Florida Senate - 2021 SENATOR AMENDMENT
Bill No. CS for CS for CS for HB 969
Barcode 891990
LEGISLATIVE ACTION: Senate Floor: 1/RE/2R, 04/28/2021 11:37 AM

Senator Bradley moved the following:

Senate Amendment (with title amendment)

Delete everything after the enacting clause and insert:

Section 1. Section 501.172, Florida Statutes, is created to read:

501.172 Short title.—This act may be cited as the “Florida Privacy Protection Act.”

Section 2. Section 501.173, Florida Statutes, is created to read:

501.173 Purpose.—This act recognizes that privacy is an important right, and consumers in this state should have the ability to share their personal information as they wish, in a way that is safe and that they understand and control.

Section 3. Section 501.174, Florida Statutes, is created to read:

501.174 Definitions.—As used in ss. 501.172-501.177, unless the context otherwise requires, the term:

(1) “Affiliate” means a legal entity that controls, is controlled by, or is under common control with another legal entity or shares common branding with another legal entity. For the purposes of this subsection, the term “control” or “controlled” means the ownership of, or the power to vote, more than 50 percent of the outstanding shares of any class of voting security of a company; control in any manner over the election of a majority of the directors or of individuals exercising similar functions; or the power to exercise controlling influence over the management of a company.

(2) “Aggregate consumer information” means information that relates to a group or category of consumers from which individual consumer identities have been removed and which is not linked or reasonably linkable to any consumer, including through a device. The term does not include one or more individual consumer records that have been de-identified.

(3) “Authenticate” means verifying through reasonable means that the consumer entitled to exercise his or her consumer rights under this act is the same consumer exercising such consumer rights with respect to the personal information at issue.

(4) “Biometric information” means personal information generated by automatic measurements of characteristics of an individual’s physiological, behavioral, or biological characteristics, including an individual’s DNA, which identifies an individual. The term does not include a physical or digital photograph; a video or audio recording or data generated therefrom; or information collected, used, or stored for health care treatment, payment, or operations under the Health Insurance Portability and Accountability Act of 1996.

(5) “Business purpose” means the use of personal information for the controller’s operational, administrative, security, or other purposes allowed for under this act, or for any notice-given and consumer-approved purposes or for the processor’s operational purposes, provided that the use of the personal information is consistent with the requirements of this act.

(6) “Child” means a natural person younger than 13 years of age.

(7) “Collects,” “collected,” or “collection” means buying, renting, gathering, obtaining, receiving, or accessing by any means any personal information pertaining to a consumer, either actively or passively or by observing the consumer’s behavior.

(8) “Consumer” means a natural person who resides in this state to the extent he or she is acting in an individual or household context. The term does not include any other natural person who is a nonresident or a natural person acting in a commercial or employment context.

(9) “Controller” means a sole proprietorship, a partnership, a limited liability company, a corporation, or an association or any other legal entity that meets the following requirements:
(a) Is organized or operated for the profit or financial benefit of its shareholders or owners;
(b) Does business in this state or provides products or services targeted to the residents of this state;
(c) Determines the purposes and means of processing personal information about consumers, alone or jointly with others; and
(d) Satisfies either of the following thresholds:
1. During a calendar year, controls the processing of the personal information of 100,000 or more consumers who are not covered by an exception under this act; or
2. Controls or processes the personal information of at least 25,000 consumers who are not covered by an exception under this act and derives over 50 percent or more of its global annual revenues from selling personal information about consumers.

(10) “De-identified” means information that cannot reasonably identify or be linked directly to a particular consumer, or a device that is linked to such consumer, if the controller or a processor that possesses such information on behalf of the controller:
(a) Has taken reasonable measures to ensure the information could not be associated with an individual consumer;
(b) Commits to maintain and use the information in a de-identified fashion without attempting to reidentify the information; and
(c) Contractually prohibits downstream recipients from attempting to reidentify the information.

(11) “Designated request address” means an e-mail address, a toll-free telephone number, or a website established by a controller through which a consumer may submit a verified request to the controller.

(12) “Intentional interaction” or “intentionally interacting” means the consumer intends to interact with or disclose personal information to a person through one or more deliberate interactions, including visiting the person’s website or purchasing a good or service from the person. The term does not include hovering over, muting, pausing, or closing a given piece of content.

