Florida Senate - 2022 SB 1864
By Senator Bradley
5-01351-22 20221864__
1 A bill to be entitled
2 An act relating to consumer data privacy; creating s.
3 501.172, F.S.; providing a short title; creating s.
4 501.173, F.S.; providing a purpose; creating s.
5 501.174, F.S.; defining terms; creating s. 501.1745,
6 F.S.; requiring controllers that collect consumer
7 personal information to provide certain information to
8 the consumer; requiring such collection, use, and
9 retention of such information to meet certain
10 requirements; requiring controllers to implement
11 reasonable security procedures and practices;
12 prohibiting controllers from processing certain
13 sensitive consumer data under certain circumstances;
14 creating s. 501.175, F.S.; providing that consumers
15 have the right to opt out of the sale and processing
16 of their personal information by controllers;
17 providing requirements for a controller to comply with
18 such a request under certain circumstances;
19 prohibiting controllers from selling the personal
20 information of consumers younger than a specified age
21 without express authorization from the consumer or the
22 consumer’s parent or guardian under certain
23 circumstances; providing that businesses that
24 willfully disregard a consumer’s age are deemed to
25 have actual knowledge of the consumer’s age; providing
26 requirements for controllers to comply with a
27 consumer’s right to opt out; providing exceptions;
28 providing that consumers have the right to submit a
29 verified request for the deletion or correction of
30 their personal information; providing construction;
31 providing that consumers may authorize other persons
32 to opt out of the sale of the consumer’s personal
33 information on the consumer’s behalf; requiring
34 controllers to establish designated request addresses;
35 providing requirements for controllers to comply with
36 verified consumer requests; providing notice
37 requirements; authorizing businesses to charge
38 consumers a reasonable fee for manifestly unfounded or
39 excessive requests, or to refuse to complete a request
40 under certain circumstances; providing that
41 controllers and processors are not liable for certain
42 actions; providing that third-party controllers or
43 processors are liable for violating the act or the
44 terms of certain contractual agreements, thereby
45 resulting in a violation; providing that a consumer’s
46 rights and the obligations of a controller may not
47 adversely affect the rights and freedoms of other
48 consumers; creating s. 501.176, F.S.; providing
49 applicability; providing exceptions; defining the
50 terms “vehicle information” and “ownership
51 information”; creating s. 501.177, F.S.; providing
52 applicability; specifying violations that are
53 enforceable by the Department of Legal Affairs under
54 the Florida Deceptive and Unfair Trade Practices Act;
55 authorizing the department to grant controllers and
56 processors an opportunity to cure violations when
57 given notice by the department; providing civil
58 remedies and penalties for violations; authorizing
59 increased civil penalties for certain violations;
60 requiring the department, in conjunction and
61 consultation with the director of the Consumer Data
62 Privacy Unit, to submit a report to the Legislature by
63 a specified date; providing requirements for the
64 report; authorizing the department to adopt rules;
65 providing for jurisdiction; preempting the regulation
66 of the collection, processing, or sale of consumers’
67 personal information by a controller or processor to
68 the state; amending s. 16.53, F.S.; revising the
69 purposes for which the Legal Affairs Revolving Trust
70 Fund may be used to include enforcement of the Florida
71 Privacy Protection Act by the Attorney General;
72 requiring that attorney fees and costs recovered by
73 the Attorney General for certain actions be deposited
74 in the fund; creating s. 16.581, F.S.; creating the
75 Consumer Data Privacy Unit within the department;
76 providing for a director of the unit; providing the
77 duties of the unit; authorizing the unit to take
78 certain actions; authorizing the unit to recover
79 reasonable attorney fees and costs and penalties in
80 accordance with certain provisions; requiring such
81 moneys to be deposited in the Legal Affairs Revolving
82 Trust Fund; requiring other moneys recovered by the
83 Attorney General for penalties to be deposited into
84 the General Revenue Fund; providing an effective date.
85
86 Be It Enacted by the Legislature of the State of Florida:
87
88 Section 1. Section 501.172, Florida Statutes, is created to
89 read:
90 501.172 Short title.—This act, consisting of ss. 501.172-
91 501.177, may be cited as the “Florida Privacy Protection Act.”
92 Section 2. Section 501.173, Florida Statutes, is created to
93 read:
94 501.173 Purpose.—This act recognizes that privacy is an
95 important right, and consumers in this state should have the
96 ability to share their personal information as they wish, in a
97 way that is safe and that they understand and control.
98 Section 3. Section 501.174, Florida Statutes, is created to
99 read:
100 501.174 Definitions.—As used in ss. 501.172-501.177, unless
101 the context otherwise requires, the term:
102 (1) “Affiliate” means a legal entity that controls, is
103 controlled by, or is under common control with another legal
104 entity or shares common branding with another legal entity. For
105 the purposes of this subsection, the term “control” or
106 “controlled” means the ownership of, or the power to vote, more
107 than 50 percent of the outstanding shares of any class of voting
108 security of a company; control in any manner over the election
109 of a majority of the directors or of individuals exercising
110 similar functions; or the power to exercise controlling
111 influence over the management of a company.
