Florida Senate - 2021
CS for SB 1734
By the Committee on Commerce and Tourism; and Senator Bradley
577-03169-21 20211734c1

A bill to be entitled

An act relating to consumer data privacy; creating s. 501.172, F.S.; providing a short title; creating s. 501.173, F.S.; providing a purpose; creating s. 501.174, F.S.; defining terms; creating s. 501.1745, F.S.; requiring certain businesses that collect consumer personal information to provide certain information to the consumer; requiring such collection, use, retention, and sharing of such information to meet certain requirements; requiring such businesses to implement reasonable security procedures and practices; requiring such businesses to enter into an agreement with third parties under certain circumstances; creating s. 501.175, F.S.; providing that consumers have the right to direct certain businesses not to sell their personal information; providing construction; requiring such businesses to notify consumers of such right; requiring businesses to comply with such a request under certain circumstances; prohibiting businesses from selling the personal information of consumers younger than a specified age without express authorization from the consumer or the consumer’s parent or guardian under certain circumstances; providing that a business that willfully disregards a consumer’s age is deemed to have actual knowledge of the consumer’s age; requiring certain businesses to provide a specified link on their home page for consumers to opt out; providing requirements for businesses to comply with a consumer’s opt-out request; providing that consumers have the right to submit a verified request for businesses to delete or correct personal information the businesses have collected about the consumers; providing construction; providing that consumers may authorize other persons to opt out of the sale of the consumer’s
personal information on the consumer’s behalf; requiring businesses to establish designated addresses through which consumers may submit verified requests; specifying requirements for consumers’ verified requests and businesses’ responses; requiring businesses to comply with previous consumer requests without requiring additional information from the consumer, under certain circumstances; requiring businesses to provide certain notices to consumers; creating s. 501.176, F.S.; providing applicability; authorizing businesses to charge consumers a reasonable fee for manifestly unfounded or excessive requests, or to refuse to complete a request under certain circumstances; providing for business liability under certain circumstances; providing construction; providing that a consumer’s rights and the obligations of a business may not adversely affect the rights and freedoms of other consumers; creating s. 501.177, F.S.; authorizing consumers to initiate civil actions for violations; providing civil remedies; requiring the Department of Legal Affairs to adopt rules and to initiate legal proceedings against a business under certain circumstances; providing civil penalties; providing an effective date.

Be It Enacted by the Legislature of the State of Florida:

Section 1. Section 501.172, Florida Statutes, is created to read:
501.172 Short title.—This act may be cited as the “Florida Privacy Protection Act.”
Section 2. Section 501.173, Florida Statutes, is created to read:
501.173 Purpose.—This act shall be construed liberally in recognition that privacy is an important right, and consumers in this state should have the ability to share their personal information as they wish, in a way that is safe and that they understand and control.
Section 3. Section 501.174, Florida Statutes, is created to read:
501.174 Definitions.—As used in ss.
501.172-501.177, unless the context otherwise requires, the term:
(1) “Advertising and marketing” means a communication by a business or a person acting on behalf of the business through any medium intended to induce a consumer to obtain goods, services, or employment.
(2) “Aggregate consumer information” means information that relates to a group or category of consumers, from which individual consumer identities have been removed, which is not linked or reasonably linkable to any consumer or household, including through a device. The term does not include one or more individual consumer records that have been de-identified.
(3) “Biometric information” means an individual’s physiological, biological, or behavioral characteristics, including an individual’s deoxyribonucleic acid (DNA), which can be used, singly or in combination with each other or with other identifying data, to establish individual identity. The term includes, but is not limited to, imagery of the iris, retina, fingerprint, face, hand, or palm; vein patterns; voice recordings from which an identifier template, such as a faceprint, a minutiae template, or a voice print, can be extracted; keystroke patterns or rhythms; gait patterns or rhythms; and sleep, health, or exercise data that contain identifying information.