(13) “Non-targeted advertising” means:
(a) Advertising based solely on a consumer’s activities within a controller’s own, or its affiliate’s, websites or online applications;
(b) Advertisements based on the context of a consumer’s current search query, visit to a website, or online application;
(c) Advertisements directed to a consumer in response to the consumer’s request for information or feedback; or
(d) Processing personal information solely for measuring or reporting advertising performance, reach, or frequency.

(14) “Personal information” means:
(a) Information that identifies or is linked or reasonably linkable to an identified or identifiable consumer.
(b) The term does not include:
1. Information about a consumer that is lawfully made available through federal, state, or local governmental records;
2. Information that a controller has a reasonable basis to believe is lawfully made available to the general public by the consumer or from widely distributed media unless the consumer has restricted the information to a specific audience; or
3. Consumer information that is de-identified or aggregate consumer information.

(15) “Precise geolocation data” means information from technology, such as global positioning system level latitude and longitude coordinates or other mechanisms, that directly identifies the specific location of a natural person with precision and accuracy within a radius of 1,750 feet. The term does not include the information generated by the transmission of communications or any information generated by or connected to advanced utility metering infrastructure systems or equipment for use by a utility.

(16) “Process” or “processing” means any operation or set of operations performed on personal information or on sets of personal information, whether or not by automated means.

(17) “Processor” means a natural or legal entity that processes personal data on behalf of, and at the direction of, a controller.

(18) “Profiling” means any form of automated processing performed on personal data to evaluate, analyze, or predict personal aspects related to an identified or identifiable natural person’s economic situation, health, personal preferences, interests, reliability, behavior, location, or movements. The term does not include processing personal information solely for the purpose of measuring or reporting advertising performance, reach, or frequency.

(19) “Pseudonymous information” means personal information that cannot be attributed to a specific natural person without the use of additional information, provided that such additional information is kept separate at all times and is subject to appropriate technical and organizational measures to ensure that the personal data is not attributed to or combined with other personal data that may enable attribution to an identified or identifiable natural person.

(20) “Security and integrity” means the ability of a:
(a) Network or information system, device, website, or online application to detect security incidents that compromise the availability, authenticity, integrity, and confidentiality of stored or transmitted personal information;
(b) Controller to detect security incidents; resist malicious, deceptive, fraudulent, or illegal actions; and help prosecute those responsible for such actions; and
(c) Controller to ensure the physical safety of natural persons.

(21) “Sell” means to transfer or make available a consumer’s personal information by a controller to a third party in exchange for monetary or other valuable consideration, including nonmonetary transactions and agreements for other valuable consideration between a controller and a third party for the benefit of a controller. The term does not include any of the following:
(a) The disclosure, for a business purpose, of a consumer’s personal information to a processor that processes the information for the controller.
(b) The disclosure by a controller for the purpose of providing a product or service requested or approved by a consumer, or the parent of a child, of the consumer’s personal information to a third-party entity.
(c) The disclosure or transfer of personal information to an affiliate of the controller.
(d) The disclosure of personal information for purposes of nontargeted advertising.
(e) The disclosure or transfer of personal information to a third party as an asset that is part of a proposed or actual merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the controller’s assets.
(f) The controller disclosing personal information to a law enforcement or other emergency processor for the purposes of providing emergency assistance to the consumer.

(22) “Sensitive data” means a category of personal information that includes any of the following:
(a) Racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status.
(b) Biometric information, including genetic information, processed for the purpose of uniquely identifying a natural person.
(c) Personal information collected from a known child.
(d) Precise geolocation data.

(23) “Targeted advertising” means displaying an advertisement to a consumer when the advertisement is selected based on personal information obtained from the consumer’s activities over time and across nonaffiliated websites or online applications to predict such consumer’s preferences or interests. The term does not include any of the following:
(a) Non-targeted advertising.
(b) Advertisements based on the context of a consumer’s current search query or visit to a website.
(c) Advertising directed to a consumer in response to the consumer’s request for information or feedback.
(d) Processing personal data solely for measuring or reporting advertising performance, reach, or frequency.

(24) “Third party” means a person who is not any of the following:
(a) The controller with which the consumer intentionally interacts and which collects personal information from the consumer as part of the consumer’s interaction with the controller.
(b) A processor that processes personal information on behalf of and at the direction of the controller.
(c) An affiliate of the controller.

