Florida Senate - 2021                             CS for SB 1734

       By the Committee on Commerce and Tourism; and Senator Bradley

       577-03169-21                                          20211734c1
    1                        A bill to be entitled                      
    2         An act relating to consumer data privacy; creating s.
    3         501.172, F.S.; providing a short title; creating s.
    4         501.173, F.S.; providing a purpose; creating s.
    5         501.174, F.S.; defining terms; creating s. 501.1745,
    6         F.S.; requiring certain businesses that collect
    7         consumer personal information to provide certain
    8         information to the consumer; requiring such
    9         collection, use, retention, and sharing of such
   10         information to meet certain requirements; requiring
   11         such businesses to implement reasonable security
   12         procedures and practices; requiring such businesses to
   13         enter into an agreement with third parties under
   14         certain circumstances; creating s. 501.175, F.S.;
   15         providing that consumers have the right to direct
   16         certain businesses not to sell their personal
   17         information; providing construction; requiring such
   18         businesses to notify consumers of such right;
   19         requiring businesses to comply with such a request
   20         under certain circumstances; prohibiting businesses
   21         from selling the personal information of consumers
   22         younger than a specified age without express
   23         authorization from the consumer or the consumer’s
   24         parent or guardian under certain circumstances;
   25         providing that a business that willfully disregards a
   26         consumer’s age is deemed to have actual knowledge of
   27         the consumer’s age; requiring certain businesses to
   28         provide a specified link on their home page for
   29         consumers to opt out; providing requirements for
   30         businesses to comply with a consumer’s opt-out
   31         request; providing that consumers have the right to
   32         submit a verified request for businesses to delete or
   33         correct personal information the businesses have
   34         collected about the consumers; providing construction;
   35         providing that consumers may authorize other persons
   36         to opt out of the sale of the consumer’s personal
   37         information on the consumer’s behalf; requiring
   38         businesses to establish designated addresses through
   39         which consumers may submit verified requests;
   40         specifying requirements for consumers’ verified
   41         requests and businesses’ responses; requiring
   42         businesses to comply with previous consumer requests
   43         without requiring additional information from the
   44         consumer, under certain circumstances; requiring
   45         businesses to provide certain notices to consumers;
   46         creating s. 501.176, F.S.; providing applicability;
   47         authorizing businesses to charge consumers a
   48         reasonable fee for manifestly unfounded or excessive
   49         requests, or to refuse to complete a request under
   50         certain circumstances; providing for business
   51         liability under certain circumstances; providing
   52         construction; providing that a consumer’s rights and
   53         the obligations of a business may not adversely affect
   54         the rights and freedoms of other consumers; creating
   55         s. 501.177, F.S.; authorizing consumers to initiate
   56         civil actions for violations; providing civil
   57         remedies; requiring the Department of Legal Affairs to
   58         adopt rules and to initiate legal proceedings against
   59         a business under certain circumstances; providing
   60         civil penalties; providing an effective date.
   61          
   62  Be It Enacted by the Legislature of the State of Florida:
   63  
   64         Section 1. Section 501.172, Florida Statutes, is created to
   65  read:
   66         501.172 Short title.—This act may be cited as the “Florida
   67  Privacy Protection Act.”
   68         Section 2. Section 501.173, Florida Statutes, is created to
   69  read:
   70         501.173 Purpose.—This act shall be construed liberally in
   71  recognition that privacy is an important right, and consumers in
   72  this state should have the ability to share their personal
   73  information as they wish, in a way that is safe and that they
   74  understand and control.
   75         Section 3. Section 501.174, Florida Statutes, is created to
   76  read:
   77         501.174 Definitions.—As used in ss. 501.172-501.177, unless
   78  the context otherwise requires, the term:
   79         (1)“Advertising and marketing” means a communication by a
   80  business or a person acting on behalf of the business through
   81  any medium intended to induce a consumer to obtain goods,
   82  services, or employment.
   83         (2)“Aggregate consumer information” means information that
   84  relates to a group or category of consumers, from which
   85  individual consumer identities have been removed, which is not
   86  linked or reasonably linkable to any consumer or household,
   87  including through a device. The term does not include one or
   88  more individual consumer records that have been de-identified.
   89         (3)“Biometric information” means an individual’s
   90  physiological, biological, or behavioral characteristics,
   91  including an individual’s deoxyribonucleic acid (DNA), which can
   92  be used, singly or in combination with each other or with other
   93  identifying data, to establish individual identity. The term
   94  includes, but is not limited to, imagery of the iris, retina,
   95  fingerprint, face, hand, or palm; vein patterns; voice
   96  recordings from which an identifier template, such as a
   97  faceprint, a minutiae template, or a voice print, can be
   98  extracted; keystroke patterns or rhythms; gait patterns or
   99  rhythms; and sleep, health, or exercise data that contain
  100  identifying information.