112 (2) “Aggregate consumer information” means information that
113 relates to a group or category of consumers from which
114 individual consumer identities have been removed and which is
115 not linked or reasonably linkable to any consumer, including
116 through a device. The term does not include one or more
117 individual consumer records that have been de-identified.
118 (3) “Authenticate” means verifying through reasonable means
119 that the consumer entitled to exercise his or her consumer
120 rights under this act is the same consumer exercising such
121 consumer rights with respect to the personal information at
122 issue.
123 (4) “Biometric information” means personal information
124 generated by automatic measurements of an individual’s
125 physiological, behavioral, or biological characteristics,
126 including an individual’s DNA, which identifies an individual.
127 The term does not include a physical or digital photograph; a
128 video or audio recording or data generated therefrom; or
129 information collected, used, or stored for health care
130 treatment, payment, or operations under the Health Insurance
131 Portability and Accountability Act of 1996.
132 (5) “Business purpose” means the use of personal
133 information for the controller’s operational, administrative,
134 security, or other purposes allowed for under this act, or for
135 any notice-given and consumer-approved purposes or for the
136 processor’s operational purposes, provided that the use of the
137 personal information is consistent with the requirements of this
138 act.
139 (6) “Child” means a natural person younger than 13 years of
140 age.
141 (7) “Collects,” “collected,” or “collection” means buying,
142 renting, gathering, obtaining, receiving, or accessing by any
143 means any personal information pertaining to a consumer, either
144 actively or passively or by observing the consumer’s behavior.
145 (8) “Consumer” means a natural person who resides in this
146 state to the extent he or she is acting in an individual or
147 household context. The term does not include any other natural
148 person who is a nonresident or a natural person acting in a
149 commercial or employment context.
150 (9) “Controller” means a sole proprietorship, a
151 partnership, a limited liability company, a corporation, or an
152 association or any other legal entity that meets the following
153 requirements:
154 (a) Is organized or operated for the profit or financial
155 benefit of its shareholders or owners;
156 (b) Does business in this state or provides products or
157 services targeted to the residents of this state;
158 (c) Determines the purposes and means of processing
159 personal information about consumers, alone or jointly with
160 others; and
161 (d) Satisfies either of the following thresholds:
162 1. During a calendar year, controls the processing of the
163 personal information of 100,000 or more consumers who are not
164 covered by an exception under this act; or
165 2. Controls or processes the personal information of at
166 least 25,000 consumers who are not covered by an exception under
167 this act and derives 50 percent or more of its global annual
168 revenues from selling personal information about consumers.
169 (10) “De-identified” means information that cannot
170 reasonably identify or be linked directly to a particular
171 consumer, or a device linked to such consumer, if the controller
172 or a processor that possesses such information on behalf of the
173 controller:
174 (a) Has taken reasonable measures to ensure that the
175 information cannot be associated with an individual consumer;
176 (b) Commits to maintain and use the information in a de-
177 identified fashion without attempting to reidentify the
178 information; and
179 (c) Contractually prohibits downstream recipients from
180 attempting to reidentify the information.
181 (11) “Designated request address” means an e-mail address,
182 a toll-free telephone number, or a website established by a
183 controller through which a consumer may submit a verified
184 request to the controller.
185 (12) “Intentional interaction” or “intentionally
186 interacting” means that the consumer intends to interact with or
187 disclose personal information to a person through one or more
188 deliberate interactions, including visiting the person’s website
189 or purchasing a good or service from the person. The term does
190 not include hovering over, muting, pausing, or closing a given
191 piece of content.
192 (13) “Non-targeted advertising” means:
193 (a) Advertising based solely on a consumer’s activities
194 within a controller’s own, or its affiliates’, websites or
195 online applications;
196 (b) Advertisements based on the context of a consumer’s
197 current search query, visit to a website, or online application;
198 (c) Advertisements directed to a consumer in response to
199 the consumer’s request for information or feedback; or
200 (d) Processing personal information solely for measuring or
201 reporting advertising performance, reach, or frequency.
202 (14) “Personal information” means:
203 (a) Information that identifies or is linked or reasonably
204 linkable to an identified or identifiable consumer.
205 (b) The term does not include:
206 1. Information about a consumer that is lawfully made
207 available through federal, state, or local governmental records;
208 2. Information that a controller has a reasonable basis to
209 believe is lawfully made available to the general public by the
210 consumer or from widely distributed media unless the consumer
211 has restricted the information to a specific audience; or
212 3. Consumer information that is de-identified or aggregate
213 consumer information.