(25) “Verified request” means a request submitted by a consumer or by a consumer on behalf of the consumer’s minor child for which the controller has reasonably verified the authenticity of the request. The term includes a request made through an established account using the controller’s established security features to access the account through communication features offered to consumers. The term does not include a request in which the consumer or a person authorized to act on the consumer’s behalf does not provide verification of identity or verification of authorization to act with the permission of the consumer, and the controller is not required to provide information for such a request.

Section 4. Section 501.1745, Florida Statutes, is created to read:

501.1745 General duties of controllers that collect personal information.—

(1) A controller that controls the collection of a consumer’s personal information that will be used for any purpose other than a business purpose, at or before the point of collection, shall inform consumers of the purposes for which personal information is collected or used and whether that information is sold. A controller may not collect additional categories of personal information, or use collected personal information for additional purposes that are incompatible with the disclosed purpose for which the personal information was collected, without providing the consumer with notice consistent with this section. A controller that collects personal information about, but not directly from, consumers may provide the required information on its Internet home page or in its online privacy policy.

(2) A controller’s collection, use, and retention of a consumer’s personal information must be reasonably necessary to achieve the purposes for which the personal information was collected or processed. Such information may not be further processed in a manner that is incompatible with those purposes without notice to the consumer or be transferred or made available to a third party in a manner inconsistent with the requirements of this act.

(3) A controller that collects a consumer’s personal information shall implement reasonable security procedures and practices appropriate to the nature of the personal information to protect the personal information from unauthorized or illegal access, destruction, use, modification, or disclosure.

(4) A controller that collects a consumer’s personal information and discloses it to a processor shall enter into a contractual agreement with such processor which obligates the processor to comply with applicable obligations under this act and which prohibits downstream recipients from selling personal information or retaining, using, or disclosing the personal information. If a processor engages any other person to assist it in processing personal information for a business purpose on behalf of the controller, or if any other person engaged by the processor engages another person to assist in processing personal information for that business purpose, the processor or person must notify the controller of that engagement and the processor must prohibit downstream recipients from selling the personal information or retaining, using, or disclosing the personal information.

(5) A controller may not process sensitive data concerning a consumer without obtaining the consumer’s consent or, in the case of the processing of sensitive data obtained from a known child, without processing such data for the purpose of delivering a product or service requested by the parent of such child, or in accordance with the federal Children’s Online Privacy Protection Act, 15 U.S.C. s. 6501 et seq. and regulations interpreting this act.

(6) Determining whether a person is acting as a controller or processor with respect to a specific activity is a fact-based determination that depends upon the context in which personal information is processed. A processor that continues to adhere to a controller’s instructions with respect to a specific processing of personal information remains a processor.

Section 5. Section 501.175, Florida Statutes, is created to read:

501.175 Use of personal information; third parties; other rights.—

(1)(a) A consumer has the right at any time to direct a controller that sells personal information about the consumer not to sell the consumer’s personal information. This right may be referred to as the right to opt out of the sale.
(b) A consumer has the right at any time to opt out of the processing of the consumer’s personal information for purposes of targeted advertising or profiling. A controller shall provide a clear and conspicuous link on the controller’s Internet home page, titled “Do Not Advertise To Me,” to a web page that enables a consumer to opt out of targeted advertising or profiling. However, this paragraph may not be construed to prohibit the controller that collected the consumer’s personal information from:
1. Offering a different price, rate, level, quality, or selection of goods or services to a consumer, including offering goods or services for no fee, if the consumer has opted out of targeted advertising, profiling, or the sale of his or her personal information; or
2. Offering a loyalty, reward, premium feature, discount, or club card program.
(c) A controller that charges or offers a different price, rate, level, quality, or selection of goods or services to a consumer who has opted out of targeted advertising, profiling, or the sale of his or her personal information, or that offers goods or services for no fee, shall ensure that such charge or offer is not unjust, unreasonable, coercive, or usurious.

(2) A controller that sells consumers’ personal information shall provide notice to consumers that the information may be sold and that consumers have the right to opt out of the sale of their personal information.

