Florida Senate - 2021 CS for SB 1734
By the Committee on Commerce and Tourism; and Senator Bradley
577-03169-21 20211734c1
1 A bill to be entitled
2 An act relating to consumer data privacy; creating s.
3 501.172, F.S.; providing a short title; creating s.
4 501.173, F.S.; providing a purpose; creating s.
5 501.174, F.S.; defining terms; creating s. 501.1745,
6 F.S.; requiring certain businesses that collect
7 consumer personal information to provide certain
8 information to the consumer; requiring such
9 collection, use, retention, and sharing of such
10 information to meet certain requirements; requiring
11 such businesses to implement reasonable security
12 procedures and practices; requiring such businesses to
13 enter into an agreement with third parties under
14 certain circumstances; creating s. 501.175, F.S.;
15 providing that consumers have the right to direct
16 certain businesses not to sell their personal
17 information; providing construction; requiring such
18 businesses to notify consumers of such right;
19 requiring businesses to comply with such a request
20 under certain circumstances; prohibiting businesses
21 from selling the personal information of consumers
22 younger than a specified age without express
23 authorization from the consumer or the consumer’s
24 parent or guardian under certain circumstances;
25 providing that a business that willfully disregards a
26 consumer’s age is deemed to have actual knowledge of
27 the consumer’s age; requiring certain businesses to
28 provide a specified link on their home page for
29 consumers to opt out; providing requirements for
30 businesses to comply with a consumer’s opt-out
31 request; providing that consumers have the right to
32 submit a verified request for businesses to delete or
33 correct personal information the businesses have
34 collected about the consumers; providing construction;
35 providing that consumers may authorize other persons
36 to opt out of the sale of the consumer’s personal
37 information on the consumer’s behalf; requiring
38 businesses to establish designated addresses through
39 which consumers may submit verified requests;
40 specifying requirements for consumers’ verified
41 requests and businesses’ responses; requiring
42 businesses to comply with previous consumer requests
43 without requiring additional information from the
44 consumer, under certain circumstances; requiring
45 businesses to provide certain notices to consumers;
46 creating s. 501.176, F.S.; providing applicability;
47 authorizing businesses to charge consumers a
48 reasonable fee for manifestly unfounded or excessive
49 requests, or to refuse to complete a request under
50 certain circumstances; providing for business
51 liability under certain circumstances; providing
52 construction; providing that a consumer’s rights and
53 the obligations of a business may not adversely affect
54 the rights and freedoms of other consumers; creating
55 s. 501.177, F.S.; authorizing consumers to initiate
56 civil actions for violations; providing civil
57 remedies; requiring the Department of Legal Affairs to
58 adopt rules and to initiate legal proceedings against
59 a business under certain circumstances; providing
60 civil penalties; providing an effective date.
61
62 Be It Enacted by the Legislature of the State of Florida:
63
64 Section 1. Section 501.172, Florida Statutes, is created to
65 read:
66 501.172 Short title.—This act may be cited as the “Florida
67 Privacy Protection Act.”
68 Section 2. Section 501.173, Florida Statutes, is created to
69 read:
70 501.173 Purpose.—This act shall be construed liberally in
71 recognition that privacy is an important right, and consumers in
72 this state should have the ability to share their personal
73 information as they wish, in a way that is safe and that they
74 understand and control.
75 Section 3. Section 501.174, Florida Statutes, is created to
76 read:
77 501.174 Definitions.—As used in ss. 501.172-501.177, unless
78 the context otherwise requires, the term:
79 (1) “Advertising and marketing” means a communication by a
80 business or a person acting on behalf of the business through
81 any medium intended to induce a consumer to obtain goods,
82 services, or employment.
83 (2) “Aggregate consumer information” means information that
84 relates to a group or category of consumers, from which
85 individual consumer identities have been removed, which is not
86 linked or reasonably linkable to any consumer or household,
87 including through a device. The term does not include one or
88 more individual consumer records that have been de-identified.
89 (3) “Biometric information” means an individual’s
90 physiological, biological, or behavioral characteristics,
91 including an individual’s deoxyribonucleic acid (DNA), which can
92 be used, singly or in combination with each other or with other
93 identifying data, to establish individual identity. The term
94 includes, but is not limited to, imagery of the iris, retina,
95 fingerprint, face, hand, or palm; vein patterns; voice
96 recordings from which an identifier template, such as a
97 faceprint, a minutiae template, or a voice print, can be
98 extracted; keystroke patterns or rhythms; gait patterns or
99 rhythms; and sleep, health, or exercise data that contain
100 identifying information.
