Florida Senate - 2021 CS for CS for SB 1734
By the Committees on Rules; and Commerce and Tourism; and
Senator Bradley
595-03818-21 20211734c2
1 A bill to be entitled
2 An act relating to consumer data privacy; creating s.
3 501.172, F.S.; providing a short title; creating s.
4 501.173, F.S.; providing a purpose; creating s.
5 501.174, F.S.; defining terms; creating s. 501.1745,
6 F.S.; requiring certain businesses that collect
7 consumer personal information to provide certain
8 information to the consumer; requiring such
9 collection, use, retention, and sharing of such
10 information to meet certain requirements; requiring
11 such businesses to implement reasonable security
12 procedures and practices; requiring such businesses to
13 enter into an agreement with service providers under
14 certain circumstances; prohibiting a business from
15 processing certain sensitive consumer data under
16 certain circumstances; creating s. 501.175, F.S.;
17 providing that consumers have the right to direct
18 certain businesses not to sell their personal
19 information; providing construction; requiring such
20 businesses to notify consumers of such right;
21 requiring businesses to comply with such a request
22 under certain circumstances; prohibiting businesses
23 from selling the personal information of consumers
24 younger than a specified age without express
25 authorization from the consumer or the consumer’s
26 parent or guardian under certain circumstances;
27 providing that a business that willfully disregards a
28 consumer’s age is deemed to have actual knowledge of
29 the consumer’s age; requiring certain businesses to
30 provide a specified link on their home page for
31 consumers to opt out; providing requirements for
32 businesses to comply with a consumer’s opt-out
33 request; providing that consumers have the right to
34 submit a verified request for businesses to delete or
35 correct personal information the businesses have
36 collected about the consumers; providing construction;
37 providing that consumers may authorize other persons
38 to opt out of the sale of the consumer’s personal
39 information on the consumer’s behalf; requiring
40 businesses to establish designated addresses through
41 which consumers may submit verified requests;
42 specifying requirements for consumers’ verified
43 requests and businesses’ responses; requiring
44 businesses to comply with previous consumer requests
45 without requiring additional information from the
46 consumer, under certain circumstances; requiring
47 businesses to provide certain notices to consumers;
48 authorizing businesses to charge consumers a
49 reasonable fee for manifestly unfounded or excessive
50 requests, or to refuse to complete a request under
51 certain circumstances; providing that business and
52 service providers are not liable for certain actions;
53 providing that a consumer’s rights and the obligations
54 of a business may not adversely affect the rights and
55 freedoms of other consumers; creating s. 501.176,
56 F.S.; providing applicability; providing exceptions;
57 creating s. 501.177, F.S.; authorizing the Department
58 of Legal Affairs to adopt rules and to bring
59 appropriate legal proceedings for violations under
60 certain circumstances; providing that businesses must
61 have a specified timeframe to cure any violations;
62 providing civil remedies; providing civil penalties
63 for unintentional and intentional violations;
64 providing enhanced penalties for certain violations;
65 providing an effective date.
66
67 Be It Enacted by the Legislature of the State of Florida:
68
69 Section 1. Section 501.172, Florida Statutes, is created to
70 read:
71 501.172 Short title.—This act may be cited as the “Florida
72 Privacy Protection Act.”
73 Section 2. Section 501.173, Florida Statutes, is created to
74 read:
75 501.173 Purpose.—This act shall be construed liberally in
76 recognition that privacy is an important right, and consumers in
77 this state should have the ability to share their personal
78 information as they wish, in a way that is safe and that they
79 understand and control.
80 Section 3. Section 501.174, Florida Statutes, is created to
81 read:
82 501.174 Definitions.—As used in ss. 501.172-501.177, unless
83 the context otherwise requires, the term:
84 (1) “Advertising and marketing” means a communication by a
85 business or a person acting on behalf of the business through
86 any medium intended to induce a consumer to obtain goods,
87 services, or employment.
88 (2) “Aggregate consumer information” means information that
89 relates to a group or category of consumers, from which
90 individual consumer identities have been removed, which is not
91 linked or reasonably linkable to any consumer or household,
92 including through a device. The term does not include one or
93 more individual consumer records that have been de-identified.
94 (3) “Biometric information” means an individual’s
95 physiological, biological, or behavioral characteristics,
96 including an individual’s deoxyribonucleic acid (DNA), which can
97 be used, singly or in combination with each other or with other
98 identifying data, to establish individual identity. The term
99 includes, but is not limited to, imagery of the iris, retina,
100 fingerprint, face, hand, or palm; vein patterns; voice
101 recordings from which an identifier template, such as a
102 faceprint, a minutiae template, or a voice print, can be
103 extracted; keystroke patterns or rhythms; gait patterns or
104 rhythms; and sleep, health, or exercise data that contain
105 identifying information.
106 (4) “Business” means:
107 (a) A sole proprietorship, a partnership, a limited
108 liability company, a corporation, or an association or any other
109 legal entity that meets the following requirements:
110 1. Is organized or operated for the profit or financial
111 benefit of its shareholders or owners;
112 2. Does business in this state;
113 3. Collects personal information about consumers, or is the
114 entity on behalf of which such information is collected;
115 4. Determines the purposes and means of processing personal
116 information about consumers, alone or jointly with others; and
117 5. Satisfies either of the following thresholds:
118 a. Annually buys, sells, or shares the personal information
119 of 100,000 or more consumers, households, or devices.