(3) A controller that sells consumers’ personal information and that has received direction from a consumer not to sell the consumer’s personal information or, in the case of a minor consumer’s personal information, has not received consent to sell the minor consumer’s personal information, is prohibited from selling the consumer’s personal information after the controller receives the consumer’s direction, unless the consumer subsequently provides express authorization for the sale of the consumer’s personal information. A controller that is able to authenticate the consumer, for example, by the consumer logging in, or that is otherwise reasonably able to authenticate the consumer’s request must comply with the consumer’s request to opt out. The controller may not require the consumer to declare privacy preferences every time the consumer visits the controller’s website or uses the controller’s online services.

(4)(a) A controller may not sell the personal information collected from consumers that the controller has actual knowledge are younger than 16 years of age, unless:
1. The consumer, in the case of consumers between 13 and 16 years of age, has affirmatively authorized the sale of the consumer’s personal information; or
2. The consumer’s parent or guardian, in the case of consumers who are younger than 13 years of age, has affirmatively authorized such sale.
(b) This right may be referred to as the right to opt in.
(c) A business that willfully disregards the consumer’s age is deemed to have actual knowledge of the consumer’s age.
(d) A controller that complies with the verifiable parental consent requirements of the Children’s Online Privacy Protection Act, 15 U.S.C. s. 6501 et seq., and accompanying regulations, or is providing a product or service requested by a parent or guardian, shall be deemed compliant with any obligation to obtain parental consent.

(5) A controller that is required to comply with this section shall:
(a) Provide a clear and conspicuous link on the controller’s Internet home page, titled “Do Not Sell My Personal Information,” to a web page that enables a consumer to opt out of the sale of the consumer’s personal information. A business may not require a consumer to create an account in order to direct the business not to sell the consumer’s information.
(b) Ensure that all individuals responsible for handling consumer inquiries about the controller’s privacy practices or the controller’s compliance with this section are informed of all requirements of this section and how to direct consumers to exercise their rights.
(c) For consumers who exercise their right to opt out of the sale of their personal information, refrain from selling personal information the controller collected about the consumer as soon as reasonably possible but no longer than 10 business days after receiving the request to opt out.
(d) Use any personal information collected from the consumer in connection with the submission of the consumer’s opt-out request solely for the purposes of complying with the opt-out request.
(e) For consumers who have opted out of the sale of their personal information, respect the consumer’s decision to opt out for at least 12 months before requesting that the consumer authorize the sale of the consumer’s personal information.
(f) Ensure that consumers have the right to submit a verified request for certain information from a controller, including the categories of sources from which the consumer’s personal information was collected, the specific items of personal information it has collected about the consumer, and the categories of any third parties to whom the personal information was sold.

(6) A controller, or a processor acting pursuant to its contract with the controller or another processor, is not required to comply with a consumer’s verified request to delete the consumer’s personal information if it is necessary for the controller or processor to maintain the consumer’s personal information in order to do any of the following:
(a) Complete the transaction for which the personal information was collected, fulfill the terms of a written warranty or product recall conducted in accordance with federal law, provide a good or service requested by the consumer, or otherwise perform a contract between the business and the consumer.
(b) Help to ensure security and integrity to the extent that the use of the consumer’s personal information is reasonably necessary and proportionate for those purposes.
(c) Debug to identify and repair errors that impair existing intended functionality.
(d) Exercise free speech, ensure the right of another consumer to exercise that consumer’s right of free speech, or exercise another right provided for by law.
(e) Engage in public or peer-reviewed scientific, historical, or statistical research that conforms or adheres to all other applicable ethics and privacy laws, when the business’ deletion of the information is likely to render impossible or seriously impair the ability to complete such research, if the consumer has provided informed consent.
(f) Comply with a legal obligation.

(7) Consumers have the right to submit a verified request that personal information that has been collected from the consumer be deleted. Consumers have the right to submit a verified request for correction of their personal information held by a controller if that information is inaccurate, taking into account the nature of the personal information and the purpose for processing the consumer’s personal information.

(8) This section may not be construed to require a controller to comply by reidentifying or otherwise linking information that is not maintained in a manner that would be considered personal information; retaining any personal information about a consumer if, in the ordinary course of business, that information would not be retained; maintaining information in identifiable, linkable, or associable form; or collecting, obtaining, retaining, or accessing any data or technology in order to be capable of linking or associating a verifiable consumer request with personal information.