  101         (4)“Business” means:
  102         (a)A sole proprietorship, a partnership, a limited
  103  liability company, a corporation, or an association or any other
  104  legal entity that meets the following requirements:
  105         1.Is organized or operated for the profit or financial
  106  benefit of its shareholders or owners;
  107         2.Does business in this state;
  108         3.Collects personal information about consumers, or is the
  109  entity on behalf of which such information is collected;
  110         4.Determines the purposes and means of processing personal
  111  information about consumers, alone or jointly with others; and
  112         5.Satisfies at least one of the following thresholds:
  113         a.Has global annual gross revenues in excess of $25
  114  million, as adjusted in January of every odd-numbered year to
  115  reflect any increase in the Consumer Price Index.
  116         b.Annually buys, sells, or shares the personal information
  117  of 50,000 or more consumers, households, or devices.
  118         c.Derives 50 percent or more of its global annual revenues
  119  from selling or sharing personal information about consumers.
  120         (b)An entity that controls or is controlled by a business
  121  and that shares common branding with the business. As used in
  122  this paragraph, the term:
  123         1.“Common branding” means a shared name, service mark, or
  124  trademark that the average consumer would understand to mean
  125  that two or more entities are commonly owned.
  126         2.“Control” means:
  127         a.Ownership of, or the power to vote, more than 50 percent
  128  of the outstanding shares of any class of voting security of a
  129  business;
  130         b.Control in any manner over the election of a majority of
  131  the directors, or of individuals exercising similar functions;
  132  or
  133         c.The power to exercise a controlling influence over the
  134  management of a company.
  135         (c)A joint venture or partnership composed of businesses
  136  in which each business has at least a 40 percent interest. For
  137  the purposes of this act, the joint venture or partnership, and
  138  each business that comprises the joint venture or partnership,
  139  must be considered a separate, single business, except that
  140  personal information in the possession of each business and
  141  disclosed to the joint venture or partnership may not be shared
  142  with the other business. A joint venture does not include a
  143  third party that operates, hosts, or manages a website or an
  144  online service on behalf of a business or processes information
  145  on behalf of a business.
  146         (5)“Business purpose” means the use of personal
  147  information for the business’ operational or other notice-given
  148  purposes or for the service provider’s operational purposes,
  149  provided that the use of the personal information is reasonably
  150  necessary to achieve, and proportionate to the benefit of
  151  achieving, the purpose for which the personal information was
  152  collected or processed or for another purpose that is compatible
  153  with the context in which the personal information was
  154  collected. The term includes all of the following:
  155         (a)Auditing related to counting ad impressions of unique
  156  visitors and verifying positioning and the quality of ad
  157  impressions, and auditing compliance with this specification and
  158  other standards.
  159         (b)Helping to ensure security and integrity to the extent
  160  that the use of the consumer’s personal information is
  161  reasonably necessary for these purposes and proportionate to the
  162  benefit of its use for these purposes.
  163         (c)Debugging to identify and repair errors that impair
  164  existing intended functionality.
  165         (d)Short-term, transient use, including, but not limited
  166  to, nonpersonalized advertising shown as part of a consumer’s
  167  current interaction with the business, provided that the
  168  consumer’s personal information is not disclosed to a third
  169  party and is not used to build a profile of the consumer or to
  170  otherwise alter the consumer’s experience outside his or her
  171  current interaction with the business.
  172         (e)Performing services on behalf of the business,
  173  including maintaining or servicing accounts, providing customer
  174  service, processing or fulfilling orders and transactions,
  175  verifying customer information, processing payments, or
  176  providing financing, analytic services, storage, or similar
  177  services on behalf of the business.
  178         (f)Providing advertising and marketing services, not
  179  including targeted advertising, to the consumer provided that,
  180  for the purpose of advertising and marketing, a service provider
  181  may not combine the personal information of consumers who opt
  182  out which the service provider receives from, or on behalf of,
  183  the business with personal information that the service provider
  184  receives from, or on behalf of, another person or persons or
  185  collects from its own interaction with consumers.
  186         (g)Undertaking internal research for technological
  187  development and demonstration.
  188         (h)Undertaking activities to verify or maintain the
  189  quality or safety of a service or device that is owned,
  190  manufactured, manufactured for, or controlled by the business,
  191  and to improve, upgrade, or enhance the service or device that
  192  is owned, manufactured, manufactured for, or controlled by the
  193  business.
  194         (6)“Categories” or “category” means the items of personal
  195  identifying information specified as being included as personal
  196  information under subsection (18).
  197         (7)“Collects,” “collected,” or “collection” means buying,
  198  renting, gathering, obtaining, receiving, or accessing by any
  199  means any personal information pertaining to a consumer. The
  200  term includes receiving information from the consumer, either
  201  actively or passively, or by observing the consumer’s behavior.
  202         (8)“Commercial purposes” means to advance a person’s
  203  commercial or economic interests, such as by inducing another
  204  person to buy, rent, lease, join, subscribe to, provide, or
  205  exchange products, goods, property, information, or services or
  206  enabling or effecting, directly or indirectly, a commercial
  207  transaction. The term does not include engaging in speech that
  208  state or federal courts have recognized as noncommercial speech,
  209  including political speech and journalism.
  210         (9)“Consumer” means a natural person, however identified,
  211  including identification by a unique identifier, who is in this
  212  state for other than a temporary or transitory purpose. The term
  213  does not include any other natural person who is a nonresident.