120 b. Derives 50 percent or more of its global annual revenues
121 from selling or sharing personal information about consumers.
122 (b) An entity that controls or is controlled by a business
123 and that shares common branding with the business. As used in
124 this paragraph, the term:
125 1. “Common branding” means a shared name, service mark, or
126 trademark that the average consumer would understand to mean
127 that two or more entities are commonly owned.
128 2. “Control” means:
129 a. Ownership of, or the power to vote, more than 50 percent
130 of the outstanding shares of any class of voting security of a
131 business;
132 b. Control in any manner over the election of a majority of
133 the directors, or of individuals exercising similar functions;
134 or
135 c. The power to exercise a controlling influence over the
136 management of a company.
137 (c) A joint venture or partnership composed of businesses
138 in which each business has at least a 40 percent interest. For
139 the purposes of this act, the joint venture or partnership, and
140 each business that comprises the joint venture or partnership,
141 must be considered a separate, single business, except that
142 personal information in the possession of each business and
143 disclosed to the joint venture or partnership may not be shared
144 with the other business. A joint venture does not include a
145 third party that operates, hosts, or manages a website or an
146 online service on behalf of a business or processes information
147 on behalf of a business.
148 (5) “Business purpose” means the use of personal
149 information for the business’ operational or other notice-given
150 purposes or for the service provider’s operational purposes,
151 provided that the use of the personal information is reasonably
152 necessary to achieve, and proportionate to the benefit of
153 achieving, the purpose for which the personal information was
154 collected or processed or for another purpose that is compatible
155 with the context in which the personal information was
156 collected. The term includes all of the following:
157 (a) Auditing related to counting ad impressions of unique
158 visitors and verifying positioning and the quality of ad
159 impressions, and auditing compliance with this specification and
160 other standards.
161 (b) Helping to ensure security and integrity to the extent
162 that the use of the consumer’s personal information is
163 reasonably necessary for these purposes and proportionate to the
164 benefit of its use for these purposes.
165 (c) Debugging to identify and repair errors that impair
166 existing intended functionality.
167 (d) Short-term, transient use, including, but not limited
168 to, nonpersonalized advertising shown as part of a consumer’s
169 current interaction with the business, provided that the
170 consumer’s personal information is not disclosed to a third
171 party and is not used to build a profile of the consumer or to
172 otherwise alter the consumer’s experience outside his or her
173 current interaction with the business.
174 (e) Performing services on behalf of the business,
175 including maintaining or servicing accounts, providing customer
176 service, processing or fulfilling orders and transactions,
177 verifying customer information, processing payments, or
178 providing financing, analytic services, storage, or similar
179 services on behalf of the business.
180 (f) Providing advertising and marketing services, not
181 including targeted advertising, to the consumer provided that,
182 for the purpose of advertising and marketing, a service provider
183 may not combine the personal information of consumers who opt
184 out which the service provider receives from, or on behalf of,
185 the business with personal information that the service provider
186 receives from, or on behalf of, another person or persons or
187 collects from its own interaction with consumers.
188 (g) Undertaking internal research for technological
189 development and demonstration.
190 (h) Undertaking activities to verify or maintain the
191 quality or safety of a service or device that is owned,
192 manufactured, manufactured for, or controlled by the business,
193 and to improve, upgrade, or enhance the service or device that
194 is owned, manufactured, manufactured for, or controlled by the
195 business.
196 (6) “Categories” or “category” means the items of personal
197 identifying information specified as being included as personal
198 information under subsection (18).
199 (7) “Collects,” “collected,” or “collection” means buying,
200 renting, gathering, obtaining, receiving, or accessing by any
201 means any personal information pertaining to a consumer. The
202 term includes receiving information from the consumer, either
203 actively or passively, or by observing the consumer’s behavior.
204 (8) “Commercial purposes” means to advance a person’s
205 commercial or economic interests, such as by inducing another
206 person to buy, rent, lease, join, subscribe to, provide, or
207 exchange products, goods, property, information, or services or
208 enabling or effecting, directly or indirectly, a commercial
209 transaction. The term does not include engaging in speech that
210 state or federal courts have recognized as noncommercial speech,
211 including political speech and journalism.
212 (9) “Consumer” means a natural person, however identified,
213 including identification by a unique identifier, who is in this
214 state for other than a temporary or transitory purpose. The term
215 does not include any other natural person who is a nonresident.
216 (10) “De-identified” means information:
217 (a) That cannot reasonably identify, relate to, describe,
218 be associated with, or be linked directly or indirectly to a
219 particular consumer or device;
220 (b) Containing data that the business has taken reasonable
221 measures to ensure could not be reidentified;
222 (c) Containing data that the business publicly commits to
223 maintain and use in a de-identified fashion and that it does not
224 attempt to reidentify; and
225 (d) Containing data that the business contractually
226 prohibits downstream recipients from attempting to reidentify.
227 (11) “Designated request address” means an electronic mail
228 address, a toll-free telephone number, or a website established
229 by a business through which a consumer may submit a verified
230 request to the business.