(9) A consumer may authorize another person to opt out of the sale of the consumer’s personal information. A controller shall comply with an opt-out request received from a person authorized by the consumer to act on the consumer’s behalf, including a request received through a user-enabled global privacy control, such as a browser plug-in or privacy setting, device setting, or other mechanism, which communicates or signals the consumer’s choice to opt out, and may not require a consumer to make a verified request to opt out of the sale of his or her information.

(10) Each controller shall establish a designated request address through which a consumer may submit a request to exercise his or her rights under this act.

(11)(a) A controller that receives a verified request:
1. For a consumer’s personal information shall disclose to the consumer any personal information about the consumer which it has collected since January 1, 2023, directly or indirectly, including through or by a processor.
2. To correct a consumer’s inaccurate personal information shall correct the inaccurate personal information, taking into account the nature of the personal information and the purpose for processing the consumer’s personal information.
3. To delete a consumer’s personal information shall delete such personal information collected from the consumer.
(b) A processor is not required to personally comply with a verified request received directly from a consumer, but the processor must notify a controller of such a request within 10 days after receiving the request. The time period required for a controller to comply with a verified request as provided in paragraph (d) commences beginning from the time the processor notifies the controller of the verified request. A processor shall provide reasonable assistance to a controller with which it has a contractual relationship with respect to the controller’s response to a verifiable consumer request, including, but not limited to, by providing to the controller the consumer’s personal information in the processor’s possession which the processor obtained as a result of providing services to the controller.
(c) At the direction of the controller, a processor shall correct inaccurate personal information or delete personal information, or enable the controller to do the same.
(d) A controller shall comply with a verified request submitted by a consumer to access, correct, or delete personal information within 45 days after the date the request is submitted. A controller may extend such period by up to 45 days if the controller, in good faith, determines that such an extension is reasonably necessary. A controller that extends the period shall notify the consumer of the necessity of an extension.
(e) A consumer’s rights under this subsection do not apply to pseudonymous information in cases where the controller is able to demonstrate that all information necessary to identify the consumer is kept separate at all times and is subject to effective technical and organizational controls that prevent the controller from accessing or combining such information.

(12) A controller shall comply with a consumer’s previous expressed decision to opt out of the sale of his or her personal information without requiring the consumer to take any additional action if the controller is able to identify the consumer through a login protocol or any other process the controller uses to identify consumers and the consumer has previously exercised his or her right to opt out of the sale of his or her personal information.

(13) A controller shall make available, in a manner reasonably accessible to consumers whose personal information the controller collects through its website or online service, a notice that does all of the following:
(a) Identifies the categories of personal information that the controller collects through its website or online service about consumers who use or visit the website or online service and the categories of third parties to whom the controller may disclose such personal information.
(b) Provides a description of the process, if applicable, for a consumer who uses or visits the website or online service to review and request changes to any of his or her personal information that is collected from the consumer through the website or online service.
(c) Describes the process by which the controller notifies consumers who use or visit the website or online service of material changes to the notice.
(d) Discloses whether a third party may collect personal information about a consumer’s online activities over time and across different websites or online services when the consumer uses the controller’s website or online service.
(e) States the effective date of the notice.

(14) If a request from a consumer is manifestly unfounded or excessive, in particular because of the request’s repetitive character, a controller may either charge a reasonable fee, taking into account the administrative costs of providing the information or communication or taking the action requested, or refuse to act on the request and notify the consumer of the reason for refusing the request. The controller bears the burden of demonstrating that any verified consumer request is manifestly unfounded or excessive.

(15) A controller that discloses personal information to a processor is not liable under this act if the processor receiving the personal information uses it in violation of the restrictions set forth in the act, provided that, at the time of disclosing the personal information, the controller does not have actual knowledge or reason to believe that the processor intends to commit such a violation. A processor is likewise not liable under this act for the obligations of a controller for which it processes personal information as set forth in this act.

(16) A controller or processor that discloses personal information to a third-party controller or processor in compliance with the requirements of this act is not in violation of this chapter if the third-party controller or processor that receives and processes such personal information is in violation of this act, provided that, at the time of disclosing the personal information, the disclosing controller or processor did not have actual knowledge that the recipient intended to commit a violation. A third-party controller or processor that violates this act, or violates the terms of a contractual agreement with a controller or processor which results in a violation of this act, is deemed to have violated the requirements of this act and is subject to the enforcement actions otherwise provided against a controller pursuant to s. 501.177. A third-party controller or processor receiving personal information from a controller or processor in compliance with the requirements of this act is not in violation of this act for noncompliance of the controller or processor from which it receives such personal data.