101 (4) “Business” means:
102 (a) A sole proprietorship, a partnership, a limited
103 liability company, a corporation, or an association or any other
104 legal entity that meets the following requirements:
105 1. Is organized or operated for the profit or financial
106 benefit of its shareholders or owners;
107 2. Does business in this state;
108 3. Collects personal information about consumers, or is the
109 entity on behalf of which such information is collected;
110 4. Determines the purposes and means of processing personal
111 information about consumers, alone or jointly with others; and
112 5. Satisfies at least one of the following thresholds:
113 a. Has global annual gross revenues in excess of $25
114 million, as adjusted in January of every odd-numbered year to
115 reflect any increase in the Consumer Price Index.
116 b. Annually buys, sells, or shares the personal information
117 of 50,000 or more consumers, households, or devices.
118 c. Derives 50 percent or more of its global annual revenues
119 from selling or sharing personal information about consumers.
120 (b) An entity that controls or is controlled by a business
121 and that shares common branding with the business. As used in
122 this paragraph, the term:
123 1. “Common branding” means a shared name, service mark, or
124 trademark that the average consumer would understand to mean
125 that two or more entities are commonly owned.
126 2. “Control” means:
127 a. Ownership of, or the power to vote, more than 50 percent
128 of the outstanding shares of any class of voting security of a
129 business;
130 b. Control in any manner over the election of a majority of
131 the directors, or of individuals exercising similar functions;
132 or
133 c. The power to exercise a controlling influence over the
134 management of a company.
135 (c) A joint venture or partnership composed of businesses
136 in which each business has at least a 40 percent interest. For
137 the purposes of this act, the joint venture or partnership, and
138 each business that comprises the joint venture or partnership,
139 must be considered a separate, single business, except that
140 personal information in the possession of each business and
141 disclosed to the joint venture or partnership may not be shared
142 with the other business. A joint venture does not include a
143 third party that operates, hosts, or manages a website or an
144 online service on behalf of a business or processes information
145 on behalf of a business.
146 (5) “Business purpose” means the use of personal
147 information for the business’ operational or other notice-given
148 purposes or for the service provider’s operational purposes,
149 provided that the use of the personal information is reasonably
150 necessary to achieve, and proportionate to the benefit of
151 achieving, the purpose for which the personal information was
152 collected or processed or for another purpose that is compatible
153 with the context in which the personal information was
154 collected. The term includes all of the following:
155 (a) Auditing related to counting ad impressions of unique
156 visitors and verifying positioning and the quality of ad
157 impressions, and auditing compliance with this specification and
158 other standards.
159 (b) Helping to ensure security and integrity to the extent
160 that the use of the consumer’s personal information is
161 reasonably necessary for these purposes and proportionate to the
162 benefit of its use for these purposes.
163 (c) Debugging to identify and repair errors that impair
164 existing intended functionality.
165 (d) Short-term, transient use, including, but not limited
166 to, nonpersonalized advertising shown as part of a consumer’s
167 current interaction with the business, provided that the
168 consumer’s personal information is not disclosed to a third
169 party and is not used to build a profile of the consumer or to
170 otherwise alter the consumer’s experience outside his or her
171 current interaction with the business.
172 (e) Performing services on behalf of the business,
173 including maintaining or servicing accounts, providing customer
174 service, processing or fulfilling orders and transactions,
175 verifying customer information, processing payments, or
176 providing financing, analytic services, storage, or similar
177 services on behalf of the business.
178 (f) Providing advertising and marketing services, not
179 including targeted advertising, to the consumer provided that,
180 for the purpose of advertising and marketing, a service provider
181 may not combine the personal information of consumers who opt
182 out which the service provider receives from, or on behalf of,
183 the business with personal information that the service provider
184 receives from, or on behalf of, another person or persons or
185 collects from its own interaction with consumers.
186 (g) Undertaking internal research for technological
187 development and demonstration.
188 (h) Undertaking activities to verify or maintain the
189 quality or safety of a service or device that is owned,
190 manufactured, manufactured for, or controlled by the business,
191 and to improve, upgrade, or enhance the service or device that
192 is owned, manufactured, manufactured for, or controlled by the
193 business.
194 (6) “Categories” or “category” means the items of personal
195 identifying information specified as being included as personal
196 information under subsection (18).
197 (7) “Collects,” “collected,” or “collection” means buying,
198 renting, gathering, obtaining, receiving, or accessing by any
199 means any personal information pertaining to a consumer. The
200 term includes receiving information from the consumer, either
201 actively or passively, or by observing the consumer’s behavior.
202 (8) “Commercial purposes” means to advance a person’s
203 commercial or economic interests, such as by inducing another
204 person to buy, rent, lease, join, subscribe to, provide, or
205 exchange products, goods, property, information, or services or
206 enabling or effecting, directly or indirectly, a commercial
207 transaction. The term does not include engaging in speech that
208 state or federal courts have recognized as noncommercial speech,
209 including political speech and journalism.
210 (9) “Consumer” means a natural person, however identified,
211 including identification by a unique identifier, who is in this
212 state for other than a temporary or transitory purpose. The term
213 does not include any other natural person who is a nonresident.
