating that any verified consumer request is
657 manifestly unfounded or excessive.
658 (16) A business that discloses personal information to a
659 service provider is not liable under this act if the service
660 provider receiving the personal information uses it in violation
661 of the restrictions set forth in the act, provided that, at the
662 time of disclosing the personal information, the business does
663 not have actual knowledge, or reason to believe, that the
664 service provider intends to commit such a violation. A service
665 provider is likewise not liable under this act for the
666 obligations of a business for which it provides services as set
667 forth in this act.
668 (17) The rights afforded to consumers and the obligations
669 imposed on a business in this act may not adversely affect the
670 rights and freedoms of other consumers. Notwithstanding
671 subsection (7), a verified request for specific items of
672 personal information, to delete a consumer’s personal
673 information, or to correct inaccurate personal information does
674 not extend to personal information about the consumer which
675 belongs to, or which the business maintains on behalf of,
676 another natural person.
677 Section 6. Section 501.176, Florida Statutes, is created to
678 read:
679 501.176 Scope; exclusions.—
680 (1) The obligations imposed on a business by this act do
681 not restrict a business’ ability to do any of the following:
682 (a) Comply with federal, state, or local laws.
683 (b) Comply with a civil, criminal, or regulatory inquiry or
684 an investigation, a subpoena, or a summons by federal, state, or
685 local authorities.
686 (c) Cooperate with law enforcement agencies concerning
687 conduct or activity that the business, service provider, or
688 third party reasonably and in good faith believes may violate
689 federal, state, or local law.
690 (d) Exercise or defend legal claims.
691 (e) Collect, use, retain, sell, or disclose consumer
692 information that is de-identified or in the aggregate consumer
693 information that relates to a group or category of consumers
694 from which individual consumer identities have been removed.
695 (f) Collect or sell a consumer’s personal information if
696 every aspect of that commercial conduct takes place wholly
697 outside of this state. For purposes of this act, commercial
698 conduct takes place wholly outside of this state if the business
699 collected that information while the consumer was outside of
700 this state, no part of the sale of the consumer’s personal
701 information occurred in this state, and no personal information
702 collected while the consumer was in this state is sold. This
703 paragraph does not permit a business to store, including on a
704 device, personal information about a consumer when the consumer
705 is in this state and then to collect that personal information
706 when the consumer and stored personal information are outside of
707 this state.
708 (2) This act does not apply to any of the following:
709 (a) A business that collects or discloses the personal
710 information of its employees, owners, directors, officers, job
711 applicants, interns, or volunteers, so long as the business is
712 collecting or disclosing such information only to the extent
713 reasonable and necessary within the scope of the role the
714 business has in relation to each class of listed individuals.
715 (b) A business that enters into a contract with an
716 independent contractor and collects or discloses personal
717 information about the contractor reasonably necessary to either
718 enter into or to fulfill the contract when the contracted
719 services would not defeat the purposes of this act.
720 (c) Protected health information for purposes of the
721 federal Health Insurance Portability and Accountability Act of
722 1996 and related regulations, and patient identifying
723 information for purposes of 42 C.F.R. part 2, established
724 pursuant to 42 U.S.C. s. 290dd-2.
725 (d) A covered entity or business associate governed by the
726 privacy, security, and breach notification rules issued by the
727 United States Department of Health and Human Services in 45
728 C.F.R. parts 160 and 164, or a program or a qualified service
729 program defined in 42 C.F.R. part 2, to the extent the covered
730 entity, business associate, or program maintains personal
731 information in the same manner as medical information or
732 protected health information as described in paragraph (c).
733 (e) Identifiable private information collected for purposes
734 of research as defined in 45 C.F.R. s. 164.501 conducted in
735 accordance with the Federal Policy for the Protection of Human
736 Subjects for purposes of 45 C.F.R. part 46, the good clinical
737 practice guidelines issued by the International Council for
738 Harmonisation of Technical Requirements for Pharmaceuticals for
739 Human Use, or the Protection for Human Subjects for purposes of
740 21 C.F.R. parts 50 and 56; or personal information used or
741 shared in research conducted in accordance with one or more of
742 these standards.
