Florida Senate - 2021 SENATOR AMENDMENT
Bill No. CS for CS for CS for HB 969
LEGISLATIVE ACTION (Senate): Floor: 1/AE/2R, 04/28/2021 11:36 AM
Senator Bradley moved the following:
1 Senate Amendment (with title amendment)
2
3 Delete everything after the enacting clause
4 and insert:
5 Section 1. Section 501.172, Florida Statutes, is created to
6 read:
7 501.172 Short title.—This act may be cited as the “Florida
8 Privacy Protection Act.”
9 Section 2. Section 501.173, Florida Statutes, is created to
10 read:
11 501.173 Purpose.—This act recognizes that privacy is an
12 important right, and consumers in this state should have the
13 ability to share their personal information as they wish, in a
14 way that is safe and that they understand and control.
15 Section 3. Section 501.174, Florida Statutes, is created to
16 read:
17 501.174 Definitions.—As used in ss. 501.172-501.177, unless
18 the context otherwise requires, the term:
19 (1) “Affiliate” means a legal entity that controls, is
20 controlled by, or is under common control with another legal
21 entity or shares common branding with another legal entity. For
22 the purposes of this subsection, the term “control” or
23 “controlled” means the ownership of, or the power to vote, more
24 than 50 percent of the outstanding shares of any class of voting
25 security of a company; control in any manner over the election
26 of a majority of the directors or of individuals exercising
27 similar functions; or the power to exercise controlling
28 influence over the management of a company.
29 (2) “Aggregate consumer information” means information that
30 relates to a group or category of consumers from which
31 individual consumer identities have been removed and which is
32 not linked or reasonably linkable to any consumer, including
33 through a device. The term does not include one or more
34 individual consumer records that have been de-identified.
35 (3) “Authenticate” means verifying through reasonable means
36 that the consumer entitled to exercise his or her consumer
37 rights under this act is the same consumer exercising such
38 consumer rights with respect to the personal information at
39 issue.
40 (4) “Biometric information” means personal information
41 generated by automatic measurements of characteristics of an
42 individual’s physiological, behavioral, or biological
43 characteristics, including an individual’s DNA, which identifies
44 an individual. The term does not include a physical or digital
45 photograph; a video or audio recording or data generated
46 therefrom; or information collected, used, or stored for health
47 care treatment, payment, or operations under the Health
48 Insurance Portability and Accountability Act of 1996.
49 (5) “Business purpose” means the use of personal
50 information for the controller’s operational, administrative,
51 security, or other purposes allowed for under this act, or for
52 any notice-given and consumer-approved purposes or for the
53 processor’s operational purposes, provided that the use of the
54 personal information is consistent with the requirements of this
55 act.
56 (6) “Child” means a natural person younger than 13 years of
57 age.
58 (7) “Collects,” “collected,” or “collection” means buying,
59 renting, gathering, obtaining, receiving, or accessing by any
60 means any personal information pertaining to a consumer, either
61 actively or passively or by observing the consumer’s behavior.
62 (8) “Consumer” means a natural person who resides in this
63 state to the extent he or she is acting in an individual or
64 household context. The term does not include any other natural
65 person who is a nonresident or a natural person acting in a
66 commercial or employment context.
67 (9) “Controller” means a sole proprietorship, a
68 partnership, a limited liability company, a corporation, or an
69 association or any other legal entity that meets the following
70 requirements:
71 (a) Is organized or operated for the profit or financial
72 benefit of its shareholders or owners;
73 (b) Does business in this state or provides products or
74 services targeted to the residents of this state;
75 (c) Determines the purposes and means of processing
76 personal information about consumers, alone or jointly with
77 others; and
78 (d) Satisfies either of the following thresholds:
79 1. During a calendar year, controls the processing of the
80 personal information of 100,000 or more consumers who are not
81 covered by an exception under this act; or
82 2. Controls or processes the personal information of at
83 least 25,000 consumers who are not covered by an exception under
84 this act and derives 50 percent or more of its global
85 annual revenues from selling personal information about
86 consumers.
87 (10) “De-identified” means information that cannot
88 reasonably identify or be linked directly to a particular
89 consumer, or a device that is linked to such consumer, if the
90 controller or a processor that possesses such information on
91 behalf of the controller:
92 (a) Has taken reasonable measures to ensure the information
93 could not be associated with an individual consumer;
94 (b) Commits to maintain and use the information in a
95 de-identified fashion without attempting to reidentify the
96 information; and
97 (c) Contractually prohibits downstream recipients from
98 attempting to reidentify the information.
99 (11) “Designated request address” means an e-mail address,
100 a toll-free telephone number, or a website established by a
101 controller through which a consumer may submit a verified
102 request to the controller.
103 (12) “Intentional interaction” or “intentionally
104 interacting” means the consumer intends to interact with or
105 disclose personal information to a person through one or more
106 deliberate interactions, including visiting the person’s website
107 or purchasing a good or service from the person. The term does
108 not include hovering over, muting, pausing, or closing a given
109 piece of content.
110 (13) “Non-targeted advertising” means:
111 (a) Advertising based solely on a consumer’s activities
112 within a controller’s own, or its affiliate’s, websites or
113 online applications;
114 (b) Advertisements based on the context of a consumer’s
115 current search query, visit to a website, or online application;
116 (c) Advertisements directed to a consumer in response to
117 the consumer’s request for information or feedback; or
118 (d) Processing personal information solely for measuring or
119 reporting advertising performance, reach, or frequency.
120 (14) “Personal information” means:
121 (a) Information that identifies or is linked or reasonably
122 linkable to an identified or identifiable consumer.
123 (b) The term does not include:
124 1. Information about a consumer that is lawfully made
125 available through federal, state, or local governmental records;
126 2. Information that a controller has a reasonable basis to
127 believe is lawfully made available to the general public by the
128 consumer or from widely distributed media unless the consumer
129 has restricted the information to a specific audience; or
130 3. Consumer information that is de-identified or aggregate
131 consumer information.
132 (15) “Precise geolocation data” means information from
133 technology, such as global positioning system level latitude and
134 longitude coordinates or other mechanisms, that directly
135 identifies the specific location of a natural person with
136 precision and accuracy within a radius of 1,750 feet. The term
137 does not include the information generated by the transmission
138 of communications or any information generated by or connected
139 to advanced utility metering infrastructure systems or equipment
140 for use by a utility.
141 (16) “Process” or “processing” means any operation or set
142 of operations performed on personal information or on sets of
143 personal information, whether or not by automated means.
144 (17) “Processor” means a natural or legal entity that
145 processes personal data on behalf of, and at the direction of, a
146 controller.
147 (18) “Profiling” means any form of automated processing
148 performed on personal data to evaluate, analyze, or predict
149 personal aspects related to an identified or identifiable
150 natural person’s economic situation, health, personal
151 preferences, interests, reliability, behavior, location, or
152 movements. The term does not include processing personal
153 information solely for the purpose of measuring or reporting
154 advertising performance, reach, or frequency.
155 (19) “Pseudonymous information” means personal information
156 that cannot be attributed to a specific natural person without
157 the use of additional information, provided that such additional
158 information is kept separate at all times and is subject to
159 appropriate technical and organizational measures to ensure that
160 the personal data is not attributed to or combined with other
161 personal data that may enable attribution to an identified or
162 identifiable natural person.
163 (20) “Security and integrity” means the ability of a:
164 (a) Network or information system, device, website, or
165 online application to detect security incidents that compromise
166 the availability, authenticity, integrity, and confidentiality
167 of stored or transmitted personal information;
168 (b) Controller to detect security incidents; resist
169 malicious, deceptive, fraudulent, or illegal actions; and help
170 prosecute those responsible for such actions; and
171 (c) Controller to ensure the physical safety of natural
172 persons.
173 (21) “Sell” means to transfer or make available a
174 consumer’s personal information by a controller to a third party
175 in exchange for monetary or other valuable consideration,
176 including nonmonetary transactions and agreements for other
177 valuable consideration between a controller and a third party
178 for the benefit of a controller. The term does not include any
179 of the following:
180 (a) The disclosure, for a business purpose, of a consumer’s
181 personal information to a processor that processes the
182 information for the controller.
183 (b) The disclosure by a controller for the purpose of
184 providing a product or service requested or approved by a
185 consumer, or the parent of a child, of the consumer’s personal
186 information to a third-party entity.
187 (c) The disclosure or transfer of personal information to
188 an affiliate of the controller.
189 (d) The disclosure of personal information for purposes of
190 non-targeted advertising.
191 (e) The disclosure or transfer of personal information to a
192 third party as an asset that is part of a proposed or actual
193 merger, acquisition, bankruptcy, or other transaction in which
194 the third party assumes control of all or part of the
195 controller’s assets.
196 (f) The controller disclosing personal information to a law
197 enforcement or other emergency processor for the purposes of
198 providing emergency assistance to the consumer.
199 (22) “Sensitive data” means a category of personal
200 information that includes any of the following:
201 (a) Racial or ethnic origin, religious beliefs, mental or
202 physical health diagnosis, sexual orientation, or citizenship or
203 immigration status.
204 (b) Biometric information, including genetic information,
205 processed for the purpose of uniquely identifying a natural
206 person.
207 (c) Personal information collected from a known child.
208 (d) Precise geolocation data.
209 (23) “Targeted advertising” means displaying an
210 advertisement to a consumer when the advertisement is selected
211 based on personal information obtained from the consumer’s
212 activities over time and across nonaffiliated websites or online
213 applications to predict such consumer’s preferences or
214 interests. The term does not include any of the following:
215 (a) Non-targeted advertising.
216 (b) Advertisements based on the context of a consumer’s
217 current search query or visit to a website.
218 (c) Advertising directed to a consumer in response to the
219 consumer’s request for information or feedback.
220 (d) Processing personal data solely for measuring or
221 reporting advertising performance, reach, or frequency.
222 (24) “Third party” means a person who is not any of the
223 following:
224 (a) The controller with which the consumer intentionally
225 interacts and which collects personal information from the
226 consumer as part of the consumer’s interaction with the
227 controller.
228 (b) A processor that processes personal information on
229 behalf of and at the direction of the controller.
230 (c) An affiliate of the controller.
231 (25) “Verified request” means a request submitted by a
232 consumer or by a consumer on behalf of the consumer’s minor
233 child for which the controller has reasonably verified the
234 authenticity of the request. The term includes a request made
235 through an established account using the controller’s
236 established security features to access the account through
237 communication features offered to consumers. The term does not
238 include a request in which the consumer or a person authorized
239 to act on the consumer’s behalf does not provide verification of
240 identity or verification of authorization to act with the
241 permission of the consumer, and the controller is not required
242 to provide information for such a request.
243 Section 4. Section 501.1745, Florida Statutes, is created
244 to read:
245 501.1745 General duties of controllers that collect
246 personal information.—
247 (1) A controller that controls the collection of a
248 consumer’s personal information that will be used for any
249 purpose other than a business purpose, at or before the point of
250 collection, shall inform consumers of the purposes for which
251 personal information is collected or used and whether that
252 information is sold. A controller may not collect additional
253 categories of personal information, or use collected personal
254 information for additional purposes that are incompatible with
255 the disclosed purpose for which the personal information was
256 collected, without providing the consumer with notice consistent
257 with this section. A controller that collects personal
258 information about, but not directly from, consumers may provide
259 the required information on its Internet home page or in its
260 online privacy policy.
261 (2) A controller’s collection, use, and retention of a
262 consumer’s personal information must be reasonably necessary to
263 achieve the purposes for which the personal information was
264 collected or processed. Such information may not be further
265 processed in a manner that is incompatible with those purposes
266 without notice to the consumer or be transferred or made
267 available to a third party in a manner inconsistent with the
268 requirements of this act.
269 (3) A controller that collects a consumer’s personal
270 information shall implement reasonable security procedures and
271 practices appropriate to the nature of the personal information
272 to protect the personal information from unauthorized or illegal
273 access, destruction, use, modification, or disclosure.
274 (4) A controller that collects a consumer’s personal
275 information and discloses it to a processor shall enter into a
276 contractual agreement with such processor which obligates the
277 processor to comply with applicable obligations under this act
278 and which prohibits downstream recipients from selling personal
279 information or retaining, using, or disclosing the personal
280 information. If a processor engages any other person to assist
281 it in processing personal information for a business purpose on
282 behalf of the controller, or if any other person engaged by the
283 processor engages another person to assist in processing
284 personal information for that business purpose, the processor or
285 person must notify the controller of that engagement and the
286 processor must prohibit downstream recipients from selling the
287 personal information or retaining, using, or disclosing the
288 personal information.
289 (5) A controller may not process sensitive data concerning
290 a consumer without obtaining the consumer’s consent or, in the
291 case of the processing of sensitive data obtained from a known
292 child, without processing such data for the purpose of
293 delivering a product or service requested by the parent of such
294 child, or in accordance with the federal Children’s Online
295 Privacy Protection Act, 15 U.S.C. s. 6501 et seq., and
296 regulations interpreting that act.
297 (6) Determining whether a person is acting as a controller
298 or processor with respect to a specific activity is a fact-based
299 determination that depends upon the context in which personal
300 information is processed. A processor that continues to adhere
301 to a controller’s instructions with respect to a specific
302 processing of personal information remains a processor.
303 Section 5. Section 501.175, Florida Statutes, is created to
304 read:
305 501.175 Use of personal information; third parties; other
306 rights.—
307 (1)(a) A consumer has the right at any time to direct a
308 controller that sells personal information about the consumer
309 not to sell the consumer’s personal information. This right may
310 be referred to as the right to opt out of the sale.
311 (b) A consumer has the right at any time to opt out of the
312 processing of the consumer’s personal information for purposes
313 of targeted advertising or profiling. A controller shall provide
314 a clear and conspicuous link on the controller’s Internet home
315 page, titled “Do Not Advertise To Me,” to a web page that
316 enables a consumer to opt out of targeted advertising or
317 profiling. However, this paragraph may not be construed to
318 prohibit the controller that collected the consumer’s personal
319 information from:
320 1. Offering a different price, rate, level, quality, or
321 selection of goods or services to a consumer, including offering
322 goods or services for no fee, if the consumer has opted out of
323 targeted advertising, profiling, or the sale of his or her
324 personal information; or
325 2. Offering a loyalty, reward, premium feature, discount,
326 or club card program.
327 (c) A controller that charges or offers a different price,
328 rate, level, quality, or selection of goods or services to a
329 consumer who has opted out of targeted advertising, profiling,
330 or the sale of his or her personal information, or that offers
331 goods or services for no fee, shall ensure that such charge or
332 offer is not unjust, unreasonable, coercive, or usurious.
333 (2) A controller that sells consumers’ personal information
334 shall provide notice to consumers that the information may be
335 sold and that consumers have the right to opt out of the sale of
336 their personal information.
337 (3) A controller that sells consumers’ personal information
338 and that has received direction from a consumer not to sell the
339 consumer’s personal information or, in the case of a minor
340 consumer’s personal information, has not received consent to
341 sell the minor consumer’s personal information, is prohibited
342 from selling the consumer’s personal information after the
343 controller receives the consumer’s direction, unless the
344 consumer subsequently provides express authorization for the
345 sale of the consumer’s personal information. A controller that
346 is able to authenticate the consumer, for example, by the
347 consumer logging in, or that is otherwise reasonably able to
348 authenticate the consumer’s request must comply with the
349 consumer’s request to opt out. The controller may not require
350 the consumer to declare privacy preferences every time the
351 consumer visits the controller’s website or uses the
352 controller’s online services.
353 (4)(a) A controller may not sell the personal information
354 collected from consumers that the controller has actual
355 knowledge are younger than 16 years of age, unless:
356 1. The consumer, in the case of consumers between 13 and 16
357 years of age, has affirmatively authorized the sale of the
358 consumer’s personal information; or
359 2. The consumer’s parent or guardian, in the case of
360 consumers who are younger than 13 years of age, has
361 affirmatively authorized such sale.
362 (b) This right may be referred to as the right to opt in.
363 (c) A business that willfully disregards the consumer’s age
364 is deemed to have actual knowledge of the consumer’s age.
365 (d) A controller that complies with the verifiable parental
366 consent requirements of the Children’s Online Privacy Protection
367 Act, 15 U.S.C. s. 6501 et seq., and accompanying regulations, or
368 is providing a product or service requested by a parent or
369 guardian, shall be deemed compliant with any obligation to
370 obtain parental consent.
371 (5) A controller that is required to comply with this
372 section shall:
373 (a) Provide a clear and conspicuous link on the
374 controller’s Internet home page, titled “Do Not Sell My Personal
375 Information,” to a web page that enables a consumer to opt out
376 of the sale of the consumer’s personal information. A business
377 may not require a consumer to create an account in order to
378 direct the business not to sell the consumer’s information.
379 (b) Ensure that all individuals responsible for handling
380 consumer inquiries about the controller’s privacy practices or
381 the controller’s compliance with this section are informed of
382 all requirements of this section and how to direct consumers to
383 exercise their rights.
384 (c) For consumers who exercise their right to opt out of
385 the sale of their personal information, refrain from selling
386 personal information the controller collected about the consumer
387 as soon as reasonably possible but no longer than 10 business
388 days after receiving the request to opt out.
389 (d) Use any personal information collected from the
390 consumer in connection with the submission of the consumer’s
391 opt-out request solely for the purposes of complying with the
392 opt-out request.
393 (e) For consumers who have opted out of the sale of their
394 personal information, respect the consumer’s decision to opt out
395 for at least 12 months before requesting that the consumer
396 authorize the sale of the consumer’s personal information.
397 (f) Ensure that consumers have the right to submit a
398 verified request for certain information from a controller,
399 including the categories of sources from which the consumer’s
400 personal information was collected, the specific items of
401 personal information it has collected about the consumer, and
402 the categories of any third parties to whom the personal
403 information was sold.
404 (6) Consumers have the right to submit a verified request
405 that personal information that has been collected from the
406 consumer be deleted. Consumers have the right to submit a
407 verified request for correction of their personal information
408 held by a controller if that information is inaccurate, taking
409 into account the nature of the personal information and the
410 purpose for processing the consumer’s personal information.
411 (7) A controller, or a processor acting pursuant to its
412 contract with the controller or another processor, is not
413 required to comply with a consumer’s verified request to delete
414 the consumer’s personal information if it is necessary for the
415 controller or processor to maintain the consumer’s personal
416 information in order to do any of the following:
417 (a) Complete the transaction for which the personal
418 information was collected, fulfill the terms of a written
419 warranty or product recall conducted in accordance with federal
420 law, provide a good or service requested by the consumer, or
421 otherwise perform a contract between the business and the
422 consumer.
423 (b) Help to ensure security and integrity to the extent
424 that the use of the consumer’s personal information is
425 reasonably necessary and proportionate for those purposes.
426 (c) Debug to identify and repair errors that impair
427 existing intended functionality.
428 (d) Exercise free speech, ensure the right of another
429 consumer to exercise that consumer’s right of free speech, or
430 exercise another right provided for by law.
431 (e) Engage in public or peer-reviewed scientific,
432 historical, or statistical research that conforms or adheres to
433 all other applicable ethics and privacy laws, when the business’
434 deletion of the information is likely to render impossible or
435 seriously impair the ability to complete such research, if the
436 consumer has provided informed consent.
437 (f) Comply with a legal obligation.
438 (8) This section may not be construed to require a
439 controller to comply by reidentifying or otherwise linking
440 information that is not maintained in a manner that would be
441 considered personal information; retaining any personal
442 information about a consumer if, in the ordinary course of
443 business, that information would not be retained; maintaining
444 information in identifiable, linkable, or associable form; or
445 collecting, obtaining, retaining, or accessing any data or
446 technology in order to be capable of linking or associating a
447 verified request with personal information.
448 (9) A consumer may authorize another person to opt out of
449 the sale of the consumer’s personal information. A controller
450 shall comply with an opt-out request received from a person
451 authorized by the consumer to act on the consumer’s behalf,
452 including a request received through a user-enabled global
453 privacy control, such as a browser plug-in or privacy setting,
454 device setting, or other mechanism, which communicates or
455 signals the consumer’s choice to opt out, and may not require a
456 consumer to make a verified request to opt out of the sale of
457 his or her information.
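Subsection (9) requires a controller to treat a user-enabled global privacy control as an opt-out of sale with no verification step, and subsections (5)(c), (5)(e) and (12) attach deadlines and persistence rules to that opt-out. The following is an added illustration of one way a web backend could honor those rules; it is not part of the amendment and not any controller's actual implementation. Assumptions, labelled in the code as well: the signal is carried as the "Sec-GPC: 1" request header used by the Global Privacy Control proposal (the statute names no particular header); the preference store is an in-memory dictionary standing in for a real database; business days are Monday through Friday with no holiday calendar; and the sample requests are constructed.

```python
"""Honoring a user-enabled global privacy control as an opt-out of sale.

Added example, not part of the amendment text. Assumptions: the signal is
the "Sec-GPC: 1" request header used by the Global Privacy Control
proposal (the statute names no specific header); OptOutStore is an
in-memory stand-in for the controller's preference database; the
constructed requests below are illustrative only.
"""
from datetime import date, timedelta


def iso_day(text):
    """Parse an ISO-8601 calendar date such as "2023-01-03"."""
    return date.fromisoformat(text)


class OptOutStore:
    """Maps a consumer key to the date the opt-out was first received."""

    def __init__(self):
        self.records = {}

    def record(self, key, received):
        # Keep the earliest date: a re-sent signal must not restart the
        # 10-business-day or 12-month clocks.
        self.records.setdefault(key, received)

    def opted_out(self, key):
        return key in self.records


def signal_present(headers):
    """True if the request carries Sec-GPC with the literal value "1".

    Header names are matched case-insensitively; any other value is not
    an opt-out signal.
    """
    for name, value in headers.items():
        if name.lower() == "sec-gpc":
            return value.strip() == "1"
    return False


def consumer_key(account_id, visitor_id):
    # A login identity outlives cookies, so a prior opt-out follows the
    # account (subsection (12)); otherwise fall back to the device id.
    return f"acct:{account_id}" if account_id else f"visitor:{visitor_id}"


def sale_permitted(headers, account_id, visitor_id, store, today):
    """Decide whether this consumer's personal information may be sold.

    The signal is honored without any verification step (subsection (9)),
    and a previously recorded opt-out is honored on later visits even when
    the header is absent, so the consumer never has to re-declare it.
    """
    key = consumer_key(account_id, visitor_id)
    if signal_present(headers):
        store.record(key, today)
    return not store.opted_out(key)


def stop_selling_deadline(received):
    """Last day to stop selling: 10 business days after receipt (5)(c).

    Business days are Monday to Friday; public holidays are not modeled.
    """
    day, remaining = received, 10
    while remaining:
        day += timedelta(days=1)
        if day.weekday() < 5:
            remaining -= 1
    return day


def consent_request_allowed(received, today):
    """Subsection (5)(e): no re-solicitation for 12 months after opt-out."""
    try:
        anniversary = received.replace(year=received.year + 1)
    except ValueError:  # opt-out received on 29 February
        anniversary = received.replace(year=received.year + 1, day=28)
    return today >= anniversary
```

The account-first key is what makes subsection (12) work: a consumer who opted out while logged in is still opted out from a fresh browser, while an anonymous visitor with a new device id is a new key and is not silently treated as opted out.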
458 (10) Each controller shall establish a designated request
459 address through which a consumer may submit a request to
460 exercise his or her rights under this act.
461 (11)(a) A controller that receives a verified request:
462 1. For a consumer’s personal information shall disclose to
463 the consumer any personal information about the consumer which
464 it has collected since January 1, 2023, directly or indirectly,
465 including through or by a processor.
466 2. To correct a consumer’s inaccurate personal information
467 shall correct the inaccurate personal information, taking into
468 account the nature of the personal information and the purpose
469 for processing the consumer’s personal information.
470 3. To delete a consumer’s personal information shall delete
471 such personal information collected from the consumer.
472 (b) A processor is not required to personally comply with a
473 verified request received directly from a consumer, but the
474 processor must notify a controller of such a request within 10
475 days after receiving the request. The time period within which a
476 controller must comply with a verified request as provided in
477 paragraph (d) commences when the processor notifies the
478 controller of the verified request. A processor
479 shall provide reasonable assistance to a controller with which
480 it has a contractual relationship with respect to the
481 controller’s response to a verified request,
482 including, but not limited to, by providing to the controller
483 the consumer’s personal information in the processor’s
484 possession which the processor obtained as a result of providing
485 services to the controller.
486 (c) At the direction of the controller, a processor shall
487 correct inaccurate personal information or delete personal
488 information, or enable the controller to do the same.
489 (d) A controller shall comply with a verified request
490 submitted by a consumer to access, correct, or delete personal
491 information within 45 days after the date the request is
492 submitted. A controller may extend such period by up to 45 days
493 if the controller, in good faith, determines that such an
494 extension is reasonably necessary. A controller that extends the
495 period shall notify the consumer of the necessity of an
496 extension.
497 (e) A consumer’s rights under this subsection do not apply
498 to pseudonymous information in cases where the controller is
499 able to demonstrate that all information necessary to identify
500 the consumer is kept separate at all times and is subject to
501 effective technical and organizational controls that prevent the
502 controller from accessing or combining such information.
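Definition (19) and paragraph (11)(e) both turn on the same technical idea: the data a controller holds is pseudonymous only if the information needed to re-attribute it is kept separately and protected by controls that actually stop the linkage. The block below is an added illustration of that separation, not part of the amendment and not any controller's own code. Assumptions, labelled in the code as well: the KeyHolder class and the field names are invented for the example; the keyed hash is HMAC-SHA-256 from the standard library; the records are constructed. It also shows why an unkeyed hash of an e-mail address does not meet the definition, since anyone with a list of plausible addresses can recompute and match it.

```python
"""Pseudonymization with a keyed hash and a separately held key.

Added example, not part of the amendment text. KeyHolder, the field names
and the sample records are assumptions for illustration; the keyed hash
is HMAC-SHA-256 from the Python standard library.
"""
import hashlib
import hmac
import secrets


class KeyHolder:
    """The 'additional information' that links pseudonyms back to people.

    Keep this object and its key in a separate system with its own access
    control; the analytics side receives pseudonymous records only and
    never holds a KeyHolder.
    """

    def __init__(self, key=None):
        self._key = key if key is not None else secrets.token_bytes(32)

    def pseudonym(self, identifier):
        # Canonicalize so "A@Example.com" and "a@example.com" map together.
        canon = identifier.strip().lower().encode()
        return hmac.new(self._key, canon, hashlib.sha256).hexdigest()

    def relink(self, pid, candidates):
        """Map a pseudonym back to an identifier; only the key holder can."""
        for c in candidates:
            if hmac.compare_digest(self.pseudonym(c), pid):
                return c
        return None


DIRECT_IDENTIFIERS = ("email", "phone", "name")


def pseudonymize(record, holder):
    """Replace direct identifiers with a keyed pseudonym; keep other fields."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    out["pid"] = holder.pseudonym(record["email"])
    return out


def unkeyed_pseudonym(identifier):
    # The tempting shortcut: a plain hash of the identifier. Included only
    # to show below that it is trivially reversible by dictionary lookup.
    return hashlib.sha256(identifier.strip().lower().encode()).hexdigest()


def guess_identifier(pid, candidates, hash_fn):
    """Dictionary attack: recompute hash_fn over plausible identifiers.

    Succeeds against unkeyed_pseudonym; fails against a keyed pseudonym
    because the attacker cannot compute hash_fn with the secret key.
    """
    for c in candidates:
        if hash_fn(c) == pid:
            return c
    return None
```

The pseudonym is deterministic on purpose: the controller can still satisfy a verified correction or deletion request by having the key holder relink the consumer's records, while the analytics store on its own cannot attribute them, which is the showing paragraph (11)(e) asks for.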
503 (12) A controller shall comply with a consumer’s previous
504 expressed decision to opt out of the sale of his or her personal
505 information without requiring the consumer to take any
506 additional action if the controller is able to identify the
507 consumer through a login protocol or any other process the
508 controller uses to identify consumers and the consumer has
509 previously exercised his or her right to opt out of the sale of
510 his or her personal information.
511 (13) A controller shall make available, in a manner
512 reasonably accessible to consumers whose personal information
513 the controller collects through its website or online service, a
514 notice that does all of the following:
515 (a) Identifies the categories of personal information that
516 the controller collects through its website or online service
517 about consumers who use or visit the website or online service
518 and the categories of third parties to whom the controller may
519 disclose such personal information.
520 (b) Provides a description of the process, if applicable,
521 for a consumer who uses or visits the website or online service
522 to review and request changes to any of his or her personal
523 information that is collected from the consumer through the
524 website or online service.
525 (c) Describes the process by which the controller notifies
526 consumers who use or visit the website or online service of
527 material changes to the notice.
528 (d) Discloses whether a third party may collect personal
529 information about a consumer’s online activities over time and
530 across different websites or online services when the consumer
531 uses the controller’s website or online service.
532 (e) States the effective date of the notice.
533 (14) If a request from a consumer is manifestly unfounded
534 or excessive, in particular because of the request’s repetitive
535 character, a controller may either charge a reasonable fee,
536 taking into account the administrative costs of providing the
537 information or communication or taking the action requested, or
538 refuse to act on the request and notify the consumer of the
539 reason for refusing the request. The controller bears the burden
540 of demonstrating that any verified consumer request is
541 manifestly unfounded or excessive.
542 (15) A controller that discloses personal information to a
543 processor is not liable under this act if the processor
544 receiving the personal information uses it in violation of the
545 restrictions set forth in the act, provided that, at the time of
546 disclosing the personal information, the controller does not
547 have actual knowledge or reason to believe that the processor
548 intends to commit such a violation. A processor is likewise not
549 liable under this act for the obligations of a controller for
550 which it processes personal information as set forth in this
551 act.
552 (16) A controller or processor that discloses personal
553 information to a third-party controller or processor in
554 compliance with the requirements of this act is not in violation
555 of this chapter if the third-party controller or processor that
556 receives and processes such personal information is in violation
557 of this act, provided that, at the time of disclosing the
558 personal information, the disclosing controller or processor did
559 not have actual knowledge that the recipient intended to commit
560 a violation. A third-party controller or processor that violates
561 this act, or violates the terms of a contractual agreement with
562 a controller or processor which results in a violation of this
563 act, is deemed to have violated the requirements of this act and
564 is subject to the enforcement actions otherwise provided against
565 a controller pursuant to s. 501.177. A third-party controller or
566 processor receiving personal information from a controller or
567 processor in compliance with the requirements of this act is not
568 in violation of this act for noncompliance of the controller or
569 processor from which it receives such personal data.
570 (17) The rights afforded to consumers and the obligations
571 imposed on a controller in this act may not adversely affect the
572 rights and freedoms of other consumers. Notwithstanding
573 subsection (7), a verified request for specific items of
574 personal information, to delete a consumer’s personal
575 information, or to correct inaccurate personal information does
576 not extend to personal information about the consumer which
577 belongs to, or which the controller maintains on behalf of,
578 another natural person.
579 Section 6. Section 501.176, Florida Statutes, is created to
580 read:
581 501.176 Applicability; exclusions.—
582 (1) The obligations imposed on a controller or processor by
583 this act do not restrict a controller’s or processor’s ability
584 to do any of the following:
585 (a) Comply with federal, state, or local laws, rules, or
586 regulations.
587 (b) Comply with a civil, criminal, or regulatory inquiry or
588 an investigation, a subpoena, or a summons by federal, state,
589 local, or other governmental authorities.
590 (c) Cooperate with law enforcement agencies concerning
591 conduct or activity that the controller or processor reasonably
592 and in good faith believes may violate federal, state, or local
593 laws, rules, or regulations.
594 (d) Exercise, investigate, establish, prepare for, or
595 defend legal claims.
596 (e) Collect, use, retain, sell, or disclose consumer
597 personal information to:
598 1. Conduct internal research to develop, improve, or repair
599 products, services, or technology;
600 2. Effectuate a product recall or provide a warranty for
601 products or services;
602 3. Identify or repair technical errors that impair existing
603 or intended functionality;
604 4. Perform internal operations that are reasonably aligned
605 with the expectations of the consumer or reasonably anticipated
606 based on the consumer’s existing relationship with the
607 controller or are otherwise compatible with processing data in
608 furtherance of the provision of a product or service
609 specifically requested by a consumer or a parent of a child, or
610 the performance of a contract to which the consumer is a party;
611 5. Provide a product or service specifically requested by a
612 consumer or a parent of a child; perform a contract to which the
613 consumer or parent is a party, including fulfilling the terms of
614 a written warranty; or take steps at the request of the consumer
615 before entering into a contract;
616 6. Take steps to protect an interest that is essential for
617 the life or physical safety of the consumer or of another
618 natural person, and where the processing cannot be manifestly
619 based on another legal basis;
620 7. Prevent, detect, protect against, or respond to security
621 incidents, identity theft, fraud, harassment, malicious or
622 deceptive activities, or any illegal activity, and prosecute
623 those responsible for that activity;
624 8. Preserve the integrity or security of information
625 technology systems;
626 9. Investigate, report, or prosecute those responsible for
627 any illegal, malicious, harmful, deceptive, or otherwise harmful
628 activities;
629 10. Engage in public or peer-reviewed scientific or
630 statistical research in the public interest that adheres to all
631 other applicable ethics and privacy laws and, if applicable, is
632 approved, monitored, and governed by an institutional review
633 board, or similar independent oversight entity that determines
634 if the information is likely to provide substantial benefits
635 that do not exclusively accrue to the controller, if the
636 expected benefits of the research outweigh the privacy risks,
637 and if the controller has implemented reasonable safeguards to
638 mitigate privacy risks associated with research, including any
639 risks associated with reidentification; or
640 11. Assist another controller, processor, or third party
641 with any of the obligations under this subsection.
642 (2) This act does not apply to any of the following:
643 (a) A controller that collects, processes, or discloses the
644 personal information of its employees, owners, directors,
645 officers, beneficiaries, job applicants, interns, or volunteers,
646 so long as the controller is collecting or disclosing such
647 information only to the extent reasonable and necessary within
648 the scope of the role the controller has in relation to each
649 class of listed individuals. For purposes of this section the
650 term “personal information” includes employment benefit
651 information.
652 (b) Personal information that is part of a written or
653 verbal communication or a transaction between the controller or
654 processor and the consumer, where the consumer is a natural
655 person who is acting as an employee, owner, director, officer,
656 or contractor of a company, partnership, sole proprietorship,
657 non-profit, or government agency and whose communications or
658 transaction with the business occur solely within the context of
659 the business conducting due diligence regarding, or providing or
660 receiving a product or service to or from such company,
661 partnership, sole proprietorship, non-profit, or government
662 agency.
663 (c) A business, service provider, or third party that
664 collects the personal information of an individual:
665 1. Who applies to, is or was previously employed by, or
666 acts as an agent of the business, service provider, or third
667 party, to the extent that the personal information is collected
668 and used in a manner related to or arising from the individual’s
669 employment status; or
670 2. To administer benefits for another individual and the
671 personal information is used to administer those benefits.
672 (d) A business that enters into a contract with an
673 independent contractor and collects or discloses personal
674 information about the contractor reasonably necessary to either
675 enter into or to fulfill the contract when the contracted
676 services would not defeat the purposes of this act.
677 (e) Protected health information for purposes of the
678 federal Health Insurance Portability and Accountability Act of
679 1996 and related regulations, and patient identifying
680 information for purposes of 42 C.F.R. part 2, established
681 pursuant to 42 U.S.C. s. 290dd-2.
682 (f) A covered entity or business associate governed by the
683 privacy, security, and breach notification rules issued by the
684 United States Department of Health and Human Services in 45
685 C.F.R. parts 160 and 164, or a program or a qualified service
686 program defined in 42 C.F.R. part 2, to the extent the covered
687 entity, business associate, or program maintains personal
688 information in the same manner as medical information or
689 protected health information as described in paragraph (e).
690 (g) Identifiable private information collected for purposes
691 of research as defined in 45 C.F.R. s. 164.501 which is
692 conducted in accordance with the Federal Policy for the
693 Protection of Human Subjects for purposes of 45 C.F.R. part 46,
694 the good clinical practice guidelines issued by the
695 International Council for Harmonisation of Technical
696 Requirements for Pharmaceuticals for Human Use, or the
697 Protection for Human Subjects for purposes of 21 C.F.R. parts 50
698 and 56; or personal information used or shared in research
699 conducted in accordance with one or more of these standards, or
700 another applicable protocol.
701 (h) Information and documents created for purposes of the
702 federal Health Care Quality Improvement Act of 1986 and related
703 regulations, or patient safety work product for purposes of 42
704 C.F.R. part 3, established pursuant to 42 U.S.C. s. 299b-21
705 through 299b-26.
706 (i) Information that is de-identified in accordance with 45
707 C.F.R. part 164 and that is derived from individually
708 identifiable health information, as described in the Health
709 Insurance Portability and Accountability Act of 1996, or
710 identifiable personal information, consistent with the Federal
711 Policy for the Protection of Human Subjects or the human subject
712 protection requirements of the United States Food and Drug
713 Administration or the good clinical practice guidelines issued
714 by the International Council for Harmonisation.
715 (j) Information collected as part of a clinical trial
716 subject to the Federal Policy for the Protection of Human
717 Subjects pursuant to good clinical practice guidelines issued by
718 the International Council for Harmonisation of Technical
719 Requirements for Pharmaceuticals for Human Use or pursuant to
720 human subject protection requirements of the United States Food
721 and Drug Administration, or another protocol.
722 (k) Personal information collected, processed, sold, or
723 disclosed pursuant to the federal Fair Credit Reporting Act, 15
724 U.S.C. s. 1681 et seq.
725 (l) Personal information collected, processed, sold, or
726 disclosed pursuant to, or a financial institution to the extent
727 regulated by, the federal Gramm-Leach-Bliley Act, 15 U.S.C. s.
728 6801 et seq. and implementing regulations.
729 (m) Personal information collected, processed, sold, or
730 disclosed pursuant to the Farm Credit Act of 1971, as amended in
731 12 U.S.C. s. 2001-2279cc and implementing regulations.
732 (n) Personal information collected, processed, sold, or
733 disclosed pursuant to the federal Driver’s Privacy Protection
734 Act of 1994, 18 U.S.C. s. 2721 et seq.
735 (o) Education information covered by the federal Family
736 Educational Rights and Privacy Act, 20 U.S.C. s. 1232g and 34
737 C.F.R. part 99.
738 (p) Personal information collected, processed, sold, or
739 disclosed in relation to price, route, or service as those terms
740 are used in the federal Airline Deregulation Act, 49 U.S.C. s.
741 40101 et seq., by entities subject to the federal Airline
742 Deregulation Act, to the extent this act is preempted by s.
743 41713 of the federal Airline Deregulation Act.
744 (q) Vehicle information or ownership information retained
745 or shared between a new motor vehicle dealer, distributor, or
746 the vehicle’s manufacturer if the vehicle or ownership
747 information is shared for the purpose of effectuating, or in
748 anticipation of effectuating, a vehicle repair covered by a
749 vehicle warranty or a recall conducted pursuant to 49 U.S.C. s.
750 30118-30120, provided that the new motor vehicle dealer,
751 distributor, or vehicle manufacturer with which that vehicle
752 information or ownership information is shared does not sell,
753 share, or use that information for any other purpose. As used in
754 this paragraph, the term “vehicle information” means the vehicle
755 identification number, make, model, year, and odometer reading,
756 and the term “ownership information” means the name or names of
757 the registered owner or owners and the contact information for
758 the owner or owners.
759 Section 7. Section 501.177, Florida Statutes, is created to
760 read:
761 501.177 Enforcement; Attorney General; preemption.—
762 (1) The Department of Legal Affairs may adopt rules to
763 implement this section. If the department has reason to believe
764 that any controller, processor, or other person or entity is in
765 violation of this act and that proceedings would be in the
766 public interest, the department may institute an appropriate
767 legal proceeding against such party.
768 (2) After the department has notified a controller in
769 writing of an alleged violation of this act, the Attorney
770 General may at his or her discretion, before initiating a
771 proceeding under this section, grant the controller a 30-day
772 period to cure the alleged violation. The Attorney General may
773 consider the number of violations, the substantial likelihood of
774 injury to the public, or the safety of persons or property when
775 determining whether to grant 30 days to cure an alleged
776 violation. If the controller cures the alleged violation to the
777 satisfaction of the Attorney General and provides proof of such
778 cure to the Attorney General, the Attorney General may either
779 extend the cure period or issue a letter of guidance to the
780 controller which indicates that the controller will not be
781 offered a 30-day cure period for any future violations. If the
782 controller fails to cure the violation within 30 days, the
783 Attorney General may bring an action against the controller for
784 the alleged violation.
785 (3) The trial court, upon a showing that any controller,
786 processor, or other person or entity is in violation of this
787 act, may take any of the following actions:
788 (a) Issue a temporary or permanent injunction.
789 (b) Impose a civil penalty of not more than $2,500 for each
790 violation.
791 (c) Award reasonable costs of enforcement, including
792 reasonable attorney fees and costs.
793 (4) This act is a matter of statewide concern and
794 supersedes and preempts to the state all rules, regulations,
795 codes, ordinances, and other laws adopted by a city, county,
796 city and county, municipality, or local agency regarding the
797 collection, processing, or sale of consumers’ personal
798 information by a controller or processor.
799 (5) Any reference to federal law or statute in this act
800 shall be deemed to include any accompanying rules or regulations
801 or exemptions thereto. Further, this enactment is declaratory of
802 existing law.
803 Section 8. This act shall take effect July 1, 2023.
804
805 ================= T I T L E A M E N D M E N T ================
806 And the title is amended as follows:
807 Delete everything before the enacting clause
808 and insert:
809 A bill to be entitled
810 An act relating to consumer data privacy; creating s.
811 501.172, F.S.; providing a short title; creating s.
812 501.173, F.S.; providing a purpose; creating s.
813 501.174, F.S.; defining terms; creating s. 501.1745,
814 F.S.; requiring controllers that collect consumer
815 personal information to provide certain information to
816 the consumer; requiring such collection, use, and
817 retention of such information to meet certain
818 requirements; requiring controllers to implement
819 reasonable security procedures and practices;
820 prohibiting controllers from processing certain
821 sensitive consumer data under certain circumstances;
822 creating s. 501.175, F.S.; providing that consumers
823 have the right to opt out of the sale and processing
824 of their personal information by controllers;
825 providing requirements for a controller to comply with
826 such a request under certain circumstances;
827 prohibiting controllers from selling the personal
828 information of consumers younger than a specified age
829 without express authorization from the consumer or the
830 consumer’s parent or guardian under certain
831 circumstances; providing that controllers that
832 willfully disregard a consumer’s age are deemed to
833 have actual knowledge of the consumer’s age; providing
834 requirements for controllers to comply with a
835 consumer’s right to opt out; providing exceptions;
836 providing that consumers have the right to submit a
837 verified request for the deletion or correction of
838 their personal information; providing construction;
839 providing that consumers may authorize other persons
840 to opt out of the sale of the consumer’s personal
841 information on the consumer’s behalf; requiring
842 controllers to establish designated request addresses;
843 providing requirements for controllers to comply with
844 verified consumer requests; authorizing businesses to
845 charge consumers a reasonable fee for manifestly
846 unfounded or excessive requests, or to refuse to
847 complete a request under certain circumstances;
848 providing that controllers and processors are not
849 liable for certain actions; providing that third-party
850 controllers or processors are liable for violating the
851 act or the terms of certain contractual agreements,
852 thereby resulting in a violation; providing that a
853 consumer’s rights and the obligations of a controller
854 may not adversely affect the rights and freedoms of
855 other consumers; creating s. 501.176, F.S.; providing
856 applicability; providing exceptions; creating s.
857 501.177, F.S.; authorizing the Department of Legal
858 Affairs to adopt rules and to bring appropriate legal
859 proceedings for violations under certain
860 circumstances; authorizing the Attorney General to
861 grant controllers an opportunity to cure violations
862 when given notice by the department; providing civil
863 remedies and penalties for violations; preempting the
864 regulation of the collection, processing, or sale of
865 consumers’ personal information by a controller or
866 processor to the state; providing applicability;
867 providing an effective date.