214 (10) “De-identified” means information:
215 (a) That cannot reasonably identify, relate to, describe,
216 be associated with, or be linked directly or indirectly to a
217 particular consumer or device;
218 (b) Containing data that the business has taken reasonable
219 measures to ensure could not be reidentified;
220 (c) Containing data that the business publicly commits to
221 maintain and use in a de-identified fashion and that it does not
222 attempt to reidentify; and
223 (d) Containing data that the business contractually
224 prohibits downstream recipients from attempting to reidentify.
225 (11) “Designated request address” means an electronic mail
226 address, a toll-free telephone number, or a website established
227 by a business through which a consumer may submit a verified
228 request to the business.
229 (12) “Device” means a physical object capable of directly
230 or indirectly connecting to the Internet.
231 (13) “Home page” means the introductory page of an Internet
232 website and any Internet web page where personal information is
233 collected. In the case of an online service, such as a mobile
234 application, the term means the application’s platform page or
235 download page; a link within the application, such as from the
236 application configuration, “about,” “information,” or settings
237 page; and any other location that allows consumers to review the
238 notices required by this act, at any time, including, but not
239 limited to, before downloading the application.
240 (14) “Household” means a person or group of persons living
241 together or sharing living quarters who are or are not related.
242 (15) “Intentional interaction” or “intentionally
243 interacting” means the consumer intends to interact with or
244 disclose personal information to a person through one or more
245 deliberate interactions, including visiting the person’s website
246 or purchasing a good or service from the person. The term does
247 not include hovering over, muting, pausing, or closing a given
248 piece of content.
249 (16) “Nonpersonalized advertising” means advertising and
250 marketing that is based solely on a consumer’s personal
251 information derived from the consumer’s current interaction with
252 the business, with the exception of the consumer’s precise
253 geolocation.
254 (17) “Person” means an individual, a proprietorship, a
255 firm, a partnership, a joint venture, a syndicate, a business
256 trust, a company, a corporation, a limited liability company, an
257 association, a committee, and any other organization or group of
258 persons acting in concert.
259 (18) “Personal information” means information that
260 identifies, relates to, describes, is reasonably capable of
261 being associated with, or could reasonably be linked, directly
262 or indirectly, with a particular consumer or household.
263 (a) The term includes, but is not limited to, all of the
264 following items of personal identifying information about a
265 consumer collected and maintained by a person or business:
266 1. A first and last name.
267 2. A home or other physical address that includes the name
268 of a street and the name of a city or town.
269 3. An electronic mail address.
270 4. A telephone number.
271 5. A social security number.
272 6. An identifier such as an alias, a unique personal
273 identifier, an online identifier, an Internet protocol address,
274 an account name, a driver license number, a passport number, or
275 other similar identifiers.
276 7. Biometric information, such as DNA or fingerprints or
277 any other biometric information collected by a business about a
278 consumer without the consumer’s knowledge.
279 8. Internet or other electronic network activity
280 information, including, but not limited to, browsing history,
281 search history, and information regarding a consumer’s
282 interaction with a website, an application, or an advertisement.
283 9. Audio, electronic, visual, thermal, olfactory,
284 geolocation, or similar information.
285 10. Professional or employment-related information.
286 11. Education information, defined as only information that
287 is not publicly available.
288 12. Inferences drawn from any information specified in this
289 paragraph which can create a profile about a consumer reflecting
290 the consumer’s preferences, characteristics, psychological
291 trends, predispositions, behavior, attitudes, intelligence,
292 abilities, and aptitudes.
293 13. Any other information that may serve as a probabilistic
294 identifier concerning a consumer which is collected from the
295 consumer through a website, an online service, or some other
296 means by the business and maintained by the business in
297 combination with an identifier in a form that, when used
298 together with the information, identifies the consumer.
299 14. Characteristics of protected classifications under
300 state or federal law.
301 15. Commercial information, including records of personal
302 property; products or services purchased, obtained, or
303 considered; or other purchasing or consuming histories or
304 tendencies.
305 16. Geolocation data.
306 (b) The term does not include:
307 1. Information about a consumer obtained from public
308 records, including information that is lawfully made available
309 from federal, state, or local governmental records; information
310 that a business has a reasonable basis to believe is lawfully
311 made available to the general public by the consumer or from
312 widely distributed media; or lawfully obtained, truthful
313 information that is a matter of public concern.
314 2. Consumer information that is de-identified or aggregate
315 consumer information that relates to a group or category of
316 consumers from which individual consumer identities have been
317 removed.
318 (19) “Probabilistic identifier” means the identification of
319 a consumer or a device to a degree of certainty more probable
320 than not, based on any categories of personal information
321 included in or similar to the items of personal identifying
322 information specified in subsection (18).
323 (20) “Processing” means any operation or set of operations
324 performed on personal information or on sets of personal
325 information, whether or not by automated means.