231 (12) “Device” means a physical object capable of directly
232 or indirectly connecting to the Internet.
233 (13) “Home page” means the introductory page of an Internet
234 website and any Internet web page where personal information is
235 collected. In the case of an online service, such as a mobile
236 application, the term means the application’s platform page or
237 download page; a link within the application, such as from the
238 application configuration, “about,” “information,” or settings
239 page; and any other location that allows consumers to review the
240 notices required by this act, at any time, including, but not
241 limited to, before downloading the application.
242 (14) “Household” means a person or group of persons living
243 together or sharing living quarters who are or are not related.
244 (15) “Intentional interaction” or “intentionally
245 interacting” means the consumer intends to interact with or
246 disclose personal information to a person through one or more
247 deliberate interactions, including visiting the person’s website
248 or purchasing a good or service from the person. The term does
249 not include hovering over, muting, pausing, or closing a given
250 piece of content.
251 (16) “Nonpersonalized advertising” means advertising and
252 marketing that is based solely on a consumer’s personal
253 information derived from the consumer’s current interaction with
254 the business, with the exception of the consumer’s precise
255 geolocation.
256 (17) “Person” means an individual, a proprietorship, a
257 firm, a partnership, a joint venture, a syndicate, a business
258 trust, a company, a corporation, a limited liability company, an
259 association, a committee, and any other organization or group of
260 persons acting in concert.
261 (18) “Personal information” means information that
262 identifies, relates to, describes, is reasonably capable of
263 being associated with, or could reasonably be linked, directly
264 or indirectly, with a particular consumer or household.
265 (a) The term includes, but is not limited to, all of the
266 following items of personal identifying information about a
267 consumer collected and maintained by a person or business:
268 1. A first and last name.
269 2. A home or other physical address that includes the name
270 of a street and the name of a city or town.
271 3. An electronic mail address.
272 4. A telephone number.
273 5. A social security number.
274 6. An identifier such as an alias, a unique personal
275 identifier, an online identifier, an Internet protocol address,
276 an account name, a driver license number, a passport number, or
277 other similar identifiers.
278 7. Biometric information, such as DNA or fingerprints or
279 any other biometric information collected by a business about a
280 consumer without the consumer’s knowledge.
281 8. Internet or other electronic network activity
282 information, including, but not limited to, browsing history,
283 search history, and information regarding a consumer’s
284 interaction with a website, an application, or an advertisement.
285 9. Audio, electronic, visual, thermal, olfactory,
286 geolocation, or similar information.
287 10. Professional or employment-related information.
288 11. Education information, defined as only information that
289 is not publicly available.
290 12. Inferences drawn from any information specified in this
291 paragraph which can create a profile about a consumer reflecting
292 the consumer’s preferences, characteristics, psychological
293 trends, predispositions, behavior, attitudes, intelligence,
294 abilities, and aptitudes.
295 13. Any other information that may serve as a probabilistic
296 identifier concerning a consumer which is collected from the
297 consumer through a website, an online service, or some other
298 means by the business and maintained by the business in
299 combination with an identifier in a form that, when used
300 together with the information, identifies the consumer.
301 14. Characteristics of protected classifications under
302 state or federal law.
303 15. Commercial information, including records of personal
304 property; products or services purchased, obtained, or
305 considered; or other purchasing or consuming histories or
306 tendencies.
307 16. Geolocation data.
308 (b) The term does not include:
309 1. Information about a consumer obtained from public
310 records, including information that is lawfully made available
311 from federal, state, or local governmental records; information
312 that a business has a reasonable basis to believe is lawfully
313 made available to the general public by the consumer or from
314 widely distributed media; or lawfully obtained, truthful
315 information that is a matter of public concern.
316 2. Consumer information that is de-identified or aggregate
317 consumer information that relates to a group or category of
318 consumers from which individual consumer identities have been
319 removed.
320 (19) “Probabilistic identifier” means the identification of
321 a consumer or a device to a degree of certainty more probable
322 than not, based on any categories of personal information
323 included in or similar to the items of personal identifying
324 information specified in subsection (18).
325 (20) “Processing” means any operation or set of operations
326 performed on personal information or on sets of personal
327 information, whether or not by automated means.
328 (21) “Profiling” means any form of automated processing
329 performed on personal data to evaluate, analyze, or predict
330 personal aspects related to an identified or identifiable
331 natural person’s economic situation, health, personal
332 preferences, interests, reliability, behavior, location, or
333 movements.
334 (22) “Security and integrity” means the ability of a:
335 (a) Network or information system to detect security
336 incidents that compromise the availability, authenticity,
337 integrity, and confidentiality of stored or transmitted personal
338 information.
339 (b) Business to detect security incidents; to resist
340 malicious, deceptive, fraudulent, or illegal actions; and to
341 help prosecute those responsible for such actions.
342 (c) Business to ensure the physical safety of natural
343 persons.