(4) “Business” means:
(a) A sole proprietorship, a partnership, a limited liability company, a corporation, or an association or any other legal entity that meets the following requirements:
1. Is organized or operated for the profit or financial benefit of its shareholders or owners;
2. Does business in this state;
3. Collects personal information about consumers, or is the entity on behalf of which such information is collected;
4. Determines the purposes and means of processing personal information about consumers, alone or jointly with others; and
5.
Satisfies at least one of the following thresholds:
a. Has global annual gross revenues in excess of $25 million, as adjusted in January of every odd-numbered year to reflect any increase in the Consumer Price Index.
b. Annually buys, sells, or shares the personal information of 50,000 or more consumers, households, or devices.
c. Derives 50 percent or more of its global annual revenues from selling or sharing personal information about consumers.
(b) An entity that controls or is controlled by a business and that shares common branding with the business. As used in this paragraph, the term:
1. “Common branding” means a shared name, service mark, or trademark that the average consumer would understand to mean that two or more entities are commonly owned.
2. “Control” means:
a. Ownership of, or the power to vote, more than 50 percent of the outstanding shares of any class of voting security of a business;
b. Control in any manner over the election of a majority of the directors, or of individuals exercising similar functions; or
c. The power to exercise a controlling influence over the management of a company.
(c) A joint venture or partnership composed of businesses in which each business has at least a 40 percent interest. For the purposes of this act, the joint venture or partnership, and each business that comprises the joint venture or partnership, must be considered a separate, single business, except that personal information in the possession of each business and disclosed to the joint venture or partnership may not be shared with the other business. A joint venture does not include a third party that operates, hosts, or manages a website or an online service on behalf of a business or processes information on behalf of a business.
(5) “Business purpose” means the use of personal information for the business’ operational or other notice-given purposes or for the service provider’s operational purposes, provided that the use of the personal information is reasonably necessary to achieve, and proportionate to the benefit of achieving, the purpose for which the personal information was collected or processed or for another purpose that is compatible with the context in which the personal information was collected. The term includes all of the following:
(a) Auditing related to counting ad impressions of unique visitors and verifying positioning and the quality of ad impressions, and auditing compliance with this specification and other standards.
(b) Helping to ensure security and integrity to the extent that the use of the consumer’s personal information is reasonably necessary for these purposes and proportionate to the benefit of its use for these purposes.
(c) Debugging to identify and repair errors that impair existing intended functionality.
(d) Short-term, transient use, including, but not limited to, nonpersonalized advertising shown as part of a consumer’s current interaction with the business, provided that the consumer’s personal information is not disclosed to a third party and is not used to build a profile of the consumer or to otherwise alter the consumer’s experience outside his or her current interaction with the business.
(e) Performing services on behalf of the business, including maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying customer information, processing payments, or providing financing, analytic services, storage, or similar services on behalf of the business.
(f) Providing advertising and marketing services, not including targeted advertising, to the consumer provided that, for the purpose of advertising and marketing, a service provider may not combine the personal information of consumers who opt out which the service provider receives from, or on behalf of, the business with personal information that the service provider receives from, or on behalf of, another person or persons or collects from its own interaction with consumers.
(g) Undertaking internal research for technological development and demonstration.
(h) Undertaking activities to verify or maintain the quality or safety of a service or device that is owned, manufactured, manufactured for, or controlled by the business, and to improve, upgrade, or enhance the service or device that is owned, manufactured, manufactured for, or controlled by the business.
(6) “Categories” or “category” means the items of personal identifying information specified as being included as personal information under subsection (18).
(7) “Collects,” “collected,” or “collection” means buying, renting, gathering, obtaining, receiving, or accessing by any means any personal information pertaining to a consumer. The term includes receiving information from the consumer, either actively or passively, or by observing the consumer’s behavior.
(8) “Commercial purposes” means to advance a person’s commercial or economic interests, such as by inducing another person to buy, rent, lease, join, subscribe to, provide, or exchange products, goods, property, information, or services or enabling or effecting, directly or indirectly, a commercial transaction. The term does not include engaging in speech that state or federal courts have recognized as noncommercial speech, including political speech and journalism.