326 (21) “Profiling” means any form of automated processing
327 performed on personal data to evaluate, analyze, or predict
328 personal aspects related to an identified or identifiable
329 natural person’s economic situation, health, personal
330 preferences, interests, reliability, behavior, location, or
331 movements.
332 (22)(a) “Sale” or “sell” means the sale, rental, release,
333 disclosure, dissemination, making available, loaning, sharing,
334 transferring, or other communication, orally, in writing, or by
335 electronic or other means, of a consumer’s personal information
336 by a business to a third party for monetary or other tangible or
337 intangible consideration or for any commercial purpose.
338 (b) The term does not include any of the following:
339 1. The disclosure, for a business purpose, of personal
340 information by a business to a service provider who processes
341 the personal information on behalf of the business.
342 2. The disclosure, for the purposes of providing a product
343 or service requested by the consumer, of personal information by
344 a business to another business resulting from the consumer’s
345 intentional interaction.
346 (23) “Security and integrity” means the ability of a:
347 (a) Network or information system to detect security
348 incidents that compromise the availability, authenticity,
349 integrity, and confidentiality of stored or transmitted personal
350 information.
351 (b) Business to detect security incidents; to resist
352 malicious, deceptive, fraudulent, or illegal actions; and to
353 help prosecute those responsible for such actions.
354 (c) Business to ensure the physical safety of natural
355 persons.
356 (24) “Service provider” means a person who processes
357 personal information on behalf of a business to whom the
358 business discloses a consumer’s personal information for a
359 business purpose pursuant to a written or electronic contract if
360 the contract prohibits the person from:
361 (a) Selling the information;
362 (b) Retaining, using, or disclosing the personal
363 information for any purpose other than the business purposes
364 specified in the contract, including a prohibition on retaining,
365 using, or disclosing the personal information for a commercial
366 purpose other than the business purposes specified in the
367 contract with the business;
368 (c) Combining the personal information that the service
369 provider receives from or on behalf of the business with
370 personal information that the service provider receives from or
371 on behalf of another person or persons or collects from its own
372 interaction with consumers, provided that the service provider
373 may combine personal information to perform a business purpose;
374 and
375 (d) Retaining, using, or disclosing the information outside
376 of the direct business relationship between the service provider
377 and the business.
378 (25) “Targeted advertising” means displaying an
379 advertisement to a consumer when the advertisement is selected
380 based on personal data obtained from a consumer’s activities
381 over time and across businesses, websites, or online
382 applications other than the business, website, or online
383 application with which the consumer is intentionally
384 interacting, to predict such consumer’s preferences or
385 interests. The term does not include nonpersonalized
386 advertising.
387 (26) “Third party” means a person who is not any of the
388 following:
389 (a) The business with which the consumer intentionally
390 interacts which collects personal information from the consumer
391 as part of the consumer’s current interaction with the business.
392 (b) A service provider to the business.
393 (27) “Unique identifier” or “unique personal identifier”
394 means a persistent identifier that can be used to recognize a
395 consumer, a family, or a device linked to a consumer or family
396 over time and across different services, including, but not
397 limited to, a device identifier; an Internet protocol address;
398 cookies, beacons, pixel tags, mobile ad identifiers, or similar
399 technology; a customer number, unique pseudonym, or user alias;
400 telephone numbers; or other forms of persistent or probabilistic
401 identifiers that can be used to identify a particular consumer
402 or device that is linked to a consumer or family. For purposes
403 of this subsection, the term “family” means a custodial parent
404 or guardian and any minor children of which the parent or
405 guardian has custody.
406 (28) “Verified request” means a request submitted by a
407 consumer, by a consumer on behalf of the consumer’s minor child,
408 or by a natural person or a person registered with the Secretary
409 of State, who is authorized by the consumer to act on the
410 consumer’s behalf, to a business for which the business can
411 reasonably verify the authenticity of the request.
412 Section 4. Section 501.1745, Florida Statutes, is created
413 to read:
414 501.1745 General duties of businesses that collect personal
415 information.—
416 (1) A business that controls the collection of a consumer’s
417 personal information that will be used for any purpose other
418 than a business purpose, at or before the point of collection,
419 shall inform consumers of all of the following:
420 (a) The purposes for which each category of personal
421 information is collected or used and whether that information is
422 sold. A business may not collect additional categories of
423 personal information, or use collected personal information for
424 additional purposes that are incompatible with the disclosed
425 purpose for which the personal information was collected,
426 without providing the consumer with notice consistent with this
427 section.
428 (b) The length of time the business intends to retain each
429 category of personal information or, if that is not possible,
430 the criteria used to determine such period, provided that a
431 business may not retain a consumer’s personal information for
432 each disclosed purpose for which the personal information was
433 collected for longer than is reasonably necessary for that
434 disclosed purpose.