  214         (10)“De-identified” means information:
  215         (a)That cannot reasonably identify, relate to, describe,
  216  be associated with, or be linked directly or indirectly to a
  217  particular consumer or device;
  218         (b)Containing data that the business has taken reasonable
  219  measures to ensure could not be reidentified;
  220         (c)Containing data that the business publicly commits to
  221  maintain and use in a de-identified fashion and that it does not
  222  attempt to reidentify; and
  223         (d)Containing data that the business contractually
  224  prohibits downstream recipients from attempting to reidentify.
  225         (11)“Designated request address” means an electronic mail
  226  address, a toll-free telephone number, or a website established
  227  by a business through which a consumer may submit a verified
  228  request to the business.
  229         (12) “Device” means a physical object capable of directly
  230  or indirectly connecting to the Internet.
  231         (13)“Home page” means the introductory page of an Internet
  232  website and any Internet web page where personal information is
  233  collected. In the case of an online service, such as a mobile
  234  application, the term means the application’s platform page or
  235  download page; a link within the application, such as from the
  236  application configuration, “about,” “information,” or settings
  237  page; and any other location that allows consumers to review the
  238  notices required by this act, at any time, including, but not
  239  limited to, before downloading the application.
  240         (14)“Household” means a person or group of persons living
  241  together or sharing living quarters who are or are not related.
  242         (15)“Intentional interaction” or “intentionally
  243  interacting” means the consumer intends to interact with or
  244  disclose personal information to a person through one or more
  245  deliberate interactions, including visiting the person’s website
  246  or purchasing a good or service from the person. The term does
  247  not include hovering over, muting, pausing, or closing a given
  248  piece of content.
  249         (16)“Nonpersonalized advertising” means advertising and
  250  marketing that is based solely on a consumer’s personal
  251  information derived from the consumer’s current interaction with
  252  the business, with the exception of the consumer’s precise
  253  geolocation.
  254         (17)“Person” means an individual, a proprietorship, a
  255  firm, a partnership, a joint venture, a syndicate, a business
  256  trust, a company, a corporation, a limited liability company, an
  257  association, a committee, and any other organization or group of
  258  persons acting in concert.
  259         (18)“Personal information” means information that
  260  identifies, relates to, describes, is reasonably capable of
  261  being associated with, or could reasonably be linked, directly
  262  or indirectly, with a particular consumer or household.
  263         (a)The term includes, but is not limited to, all of the
  264  following items of personal identifying information about a
  265  consumer collected and maintained by a person or business:
  266         1.A first and last name.
  267         2.A home or other physical address that includes the name
  268  of a street and the name of a city or town.
  269         3.An electronic mail address.
  270         4.A telephone number.
  271         5.A social security number.
  272         6.An identifier such as an alias, a unique personal
  273  identifier, an online identifier, an Internet protocol address,
  274  an account name, a driver license number, a passport number, or
  275  other similar identifiers.
  276         7.Biometric information, such as DNA or fingerprints or
  277  any other biometric information collected by a business about a
  278  consumer without the consumer’s knowledge.
  279         8.Internet or other electronic network activity
  280  information, including, but not limited to, browsing history,
  281  search history, and information regarding a consumer’s
  282  interaction with a website, an application, or an advertisement.
  283         9.Audio, electronic, visual, thermal, olfactory,
  284  geolocation, or similar information.
  285         10.Professional or employment-related information.
  286         11.Education information, defined as only information that
  287  is not publicly available.
  288         12.Inferences drawn from any information specified in this
  289  paragraph which can create a profile about a consumer reflecting
  290  the consumer’s preferences, characteristics, psychological
  291  trends, predispositions, behavior, attitudes, intelligence,
  292  abilities, and aptitudes.
  293         13.Any other information that may serve as a probabilistic
  294  identifier concerning a consumer which is collected from the
  295  consumer through a website, an online service, or some other
  296  means by the business and maintained by the business in
  297  combination with an identifier in a form that, when used
  298  together with the information, identifies the consumer.
  299         14.Characteristics of protected classifications under
  300  state or federal law.
  301         15.Commercial information, including records of personal
  302  property; products or services purchased, obtained, or
  303  considered; or other purchasing or consuming histories or
  304  tendencies.
  305         16.Geolocation data.
  306         (b)The term does not include:
  307         1.Information about a consumer obtained from public
  308  records, including information that is lawfully made available
  309  from federal, state, or local governmental records; information
  310  that a business has a reasonable basis to believe is lawfully
  311  made available to the general public by the consumer or from
  312  widely distributed media; or lawfully obtained, truthful
  313  information that is a matter of public concern.
  314         2.Consumer information that is de-identified or aggregate
  315  consumer information that relates to a group or category of
  316  consumers from which individual consumer identities have been
  317  removed.
  318         (19)“Probabilistic identifier” means the identification of
  319  a consumer or a device to a degree of certainty more probable
  320  than not, based on any categories of personal information
  321  included in or similar to the items of personal identifying
  322  information specified in subsection (18).