214 (15) “Precise geolocation data” means information from
215 technology, such as global positioning system level latitude and
216 longitude coordinates or other mechanisms, which directly
217 identifies the specific location of a natural person with
218 precision and accuracy within a radius of 1,750 feet. The term
219 does not include the information generated by the transmission
220 of communications or any information generated by or connected
221 to advanced utility metering infrastructure systems or equipment
222 for use by a utility.
223 (16) “Process” or “processing” means any operation or set
224 of operations performed on personal information or on sets of
225 personal information, regardless of whether by automated means.
226 (17) “Processor” means a natural or legal entity that
227 processes personal data on behalf of, and at the direction of, a
228 controller.
229 (18) “Profiling” means any form of automated processing
230 performed on personal data to evaluate, analyze, or predict
231 personal aspects related to an identified or identifiable
232 natural person’s economic situation, health, personal
233 preferences, interests, reliability, behavior, location, or
234 movements. The term does not include processing personal
235 information solely for the purpose of measuring or reporting
236 advertising performance, reach, or frequency.
237 (19) “Pseudonymous information” means personal information
238 that cannot be attributed to a specific natural person without
239 the use of additional information, which must be kept separate
240 at all times and must be subject to appropriate technical and
241 organizational measures to ensure that the personal data is not
242 attributed to or combined with other personal data that may
243 enable attribution to an identified or identifiable natural
244 person.
245 (20) “Security and integrity” means the ability of a:
246 (a) Network or information system, device, website, or
247 online application to detect security incidents that compromise
248 the availability, authenticity, integrity, and confidentiality
249 of stored or transmitted personal information;
250 (b) Controller to detect security incidents; resist
251 malicious, deceptive, fraudulent, or illegal actions; and help
252 prosecute those responsible for such actions; and
253 (c) Controller to ensure the physical safety of natural
254 persons.
255 (21) “Sell” means to transfer or make available a
256 consumer’s personal information by a controller to a third party
257 in exchange for monetary or other valuable consideration,
258 including nonmonetary transactions and agreements for other
259 valuable consideration between a controller and a third party
260 for the benefit of a controller. The term does not include any
261 of the following:
262 (a) The disclosure, for a business purpose, of a consumer’s
263 personal information to a processor that processes the
264 information for the controller.
265 (b) The disclosure by a controller for the purpose of
266 providing a product or service requested or approved by a
267 consumer, or the parent of a child, of the consumer’s personal
268 information to a third-party entity.
269 (c) The disclosure or transfer of personal information to
270 an affiliate of the controller.
271 (d) The disclosure of personal information for purposes of
272 nontargeted advertising.
273 (e) The disclosure or transfer of personal information to a
274 third party as an asset that is part of a proposed or actual
275 merger, acquisition, bankruptcy, or other transaction in which
276 the third party assumes control of all or part of the
277 controller’s assets.
278 (f) The controller disclosing personal information to a law
279 enforcement or other emergency processor for the purposes of
280 providing emergency assistance to the consumer.
281 (22) “Sensitive data” means a category of personal
282 information that includes any of the following:
283 (a) Racial or ethnic origin, religious beliefs, mental or
284 physical health diagnosis, sexual orientation, or citizenship or
285 immigration status.
286 (b) Biometric information, including genetic information,
287 processed for the purpose of uniquely identifying a natural
288 person.
289 (c) Personal information collected from a known child.
290 (d) Precise geolocation data.
291 (23) “Targeted advertising” means displaying an
292 advertisement to a consumer when the advertisement is selected
293 based on personal information obtained from the consumer’s
294 activities over time and across nonaffiliated websites or online
295 applications to predict such consumer’s preferences or
296 interests. The term does not include any of the following:
297 (a) Non-targeted advertising.
298 (b) Advertisements based on the context of a consumer’s
299 current search query or visit to a website.
300 (c) Advertising directed to a consumer in response to the
301 consumer’s request for information or feedback.
302 (d) Processing personal data solely for the purpose of
303 measuring or reporting advertising performance, reach, or
304 frequency.
305 (24) “Third party” means a person who is not any of the
306 following:
307 (a) The controller with which the consumer intentionally
308 interacts and which collects personal information from the
309 consumer as part of the consumer’s interaction with the
310 controller.
311 (b) A processor that processes personal information on
312 behalf of and at the direction of the controller.
313 (c) An affiliate of the controller.
314 (25) “Verified request” means a request submitted by a
315 consumer or by a consumer on behalf of the consumer’s minor
316 child for which the controller has reasonably verified the
317 authenticity of the request. The term includes a request made
318 through an established account using the controller’s
319 established security features to access the account through
320 communication features offered to consumers. The term does not
321 include a request in which the consumer or a person authorized
322 to act on the consumer’s behalf does not provide verification of
323 identity or verification of authorization to act with the
324 permission of the consumer, and the controller is not required
325 to provide information for such a request.