(9) “Consumer” means a natural person, however identified, including identification by a unique identifier, who is in this state for other than a temporary or transitory purpose. The term does not include any other natural person who is a nonresident.
(10) “De-identified” means information:
(a) That cannot reasonably identify, relate to, describe, be associated with, or be linked directly or indirectly to a particular consumer or device;
(b) Containing data that the business has taken reasonable measures to ensure could not be reidentified;
(c) Containing data that the business publicly commits to maintain and use in a de-identified fashion and that it does not attempt to reidentify; and
(d) Containing data that the business contractually prohibits downstream recipients from attempting to reidentify.
(11) “Designated request address” means an electronic mail address, a toll-free telephone number, or a website established by a business through which a consumer may submit a verified request to the business.
(12) “Device” means a physical object capable of directly or indirectly connecting to the Internet.
(13) “Home page” means the introductory page of an Internet website and any Internet web page where personal information is collected. In the case of an online service, such as a mobile application, the term means the application’s platform page or download page; a link within the application, such as from the application configuration, “about,” “information,” or settings page; and any other location that allows consumers to review the notices required by this act, at any time, including, but not limited to, before downloading the application.
(14) “Household” means a person or group of persons living together or sharing living quarters who are or are not related.
(15) “Intentional interaction” or “intentionally interacting” means the consumer intends to interact with or disclose personal information to a person through one or more deliberate interactions, including visiting the person’s website or purchasing a good or service from the person. The term does not include hovering over, muting, pausing, or closing a given piece of content.
(16) “Nonpersonalized advertising” means advertising and marketing that is based solely on a consumer’s personal information derived from the consumer’s current interaction with the business, with the exception of the consumer’s precise geolocation.
(17) “Person” means an individual, a proprietorship, a firm, a partnership, a joint venture, a syndicate, a business trust, a company, a corporation, a limited liability company, an association, a committee, and any other organization or group of persons acting in concert.
(18) “Personal information” means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.
(a) The term includes, but is not limited to, all of the following items of personal identifying information about a consumer collected and maintained by a person or business:
1. A first and last name.
2. A home or other physical address that includes the name of a street and the name of a city or town.
3. An electronic mail address.
4. A telephone number.
5. A social security number.
6. An identifier such as an alias, a unique personal identifier, an online identifier, an Internet protocol address, an account name, a driver license number, a passport number, or other similar identifiers.
7.
Biometric information, such as DNA or fingerprints or any other biometric information collected by a business about a consumer without the consumer’s knowledge.
8. Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with a website, an application, or an advertisement.
9. Audio, electronic, visual, thermal, olfactory, geolocation, or similar information.
10. Professional or employment-related information.
11. Education information, defined as only information that is not publicly available.
12. Inferences drawn from any information specified in this paragraph which can create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.
13. Any other information that may serve as a probabilistic identifier concerning a consumer which is collected from the consumer through a website, an online service, or some other means by the business and maintained by the business in combination with an identifier in a form that, when used together with the information, identifies the consumer.
14. Characteristics of protected classifications under state or federal law.
15. Commercial information, including records of personal property; products or services purchased, obtained, or considered; or other purchasing or consuming histories or tendencies.
16. Geolocation data.
(b) The term does not include:
1.
Information about a consumer obtained from public records, including information that is lawfully made available from federal, state, or local governmental records; information that a business has a reasonable basis to believe is lawfully made available to the general public by the consumer or from widely distributed media; or lawfully obtained, truthful information that is a matter of public concern.
2. Consumer information that is de-identified or aggregate consumer information that relates to a group or category of consumers from which individual consumer identities have been removed.
(19) “Probabilistic identifier” means the identification of a consumer or a device to a degree of certainty more probable than not, based on any categories of personal information included in or similar to the items of personal identifying information specified in subsection (18).
(20) “Processing” means any operation or set of operations performed on personal information or on sets of personal information, whether or not by automated means.
(21) “Profiling” means any form of automated processing performed on personal data to evaluate, analyze, or predict personal aspects related to an identified or identifiable natural person’s economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.