  323         (20)“Processing” means any operation or set of operations
  324  performed on personal information or on sets of personal
  325  information, whether or not by automated means.
  326         (21)“Profiling” means any form of automated processing
  327  performed on personal data to evaluate, analyze, or predict
  328  personal aspects related to an identified or identifiable
  329  natural person’s economic situation, health, personal
  330  preferences, interests, reliability, behavior, location, or
  331  movements.
  332         (22)(a)“Sale” or “sell” means the sale, rental, release,
  333  disclosure, dissemination, making available, loaning, sharing,
  334  transferring, or other communication, orally, in writing, or by
  335  electronic or other means, of a consumer’s personal information
  336  by a business to a third party for monetary or other tangible or
  337  intangible consideration or for any commercial purpose.
  338         (b)The term does not include any of the following:
  339         1.The disclosure, for a business purpose, of personal
  340  information by a business to a service provider who processes
  341  the personal information on behalf of the business.
  342         2.The disclosure, for the purposes of providing a product
  343  or service requested by the consumer, of personal information by
  344  a business to another business resulting from the consumer’s
  345  intentional interaction.
  346         (23)“Security and integrity” means the ability of a:
  347         (a)Network or information system to detect security
  348  incidents that compromise the availability, authenticity,
  349  integrity, and confidentiality of stored or transmitted personal
  350  information.
  351         (b)Business to detect security incidents; to resist
  352  malicious, deceptive, fraudulent, or illegal actions; and to
  353  help prosecute those responsible for such actions.
  354         (c)Business to ensure the physical safety of natural
  355  persons.
  356         (24)“Service provider” means a person who processes
  357  personal information on behalf of a business to whom the
  358  business discloses a consumer’s personal information for a
  359  business purpose pursuant to a written or electronic contract if
  360  the contract prohibits the person from:
  361         (a)Selling the information;
  362         (b)Retaining, using, or disclosing the personal
  363  information for any purpose other than the business purposes
  364  specified in the contract, including a prohibition on retaining,
  365  using, or disclosing the personal information for a commercial
  366  purpose other than the business purposes specified in the
  367  contract with the business;
  368         (c)Combining the personal information that the service
  369  provider receives from or on behalf of the business with
  370  personal information that the service provider receives from or
  371  on behalf of another person or persons or collects from its own
  372  interaction with consumers, provided that the service provider
  373  may combine personal information to perform a business purpose;
  374  and
  375         (d)Retaining, using, or disclosing the information outside
  376  of the direct business relationship between the service provider
  377  and the business.
  378         (25)“Targeted advertising” means displaying an
  379  advertisement to a consumer when the advertisement is selected
  380  based on personal data obtained from a consumer’s activities
  381  over time and across businesses, websites, or online
  382  applications other than the business, website, or online
  383  application with which the consumer is intentionally
  384  interacting, to predict such consumer’s preferences or
  385  interests. The term does not include nonpersonalized
  386  advertising.
  387         (26)“Third party” means a person who is not any of the
  388  following:
  389         (a)The business with which the consumer intentionally
  390  interacts which collects personal information from the consumer
  391  as part of the consumer’s current interaction with the business.
  392         (b)A service provider to the business.
  393         (27)“Unique identifier” or “unique personal identifier”
  394  means a persistent identifier that can be used to recognize a
  395  consumer, a family, or a device linked to a consumer or family
  396  over time and across different services, including, but not
  397  limited to, a device identifier; an Internet protocol address;
  398  cookies, beacons, pixel tags, mobile ad identifiers, or similar
  399  technology; a customer number, unique pseudonym, or user alias;
  400  telephone numbers; or other forms of persistent or probabilistic
  401  identifiers that can be used to identify a particular consumer
  402  or device that is linked to a consumer or family. For purposes
  403  of this subsection, the term “family” means a custodial parent
  404  or guardian and any minor children of which the parent or
  405  guardian has custody.
  406         (28)“Verified request” means a request submitted by a
  407  consumer, by a consumer on behalf of the consumer’s minor child,
  408  or by a natural person or a person registered with the Secretary
  409  of State, who is authorized by the consumer to act on the
  410  consumer’s behalf, to a business for which the business can
  411  reasonably verify the authenticity of the request.
  412         Section 4. Section 501.1745, Florida Statutes, is created
  413  to read:
  414         501.1745 General duties of businesses that collect personal
  415  information.—
  416         (1)A business that controls the collection of a consumer’s
  417  personal information that will be used for any purpose other
  418  than a business purpose, at or before the point of collection,
  419  shall inform consumers of all of the following:
  420         (a)The purposes for which each category of personal
  421  information is collected or used and whether that information is
  422  sold. A business may not collect additional categories of
  423  personal information, or use collected personal information for
  424  additional purposes that are incompatible with the disclosed
  425  purpose for which the personal information was collected,
  426  without providing the consumer with notice consistent with this
  427  section.
  428         (b)The length of time the business intends to retain each
  429  category of personal information or, if that is not possible,
  430  the criteria used to determine such period, provided that a
  431  business may not retain a consumer’s personal information for
  432  each disclosed purpose for which the personal information was
  433  collected for longer than is reasonably necessary for that
  434  disclosed purpose.