344 (23) “Sell” means to sell, rent, release, disclose,
345 disseminate, make available, transfer, or otherwise communicate
346 orally, in writing, or by electronic or other means a consumer’s
347 personal information by a business to another business or a
348 third party for monetary or other valuable consideration. The
349 term does not include:
350 (a) The disclosure by a business, for a business purpose,
351 of a consumer’s personal information to another business or
352 third-party entity that processes the information for the
353 business; or
354 (b) The disclosure by a business, for the purpose of
355 providing a product or service requested or approved by a
356 consumer, of the consumer’s personal information to another
357 business or third-party entity.
358 (24) “Service provider” means a person who processes
359 personal information on behalf of a business to whom the
360 business discloses a consumer’s personal information for a
361 business purpose pursuant to a written or electronic contract if
362 the contract prohibits the person from:
363 (a) Selling the information;
364 (b) Retaining, using, or disclosing the personal
365 information for any purpose other than the business purposes
366 specified in the contract, including a prohibition on retaining,
367 using, or disclosing the personal information for a commercial
368 purpose other than the business purposes specified in the
369 contract with the business;
370 (c) Combining the personal information that the service
371 provider receives from or on behalf of the business with
372 personal information that the service provider receives from or
373 on behalf of another person or persons or collects from its own
374 interaction with consumers, provided that the service provider
375 may combine personal information to perform a business purpose;
376 and
377 (d) Retaining, using, or disclosing the information outside
378 of the direct business relationship between the service provider
379 and the business.
380 (25) “Targeted advertising” means displaying an
381 advertisement to a consumer when the advertisement is selected
382 based on personal data obtained from a consumer’s activities
383 over time and across businesses, websites, or online
384 applications other than the business, website, or online
385 application with which the consumer is intentionally
386 interacting, to predict such consumer’s preferences or
387 interests. The term does not include nonpersonalized
388 advertising.
389 (26) “Third party” means a person who is not any of the
390 following:
391 (a) The business with which the consumer intentionally
392 interacts which collects personal information from the consumer
393 as part of the consumer’s current interaction with the business.
394 (b) A service provider to the business.
395 (27) “Unique identifier” or “unique personal identifier”
396 means a persistent identifier that can be used to recognize a
397 consumer, a family, or a device linked to a consumer or family
398 over time and across different services, including, but not
399 limited to, a device identifier; an Internet protocol address;
400 cookies, beacons, pixel tags, mobile ad identifiers, or similar
401 technology; a customer number, unique pseudonym, or user alias;
402 telephone numbers; or other forms of persistent or probabilistic
403 identifiers that can be used to identify a particular consumer
404 or device that is linked to a consumer or family. For purposes
405 of this subsection, the term “family” means a custodial parent
406 or guardian and any minor children of which the parent or
407 guardian has custody.
408 (28) “Verified request” means a request submitted by a
409 consumer, by a consumer on behalf of the consumer’s minor child,
410 or by a natural person or a person registered with the Secretary
411 of State, who is authorized by the consumer to act on the
412 consumer’s behalf, to a business for which the business can
413 reasonably verify the authenticity of the request.
414 Section 4. Section 501.1745, Florida Statutes, is created
415 to read:
416 501.1745 General duties of businesses that collect personal
417 information.—
418 (1)(a) A business that controls the collection of a
419 consumer’s personal information that will be used for any
420 purpose other than a business purpose, at or before the point of
421 collection, shall inform consumers of all of the following:
422 1. The purposes for which each category of personal
423 information is collected or used and whether that information is
424 sold. A business may not collect additional categories of
425 personal information, or use collected personal information for
426 additional purposes that are incompatible with the disclosed
427 purpose for which the personal information was collected,
428 without providing the consumer with notice consistent with this
429 section.
430 2. The length of time the business intends to retain each
431 category of personal information or, if that is not possible,
432 the criteria used to determine such period, provided that a
433 business may not retain a consumer’s personal information for
434 each disclosed purpose for which the personal information was
435 collected for longer than is reasonably necessary for that
436 disclosed purpose.
437 (b) A business that collects personal information about,
438 but not directly from, consumers may provide the required
439 information on its Internet home page or in its online privacy
440 policy.
441 (2) A business’ collection, use, retention, and sharing of
442 a consumer’s personal information must be reasonably necessary
443 to achieve, and proportionate to the benefit of achieving, the
444 purposes for which the personal information was collected or
445 processed, and such information may not be further processed in
446 a manner that is incompatible with those purposes.
447 (3) A business that collects a consumer’s personal
448 information shall implement reasonable security procedures and
449 practices appropriate to the nature of the personal information
450 to protect the personal information from unauthorized or illegal
451 access, destruction, use, modification, or disclosure.
452 (4) A business that collects a consumer’s personal
453 information and discloses it to a service provider for a
454 business purpose shall enter into an agreement with such service
455 provider which obligates the service provider to comply with
456 applicable obligations under this act and to provide the same
457 level of privacy protection as is required by this act. If a
458 service provider engages any other person to assist it in
459 processing personal information for a business purpose on behalf
460 of the business, or if any other person engaged by the service
461 provider engages another person to assist in processing personal
462 information for that business purpose, the provider or person
463 must notify the business of that engagement, and the engagement
464 must be pursuant to a written contract that includes the
465 prohibitions described in s. 501.174(24) and a certification
466 made by the person receiving the personal information that he or
467 she understands the restrictions under this act and will comply
468 with them.