435 (2) A business’ collection, use, retention, and sharing of
436 a consumer’s personal information must be reasonably necessary
437 to achieve, and proportionate to the benefit of achieving, the
438 purposes for which the personal information was collected or
439 processed, and such information may not be further processed in
440 a manner that is incompatible with those purposes.
441 (3) A business that collects a consumer’s personal
442 information shall implement reasonable security procedures and
443 practices appropriate to the nature of the personal information
444 to protect the personal information from unauthorized or illegal
445 access, destruction, use, modification, or disclosure.
446 (4) A business that collects a consumer’s personal
447 information and sells that personal information to a third party
448 or discloses it to a service provider for a business purpose
449 shall enter into an agreement with such third party or service
450 provider which obligates the third party or service provider to
451 comply with applicable obligations under this act and obligates
452 those persons to provide the same level of privacy protection as
453 is required by this act. If a service provider engages any other
454 person to assist it in processing personal information for a
455 business purpose on behalf of the business, or if any other
456 person engaged by the service provider engages another person to
457 assist in processing personal information for that business
458 purpose, the provider or person must notify the business of that
459 engagement, and the engagement must be pursuant to a written
460 contract that includes the prohibitions described in s.
461 501.174(23) and a certification made by the person receiving the
462 personal information that he or she understands the restrictions
463 under this act and will comply with them.
464 Section 5. Section 501.175, Florida Statutes, is created to
465 read:
466 501.175 Use of personal information; third parties; other
467 rights.—
468 (1)(a) A consumer has the right, at any time, to direct a
469 business that sells personal information about the consumer not
470 to sell the consumer’s personal information. This right may be
471 referred to as the right to opt out of the sale.
472 (b) As part of the right to opt out of the sale of his or
473 her personal information, a consumer has the right, at any time,
474 to opt out of the processing of the consumer’s personal data for
475 purposes of targeted advertising or profiling. However, this
476 paragraph may not be construed to prohibit the business that
477 collected the consumer’s personal information from:
478 1. Offering a different price, rate, level, quality, or
479 selection of goods or services to a consumer, including offering
480 goods or services for no fee, if the consumer has opted out of
481 targeted advertising or the sale of his or her personal
482 information; or
483 2. Offering a loyalty, reward, premium feature, discount,
484 or club card program.
485 (c) A business that charges or offers a different price,
486 rate, level, quality, or selection of goods or services to a
487 consumer who has opted out of targeted advertising or the sale
488 of his or her personal information, or that offers goods or
489 services for no fee, shall ensure that such charge or offer is:
490 1. Reasonably related to the value provided to the business
491 by the consumer’s data; and
492 2. Not unjust, unreasonable, coercive, or usurious.
493 (2) A business that sells consumers’ personal information
494 shall provide notice to consumers that the information may be
495 sold and that consumers have the right to opt out of the sale of
496 their personal information.
497 (3) A business that sells consumer information and that has
498 received direction from a consumer not to sell the consumer’s
499 personal information or, in the case of a minor consumer’s
500 personal information, has not received consent to sell the minor
501 consumer’s personal information, is prohibited from selling the
502 consumer’s personal information after the business receives the
503 consumer’s direction, unless the consumer subsequently provides
504 express authorization for the sale of the consumer’s personal
505 information. A business that is able to authenticate the
506 consumer, for example, by the consumer logging in, or that uses
507 some other unique identifier for the consumer, must comply with
508 any privacy preferences the consumer previously directed. The
509 business may not require the consumer to declare privacy
510 preferences every time the consumer visits the business’ website
511 or uses the business’ online services.
512 (4)(a) Notwithstanding subsection (1), a business may not
513 sell the personal information of consumers if the business has
514 actual knowledge that the consumer is younger than 16 years of
515 age, unless:
516 1. The consumer, in the case of consumers between 13 and 16
517 years of age, has affirmatively authorized the sale of the
518 consumer’s personal information; or
519 2. The consumer’s parent or guardian, in the case of
520 consumers who are younger than 13 years of age, has
521 affirmatively authorized the sale of the consumer’s personal
522 information.
523 (b) This right may be referred to as the right to opt in.
524 (c) A business that willfully disregards the consumer’s age
525 is deemed to have actual knowledge of the consumer’s age.
526 (5) A business that is required to comply with this section
527 shall, in a form that is reasonably accessible to consumers, do
528 all of the following:
529 (a) Provide a clear and conspicuous link on the business’
530 Internet home page, titled “Do Not Sell My Personal
531 Information,” to a web page that enables a consumer or a person
532 authorized by the consumer to opt out of the sale of the
533 consumer’s personal information. A business may not require a
534 consumer to create an account in order to direct the business
535 not to sell the consumer’s information.
536 (b) Ensure that all individuals responsible for handling
537 consumer inquiries about the business’ privacy practices or the
538 business’ compliance with this section are informed of all
539 requirements of this section and how to direct consumers to
540 exercise their rights.