(22)(a) “Sale” or “sell” means the sale, rental, release, disclosure, dissemination, making available, loaning, sharing, transferring, or other communication, orally, in writing, or by electronic or other means, of a consumer’s personal information by a business to a third party for monetary or other tangible or intangible consideration or for any commercial purpose.
(b) The term does not include any of the following:
1.
The disclosure, for a business purpose, of personal information by a business to a service provider who processes the personal information on behalf of the business.
2. The disclosure, for the purposes of providing a product or service requested by the consumer, of personal information by a business to another business resulting from the consumer’s intentional interaction.
(23) “Security and integrity” means the ability of a:
(a) Network or information system to detect security incidents that compromise the availability, authenticity, integrity, and confidentiality of stored or transmitted personal information.
(b) Business to detect security incidents; to resist malicious, deceptive, fraudulent, or illegal actions; and to help prosecute those responsible for such actions.
(c) Business to ensure the physical safety of natural persons.
(24) “Service provider” means a person who processes personal information on behalf of a business to whom the business discloses a consumer’s personal information for a business purpose pursuant to a written or electronic contract if the contract prohibits the person from:
(a) Selling the information;
(b) Retaining, using, or disclosing the personal information for any purpose other than the business purposes specified in the contract, including a prohibition on retaining, using, or disclosing the personal information for a commercial purpose other than the business purposes specified in the contract with the business;
(c) Combining the personal information that the service provider receives from or on behalf of the business with personal information that the service provider receives from or on behalf of another person or persons or collects from its own interaction with consumers, provided that the service provider may combine personal information to perform a business purpose; and
(d)
Retaining, using, or disclosing the information outside of the direct business relationship between the service provider and the business.
(25) “Targeted advertising” means displaying an advertisement to a consumer when the advertisement is selected based on personal data obtained from a consumer’s activities over time and across businesses, websites, or online applications other than the business, website, or online application with which the consumer is intentionally interacting, to predict such consumer’s preferences or interests. The term does not include nonpersonalized advertising.
(26) “Third party” means a person who is not any of the following:
(a) The business with which the consumer intentionally interacts which collects personal information from the consumer as part of the consumer’s current interaction with the business.
(b) A service provider to the business.
(27) “Unique identifier” or “unique personal identifier” means a persistent identifier that can be used to recognize a consumer, a family, or a device linked to a consumer or family over time and across different services, including, but not limited to, a device identifier; an Internet protocol address; cookies, beacons, pixel tags, mobile ad identifiers, or similar technology; a customer number, unique pseudonym, or user alias; telephone numbers; or other forms of persistent or probabilistic identifiers that can be used to identify a particular consumer or device that is linked to a consumer or family. For purposes of this subsection, the term “family” means a custodial parent or guardian and any minor children of which the parent or guardian has custody.
(28) “Verified request” means a request submitted by a consumer, by a consumer on behalf of the consumer’s minor child, or by a natural person or a person registered with the Secretary of State, who is authorized by the consumer to act on the consumer’s behalf, to a business for which the business can reasonably verify the authenticity of the request.
Section 4. Section 501.1745, Florida Statutes, is created to read:
501.1745 General duties of businesses that collect personal information.—
(1) A business that controls the collection of a consumer’s personal information that will be used for any purpose other than a business purpose, at or before the point of collection, shall inform consumers of all of the following:
(a) The purposes for which each category of personal information is collected or used and whether that information is sold. A business may not collect additional categories of personal information, or use collected personal information for additional purposes that are incompatible with the disclosed purpose for which the personal information was collected, without providing the consumer with notice consistent with this section.
(b) The length of time the business intends to retain each category of personal information or, if that is not possible, the criteria used to determine such period, provided that a business may not retain a consumer’s personal information for each disclosed purpose for which the personal information was collected for longer than is reasonably necessary for that disclosed purpose.
(2) A business’ collection, use, retention, and sharing of a consumer’s personal information must be reasonably necessary to achieve, and proportionate to the benefit of achieving, the purposes for which the personal information was collected or processed, and such information may not be further processed in a manner that is incompatible with those purposes.