326 Section 4. Section 501.1745, Florida Statutes, is created
327 to read:
328 501.1745 General duties of controllers that collect
329 personal information.—
330 (1) A controller that controls the collection of a
331 consumer’s personal information that will be used for any
332 purpose other than a business purpose, at or before the point of
333 collection, shall inform consumers of the purposes for which
334 personal information is collected or used and whether that
335 information is sold. A controller may not collect additional
336 categories of personal information, or use collected personal
337 information for additional purposes that are incompatible with
338 the disclosed purpose for which the personal information was
339 collected, without providing the consumer with notice consistent
340 with this section. A controller that collects personal
341 information about, but not directly from, consumers may provide
342 the required information on its Internet home page or in its
343 online privacy policy.
344 (2) A controller’s collection, use, and retention of a
345 consumer’s personal information must be reasonably necessary to
346 achieve the purposes for which the personal information was
347 collected or processed. Such information may not be further
348 processed in a manner that is incompatible with those purposes
349 without notice to the consumer or be transferred or made
350 available to a third party in a manner inconsistent with the
351 requirements of this act.
352 (3) A controller that collects a consumer’s personal
353 information shall implement reasonable security procedures and
354 practices appropriate to the nature of the personal information
355 to protect the personal information from unauthorized or illegal
356 access, destruction, use, modification, or disclosure.
357 (4) A controller that collects a consumer’s personal
358 information and discloses it to a processor shall enter into a
359 contractual agreement with such processor which obligates the
360 processor to comply with applicable obligations under this act
361 and which prohibits downstream recipients from selling personal
362 information or retaining, using, or disclosing the personal
363 information. If a processor engages any other person to assist
364 it in processing personal information for a business purpose on
365 behalf of the controller, or if any other person engaged by the
366 processor engages another person to assist in processing
367 personal information for that business purpose, the processor or
368 person must notify the controller of that engagement and the
369 processor must prohibit downstream recipients from selling the
370 personal information or retaining, using, or disclosing the
371 personal information.
372 (5) A controller may not process sensitive data concerning
373 a consumer without obtaining the consumer’s consent or, in the
374 case of the processing of sensitive data obtained from a known
375 child, without processing such data for the purpose of
376 delivering a product or service requested by the parent of such
377 child, or in accordance with the federal Children’s Online
378 Privacy Protection Act, 15 U.S.C. s. 6501 et seq. and
379 regulations interpreting this act.
380 (6) The determination as to whether a person is acting as a
381 controller or processor with respect to a specific activity is a
382 fact-based determination that depends upon the context in which
383 personal information is processed. A processor that continues to
384 adhere to a controller’s instructions with respect to a specific
385 processing of personal information remains a processor.
386 Section 5. Section 501.175, Florida Statutes, is created to
387 read:
388 501.175 Use of personal information; third parties; other
389 rights.—
390 (1)(a) A consumer has the right at any time to direct a
391 controller that sells personal information about the consumer
392 not to sell the consumer’s personal information. This right may
393 be referred to as the right to opt out of the sale.
394 (b) A consumer has the right at any time to opt out of the
395 processing of the consumer’s personal information for purposes
396 of targeted advertising or profiling. A controller shall provide
397 a clear and conspicuous link on the controller’s Internet home
398 page, titled “Do Not Advertise To Me,” to a web page that
399 enables a consumer to opt out of targeted advertising or
400 profiling. However, this paragraph may not be construed to
401 prohibit the controller that collected the consumer’s personal
402 information from:
403 1. Offering a different price, rate, level, quality, or
404 selection of goods or services to a consumer, including offering
405 goods or services for no fee, if the consumer has opted out of
406 targeted advertising, profiling, or the sale of his or her
407 personal information; or
408 2. Offering a loyalty, reward, premium feature, discount,
409 or club card program.
410 (c) A controller that charges or offers a different price,
411 rate, level, quality, or selection of goods or services to a
412 consumer who has opted out of targeted advertising, profiling,
413 or the sale of his or her personal information, or that offers
414 goods or services for no fee, shall ensure that such charge or
415 offer is not unjust, unreasonable, coercive, or usurious.
416 (2) A controller that sells consumers’ personal information
417 shall provide notice to consumers that the information may be
418 sold and that consumers have the right to opt out of the sale of
419 their personal information.
420 (3) A controller that sells consumers’ personal information
421 and that has received direction from a consumer not to sell the
422 consumer’s personal information or, in the case of a minor
423 consumer’s personal information, has not received consent to
424 sell the minor consumer’s personal information, is prohibited
425 from selling the consumer’s personal information after the
426 controller receives the consumer’s direction, unless the
427 consumer subsequently provides express authorization for the
428 sale of the consumer’s personal information. A controller that
429 is able to authenticate the consumer by the consumer logging in
430 or any other means, or that is otherwise reasonably able to
431 authenticate the consumer’s request must comply with the
432 consumer’s request to opt out. The controller may not require
433 the consumer to declare privacy preferences every time the
434 consumer visits the controller’s website or uses the
435 controller’s online services.