  435         (2)A business’ collection, use, retention, and sharing of
  436  a consumer’s personal information must be reasonably necessary
  437  to achieve, and proportionate to the benefit of achieving, the
  438  purposes for which the personal information was collected or
  439  processed, and such information may not be further processed in
  440  a manner that is incompatible with those purposes.
  441         (3)A business that collects a consumer’s personal
  442  information shall implement reasonable security procedures and
  443  practices appropriate to the nature of the personal information
  444  to protect the personal information from unauthorized or illegal
  445  access, destruction, use, modification, or disclosure.
  446         (4)A business that collects a consumer’s personal
  447  information and sells that personal information to a third party
  448  or discloses it to a service provider for a business purpose
  449  shall enter into an agreement with such third party or service
  450  provider which obligates the third party or service provider to
  451  comply with applicable obligations under this act and obligates
  452  those persons to provide the same level of privacy protection as
  453  is required by this act. If a service provider engages any other
  454  person to assist it in processing personal information for a
  455  business purpose on behalf of the business, or if any other
  456  person engaged by the service provider engages another person to
  457  assist in processing personal information for that business
  458  purpose, the provider or person must notify the business of that
  459  engagement, and the engagement must be pursuant to a written
  460  contract that includes the prohibitions described in s.
  461  501.174(23) and a certification made by the person receiving the
  462  personal information that he or she understands the restrictions
  463  under this act and will comply with them.
  464         Section 5. Section 501.175, Florida Statutes, is created to
  465  read:
  466         501.175 Use of personal information; third parties; other
  467  rights.—
  468         (1)(a)A consumer has the right, at any time, to direct a
  469  business that sells personal information about the consumer not
  470  to sell the consumer’s personal information. This right may be
  471  referred to as the right to opt out of the sale.
  472         (b)As part of the right to opt out of the sale of his or
  473  her personal information, a consumer has the right, at any time,
  474  to opt out of the processing of the consumer’s personal data for
  475  purposes of targeted advertising or profiling. However, this
  476  paragraph may not be construed to prohibit the business that
  477  collected the consumer’s personal information from:
  478         1.Offering a different price, rate, level, quality, or
  479  selection of goods or services to a consumer, including offering
  480  goods or services for no fee, if the consumer has opted out of
  481  targeted advertising or the sale of his or her personal
  482  information; or
  483         2.Offering a loyalty, reward, premium feature, discount,
  484  or club card program.
  485         (c)A business that charges or offers a different price,
  486  rate, level, quality, or selection of goods or services to a
  487  consumer who has opted out of targeted advertising or the sale
  488  of his or her personal information, or that offers goods or
  489  services for no fee, shall ensure that such charge or offer is:
  490         1.Reasonably related to the value provided to the business
  491  by the consumer’s data; and
  492         2.Not unjust, unreasonable, coercive, or usurious.
  493         (2)A business that sells consumers’ personal information
  494  shall provide notice to consumers that the information may be
  495  sold and that consumers have the right to opt out of the sale of
  496  their personal information.
  497         (3)A business that sells consumer information and that has
  498  received direction from a consumer not to sell the consumer’s
  499  personal information or, in the case of a minor consumer’s
  500  personal information, has not received consent to sell the minor
  501  consumer’s personal information, is prohibited from selling the
  502  consumer’s personal information after the business receives the
  503  consumer’s direction, unless the consumer subsequently provides
  504  express authorization for the sale of the consumer’s personal
  505  information. A business that is able to authenticate the
  506  consumer, for example, by the consumer logging in, or that uses
  507  some other unique identifier for the consumer, must comply with
  508  any privacy preferences the consumer previously directed. The
  509  business may not require the consumer to declare privacy
  510  preferences every time the consumer visits the business website
  511  or uses the business online services.
  512         (4)(a) Notwithstanding subsection (1), a business may not
  513  sell the personal information of consumers if the business has
  514  actual knowledge that the consumer is younger than 16 years of
  515  age, unless:
  516         1. The consumer, in the case of consumers between 13 and 16
  517  years of age, has affirmatively authorized the sale of the
  518  consumer’s personal information; or
  519         2. The consumer’s parent or guardian, in the case of
  520  consumers who are younger than 13 years of age, has
  521  affirmatively authorized the sale of the consumer’s personal
  522  information.
  523         (b) This right may be referred to as the right to opt in.
  524         (c) A business that willfully disregards the consumer’s age
  525  is deemed to have actual knowledge of the consumer’s age.
  526         (5) A business that is required to comply with this section
  527  shall, in a form that is reasonably accessible to consumers, do
  528  all of the following:
  529         (a) Provide a clear and conspicuous link on the business’
  530  Internet home page, titled “Do Not Sell My Personal
  531  Information,” to a web page that enables a consumer or a person
  532  authorized by the consumer to opt out of the sale of the
  533  consumer’s personal information. A business may not require a
  534  consumer to create an account in order to direct the business
  535  not to sell the consumer’s information.