(3) A business that collects a consumer’s personal information shall implement reasonable security procedures and practices appropriate to the nature of the personal information to protect the personal information from unauthorized or illegal access, destruction, use, modification, or disclosure.
(4) A business that collects a consumer’s personal information and sells that personal information to a third party or discloses it to a service provider for a business purpose shall enter into an agreement with such third party or service provider which obligates the third party or service provider to comply with applicable obligations under this act and obligates those persons to provide the same level of privacy protection as is required by this act. If a service provider engages any other person to assist it in processing personal information for a business purpose on behalf of the business, or if any other person engaged by the service provider engages another person to assist in processing personal information for that business purpose, the provider or person must notify the business of that engagement, and the engagement must be pursuant to a written contract that includes the prohibitions described in s. 501.174(23) and a certification made by the person receiving the personal information that he or she understands the restrictions under this act and will comply with them.
Section 5.
Section 501.175, Florida Statutes, is created to read:
501.175 Use of personal information; third parties; other rights.—
(1)(a) A consumer has the right, at any time, to direct a business that sells personal information about the consumer not to sell the consumer’s personal information. This right may be referred to as the right to opt out of the sale.
(b) As part of the right to opt out of the sale of his or her personal information, a consumer has the right, at any time, to opt out of the processing of the consumer’s personal data for purposes of targeted advertising or profiling. However, this paragraph may not be construed to prohibit the business that collected the consumer’s personal information from:
1. Offering a different price, rate, level, quality, or selection of goods or services to a consumer, including offering goods or services for no fee, if the consumer has opted out of targeted advertising or the sale of his or her personal information; or
2. Offering a loyalty, reward, premium feature, discount, or club card program.
(c) A business that charges or offers a different price, rate, level, quality, or selection of goods or services to a consumer who has opted out of targeted advertising or the sale of his or her personal information, or that offers goods or services for no fee, shall ensure that such charge or offer is:
1. Reasonably related to the value provided to the business by the consumer’s data; and
2. Not unjust, unreasonable, coercive, or usurious.
(2) A business that sells consumers’ personal information shall provide notice to consumers that the information may be sold and that consumers have the right to opt out of the sale of their personal information.
(3) A business that sells consumer information and that has received direction from a consumer not to sell the consumer’s personal information or, in the case of a minor consumer’s personal information, has not received consent to sell the minor consumer’s personal information, is prohibited from selling the consumer’s personal information after the business receives the consumer’s direction, unless the consumer subsequently provides express authorization for the sale of the consumer’s personal information. A business that is able to authenticate the consumer, for example, by the consumer logging in, or that uses some other unique identifier for the consumer, must comply with any privacy preferences the consumer previously directed. The business may not require the consumer to declare privacy preferences every time the consumer visits the business’ website or uses the business’ online services.
(4)(a) Notwithstanding subsection (1), a business may not sell the personal information of consumers if the business has actual knowledge that the consumer is younger than 16 years of age, unless:
1. The consumer, in the case of consumers between 13 and 16 years of age, has affirmatively authorized the sale of the consumer’s personal information; or
2. The consumer’s parent or guardian, in the case of consumers who are younger than 13 years of age, has affirmatively authorized the sale of the consumer’s personal information.
(b) This right may be referred to as the right to opt in.
(c) A business that willfully disregards the consumer’s age is deemed to have actual knowledge of the consumer’s age.
(5) A business that is required to comply with this section shall, in a form that is reasonably accessible to consumers, do all of the following:
(a) Provide a clear and conspicuous link on the business’ Internet home page, titled “Do Not Sell My Personal Information,” to a web page that enables a consumer or a person authorized by the consumer to opt out of the sale of the consumer’s personal information. A business may not require a consumer to create an account in order to direct the business not to sell the consumer’s information.
(b) Ensure that all individuals responsible for handling consumer inquiries about the business’ privacy practices or the business’ compliance with this section are informed of all requirements of this section and how to direct consumers to exercise their rights.