469 (5) A business may not process sensitive data concerning a
470 consumer without obtaining the consumer’s consent or, in the
471 case of the processing of sensitive data concerning a known
472 child, without processing such data in accordance with the
473 federal Children’s Online Privacy Protection Act, 15 U.S.C. s.
474 6501 et seq.
475 Section 5. Section 501.175, Florida Statutes, is created to
476 read:
477 501.175 Use of personal information; third parties; other
478 rights.—
479 (1)(a) A consumer has the right, at any time, to direct a
480 business that sells personal information about the consumer not
481 to sell the consumer’s personal information. This right may be
482 referred to as the right to opt out of the sale.
483 (b) As part of the right to opt out of the sale of his or
484 her personal information, a consumer has the right, at any time,
485 to opt out of the processing of the consumer’s personal data for
486 purposes of targeted advertising or profiling. However, this
487 paragraph may not be construed to prohibit the business that
488 collected the consumer’s personal information from:
489 1. Offering a different price, rate, level, quality, or
490 selection of goods or services to a consumer, including offering
491 goods or services for no fee, if the consumer has opted out of
492 targeted advertising or the sale of his or her personal
493 information; or
494 2. Offering a loyalty, reward, premium feature, discount,
495 or club card program.
496 (c) A business that charges or offers a different price,
497 rate, level, quality, or selection of goods or services to a
498 consumer who has opted out of targeted advertising or the sale
499 of his or her personal information, or that offers goods or
500 services for no fee, shall ensure that such charge or offer is:
501 1. Reasonably related to the value provided to the business
502 by the consumer’s data; and
503 2. Not unjust, unreasonable, coercive, or usurious.
504 (2) A business that sells consumers’ personal information
505 shall provide notice to consumers that the information may be
506 sold and that consumers have the right to opt out of the sale of
507 their personal information.
508 (3) A business that sells consumer information and that has
509 received direction from a consumer not to sell the consumer’s
510 personal information or, in the case of a minor consumer’s
511 personal information, has not received consent to sell the minor
512 consumer’s personal information, is prohibited from selling the
513 consumer’s personal information after the business receives the
514 consumer’s direction, unless the consumer subsequently provides
515 express authorization for the sale of the consumer’s personal
516 information. A business that is able to authenticate the
517 consumer, for example, by the consumer logging in, or that uses
518 some other unique identifier for the consumer, must comply with
519 any privacy preferences the consumer previously directed. The
520 business may not require the consumer to declare privacy
521 preferences every time the consumer visits the business’ website
522 or uses the business’ online services.
523 (4)(a) Notwithstanding subsection (1), a business may not
524 sell the personal information of consumers if the business has
525 actual knowledge that the consumer is younger than 16 years of
526 age, unless:
527 1. The consumer, in the case of consumers between 13 and 16
528 years of age, has affirmatively authorized the sale of the
529 consumer’s personal information; or
530 2. The consumer’s parent or guardian, in the case of
531 consumers who are younger than 13 years of age, has
532 affirmatively authorized the sale of the consumer’s personal
533 information.
534 (b) This right may be referred to as the right to opt in.
535 (c) A business that willfully disregards the consumer’s age
536 is deemed to have actual knowledge of the consumer’s age.
537 (d) A business that complies with the verifiable parental
538 consent requirements of the Children’s Online Privacy Protection
539 Act, 15 U.S.C. s. 6501 et seq., shall be deemed compliant with
540 any obligation to obtain parental consent.
541 (5) A business that is required to comply with this section
542 shall, in a form that is reasonably accessible to consumers, do
543 all of the following:
544 (a) Provide a clear and conspicuous link on the business’
545 Internet home page, titled “Do Not Sell My Personal
546 Information,” to a web page that enables a consumer or a person
547 authorized by the consumer to opt out of the sale of the
548 consumer’s personal information. A business may not require a
549 consumer to create an account in order to direct the business
550 not to sell the consumer’s information.
551 (b) Ensure that all individuals responsible for handling
552 consumer inquiries about the business’ privacy practices or the
553 business’ compliance with this section are informed of all
554 requirements of this section and how to direct consumers to
555 exercise their rights.
556 (c) For consumers who exercise their right to opt out of
557 the sale of their personal information, refrain from selling
558 personal information the business collected about the consumer
559 as soon as reasonably possible but no longer than 2 business
560 days after receiving the request to opt out.
561 (d) For consumers who have opted out of the sale of their
562 personal information, respect the consumer’s decision to opt out
563 for at least 12 months before requesting that the consumer
564 authorize the sale of the consumer’s personal information.
565 (e) Use any personal information collected from the
566 consumer in connection with the submission of the consumer’s
567 opt-out request solely for the purposes of complying with the
568 opt-out request.
569 (f) Ensure that consumers have the right to submit a
570 verified request for certain information from a business,
571 including the categories of sources from which the consumer’s
572 personal information was collected, the specific items of
573 personal information it has collected about the consumer, and
574 the categories of any third parties to whom the personal
575 information was sold.
576 (6) Consumers have the right to submit a verified request
577 that personal information that has been collected from the
578 consumer be deleted. A business shall notify a third party to
579 delete any consumer information bought or sold.