  536         (b) Ensure that all individuals responsible for handling
  537  consumer inquiries about the business’ privacy practices or the
  538  business’ compliance with this section are informed of all
  539  requirements of this section and how to direct consumers to
  540  exercise their rights.
  541         (c) For consumers who exercise their right to opt out of
  542  the sale of their personal information, refrain from selling
  543  personal information the business collected about the consumer
  544  as soon as reasonably possible but no longer than 2 business
  545  days after receiving the request to opt out.
  546         (d) For consumers who have opted out of the sale of their
  547  personal information, respect the consumer’s decision to opt out
  548  for at least 12 months before requesting that the consumer
  549  authorize the sale of the consumer’s personal information.
  550         (e) Use any personal information collected from the
  551  consumer in connection with the submission of the consumer’s
  552  opt-out request solely for the purposes of complying with the
  553  opt-out request.
  554         (f) Ensure that consumers have the right to submit a
  555  verified request for certain information from a business,
  556  including the sources from which the consumer’s personal
  557  information was collected, the specific items of personal
  558  information it has collected about the consumer, and any third
  559  parties to whom the personal information was sold.
  560         (6) Consumers have the right to submit a verified request
  561  for the deletion of their personal information that the business
  562  has collected.
  563         (7) A business, or a service provider acting pursuant to
  564  its contract with the business or another service provider, is
  565  not required to comply with a consumer’s verified request to
  566  delete the consumer’s personal information if it is necessary
  567  for the business or service provider to maintain the consumer’s
  568  personal information in order to do any of the following:
  569         (a) Complete the transaction for which the personal
  570  information was collected, fulfill the terms of a written
  571  warranty or product recall conducted in accordance with federal
  572  law, provide a good or service requested by the consumer, or
  573  otherwise perform a contract between the business and the
  574  consumer.
  575         (b) Help to ensure security and integrity to the extent
  576  that the use of the consumer’s personal information is
  577  reasonably necessary and proportionate for those purposes.
  578         (c) Debug to identify and repair errors that impair
  579  existing intended functionality.
  580         (d) Exercise free speech, ensure the right of another
  581  consumer to exercise that consumer’s right of free speech, or
  582  exercise another right provided for by law.
  583         (e) Engage in public or peer-reviewed scientific,
  584  historical, or statistical research that conforms or adheres to
  585  all other applicable ethics and privacy laws, when the business’
  586  deletion of the information is likely to render impossible or
  587  seriously impair the ability to complete such research, if the
  588  consumer has provided informed consent.
  589         (f) Comply with a legal obligation.
  590         (8) Consumers have the right to submit a verified request
  591  for correction of their personal information held by a business
  592  if that information is inaccurate.
  593         (9) This section may not be construed to require a business
  594  to comply by including the required links and text on the home
  595  page that the business makes available to the public generally,
  596  if:
  597         (a) The business maintains a separate and additional home
  598  page that is dedicated to consumers in this state and includes
  599  the required links and text; and
  600         (b) The business takes reasonable steps to ensure that
  601  consumers in this state are directed to the home page for
  602  consumers in this state and not the home page made available to
  603  the public generally.
  604         (10) A consumer may authorize another person to opt out of
  605  the sale of the consumer’s personal information. A business
  606  shall comply with an opt-out request received from a person
  607  authorized by the consumer to act on the consumer’s behalf,
  608  including a request received through a user-enabled global
  609  privacy control, such as a browser plug-in or privacy setting,
  610  device setting, or other mechanism, which communicates or
  611  signals the consumer’s choice to opt out, and may not require a
  612  consumer to make a verified request to opt out of the sale of
  613  his or her information.
  614         (11) Each business shall establish a designated request
  615  address through which a consumer may submit a request to
  616  exercise his or her rights under this act.
  617         (12)(a) A business that receives a verified request:
  618         1. For a consumer’s personal information, shall disclose to
  619  the consumer any personal information about the consumer which
  620  it has collected since July 1, 2022, directly or indirectly,
  621  including through or by a service provider.
  622         2. To correct a consumer’s inaccurate personal information,
  623  shall correct the inaccurate personal information.
  624         3. To delete a consumer’s personal information, shall
  625  delete such personal information.
  626         (b) A service provider is not required to personally comply
  627  with a verified request received directly from a consumer or a
  628  consumer’s authorized agent to the extent that the service
  629  provider has collected personal information about the consumer
  630  in its role as a service provider. A service provider shall
  631  provide assistance to a business with which it has a contractual
  632  relationship with respect to the business’ response to a
  633  verifiable consumer request, including, but not limited to, by
  634  providing to the business the consumer’s personal information in
  635  the service provider’s possession which the service provider
  636  obtained as a result of providing services to the business.
  637         (c) At the direction of the business, a service provider
  638  shall correct inaccurate personal information, or delete
  639  personal information, or enable the business to do the same, and
  640  shall notify any service providers who may have accessed such
  641  personal information from or through the service provider, to
  642  correct or delete the consumer’s personal information, as
  643  applicable.
  644         (d) A business shall comply with a verified request
  645  submitted by a consumer to access, correct, or delete personal
  646  information within 30 days after the date the request is
  647  submitted. A business may extend such period by up to 30 days if
  648  the business, in good faith, determines that such an extension
  649  is reasonably necessary. A business that extends the period
  650  shall notify the consumer of the necessity of an extension.