743 (f) Information and documents created for purposes of the
744 federal Health Care Quality Improvement Act of 1986 and related
745 regulations, or patient safety work product for purposes of 42
746 C.F.R. part 3, established pursuant to 42 U.S.C. s. 299b-21
747 through 299b-26.
748 (g) Information that is de-identified in accordance with 45
749 C.F.R. part 164 and that is derived from individually
750 identifiable health information, as described in the Health
751 Insurance Portability and Accountability Act of 1996, or
752 identifiable personal information, consistent with the Federal
753 Policy for the Protection of Human Subjects or the human subject
754 protection requirements of the United States Food and Drug
755 Administration or the good clinical practice guidelines issued
756 by the International Council for Harmonisation.
757 (h) Information collected as part of a clinical trial
758 subject to the Federal Policy for the Protection of Human
759 Subjects pursuant to good clinical practice guidelines issued by
760 the International Council for Harmonisation of Technical
761 Requirements for Pharmaceuticals for Human Use or pursuant to
762 human subject protection requirements of the United States Food
763 and Drug Administration.
764 (i) The sale of personal information to or from a consumer
765 reporting agency if that information is to be reported in or
766 used to generate a consumer report as defined by 15 U.S.C. s.
767 1681(a), and if the use of that information is limited by the
768 federal Fair Credit Reporting Act, 15 U.S.C. s. 1681 et seq.
769 (j) Personal information collected, processed, sold, or
770 disclosed pursuant to the federal Gramm-Leach-Bliley Act, 15
771 U.S.C. s. 6801 et seq. and implementing regulations.
772 (k) Personal information collected, processed, sold, or
773 disclosed pursuant to the Farm Credit Act of 1971, as amended in
774 12 U.S.C. s. 2001-2279cc and implementing regulations.
775 (l) Personal information collected, processed, sold, or
776 disclosed pursuant to the federal Driver’s Privacy Protection
777 Act of 1994, 18 U.S.C. s. 2721 et seq.
778 (m) Education information covered by the federal Family
779 Educational Rights and Privacy Act, 20 U.S.C. s. 1232g and 34
780 C.F.R. part 99.
781 (n) Personal information collected, processed, sold, or
782 disclosed in relation to price, route, or service as those terms
783 are used in the federal Airline Deregulation Act, 49 U.S.C. s.
784 40101 et seq., by entities subject to the federal Airline
785 Deregulation Act, to the extent the provisions of this act are
786 preempted by s. 41713 of the federal Airline Deregulation Act.
787 (o) Vehicle information or ownership information retained
788 or shared between a new motor vehicle dealer and the vehicle’s
789 manufacturer if the vehicle or ownership information is shared
790 for the purpose of effectuating, or in anticipation of
791 effectuating, a vehicle repair covered by a vehicle warranty or
792 a recall conducted pursuant to 49 U.S.C. s. 30118-30120,
793 provided that the new motor vehicle dealer or vehicle
794 manufacturer with which that vehicle information or ownership
795 information is shared does not sell, share, or use that
796 information for any other purpose. As used in this paragraph,
797 the term “vehicle information” means the vehicle information
798 number, make, model, year, and odometer reading, and the term
799 “ownership information” means the name or names of the
800 registered owner or owners and the contact information for the
801 owner or owners.
802 Section 7. Section 501.177, Florida Statutes, is created to
803 read:
804 501.177 Enforcement; attorney general; rules.—
805 (1) The Department of Legal Affairs may adopt rules to
806 implement this section. If the department has reason to believe
807 that any business, service provider, or other person or entity
808 is in violation of this act and that proceedings would be in the
809 public interest, the department may institute an appropriate
810 legal proceeding against such party.