580 (7) A business, or a service provider acting pursuant to
581 its contract with the business or another service provider, is
582 not required to comply with a consumer’s verified request to
583 delete the consumer’s personal information if it is necessary
584 for the business or service provider to maintain the consumer’s
585 personal information in order to do any of the following:
586 (a) Complete the transaction for which the personal
587 information was collected, fulfill the terms of a written
588 warranty or product recall conducted in accordance with federal
589 law, provide a good or service requested by the consumer, or
590 otherwise perform a contract between the business and the
591 consumer.
592 (b) Help to ensure security and integrity to the extent
593 that the use of the consumer’s personal information is
594 reasonably necessary and proportionate for those purposes.
595 (c) Debug to identify and repair errors that impair
596 existing intended functionality.
597 (d) Exercise free speech, ensure the right of another
598 consumer to exercise that consumer’s right of free speech, or
599 exercise another right provided for by law.
600 (e) Engage in public or peer-reviewed scientific,
601 historical, or statistical research that conforms or adheres to
602 all other applicable ethics and privacy laws, when the business’
603 deletion of the information is likely to render impossible or
604 seriously impair the ability to complete such research, if the
605 consumer has provided informed consent.
606 (f) Comply with a legal obligation.
607 (8) Consumers have the right to submit a verified request
608 for correction of their personal information held by a business
609 if that information is inaccurate.
610 (9) This section may not be construed to require a business
611 to comply by doing any of the following:
612 (a) Including any required links and text on the home page
613 that the business makes available to the public generally, if:
614 1. The business maintains a separate and additional home
615 page that is dedicated to consumers in this state and includes
616 the required links and text; and
617 2. The business takes reasonable steps to ensure that
618 consumers in this state are directed to the home page for
619 consumers in this state and not the home page made available to
620 the public generally.
621 (b) Reidentifying or otherwise linking information that is
622 not maintained in a manner that would be considered personal
623 information; retaining any personal information about a consumer
624 if, in the ordinary course of business, that information would
625 not be retained; maintaining information in identifiable,
626 linkable, or associable form; or collecting, obtaining,
627 retaining, or accessing any data or technology in order to be
628 capable of linking or associating a verifiable consumer request
629 with personal information.
630 (10) A consumer may authorize another person to opt out of
631 the sale of the consumer’s personal information. A business
632 shall comply with an opt-out request received from a person
633 authorized by the consumer to act on the consumer’s behalf,
634 including a request received through a user-enabled global
635 privacy control, such as a browser plug-in or privacy setting,
636 device setting, or other mechanism, which communicates or
637 signals the consumer’s choice to opt out, and may not require a
638 consumer to make a verified request to opt out of the sale of
639 his or her information.
640 (11) Each business shall establish a designated request
641 address through which a consumer may submit a request to
642 exercise his or her rights under this act.
643 (12)(a) A business that receives a verified request:
644 1. For a consumer’s personal information shall disclose to
645 the consumer any personal information about the consumer which
646 it has collected since July 1, 2022, directly or indirectly,
647 including through or by a service provider.
648 2. To correct a consumer’s inaccurate personal information
649 shall correct the inaccurate personal information.
650 3. To delete a consumer’s personal information shall delete
651 such personal information.
652 (b) A service provider is not required to personally comply
653 with a verified request received directly from a consumer or a
654 consumer’s authorized agent to the extent that the service
655 provider has collected personal information about the consumer
656 in its role as a service provider. A service provider shall
657 provide assistance to a business with which it has a contractual
658 relationship with respect to the business’ response to a
659 verifiable consumer request, including, but not limited to, by
660 providing to the business the consumer’s personal information in
661 the service provider’s possession which the service provider
662 obtained as a result of providing services to the business.
663 (c) At the direction of the business, a service provider
664 shall correct inaccurate personal information or delete personal
665 information, or enable the business to do the same, and shall
666 direct any service providers who may have accessed such personal
667 information from or through the service provider to correct or
668 delete the consumer’s personal information, as applicable.
669 (d) A business shall comply with a verified request
670 submitted by a consumer to access, correct, or delete personal
671 information within 30 days after the date the request is
672 submitted. A business may extend such period by up to 30 days if
673 the business, in good faith, determines that such an extension
674 is reasonably necessary. A business that extends the period
675 shall notify the consumer of the necessity of an extension.
676 (13) A business shall comply with a consumer’s previous
677 expressed decision to opt out of the sale of his or her personal
678 information without requiring the consumer to take any
679 additional action if:
680 (a) The business is able to identify the consumer through a
681 login protocol or any other process the business uses to
682 identify consumers and the consumer has previously exercised his
683 or her right to opt out of the sale of his or her personal
684 information; or
685 (b) The business is aware of the consumer’s desire to opt
686 out of the sale of his or her personal information through the
687 use of a user-enabled global privacy control, such as a browser,
688 browser instruction, plug-in or privacy setting, device setting,
689 application, service, or other mechanism, which communicates or
690 signals the consumer’s choice to opt out.
691 (14) A business shall make available, in a manner
692 reasonably accessible to consumers whose personal information
693 the business collects through its website or online service, a
694 notice that does all of the following:
695 (a) Identifies the categories of personal information that
696 the business collects through its website or online service
697 about consumers who use or visit the website or online service
698 and the categories of third parties with whom the business may
699 share such personal information.