436 (4)(a) A controller may not sell the personal information
437 collected from consumers that the controller has actual
438 knowledge are 16 years of age or younger, unless:
439 1. The consumer, in the case of consumers who are 13 years
440 of age up to 16 years of age, has affirmatively authorized the
441 sale of the consumer’s personal information; or
442 2. The consumer’s parent or guardian, in the case of
443 consumers who are younger than 13 years of age, has
444 affirmatively authorized such sale.
445 (b) This right may be referred to as the right to opt in.
446 (c) A business that willfully disregards the consumer’s age
447 is deemed to have actual knowledge of the consumer’s age.
448 (d) A controller that complies with the verifiable parental
449 consent requirements of the Children’s Online Privacy Protection
450 Act, 15 U.S.C. s. 6501 et seq., and accompanying regulations, or
451 is providing a product or service requested by a parent or
452 guardian, is deemed compliant with any obligation to obtain
453 parental consent.
454 (5) A controller required to comply with this section
455 shall:
456 (a) Provide a clear and conspicuous link on the
457 controller’s Internet home page, titled “Do Not Sell My Personal
458 Information,” to a web page that enables a consumer to opt out
459 of the sale of the consumer’s personal information. A business
460 may not require a consumer to create an account in order to
461 direct the business not to sell the consumer’s information.
462 (b) Ensure that all individuals responsible for handling
463 consumer inquiries about the controller’s privacy practices or
464 the controller’s compliance with this section are informed of
465 all requirements of this section and how to direct consumers to
466 exercise their rights.
467 (c) For consumers who exercise their right to opt out of
468 the sale of their personal information, refrain from selling
469 personal information the controller collected about the consumer
470 as soon as reasonably possible but no longer than 10 business
471 days after receiving the request to opt out.
472 (d) Use any personal information collected from the
473 consumer in connection with the submission of the consumer’s
474 opt-out request solely for the purposes of complying with the
475 opt-out request.
476 (e) For consumers who have opted out of the sale of their
477 personal information, respect the consumer’s decision to opt out
478 for at least 12 months before requesting that the consumer
479 authorize the sale of the consumer’s personal information.
480 (f) Ensure that consumers have the right to submit a
481 verified request for certain information from a controller,
482 including the categories of sources from which the consumer’s
483 personal information was collected, the specific items of
484 personal information it has collected about the consumer, and
485 the categories of any third parties to whom the personal
486 information was sold.
487 (6) Consumers have the right to submit a verified request
488 that personal information that has been collected from the
489 consumer be deleted. Consumers have the right to submit a
490 verified request for correction of their personal information
491 held by a controller if that information is inaccurate, taking
492 into account the nature of the personal information and the
493 purpose for processing the consumer’s personal information.
494 (7) A controller, or a processor acting pursuant to its
495 contract with the controller or another processor, is not
496 required to comply with a consumer’s verified request to delete
497 the consumer’s personal information if it is necessary for the
498 controller or processor to maintain the consumer’s personal
499 information in order to do any of the following:
500 (a) Complete the transaction for which the personal
501 information was collected, fulfill the terms of a written
502 warranty or product recall conducted in accordance with federal
503 law, provide a good or service requested by the consumer, or
504 otherwise perform a contract between the business and the
505 consumer.
506 (b) Help to ensure security and integrity to the extent
507 that the use of the consumer’s personal information is
508 reasonably necessary and proportionate for those purposes.
509 (c) Debug to identify and repair errors that impair
510 existing intended functionality.
511 (d) Exercise free speech, ensure the right of another
512 consumer to exercise that consumer’s right of free speech, or
513 exercise another right provided for by law.
514 (e) Engage in public or peer-reviewed scientific,
515 historical, or statistical research that conforms or adheres to
516 all other applicable ethics and privacy laws, when the business’
517 deletion of the information is likely to render impossible or
518 seriously impair the ability to complete such research, if the
519 consumer has provided informed consent.
520 (f) Comply with a legal obligation.
521 (8) This section may not be construed to require a
522 controller to comply by reidentifying or otherwise linking
523 information that is not maintained in a manner that would be
524 considered personal information; retaining any personal
525 information about a consumer if, in the ordinary course of
526 business, that information would not be retained; maintaining
527 information in identifiable, linkable, or associable form; or
528 collecting, obtaining, retaining, or accessing any data or
529 technology in order to be capable of linking or associating a
530 verifiable consumer request with personal information.