(c) For consumers who exercise their right to opt out of the sale of their personal information, refrain from selling personal information the business collected about the consumer as soon as reasonably possible but no longer than 2 business days after receiving the request to opt out.
(d) For consumers who have opted out of the sale of their personal information, respect the consumer’s decision to opt out for at least 12 months before requesting that the consumer authorize the sale of the consumer’s personal information.
(e) Use any personal information collected from the consumer in connection with the submission of the consumer’s opt-out request solely for the purposes of complying with the opt-out request.
(f) Ensure that consumers have the right to submit a verified request for certain information from a business, including the sources from which the consumer’s personal information was collected, the specific items of personal information it has collected about the consumer, and any third parties to whom the personal information was sold.
(6) Consumers have the right to submit a verified request for the deletion of their personal information that the business has collected.
(7) A business, or a service provider acting pursuant to its contract with the business or another service provider, is not required to comply with a consumer’s verified request to delete the consumer’s personal information if it is necessary for the business or service provider to maintain the consumer’s personal information in order to do any of the following:
(a) Complete the transaction for which the personal information was collected, fulfill the terms of a written warranty or product recall conducted in accordance with federal law, provide a good or service requested by the consumer, or otherwise perform a contract between the business and the consumer.
(b) Help to ensure security and integrity to the extent that the use of the consumer’s personal information is reasonably necessary and proportionate for those purposes.
(c) Debug to identify and repair errors that impair existing intended functionality.
(d) Exercise free speech, ensure the right of another consumer to exercise that consumer’s right of free speech, or exercise another right provided for by law.
(e) Engage in public or peer-reviewed scientific, historical, or statistical research that conforms or adheres to all other applicable ethics and privacy laws, when the business’ deletion of the information is likely to render impossible or seriously impair the ability to complete such research, if the consumer has provided informed consent.
(f) Comply with a legal obligation.
(8) Consumers have the right to submit a verified request for correction of their personal information held by a business if that information is inaccurate.
(9) This section may not be construed to require a business to comply by including the required links and text on the home page that the business makes available to the public generally, if:
(a) The business maintains a separate and additional home page that is dedicated to consumers in this state and includes the required links and text; and
(b) The business takes reasonable steps to ensure that consumers in this state are directed to the home page for consumers in this state and not the home page made available to the public generally.
(10) A consumer may authorize another person to opt out of the sale of the consumer’s personal information. A business shall comply with an opt-out request received from a person authorized by the consumer to act on the consumer’s behalf, including a request received through a user-enabled global privacy control, such as a browser plug-in or privacy setting, device setting, or other mechanism, which communicates or signals the consumer’s choice to opt out, and may not require a consumer to make a verified request to opt out of the sale of his or her information.
(11) Each business shall establish a designated request address through which a consumer may submit a request to exercise his or her rights under this act.
(12)(a) A business that receives a verified request:
1. For a consumer’s personal information, shall disclose to the consumer any personal information about the consumer which it has collected since July 1, 2022, directly or indirectly, including through or by a service provider.
2. To correct a consumer’s inaccurate personal information, shall correct the inaccurate personal information.
3. To delete a consumer’s personal information, shall delete such personal information.
(b) A service provider is not required to personally comply with a verified request received directly from a consumer or a consumer’s authorized agent to the extent that the service provider has collected personal information about the consumer in its role as a service provider. A service provider shall provide assistance to a business with which it has a contractual relationship with respect to the business’ response to a verifiable consumer request, including, but not limited to, by providing to the business the consumer’s personal information in the service provider’s possession which the service provider obtained as a result of providing services to the business.
(c) At the direction of the business, a service provider shall correct inaccurate personal information, or delete personal information, or enable the business to do the same, and shall notify any service providers who may have accessed such personal information from or through the service provider, to correct or delete the consumer’s personal information, as applicable.
(d) A business shall comply with a verified request submitted by a consumer to access, correct, or delete personal information within 30 days after the date the request is submitted. A business may extend such period by up to 30 days if the business, in good faith, determines that such an extension is reasonably necessary. A business that extends the period shall notify the consumer of the necessity of an extension.