(17) The rights afforded to consumers and the obligations imposed on a controller in this act may not adversely affect the rights and freedoms of other consumers. Notwithstanding subsection (6), a verified request for specific items of personal information, to delete a consumer’s personal information, or to correct inaccurate personal information does not extend to personal information about the consumer which belongs to, or which the controller maintains on behalf of, another natural person.

Section 6. Section 501.176, Florida Statutes, is created to read:

501.176 Applicability; exclusions.—

(1) The obligations imposed on a controller or processor by this act do not restrict a controller’s or processor’s ability to do any of the following:
(a) Comply with federal, state, or local laws, rules, or regulations.
(b) Comply with a civil, criminal, or regulatory inquiry or an investigation, a subpoena, or a summons by federal, state, local, or other governmental authorities.
(c) Cooperate with law enforcement agencies concerning conduct or activity that the controller or processor reasonably and in good faith believes may violate federal, state, or local laws, rules, or regulations.
(d) Exercise, investigate, establish, prepare for, or defend legal claims.
(e) Collect, use, retain, sell, or disclose consumer personal information to:
1. Conduct internal research to develop, improve, or repair products, services, or technology;
2. Effectuate a product recall or provide a warranty for products or services;
3. Identify or repair technical errors that impair existing or intended functionality;
4. Perform internal operations that are reasonably aligned with the expectations of the consumer or reasonably anticipated based on the consumer’s existing relationship with the controller or are otherwise compatible with processing data in furtherance of the provision of a product or service specifically requested by a consumer or a parent of a child, or the performance of a contract to which the consumer is a party;
5. Provide a product or service specifically requested by a consumer or a parent of a child; perform a contract to which the consumer or parent is a party, including fulfilling the terms of a written warranty; or take steps at the request of the consumer before entering into a contract;
6. Take steps to protect an interest that is essential for the life or physical safety of the consumer or of another natural person, and where the processing cannot be manifestly based on another legal basis;
7. Prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity, and prosecute those responsible for that activity;
8. Preserve the integrity or security of information technology systems;
9. Investigate, report, or prosecute those responsible for any illegal, malicious, harmful, deceptive, or otherwise harmful activities;
10.
Engage in public or peer-reviewed scientific or 630 statistical research in the public interest that adheres to all 631 other applicable ethics and privacy laws and, if applicable, is 632 approved, monitored, and governed by an institutional review 633 board, or similar independent oversight entity that determines 634 if the information is likely to provide substantial benefits 635 that do not exclusively accrue to the controller, if the 636 expected benefits of the research outweigh the privacy risks, 637 and if the controller has implemented reasonable safeguards to 638 mitigate privacy risks associated with research, including any 639 risks associated with reidentification; or 640 11. Assist another controller, processor, or third party 641 with any of the obligations under this subsection. 642 (2) This act does not apply to any of the following: 643 (a) A controller that collects, processes, or discloses the 644 personal information of its employees, owners, directors, 645 officers, beneficiaries, job applicants, interns, or volunteers, 646 so long as the controller is collecting or disclosing such 647 information only to the extent reasonable and necessary within 648 the scope of the role the controller has in relation to each 649 class of listed individuals. For purposes of this section the 650 term “personal information” includes employment benefit 651 information. 
652 (b) Personal information that is part of a written or 653 verbal communication or a transaction between the controller or 654 processor and the consumer, where the consumer is a natural 655 person who is acting as an employee, owner, director, officer, 656 or contractor of a company, partnership, sole proprietorship, 657 non-profit, or government agency and whose communications or 658 transaction with the business occur solely within the context of 659 the business conducting due diligence regarding, or providing or 660 receiving a product or service to or from such company, 661 partnership, sole proprietorship, non-profit, or government 662 agency. 663 (c) A business, service provider, or third party that 664 collects the personal information of an individual: 665 1. Who applies to, is or was previously employed by, or 666 acts as an agent of the business, service provider, or third 667 party, to the extent that the personal information is collected 668 and used in a manner related to or arising from the individual’s 669 employment status; or 670 2. To administer benefits for another individual and the 671 personal information is used to administer those benefits. 672 (d) A business that enters into a contract with an 673 independent contractor and collects or discloses personal 674 information about the contractor reasonably necessary to either 675 enter into or to fulfill the contract when the contracted 676 services would not defeat the purposes of this act. 677 (e) Protected health information for purposes of the 678 federal Health Insurance Portability and Accountability Act of 679 1996 and related regulations, and patient identifying 680 information for purposes of 42 C.F.R. part 2, established 681 pursuant to 42 U.S.C. s. 290dd-2. 682 (f) A covered entity or business associate governed by the 683 privacy, security, and breach notification rules issued by the 684 United States Department of Health and Human Services in 45 685 C.F.R. 