541 (c) For consumers who exercise their right to opt out of
542 the sale of their personal information, refrain from selling
543 personal information the business collected about the consumer
544 as soon as reasonably possible but no longer than 2 business
545 days after receiving the request to opt out.
546 (d) For consumers who have opted out of the sale of their
547 personal information, respect the consumer’s decision to opt out
548 for at least 12 months before requesting that the consumer
549 authorize the sale of the consumer’s personal information.
550 (e) Use any personal information collected from the
551 consumer in connection with the submission of the consumer’s
552 opt-out request solely for the purposes of complying with the
553 opt-out request.
554 (f) Ensure that consumers have the right to submit a
555 verified request for certain information from a business,
556 including the sources from which the consumer’s personal
557 information was collected, the specific items of personal
558 information it has collected about the consumer, and any third
559 parties to whom the personal information was sold.
560 (6) Consumers have the right to submit a verified request
561 for the deletion of their personal information that the business
562 has collected.
563 (7) A business, or a service provider acting pursuant to
564 its contract with the business or another service provider, is
565 not required to comply with a consumer’s verified request to
566 delete the consumer’s personal information if it is necessary
567 for the business or service provider to maintain the consumer’s
568 personal information in order to do any of the following:
569 (a) Complete the transaction for which the personal
570 information was collected, fulfill the terms of a written
571 warranty or product recall conducted in accordance with federal
572 law, provide a good or service requested by the consumer, or
573 otherwise perform a contract between the business and the
574 consumer.
575 (b) Help to ensure security and integrity to the extent
576 that the use of the consumer’s personal information is
577 reasonably necessary and proportionate for those purposes.
578 (c) Debug to identify and repair errors that impair
579 existing intended functionality.
580 (d) Exercise free speech, ensure the right of another
581 consumer to exercise that consumer’s right of free speech, or
582 exercise another right provided for by law.
583 (e) Engage in public or peer-reviewed scientific,
584 historical, or statistical research that conforms or adheres to
585 all other applicable ethics and privacy laws, when the business’
586 deletion of the information is likely to render impossible or
587 seriously impair the ability to complete such research, if the
588 consumer has provided informed consent.
589 (f) Comply with a legal obligation.
590 (8) Consumers have the right to submit a verified request
591 for correction of their personal information held by a business
592 if that information is inaccurate.
593 (9) This section may not be construed to require a business
594 to comply by including the required links and text on the home
595 page that the business makes available to the public generally,
596 if:
597 (a) The business maintains a separate and additional home
598 page that is dedicated to consumers in this state and includes
599 the required links and text; and
600 (b) The business takes reasonable steps to ensure that
601 consumers in this state are directed to the home page for
602 consumers in this state and not the home page made available to
603 the public generally.
604 (10) A consumer may authorize another person to opt out of
605 the sale of the consumer’s personal information. A business
606 shall comply with an opt-out request received from a person
607 authorized by the consumer to act on the consumer’s behalf,
608 including a request received through a user-enabled global
609 privacy control, such as a browser plug-in or privacy setting,
610 device setting, or other mechanism, which communicates or
611 signals the consumer’s choice to opt out, and may not require a
612 consumer to make a verified request to opt out of the sale of
613 his or her information.
614 (11) Each business shall establish a designated request
615 address through which a consumer may submit a request to
616 exercise his or her rights under this act.
617 (12)(a) A business that receives a verified request:
618 1. For a consumer’s personal information, shall disclose to
619 the consumer any personal information about the consumer which
620 it has collected since July 1, 2022, directly or indirectly,
621 including through or by a service provider.
622 2. To correct a consumer’s inaccurate personal information,
623 shall correct the inaccurate personal information.
624 3. To delete a consumer’s personal information, shall
625 delete such personal information.
626 (b) A service provider is not required to personally comply
627 with a verified request received directly from a consumer or a
628 consumer’s authorized agent to the extent that the service
629 provider has collected personal information about the consumer
630 in its role as a service provider. A service provider shall
631 provide assistance to a business with which it has a contractual
632 relationship with respect to the business’ response to a
633 verifiable consumer request, including, but not limited to, by
634 providing to the business the consumer’s personal information in
635 the service provider’s possession which the service provider
636 obtained as a result of providing services to the business.
637 (c) At the direction of the business, a service provider
638 shall correct inaccurate personal information, or delete
639 personal information, or enable the business to do the same, and
640 shall notify any service providers who may have accessed such
641 personal information from or through the service provider, to
642 correct or delete the consumer’s personal information, as
643 applicable.
644 (d) A business shall comply with a verified request
645 submitted by a consumer to access, correct, or delete personal
646 information within 30 days after the date the request is
647 submitted. A business may extend such period by up to 30 days if
648 the business, in good faith, determines that such an extension
649 is reasonably necessary. A business that extends the period
650 shall notify the consumer of the necessity of an extension.