(13) A business shall comply with a consumer’s previous expressed decision to opt out of the sale of his or her personal information without requiring the consumer to take any additional action if:
(a) The business is able to identify the consumer through a login protocol or any other process the business uses to identify consumers and the consumer has previously exercised his or her right to opt out of the sale of his or her personal information; or
(b) The business is aware of the consumer’s desire to opt out of the sale of his or her personal information through the use of a user-enabled global privacy control, such as a browser, browser instruction, plug-in or privacy setting, device setting, application, service, or other mechanism, which communicates or signals the consumer’s choice to opt out.
(14) A business shall make available, in a manner reasonably accessible to consumers whose personal information the business collects through its website or online service, a notice that does all of the following:
(a) Identifies the categories of personal information that the business collects through its website or online service about consumers who use or visit the website or online service and the categories of third parties with whom the business may share such personal information.
(b) Provides a description of the process, if applicable, for a consumer who uses or visits the website or online service to review and request changes to any of his or her personal information that is collected through the website or online service.
(c) Describes the process by which the business notifies consumers who use or visit the website or online service of material changes to the notice.
(d) Discloses whether a third party may collect personal information about a consumer’s online activities over time and across different websites or online services when the consumer uses the business’ website or online service.
(e) States the effective date of the notice.
Section 6. Section 501.176, Florida Statutes, is created to read:
501.176 Exclusions.—
(1) The obligations imposed on a business by this act do not restrict a business’ ability to do any of the following:
(a) Comply with federal, state, or local laws.
(b) Comply with a civil, criminal, or regulatory inquiry or an investigation, a subpoena, or a summons by federal, state, or local authorities.
(c) Cooperate with law enforcement agencies concerning conduct or activity that the business, service provider, or third party reasonably and in good faith believes may violate federal, state, or local law.
(d) Exercise or defend legal claims.
(e) Collect, use, retain, sell, or disclose consumer information that is de-identified or in the aggregate consumer information that relates to a group or category of consumers from which individual consumer identities have been removed.
(f) Collect or sell a consumer’s personal information if every aspect of that commercial conduct takes place wholly outside of this state. For purposes of this act, commercial conduct takes place wholly outside of this state if the business collected that information while the consumer was outside of this state, no part of the sale of the consumer’s personal information occurred in this state, and no personal information collected while the consumer was in this state is sold. This paragraph does not permit a business to store, including on a device, personal information about a consumer when the consumer is in this state and then to collect that personal information when the consumer and stored personal information are outside of this state.
(2) This act does not apply to any of the following:
(a) A business that collects or discloses the personal information of the business’ employees, applicants, interns, or volunteers so long as the business is collecting or disclosing such information within the scope of its role as an employer.
(b) Health information that is collected by a covered entity or business associate governed by the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services in 45 C.F.R. parts 160 and 164.
(c) A covered entity governed by the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services in 45 C.F.R. parts 160 and 164, to the extent the provider or covered entity maintains patient information in the same manner as medical information or protected health information as described in paragraph (b).
(d) Information collected as part of a clinical trial subject to the Federal Policy for the Protection of Human Subjects pursuant to good clinical practice guidelines issued by the International Council for Harmonisation of Technical Requirements for Pharmaceuticals for Human Use or pursuant to human subject protection requirements of the United States Food and Drug Administration.
(e) The sale of personal information to or from a consumer reporting agency if that information is to be reported in or used to generate a consumer report as defined by 15 U.S.C. s. 1681(a), and if the use of that information is limited by the federal Fair Credit Reporting Act, 15 U.S.C. s. 1681 et seq.
(f) Personal information collected, processed, sold, or disclosed pursuant to the federal Gramm-Leach-Bliley Act, 12 U.S.C. s. 24(a) et seq. and implementing regulations.
(g) Personal information collected, processed, sold, or disclosed pursuant to the federal Driver’s Privacy Protection Act of 1994, 18 U.S.C. s. 2721 et seq.;
(h) Education information covered by the federal Family Educational Rights and Privacy Act, 20 U.S.C. s. 1232g and 34 C.F.R. part 99.