parts 160 and 164, or a program or a qualified service 686 program defined in 42 C.F.R. part 2, to the extent the covered 687 entity, business associate, or program maintains personal 688 information in the same manner as medical information or 689 protected health information as described in paragraph (e). 690 (g) Identifiable private information collected for purposes 691 of research as defined in 45 C.F.R. s. 164.501 which is 692 conducted in accordance with the Federal Policy for the 693 Protection of Human Subjects for purposes of 45 C.F.R. part 46, 694 the good clinical practice guidelines issued by the 695 International Council for Harmonisation of Technical 696 Requirements for Pharmaceuticals for Human Use, or the 697 Protection for Human Subjects for purposes of 21 C.F.R. parts 50 698 and 56; or personal information used or shared in research 699 conducted in accordance with one or more of these standards, or 700 another applicable protocol. 701 (h) Information and documents created for purposes of the 702 federal Health Care Quality Improvement Act of 1986 and related 703 regulations, or patient safety work product for purposes of 42 704 C.F.R. part 3, established pursuant to 42 U.S.C. s. 299b-21 705 through 299b-26. 706 (i) Information that is de-identified in accordance with 45 707 C.F.R. part 164 and that is derived from individually 708 identifiable health information, as described in the Health 709 Insurance Portability and Accountability Act of 1996, or 710 identifiable personal information, consistent with the Federal 711 Policy for the Protection of Human Subjects or the human subject 712 protection requirements of the United States Food and Drug 713 Administration or the good clinical practice guidelines issued 714 by the International Council for Harmonisation. 
715 (j) Information collected as part of a clinical trial 716 subject to the Federal Policy for the Protection of Human 717 Subjects pursuant to good clinical practice guidelines issued by 718 the International Council for Harmonisation of Technical 719 Requirements for Pharmaceuticals for Human Use or pursuant to 720 human subject protection requirements of the United States Food 721 and Drug Administration, or another protocol. 722 (k) Personal information collected, processed, sold, or 723 disclosed pursuant to the federal Fair Credit Reporting Act, 15 724 U.S.C. s. 1681 et seq. 725 (l) Personal information collected, processed, sold, or 726 disclosed pursuant to, or a financial institution to the extent 727 regulated by, the federal Gramm-Leach-Bliley Act, 15 U.S.C. s. 728 6801 et seq. and implementing regulations. 729 (m) Personal information collected, processed, sold, or 730 disclosed pursuant to the Farm Credit Act of 1971, as amended in 731 12 U.S.C. s. 2001-2279cc and implementing regulations. 732 (n) Personal information collected, processed, sold, or 733 disclosed pursuant to the federal Driver’s Privacy Protection 734 Act of 1994, 18 U.S.C. s. 2721 et seq. 735 (o) Education information covered by the federal Family 736 Educational Rights and Privacy Act, 20 U.S.C. s. 1232g and 34 737 C.F.R. part 99. 738 (p) Personal information collected, processed, sold, or 739 disclosed in relation to price, route, or service as those terms 740 are used in the federal Airline Deregulation Act, 49 U.S.C. s. 741 40101 et seq., by entities subject to the federal Airline 742 Deregulation Act, to the extent this act is preempted by s. 743 41713 of the federal Airline Deregulation Act. 
(q) Vehicle information or ownership information retained or shared between a new motor vehicle dealer, distributor, or the vehicle’s manufacturer if the vehicle or ownership information is shared for the purpose of effectuating, or in anticipation of effectuating, a vehicle repair covered by a vehicle warranty or a recall conducted pursuant to 49 U.S.C. s. 30118-30120, provided that the new motor vehicle dealer, distributor, or vehicle manufacturer with which that vehicle information or ownership information is shared does not sell, share, or use that information for any other purpose. As used in this paragraph, the term “vehicle information” means the vehicle identification number, make, model, year, and odometer reading, and the term “ownership information” means the name or names of the registered owner or owners and the contact information for the owner or owners.
Section 7. Section 501.177, Florida Statutes, is created to read:
501.177 Enforcement; Attorney General; preemption.—
(1) The Department of Legal Affairs may adopt rules to implement this section. If the department has reason to believe that any controller, processor, or other person or entity is in violation of this act and that proceedings would be in the public interest, the department may institute an appropriate legal proceeding against such party.
(2) After the department has notified a controller in writing of an alleged violation of this act, the Attorney General may at his or her discretion, before initiating a proceeding under this section, grant the controller a 30-day period to cure the alleged violation. The Attorney General may consider the number of violations, the substantial likelihood of injury to the public, or the safety of persons or property when determining whether to grant 30 days to cure an alleged violation. If the controller cures the alleged violation to the satisfaction of the Attorney General and provides proof of such cure to the Attorney General, the Attorney General may either extend the cure period or issue a letter of guidance to the controller which indicates that the controller will not be offered a 30-day cure period for any future violations. If the controller fails to cure the violation within 30 days, the Attorney General may bring an action against the controller for the alleged violation.
(3) The trial court, upon a showing that any controller, processor, or other person or entity is in violation of this act, may take any of the following actions:
(a) Issue a temporary or permanent injunction.
(b) Impose a civil penalty of not more than $2,500 for each violation.
(c) Award reasonable costs of enforcement, including reasonable attorney fees and costs.
(4) This act is a matter of statewide concern and supersedes and preempts to the state all rules, regulations, codes, ordinances, and other laws adopted by a city, county, city and county, municipality, or local agency regarding the collection, processing, or sale of consumers’ personal information by a controller or processor.
(5) Any reference to federal law or statute in this act shall be deemed to include any accompanying rules or regulations or exemptions thereto. Further, this enactment is declaratory of existing law.
Section 8. This act shall take effect July 1, 2023.