  651         (13) A business shall comply with a consumer’s previous
  652  expressed decision to opt out of the sale of his or her personal
  653  information without requiring the consumer to take any
  654  additional action if:
  655         (a) The business is able to identify the consumer through a
  656  login protocol or any other process the business uses to
  657  identify consumers and the consumer has previously exercised his
  658  or her right to opt out of the sale of his or her personal
  659  information; or
  660         (b) The business is aware of the consumer’s desire to opt
  661  out of the sale of his or her personal information through the
  662  use of a user-enabled global privacy control, such as a browser,
  663  browser instruction, plug-in or privacy setting, device setting,
  664  application, service, or other mechanism, which communicates or
  665  signals the consumer’s choice to opt out.
  666         (14) A business shall make available, in a manner
  667  reasonably accessible to consumers whose personal information
  668  the business collects through its website or online service, a
  669  notice that does all of the following:
  670         (a) Identifies the categories of personal information that
  671  the business collects through its website or online service
  672  about consumers who use or visit the website or online service
  673  and the categories of third parties with whom the business may
  674  share such personal information.
  675         (b) Provides a description of the process, if applicable,
  676  for a consumer who uses or visits the website or online service
  677  to review and request changes to any of his or her personal
  678  information that is collected through the website or online
  679  service.
  680         (c) Describes the process by which the business notifies
  681  consumers who use or visit the website or online service of
  682  material changes to the notice.
  683         (d) Discloses whether a third party may collect personal
  684  information about a consumer’s online activities over time and
  685  across different websites or online services when the consumer
  686  uses the business’ website or online service.
  687         (e) States the effective date of the notice.
  688         Section 6. Section 501.176, Florida Statutes, is created to
  689  read:
  690         501.176 Exclusions.—
  691         (1) The obligations imposed on a business by this act do
  692  not restrict a business’ ability to do any of the following:
  693         (a) Comply with federal, state, or local laws.
  694         (b) Comply with a civil, criminal, or regulatory inquiry or
  695  an investigation, a subpoena, or a summons by federal, state, or
  696  local authorities.
  697         (c) Cooperate with law enforcement agencies concerning
  698  conduct or activity that the business, service provider, or
  699  third party reasonably and in good faith believes may violate
  700  federal, state, or local law.
  701         (d) Exercise or defend legal claims.
  702         (e) Collect, use, retain, sell, or disclose consumer
  703  information that is de-identified or in the aggregate consumer
  704  information that relates to a group or category of consumers
  705  from which individual consumer identities have been removed.
  706         (f) Collect or sell a consumer’s personal information if
  707  every aspect of that commercial conduct takes place wholly
  708  outside of this state. For purposes of this act, commercial
  709  conduct takes place wholly outside of this state if the business
  710  collected that information while the consumer was outside of
  711  this state, no part of the sale of the consumer’s personal
  712  information occurred in this state, and no personal information
  713  collected while the consumer was in this state is sold. This
  714  paragraph does not permit a business to store, including on a
  715  device, personal information about a consumer when the consumer
  716  is in this state and then to collect that personal information
  717  when the consumer and stored personal information are outside of
  718  this state.
  719         (2) This act does not apply to any of the following:
  720         (a) A business that collects or discloses the personal
  721  information of the business’ employees, applicants, interns, or
  722  volunteers so long as the business is collecting or disclosing
  723  such information within the scope of its role as an employer.
  724         (b) Health information that is collected by a covered
  725  entity or business associate governed by the privacy, security,
  726  and breach notification rules issued by the United States
  727  Department of Health and Human Services in 45 C.F.R. parts 160
  728  and 164.
  729         (c) A covered entity governed by the privacy, security, and
  730  breach notification rules issued by the United States Department
  731  of Health and Human Services in 45 C.F.R. parts 160 and 164, to
  732  the extent the provider or covered entity maintains patient
  733  information in the same manner as medical information or
  734  protected health information as described in paragraph (b).
  735         (d) Information collected as part of a clinical trial
  736  subject to the Federal Policy for the Protection of Human
  737  Subjects pursuant to good clinical practice guidelines issued by
  738  the International Council for Harmonisation of Technical
  739  Requirements for Pharmaceuticals for Human Use or pursuant to
  740  human subject protection requirements of the United States Food
  741  and Drug Administration.
  742         (e) The sale of personal information to or from a consumer
  743  reporting agency if that information is to be reported in or
  744  used to generate a consumer report as defined by 15 U.S.C. s.
  745  1681(a), and if the use of that information is limited by the
  746  federal Fair Credit Reporting Act, 15 U.S.C. s. 1681 et seq.