700 (b) Provides a description of the process, if applicable,
701 for a consumer who uses or visits the website or online service
702 to review and request changes to any of his or her personal
703 information that is collected through the website or online
704 service.
705 (c) Describes the process by which the business notifies
706 consumers who use or visit the website or online service of
707 material changes to the notice.
708 (d) Discloses whether a third party may collect personal
709 information about a consumer’s online activities over time and
710 across different websites or online services when the consumer
711 uses the business’ website or online service.
712 (e) States the effective date of the notice.
713 (15) If a request from a consumer is manifestly unfounded
714 or excessive, in particular because of the request’s repetitive
715 character, a business may either charge a reasonable fee, taking
716 into account the administrative costs of providing the
717 information or communication or taking the action requested, or
718 refuse to act on the request and notify the consumer of the
719 reason for refusing the request. The business bears the burden
720 of demonstrating that any verified consumer request is
721 manifestly unfounded or excessive.
722 (16) A business that discloses personal information to a
723 service provider is not liable under this act if the service
724 provider receiving the personal information uses it in violation
725 of the restrictions set forth in the act, provided that, at the
726 time of disclosing the personal information, the business does
727 not have actual knowledge, or reason to believe, that the
728 service provider intends to commit such a violation. A service
729 provider is likewise not liable under this act for the
730 obligations of a business for which it provides services as set
731 forth in this act.
732 (17) The rights afforded to consumers and the obligations
733 imposed on a business in this act may not adversely affect the
734 rights and freedoms of other consumers. Notwithstanding
735 subsection (7), a verified request for specific items of
736 personal information, to delete a consumer’s personal
737 information, or to correct inaccurate personal information does
738 not extend to personal information about the consumer which
739 belongs to, or which the business maintains on behalf of,
740 another natural person.
741 Section 6. Section 501.176, Florida Statutes, is created to
742 read:
743 501.176 Scope; exclusions.—
744 (1) The obligations imposed on a business by this act do
745 not restrict a business’ ability to do any of the following:
746 (a) Comply with federal, state, or local laws.
747 (b) Comply with a civil, criminal, or regulatory inquiry or
748 an investigation, a subpoena, or a summons by federal, state, or
749 local authorities.
750 (c) Cooperate with law enforcement agencies concerning
751 conduct or activity that the business, service provider, or
752 third party reasonably and in good faith believes may violate
753 federal, state, or local law.
754 (d) Exercise or defend legal claims.
755 (e) Collect, use, retain, sell, or disclose consumer
756 information that is de-identified or in the aggregate consumer
757 information that relates to a group or category of consumers
758 from which individual consumer identities have been removed.
759 (f) Collect or sell a consumer’s personal information if
760 every aspect of that commercial conduct takes place wholly
761 outside of this state. For purposes of this act, commercial
762 conduct takes place wholly outside of this state if the business
763 collected that information while the consumer was outside of
764 this state, no part of the sale of the consumer’s personal
765 information occurred in this state, and no personal information
766 collected while the consumer was in this state is sold. This
767 paragraph does not permit a business to store, including on a
768 device, personal information about a consumer when the consumer
769 is in this state and then to collect that personal information
770 when the consumer and stored personal information are outside of
771 this state.
772 (2) This act does not apply to any of the following:
773 (a) A business that collects or discloses the personal
774 information of its employees, owners, directors, officers, job
775 applicants, interns, or volunteers, so long as the business is
776 collecting or disclosing such information only to the extent
777 reasonable and necessary within the scope of the role the
778 business has in relation to each class of listed individuals.
779 (b) A business, service provider, or third party that
780 collects the personal information of an individual:
781 1. Who applies to, is or was previously employed by, or
782 acts as an agent of the business, service provider, or third
783 party, to the extent that the personal information is collected
784 and used in a manner related to or arising from the individual’s
785 employment status; or
786 2. To administer benefits for another individual and the
787 personal information is used to administer those benefits.
788 (c) A business that enters into a contract with an
789 independent contractor and collects or discloses personal
790 information about the contractor reasonably necessary to either
791 enter into or to fulfill the contract when the contracted
792 services would not defeat the purposes of this act.
793 (d) Protected health information for purposes of the
794 federal Health Insurance Portability and Accountability Act of
795 1996 and related regulations, and patient identifying
796 information for purposes of 42 C.F.R. part 2, established
797 pursuant to 42 U.S.C. s. 290dd-2.
798 (e) A covered entity or business associate governed by the
799 privacy, security, and breach notification rules issued by the
800 United States Department of Health and Human Services in 45
801 C.F.R. parts 160 and 164, or a program or a qualified service
802 program defined in 42 C.F.R. part 2, to the extent the covered
803 entity, business associate, or program maintains personal
804 information in the same manner as medical information or
805 protected health information as described in paragraph (d).
806 (f) Identifiable private information collected for purposes
807 of research as defined in 45 C.F.R. s. 164.501 conducted in
808 accordance with the Federal Policy for the Protection of Human
809 Subjects for purposes of 45 C.F.R. part 46, the good clinical
810 practice guidelines issued by the International Council for
811 Harmonisation of Technical Requirements for Pharmaceuticals for
812 Human Use, or the Protection for Human Subjects for purposes of
813 21 C.F.R. parts 50 and 56; or personal information used or
814 shared in research conducted in accordance with one or more of
815 these standards.