(i) Personal information collected, processed, sold, or disclosed in relation to price, route, or service as those terms are used in the federal Airline Deregulation Act, 49 U.S.C. s. 40101 et seq., by entities subject to the federal Airline Deregulation Act, to the extent the provisions of this act are preempted by s. 41713 of the federal Airline Deregulation Act.
(j) Vehicle information or ownership information retained or shared between a new motor vehicle dealer and the vehicle’s manufacturer if the vehicle or ownership information is shared for the purpose of effectuating, or in anticipation of effectuating, a vehicle repair covered by a vehicle warranty or a recall conducted pursuant to 49 U.S.C. s. 30118-30120, provided that the new motor vehicle dealer or vehicle manufacturer with which that vehicle information or ownership information is shared does not sell, share, or use that information for any other purpose. As used in this paragraph, the term “vehicle information” means the vehicle information number, make, model, year, and odometer reading, and the term “ownership information” means the name or names of the registered owner or owners and the contact information for the owner or owners.
(3) If a request from a consumer is manifestly unfounded or excessive, in particular because of the request’s repetitive character, a business may either charge a reasonable fee, taking into account the administrative costs of providing the information or communication or taking the action requested, or refuse to act on the request and notify the consumer of the reason for refusing the request. The business bears the burden of demonstrating that any verified consumer request is manifestly unfounded or excessive.
(4) A business that discloses personal information to a service provider is not liable under this act if the service provider receiving the personal information uses it in violation of the restrictions set forth in the act, provided that, at the time of disclosing the personal information, the business does not have actual knowledge, or reason to believe, that the service provider intends to commit such a violation. A service provider is likewise not liable under this act for the obligations of a business for which it provides services as set forth in this act.
(5) This act may not be construed to require a business to reidentify or otherwise link information that is not maintained in a manner that would be considered personal information; retain any personal information about a consumer if, in the ordinary course of business, that information would not be retained; maintain information in identifiable, linkable, or associable form; or collect, obtain, retain, or access any data or technology in order to be capable of linking or associating a verifiable consumer request with personal information.
(6) The rights afforded to consumers and the obligations imposed on a business in this act may not adversely affect the rights and freedoms of other consumers. Notwithstanding s. 501.175(7), a verified request for specific items of personal information, to delete a consumer’s personal information, or to correct inaccurate personal information does not extend to personal information about the consumer which belongs to, or which the business maintains on behalf of, another natural person.
Section 7. Section 501.177, Florida Statutes, is created to read:
501.177 Civil actions; private right of action; attorney general; rules.—
(1) If any business violates any provision of this act, the consumer may initiate a civil action for any of the following:
(a) Recovery of damages of at least $100 and not more than $750 per consumer per incident or actual damages, whichever is greater.
(b) Injunctive or declaratory relief.
(c) Reasonable costs of enforcement, including a reasonable attorney fee and costs.
(d) Any other relief deemed appropriate by the court.
(2) In assessing the amount of statutory damages, the court shall consider any one or more of the relevant circumstances presented by any of the parties to the case, including, but not limited to, the nature and seriousness of the misconduct, the number of violations, the persistence of the misconduct, the length of time over which the misconduct occurred, the willfulness of the defendant’s misconduct, and the defendant’s assets, liabilities, and net worth.
(3)(a) The Department of Legal Affairs shall adopt rules to enforce this act. If the department has reason to believe that a business, directly or indirectly, has violated or is violating this section, the department may institute an appropriate legal proceeding against the business.
(b) The trial court, upon a showing that any business, directly or indirectly, has violated or is violating this act, may take any of the following actions:
1. Issue a temporary or permanent injunction.
2. Impose a civil penalty not to exceed $5,000 for each violation. If the violation involves a consumer who was 16 years of age or younger at the time of the violation, the court may triple the civil penalty.
3. Award reasonable costs of enforcement, including a reasonable attorney fee and costs.
4. Grant such other relief as the court may deem appropriate.
Section 8. This act shall take effect January 1, 2022.