531 (9) A consumer may authorize another person to opt out of
532 the sale of the consumer’s personal information. A controller
533 shall comply with an opt-out request received from a person
534 authorized by the consumer to act on the consumer’s behalf,
535 including a request received through a user-enabled global
536 privacy control, such as a browser plug-in or privacy setting,
537 device setting, or other mechanism, which communicates or
538 signals the consumer’s choice to opt out, and may not require a
539 consumer to make a verified request to opt out of the sale of
540 his or her information.
541 (10) Each controller shall establish a designated request
542 address through which a consumer may submit a request to
543 exercise his or her rights under this act.
544 (11)(a) A controller that receives a verified request:
545 1. For a consumer’s personal information shall disclose to
546 the consumer any personal information about the consumer which
547 it has collected since January 1, 2023, directly or indirectly,
548 including such information obtained through or by a processor.
549 2. To correct a consumer’s inaccurate personal information
550 shall correct the inaccurate personal information, taking into
551 account the nature of the personal information and the purpose
552 for processing the consumer’s personal information.
553 3. To delete a consumer’s personal information shall delete
554 such personal information collected from the consumer.
555 (b) A processor is not required to personally comply with a
556 verified request received directly from a consumer, but the
557 processor must notify a controller of such a request within 10
558 days after receiving the request. The time period required for a
559 controller to comply with a verified request as provided in
560 paragraph (d) commences beginning from the time the processor
561 notifies the controller of the verified request. A processor
562 shall provide reasonable assistance to a controller with which
563 it has a contractual relationship with respect to the
564 controller’s response to a verifiable consumer request,
565 including, but not limited to, by providing to the controller
566 the consumer’s personal information in the processor’s
567 possession which the processor obtained as a result of providing
568 services to the controller.
569 (c) At the direction of the controller, a processor shall
570 correct inaccurate personal information or delete personal
571 information, or enable the controller to do the same.
572 (d) A controller shall comply with a verified request
573 submitted by a consumer to access, correct, or delete personal
574 information within 45 days after the date the request is
575 submitted. A controller may extend such period by up to 45 days
576 if the controller, in good faith, determines that such an
577 extension is reasonably necessary. A controller that extends the
578 period shall notify the consumer of the necessity of an
579 extension.
580 (e) A consumer’s rights under this subsection do not apply
581 to pseudonymous information in cases in which the controller is
582 able to demonstrate that all information necessary to identify
583 the consumer is kept separate at all times and is subject to
584 effective technical and organizational controls that prevent the
585 controller from accessing or combining such information.
586 (12) A controller shall comply with a consumer’s previous
587 expressed decision to opt out of the sale of his or her personal
588 information without requiring the consumer to take any
589 additional action if the controller is able to identify the
590 consumer through a login protocol or any other process the
591 controller uses to identify consumers and the consumer has
592 previously exercised his or her right to opt out of the sale of
593 his or her personal information.
594 (13) A controller shall make available, in a manner
595 reasonably accessible to consumers whose personal information
596 the controller collects through its website or online service, a
597 notice that does all of the following:
598 (a) Identifies the categories of personal information that
599 the controller collects through its website or online service
600 about consumers who use or visit the website or online service
601 and the categories of third parties to whom the controller may
602 disclose such personal information.
603 (b) Provides a description of the process, if applicable,
604 for a consumer who uses or visits the website or online service
605 to review and request changes to any of his or her personal
606 information collected from the consumer through the website or
607 online service.
608 (c) Describes the process by which the controller notifies
609 consumers who use or visit the website or online service of
610 material changes to the notice.
611 (d) Discloses whether a third party may collect personal
612 information about a consumer’s online activities over time and
613 across different websites or online services when the consumer
614 uses the controller’s website or online service.
615 (e) States the effective date of the notice.
616 (14) If a request from a consumer is manifestly unfounded
617 or excessive, in particular because of the request’s repetitive
618 character, a controller may either charge a reasonable fee,
619 taking into account the administrative costs of providing the
620 information or communication or taking the action requested, or
621 refuse to act on the request and notify the consumer of the
622 reason for refusing the request. The controller bears the burden
623 of demonstrating that any verified consumer request is
624 manifestly unfounded or excessive.
625 (15) A controller that discloses personal information to a
626 processor is not liable under this act if the processor
627 receiving the personal information uses it in violation of the
628 restrictions set forth in the act, provided that, at the time of
629 disclosing the personal information, the controller does not
630 have actual knowledge or reason to believe that the processor
631 intends to commit such a violation. A processor is likewise not
632 liable under this act for the obligations of a controller for
633 which it processes personal information as set forth in this
634 act.