816 (g) Information and documents created for purposes of the
817 federal Health Care Quality Improvement Act of 1986 and related
818 regulations, or patient safety work product for purposes of 42
819 C.F.R. part 3, established pursuant to 42 U.S.C. s. 299b-21
820 through 299b-26.
821 (h) Information that is de-identified in accordance with 45
822 C.F.R. part 164 and that is derived from individually
823 identifiable health information, as described in the Health
824 Insurance Portability and Accountability Act of 1996, or
825 identifiable personal information, consistent with the Federal
826 Policy for the Protection of Human Subjects or the human subject
827 protection requirements of the United States Food and Drug
828 Administration or the good clinical practice guidelines issued
829 by the International Council for Harmonisation.
830 (i) Information collected as part of a clinical trial
831 subject to the Federal Policy for the Protection of Human
832 Subjects pursuant to good clinical practice guidelines issued by
833 the International Council for Harmonisation of Technical
834 Requirements for Pharmaceuticals for Human Use or pursuant to
835 human subject protection requirements of the United States Food
836 and Drug Administration.
837 (j) The sale of personal information to or from a consumer
838 reporting agency if that information is to be reported in or
839 used to generate a consumer report as defined by 15 U.S.C. s.
840 1681(a), and if the use of that information is limited by the
841 federal Fair Credit Reporting Act, 15 U.S.C. s. 1681 et seq.
842 (k) Personal information collected, processed, sold, or
843 disclosed pursuant to the federal Gramm-Leach-Bliley Act, 15
844 U.S.C. s. 6801 et seq. and implementing regulations.
845 (l) Personal information collected, processed, sold, or
846 disclosed pursuant to the Farm Credit Act of 1971, as amended in
847 12 U.S.C. s. 2001-2279cc and implementing regulations.
848 (m) Personal information collected, processed, sold, or
849 disclosed pursuant to the federal Driver’s Privacy Protection
850 Act of 1994, 18 U.S.C. s. 2721 et seq.
851 (n) Education information covered by the federal Family
852 Educational Rights and Privacy Act, 20 U.S.C. s. 1232g and 34
853 C.F.R. part 99.
854 (o) Personal information collected, processed, sold, or
855 disclosed in relation to price, route, or service as those terms
856 are used in the federal Airline Deregulation Act, 49 U.S.C. s.
857 40101 et seq., by entities subject to the federal Airline
858 Deregulation Act, to the extent the provisions of this act are
859 preempted by s. 41713 of the federal Airline Deregulation Act.
860 (p) Vehicle information or ownership information retained
861 or shared between a new motor vehicle dealer and the vehicle’s
862 manufacturer if the vehicle or ownership information is shared
863 for the purpose of effectuating, or in anticipation of
864 effectuating, a vehicle repair covered by a vehicle warranty or
865 a recall conducted pursuant to 49 U.S.C. s. 30118-30120,
866 provided that the new motor vehicle dealer or vehicle
867 manufacturer with which that vehicle information or ownership
868 information is shared does not sell, share, or use that
869 information for any other purpose. As used in this paragraph,
870 the term “vehicle information” means the vehicle information
871 number, make, model, year, and odometer reading, and the term
872 “ownership information” means the name or names of the
873 registered owner or owners and the contact information for the
874 owner or owners.
875 Section 7. Section 501.177, Florida Statutes, is created to
876 read:
877 501.177 Enforcement; Attorney General; rules.—
878 (1) The Department of Legal Affairs may adopt rules to
879 implement this section. If the department has reason to believe
880 that any business, service provider, or other person or entity
881 is in violation of this act and that proceedings would be in the
882 public interest, the department may institute an appropriate
883 legal proceeding against such party.
884 (2) After the department has notified a business in writing
885 of an alleged violation, the department may grant the business a
886 30-day period to cure the alleged violation. The department may
887 consider the number of violations, the substantial likelihood of
888 injury to the public, or the safety of persons or property when
889 determining whether to grant 30 days to cure an alleged
890 violation. If the business cures the alleged violation to the
891 satisfaction of the department and provides proof of such cure
892 to the department, the department may issue a letter of guidance
893 to the business which indicates that the business will not be
894 offered a 30-day cure period for any future violations. If the
895 business fails to cure the violation within 30 days, the
896 department may bring an action against the business for the
897 alleged violation.
898 (3) The trial court, upon a showing that any business,
899 service provider, or other person or entity is in violation of
900 this act, may take any of the following actions:
901 (a) Issue a temporary or permanent injunction.
902 (b) Impose a civil penalty of not more than $2,500 for each
903 unintentional violation or $7,500 for each intentional
904 violation. Such fines may be tripled if the violation involves a
905 consumer who is 16 years of age or younger.
906 (c) Award reasonable costs of enforcement, including
907 reasonable attorney fees and costs.
908 (d) Grant such other relief as the court may deem
909 appropriate.
910 Section 8. This act shall take effect July 1, 2022.