651 (13) A business shall comply with a consumer’s previous
652 expressed decision to opt out of the sale of his or her personal
653 information without requiring the consumer to take any
654 additional action if:
655 (a) The business is able to identify the consumer through a
656 login protocol or any other process the business uses to
657 identify consumers and the consumer has previously exercised his
658 or her right to opt out of the sale of his or her personal
659 information; or
660 (b) The business is aware of the consumer’s desire to opt
661 out of the sale of his or her personal information through the
662 use of a user-enabled global privacy control, such as a browser,
663 browser instruction, plug-in or privacy setting, device setting,
664 application, service, or other mechanism, which communicates or
665 signals the consumer’s choice to opt out.
666 (14) A business shall make available, in a manner
667 reasonably accessible to consumers whose personal information
668 the business collects through its website or online service, a
669 notice that does all of the following:
670 (a) Identifies the categories of personal information that
671 the business collects through its website or online service
672 about consumers who use or visit the website or online service
673 and the categories of third parties with whom the business may
674 share such personal information.
675 (b) Provides a description of the process, if applicable,
676 for a consumer who uses or visits the website or online service
677 to review and request changes to any of his or her personal
678 information that is collected through the website or online
679 service.
680 (c) Describes the process by which the business notifies
681 consumers who use or visit the website or online service of
682 material changes to the notice.
683 (d) Discloses whether a third party may collect personal
684 information about a consumer’s online activities over time and
685 across different websites or online services when the consumer
686 uses the business’ website or online service.
687 (e) States the effective date of the notice.
688 Section 6. Section 501.176, Florida Statutes, is created to
689 read:
690 501.176 Exclusions.—
691 (1) The obligations imposed on a business by this act do
692 not restrict a business’ ability to do any of the following:
693 (a) Comply with federal, state, or local laws.
694 (b) Comply with a civil, criminal, or regulatory inquiry or
695 an investigation, a subpoena, or a summons by federal, state, or
696 local authorities.
697 (c) Cooperate with law enforcement agencies concerning
698 conduct or activity that the business, service provider, or
699 third party reasonably and in good faith believes may violate
700 federal, state, or local law.
701 (d) Exercise or defend legal claims.
702 (e) Collect, use, retain, sell, or disclose consumer
703 information that is de-identified or in the aggregate consumer
704 information that relates to a group or category of consumers
705 from which individual consumer identities have been removed.
706 (f) Collect or sell a consumer’s personal information if
707 every aspect of that commercial conduct takes place wholly
708 outside of this state. For purposes of this act, commercial
709 conduct takes place wholly outside of this state if the business
710 collected that information while the consumer was outside of
711 this state, no part of the sale of the consumer’s personal
712 information occurred in this state, and no personal information
713 collected while the consumer was in this state is sold. This
714 paragraph does not permit a business to store, including on a
715 device, personal information about a consumer when the consumer
716 is in this state and then to collect that personal information
717 when the consumer and stored personal information are outside of
718 this state.
719 (2) This act does not apply to any of the following:
720 (a) A business that collects or discloses the personal
721 information of the business’ employees, applicants, interns, or
722 volunteers so long as the business is collecting or disclosing
723 such information within the scope of its role as an employer.
724 (b) Health information that is collected by a covered
725 entity or business associate governed by the privacy, security,
726 and breach notification rules issued by the United States
727 Department of Health and Human Services in 45 C.F.R. parts 160
728 and 164.
729 (c) A covered entity governed by the privacy, security, and
730 breach notification rules issued by the United States Department
731 of Health and Human Services in 45 C.F.R. parts 160 and 164, to
732 the extent the provider or covered entity maintains patient
733 information in the same manner as medical information or
734 protected health information as described in paragraph (b).
735 (d) Information collected as part of a clinical trial
736 subject to the Federal Policy for the Protection of Human
737 Subjects pursuant to good clinical practice guidelines issued by
738 the International Council for Harmonisation of Technical
739 Requirements for Pharmaceuticals for Human Use or pursuant to
740 human subject protection requirements of the United States Food
741 and Drug Administration.
742 (e) The sale of personal information to or from a consumer
743 reporting agency if that information is to be reported in or
744 used to generate a consumer report as defined by 15 U.S.C. s.
745 1681(a), and if the use of that information is limited by the
746 federal Fair Credit Reporting Act, 15 U.S.C. s. 1681 et seq.
747 (f) Personal information collected, processed, sold, or
748 disclosed pursuant to the federal Gramm-Leach-Bliley Act, 12
749 U.S.C. s. 24(a) et seq. and implementing regulations.
750 (g) Personal information collected, processed, sold, or
751 disclosed pursuant to the federal Driver’s Privacy Protection
752 Act of 1994, 18 U.S.C. s. 2721 et seq.
753 (h) Education information covered by the federal Family
754 Educational Rights and Privacy Act, 20 U.S.C. s. 1232g and 34
755 C.F.R. part 99.
756 (i) Personal information collected, processed, sold, or
757 disclosed in relation to price, route, or service as those terms
758 are used in the federal Airline Deregulation Act, 49 U.S.C. s.