635 (16) A controller or processor that discloses personal
636 information to a third-party controller or processor in
637 compliance with the requirements of this act is not in violation
638 of this chapter if the third-party controller or processor that
639 receives and processes such personal information is in violation
640 of this act, provided that, at the time of disclosing the
641 personal information, the disclosing controller or processor did
642 not have actual knowledge that the recipient intended to commit
643 a violation. A third-party controller or processor that violates
644 this act, or violates the terms of a contractual agreement with
645 a controller or processor which results in a violation of this
646 act, is deemed to have violated the requirements of this act and
647 is subject to the enforcement actions otherwise provided against
648 a controller pursuant to s. 501.177. A third-party controller or
649 processor receiving personal information from a controller or
650 processor in compliance with the requirements of this act is not
651 in violation of this act for noncompliance of the controller or
652 processor from which it receives such personal data.
653 (17) The rights afforded to consumers and the obligations
654 imposed on a controller in this act may not adversely affect the
655 rights and freedoms of other consumers. Notwithstanding
656 subsection (7), a verified request for specific items of
657 personal information, to delete a consumer’s personal
658 information, or to correct inaccurate personal information does
659 not extend to personal information about the consumer which
660 belongs to, or which the controller maintains on behalf of,
661 another natural person.
662 Section 6. Section 501.176, Florida Statutes, is created to
663 read:
664 501.176 Applicability; exclusions.—
665 (1) The obligations imposed on a controller or processor by
666 this act do not restrict a controller’s or processor’s ability
667 to do any of the following:
668 (a) Comply with federal, state, or local laws, rules, or
669 regulations.
670 (b) Comply with a civil, criminal, or regulatory inquiry or
671 an investigation, a subpoena, or a summons by federal, state,
672 local, or other governmental authorities.
673 (c) Cooperate with law enforcement agencies concerning
674 conduct or activity that the controller or processor reasonably
675 and in good faith believes may violate federal, state, or local
676 laws, rules, or regulations.
677 (d) Exercise, investigate, establish, prepare for, or
678 defend legal claims.
679 (e) Collect, use, retain, sell, or disclose consumer
680 personal information to:
681 1. Conduct internal research to develop, improve, or repair
682 products, services, or technology;
683 2. Effectuate a product recall or provide a warranty for
684 products or services;
685 3. Identify or repair technical errors that impair existing
686 or intended functionality;
687 4. Perform internal operations that are reasonably aligned
688 with the expectations of the consumer or reasonably anticipated
689 based on the consumer’s existing relationship with the
690 controller or that are otherwise compatible with processing data
691 in furtherance of the provision of a product or service
692 specifically requested by a consumer or a parent of a child, or
693 the performance of a contract to which the consumer is a party;
694 5. Provide a product or service specifically requested by a
695 consumer or a parent of a child; perform a contract to which the
696 consumer or parent is a party, including fulfilling the terms of
697 a written warranty; or take steps at the request of the consumer
698 before entering into a contract;
699 6. Take steps to protect an interest that is essential for
700 the life or physical safety of the consumer or of another
701 natural person, and where the processing cannot be manifestly
702 based on another legal basis;
703 7. Prevent, detect, protect against, or respond to security
704 incidents, identity theft, fraud, harassment, malicious or
705 deceptive activities, or any illegal activity, and prosecute
706 those responsible for that activity;
707 8. Preserve the integrity or security of information
708 technology systems;
709 9. Investigate, report, or prosecute those responsible for
710 any illegal, malicious, harmful, deceptive, or otherwise harmful
711 activities;
712 10. Engage in public or peer-reviewed scientific or
713 statistical research in the public interest that adheres to all
714 other applicable ethics and privacy laws and, if applicable, is
715 approved, monitored, and governed by an institutional review
716 board, or similar independent oversight entity that determines
717 if the information is likely to provide substantial benefits
718 that do not exclusively accrue to the controller, if the
719 expected benefits of the research outweigh the privacy risks,
720 and if the controller has implemented reasonable safeguards to
721 mitigate privacy risks associated with research, including any
722 risks associated with reidentification; or
723 11. Assist another controller, processor, or third party
724 with any of the obligations under this subsection.
725 (2) This act does not apply to any of the following:
726 (a) A controller that collects, processes, or discloses the
727 personal information of its employees, owners, directors,
728 officers, beneficiaries, job applicants, interns, or volunteers,
729 so long as the controller is collecting or disclosing such
730 information only to the extent reasonable and necessary within
731 the scope of the role the controller has in relation to each
732 class of listed individuals. For purposes of this section the
733 term “personal information” includes employment benefit
734 information.
735 (b) Personal information that is part of a written or
736 verbal communication or a transaction between the controller or
737 processor and the consumer, when the consumer is a natural
738 person who is acting as an employee, owner, director, officer,
739 or contractor of a company, partnership, sole proprietorship,
740 nonprofit, or government agency and whose communications or
741 transaction with the business occur solely within the context of
742 the business conducting due diligence regarding, or providing or
743 receiving a product or service to or from such company,
744 partnership, sole proprietorship, nonprofit, or government
745 agency.