811 (2) After the department has notified a business in writing
812 of an alleged violation, the department may grant the business a
813 30-day period to cure the alleged violation. The department may
814 consider the number of violations, the substantial likelihood of
815 injury to the public, or the safety of persons or property when
816 determining whether to grant 30 days to cure an alleged
817 violation. If the business cures the alleged violation to the
818 satisfaction of the department and provides proof of such cure
819 to the department, the department may issue a letter of guidance
820 to the business which indicates that the business will not be
821 offered a 30-day cure period for any future violations. If the
822 business fails to cure the violation within 30 days, the
823 department may bring an action against the business for the
824 alleged violation.
825 (3) The trial court, upon a showing that any business,
826 service provider, or other person or entity is in violation of
827 this act, may take any of the following actions:
828 (a) Issue a temporary or permanent injunction.
829 (b) Impose a civil penalty of not more than $2,500 for each
830 unintentional violation or $7,500 for each intentional
831 violation. Such fines may be tripled if the violation involves a
832 consumer who is 16 years of age or younger.
833 (c) Award reasonable costs of enforcement, including
834 reasonable attorney fees and costs.
835 (d) Grant such other relief as the court may deem
836 appropriate.
837 Section 8. This act shall take effect July 1, 2022.
838
839 ================= T I T L E A M E N D M E N T ================
840 And the title is amended as follows:
841 Delete everything before the enacting clause
842 and insert:
843 A bill to be entitled
844 An act relating to consumer data privacy; creating s.
845 501.172, F.S.; providing a short title; creating s.
846 501.173, F.S.; providing a purpose; creating s.
847 501.174, F.S.; defining terms; creating s. 501.1745,
848 F.S.; requiring certain businesses that collect
849 consumer personal information to provide certain
850 information to the consumer; requiring such
851 collection, use, retention, and sharing of such
852 information to meet certain requirements; requiring
853 such businesses to implement reasonable security
854 procedures and practices; requiring such businesses to
855 enter into an agreement with service providers under
856 certain circumstances; prohibiting a business from
857 processing certain sensitive consumer data under
858 certain circumstances; creating s. 501.175, F.S.;
859 providing that consumers have the right to direct
860 certain businesses not to sell their personal
861 information; providing construction; requiring such
862 businesses to notify consumers of such right;
863 requiring businesses to comply with such a request
864 under certain circumstances; prohibiting businesses
865 from selling the personal information of consumers
866 younger than a specified age without express
867 authorization from the consumer or the consumer’s
868 parent or guardian under certain circumstances;
869 providing that a business that willfully disregards a
870 consumer’s age is deemed to have actual knowledge of
871 the consumer’s age; requiring certain businesses to
872 provide a specified link on their home page for
873 consumers to opt out; providing requirements for
874 businesses to comply with a consumer’s opt-out
875 request; providing that consumers have the right to
876 submit a verified request for businesses to delete or
877 correct personal information the businesses have
878 collected about the consumers; providing construction;
879 providing that consumers may authorize other persons
880 to opt out of the sale of the consumer’s personal
881 information on the consumer’s behalf; requiring
882 businesses to establish designated addresses through
883 which consumers may submit verified requests;
884 specifying requirements for consumers’ verified
885 requests and businesses’ responses; requiring
886 businesses to comply with previous consumer requests
887 without requiring additional information from the
888 consumer, under certain circumstances; requiring
889 businesses to provide certain notices to consumers;
890 authorizing businesses to charge consumers a
891 reasonable fee for manifestly unfounded or excessive
892 requests, or to refuse to complete a request under
893 certain circumstances; providing that business and
894 service providers are not liable for certain actions;
895 providing that a consumer’s rights and the obligations
896 of a business may not adversely affect the rights and
897 freedoms of other consumers; creating s. 501.176,
898 F.S.; providing applicability; providing exceptions;
899 creating s. 501.177, F.S.; authorizing the Department
900 of Legal Affairs to adopt rules and to bring
901 appropriate legal proceedings for violations under
902 certain circumstances; providing that businesses must
903 have a specified timeframe to cure any violations;
904 providing civil remedies; providing civil penalties
905 for unintentional and intentional violations;
906 providing enhanced penalties for certain violations;
907 providing an effective date.