  747         (f) Personal information collected, processed, sold, or
  748  disclosed pursuant to the federal Gramm-Leach-Bliley Act, 12
  749  U.S.C. s. 24(a) et seq. and implementing regulations.
  750         (g) Personal information collected, processed, sold, or
  751  disclosed pursuant to the federal Driver’s Privacy Protection
  752  Act of 1994, 18 U.S.C. s. 2721 et seq.;
  753         (h) Education information covered by the federal Family
  754  Educational Rights and Privacy Act, 20 U.S.C. s. 1232g and 34
  755  C.F.R. part 99.
  756         (i) Personal information collected, processed, sold, or
  757  disclosed in relation to price, route, or service as those terms
  758  are used in the federal Airline Deregulation Act, 49 U.S.C. s.
  759  40101 et seq., by entities subject to the federal Airline
  760  Deregulation Act, to the extent the provisions of this act are
  761  preempted by s. 41713 of the federal Airline Deregulation Act.
  762         (j) Vehicle information or ownership information retained
  763  or shared between a new motor vehicle dealer and the vehicle’s
  764  manufacturer if the vehicle or ownership information is shared
  765  for the purpose of effectuating, or in anticipation of
  766  effectuating, a vehicle repair covered by a vehicle warranty or
  767  a recall conducted pursuant to 49 U.S.C. s. 30118-30120,
  768  provided that the new motor vehicle dealer or vehicle
  769  manufacturer with which that vehicle information or ownership
  770  information is shared does not sell, share, or use that
  771  information for any other purpose. As used in this paragraph,
  772  the term “vehicle information” means the vehicle information
  773  number, make, model, year, and odometer reading, and the term
  774  “ownership information” means the name or names of the
  775  registered owner or owners and the contact information for the
  776  owner or owners.
  777         (3) If a request from a consumer is manifestly unfounded or
  778  excessive, in particular because of the request’s repetitive
  779  character, a business may either charge a reasonable fee, taking
  780  into account the administrative costs of providing the
  781  information or communication or taking the action requested, or
  782  refuse to act on the request and notify the consumer of the
  783  reason for refusing the request. The business bears the burden
  784  of demonstrating that any verified consumer request is
  785  manifestly unfounded or excessive.
  786         (4) A business that discloses personal information to a
  787  service provider is not liable under this act if the service
  788  provider receiving the personal information uses it in violation
  789  of the restrictions set forth in the act, provided that, at the
  790  time of disclosing the personal information, the business does
  791  not have actual knowledge, or reason to believe, that the
  792  service provider intends to commit such a violation. A service
  793  provider is likewise not liable under this act for the
  794  obligations of a business for which it provides services as set
  795  forth in this act.
  796         (5) This act may not be construed to require a business to
  797  reidentify or otherwise link information that is not maintained
  798  in a manner that would be considered personal information;
  799  retain any personal information about a consumer if, in the
  800  ordinary course of business, that information would not be
  801  retained; maintain information in identifiable, linkable, or
  802  associable form; or collect, obtain, retain, or access any data
  803  or technology in order to be capable of linking or associating a
  804  verifiable consumer request with personal information.
  805         (6) The rights afforded to consumers and the obligations
  806  imposed on a business in this act may not adversely affect the
  807  rights and freedoms of other consumers. Notwithstanding s.
  808  501.175(7), a verified request for specific items of personal
  809  information, to delete a consumer’s personal information, or to
  810  correct inaccurate personal information does not extend to
  811  personal information about the consumer which belongs to, or
  812  which the business maintains on behalf of, another natural
  813  person.
  814         Section 7. Section 501.177, Florida Statutes, is created to
  815  read:
  816         501.177 Civil actions; private right of action; attorney
  817  general; rules.—
  818         (1) If any business violates any provision of this act, the
  819  consumer may initiate a civil action for any of the following:
  820         (a) Recovery of damages of at least $100 and not more than
  821  $750 per consumer per incident or actual damages, whichever is
  822  greater.
  823         (b) Injunctive or declaratory relief.
  824         (c) Reasonable costs of enforcement, including a reasonable
  825  attorney fee and costs.
  826         (d) Any other relief deemed appropriate by the court.
  827         (2) In assessing the amount of statutory damages, the court
  828  shall consider any one or more of the relevant circumstances
  829  presented by any of the parties to the case, including, but not
  830  limited to, the nature and seriousness of the misconduct, the
  831  number of violations, the persistence of the misconduct, the
  832  length of time over which the misconduct occurred, the
  833  willfulness of the defendant’s misconduct, and the defendant’s
  834  assets, liabilities, and net worth.
  835         (3)(a) The Department of Legal Affairs shall adopt rules to
  836  enforce this act. If the department has reason to believe that a
  837  business, directly or indirectly, has violated or is violating
  838  this section, the department may institute an appropriate legal
  839  proceeding against the business.
  840         (b) The trial court, upon a showing that any business,
  841  directly or indirectly, has violated or is violating this act,
  842  may take any of the following actions:
  843         1. Issue a temporary or permanent injunction.
  844         2. Impose a civil penalty not to exceed $5,000 for each
  845  violation. If the violation involves a consumer who was 16 years
  846  of age or younger at the time of the violation, the court may
  847  triple the civil penalty.
  848         3. Award reasonable costs of enforcement, including a
  849  reasonable attorney fee and costs.
  850         4. Grant such other relief as the court may deem
  851  appropriate.
  852         Section 8. This act shall take effect January 1, 2022.