================= T I T L E A M E N D M E N T ================
And the title is amended as follows:
Delete everything before the enacting clause
and insert:
A bill to be entitled
An act relating to consumer data privacy; creating s. 501.172, F.S.; providing a short title; creating s. 501.173, F.S.; providing a purpose; creating s. 501.174, F.S.; defining terms; creating s. 501.1745, F.S.; requiring controllers that collect consumer personal information to provide certain information to the consumer; requiring such collection, use, and retention of such information to meet certain requirements; requiring controllers to implement reasonable security procedures and practices; prohibiting controllers from processing certain sensitive consumer data under certain circumstances; creating s. 501.175, F.S.; providing that consumers have the right to opt out of the sale and processing of their personal information by controllers; providing requirements for a controller to comply with such a request under certain circumstances; prohibiting controllers from selling the personal information of consumers younger than a specified age without express authorization from the consumer or the consumer’s parent or guardian under certain circumstances; providing that controllers that willfully disregard a consumer’s age are deemed to have actual knowledge of the consumer’s age; providing requirements for controllers to comply with a consumer’s right to opt out; providing exceptions; providing that consumers have the right to submit a verified request for the deletion or correction of their personal information; providing construction; providing that consumers may authorize other persons to opt out of the sale of the consumer’s personal information on the consumer’s behalf; requiring controllers to establish designated request addresses; providing requirements for controllers to comply with verified consumer requests; authorizing businesses to charge consumers a reasonable fee for manifestly unfounded or excessive requests, or to refuse to complete a request under certain circumstances; providing that controllers and processors are not liable for certain actions; providing that third-party controllers or processors are liable for violating the act or the terms of certain contractual agreements, thereby resulting in a violation; providing that a consumer’s rights and the obligations of a controller may not adversely affect the rights and freedoms of other consumers; creating s. 501.176, F.S.; providing applicability; providing exceptions; creating s. 501.177, F.S.; authorizing the Department of Legal Affairs to adopt rules and to bring appropriate legal proceedings for violations under certain circumstances; authorizing the Attorney General to grant controllers an opportunity to cure violations when given notice by the department; providing civil remedies and penalties for violations; preempting the regulation of the collection, processing, or sale of consumers’ personal information by a controller or processor to the state; providing applicability; providing an effective date.