759 40101 et seq., by entities subject to the federal Airline
760 Deregulation Act, to the extent the provisions of this act are
761 preempted by s. 41713 of the federal Airline Deregulation Act.
762 (j) Vehicle information or ownership information retained
763 or shared between a new motor vehicle dealer and the vehicle’s
764 manufacturer if the vehicle or ownership information is shared
765 for the purpose of effectuating, or in anticipation of
766 effectuating, a vehicle repair covered by a vehicle warranty or
767 a recall conducted pursuant to 49 U.S.C. s. 30118-30120,
768 provided that the new motor vehicle dealer or vehicle
769 manufacturer with which that vehicle information or ownership
770 information is shared does not sell, share, or use that
771 information for any other purpose. As used in this paragraph,
772 the term “vehicle information” means the vehicle information
773 number, make, model, year, and odometer reading, and the term
774 “ownership information” means the name or names of the
775 registered owner or owners and the contact information for the
776 owner or owners.
777 (3) If a request from a consumer is manifestly unfounded or
778 excessive, in particular because of the request’s repetitive
779 character, a business may either charge a reasonable fee, taking
780 into account the administrative costs of providing the
781 information or communication or taking the action requested, or
782 refuse to act on the request and notify the consumer of the
783 reason for refusing the request. The business bears the burden
784 of demonstrating that any verified consumer request is
785 manifestly unfounded or excessive.
786 (4) A business that discloses personal information to a
787 service provider is not liable under this act if the service
788 provider receiving the personal information uses it in violation
789 of the restrictions set forth in the act, provided that, at the
790 time of disclosing the personal information, the business does
791 not have actual knowledge, or reason to believe, that the
792 service provider intends to commit such a violation. A service
793 provider is likewise not liable under this act for the
794 obligations of a business for which it provides services as set
795 forth in this act.
796 (5) This act may not be construed to require a business to
797 reidentify or otherwise link information that is not maintained
798 in a manner that would be considered personal information;
799 retain any personal information about a consumer if, in the
800 ordinary course of business, that information would not be
801 retained; maintain information in identifiable, linkable, or
802 associable form; or collect, obtain, retain, or access any data
803 or technology in order to be capable of linking or associating a
804 verifiable consumer request with personal information.
805 (6) The rights afforded to consumers and the obligations
806 imposed on a business in this act may not adversely affect the
807 rights and freedoms of other consumers. Notwithstanding s.
808 501.175(7), a verified request for specific items of personal
809 information, to delete a consumer’s personal information, or to
810 correct inaccurate personal information does not extend to
811 personal information about the consumer which belongs to, or
812 which the business maintains on behalf of, another natural
813 person.
814 Section 7. Section 501.177, Florida Statutes, is created to
815 read:
816 501.177 Civil actions; private right of action; attorney
817 general; rules.—
818 (1) If any business violates any provision of this act, the
819 consumer may initiate a civil action for any of the following:
820 (a) Recovery of damages of at least $100 and not more than
821 $750 per consumer per incident or actual damages, whichever is
822 greater.
823 (b) Injunctive or declaratory relief.
824 (c) Reasonable costs of enforcement, including a reasonable
825 attorney fee and costs.
826 (d) Any other relief deemed appropriate by the court.
827 (2) In assessing the amount of statutory damages, the court
828 shall consider any one or more of the relevant circumstances
829 presented by any of the parties to the case, including, but not
830 limited to, the nature and seriousness of the misconduct, the
831 number of violations, the persistence of the misconduct, the
832 length of time over which the misconduct occurred, the
833 willfulness of the defendant’s misconduct, and the defendant’s
834 assets, liabilities, and net worth.
835 (3)(a) The Department of Legal Affairs shall adopt rules to
836 enforce this act. If the department has reason to believe that a
837 business, directly or indirectly, has violated or is violating
838 this section, the department may institute an appropriate legal
839 proceeding against the business.
840 (b) The trial court, upon a showing that any business,
841 directly or indirectly, has violated or is violating this act,
842 may take any of the following actions:
843 1. Issue a temporary or permanent injunction.
844 2. Impose a civil penalty not to exceed $5,000 for each
845 violation. If the violation involves a consumer who was 16 years
846 of age or younger at the time of the violation, the court may
847 triple the civil penalty.
848 3. Award reasonable costs of enforcement, including a
849 reasonable attorney fee and costs.
850 4. Grant such other relief as the court may deem
851 appropriate.
852 Section 8. This act shall take effect January 1, 2022.