746 (c) A business, service provider, or third party that
747 collects the personal information of an individual:
748 1. Who applies to, is or was previously employed by, or
749 acts as an agent of the business, service provider, or third
750 party, to the extent that the personal information is collected
751 and used in a manner related to or arising from the individual’s
752 employment status; or
753 2. To administer benefits for another individual and the
754 personal information is used to administer those benefits.
755 (d) A business that enters into a contract with an
756 independent contractor and collects or discloses personal
757 information about the contractor reasonably necessary to either
758 enter into or to fulfill the contract when the contracted
759 services would not defeat the purposes of this act.
760 (e) Protected health information for purposes of the
761 federal Health Insurance Portability and Accountability Act of
762 1996 and related regulations, and patient identifying
763 information for purposes of 42 C.F.R. part 2, established
764 pursuant to 42 U.S.C. s. 290dd-2.
765 (f) A covered entity or business associate governed by the
766 privacy, security, and breach notification rules issued by the
767 United States Department of Health and Human Services in 45
768 C.F.R. parts 160 and 164, or a program or a qualified service
769 program defined in 42 C.F.R. part 2, to the extent that the
770 covered entity, business associate, or program maintains
771 personal information in the same manner as medical information
772 or protected health information as described in paragraph (e).
773 (g) Identifiable private information collected for purposes
774 of research as defined in 45 C.F.R. s. 164.501 which is
775 conducted in accordance with the Federal Policy for the
776 Protection of Human Subjects for purposes of 45 C.F.R. part 46,
777 the good clinical practice guidelines issued by the
778 International Council for Harmonisation of Technical
779 Requirements for Pharmaceuticals for Human Use, or the
780 Protection for Human Subjects for purposes of 21 C.F.R. parts 50
781 and 56; or personal information used or shared in research
782 conducted in accordance with one or more of these standards, or
783 another applicable protocol.
784 (h) Information and documents created for purposes of the
785 federal Health Care Quality Improvement Act of 1986 and related
786 regulations, or patient safety work product for purposes of 42
787 C.F.R. part 3, established pursuant to 42 U.S.C. s. 299b-21
788 through 299b-26.
789 (i) Information de-identified in accordance with 45 C.F.R.
790 part 164 and derived from individually identifiable health
791 information, as described in the federal Health Insurance
792 Portability and Accountability Act of 1996, or identifiable
793 personal information, consistent with the Federal Policy for the
794 Protection of Human Subjects or the human subject protection
795 requirements of the United States Food and Drug Administration
796 or the good clinical practice guidelines issued by the
797 International Council for Harmonisation of Technical
798 Requirements for Pharmaceuticals for Human Use.
799 (j) Information collected as part of a clinical trial
800 subject to the Federal Policy for the Protection of Human
801 Subjects pursuant to good clinical practice guidelines issued by
802 the International Council for Harmonisation of Technical
803 Requirements for Pharmaceuticals for Human Use or pursuant to
804 human subject protection requirements of the United States Food
805 and Drug Administration, or another protocol.
806 (k) Personal information collected, processed, sold, or
807 disclosed pursuant to the federal Fair Credit Reporting Act, 15
808 U.S.C. s. 1681 et seq.
809 (l) Personal information collected, processed, sold, or
810 disclosed pursuant to, or a financial institution to the extent
811 regulated by, the federal Gramm-Leach-Bliley Act, 15 U.S.C. s.
812 6801 et seq. and implementing regulations.
813 (m) Personal information collected, processed, sold, or
814 disclosed pursuant to the Farm Credit Act of 1971, as amended in
815 12 U.S.C. s. 2001-2279cc and implementing regulations.
816 (n) Personal information collected, processed, sold, or
817 disclosed pursuant to the federal Driver’s Privacy Protection
818 Act of 1994, 18 U.S.C. s. 2721 et seq.
819 (o) Education information covered by the federal Family
820 Educational Rights and Privacy Act, 20 U.S.C. s. 1232g and 34
821 C.F.R. part 99.
822 (p) Personal information collected, processed, sold, or
823 disclosed in relation to price, route, or service as those terms
824 are used in the federal Airline Deregulation Act, 49 U.S.C. s.
825 40101 et seq., by entities subject to the federal Airline
826 Deregulation Act, to the extent this act is preempted by s.
827 41713 of the federal Airline Deregulation Act.
828 (q) Vehicle information or ownership information retained
829 or shared between a new motor vehicle dealer, a distributor, or
830 the vehicle’s manufacturer if the vehicle or ownership
831 information is shared for the purpose of effectuating, or in
832 anticipation of effectuating, a vehicle repair covered by a
833 vehicle warranty or a recall conducted pursuant to 49 U.S.C. s.
834 30118-30120, provided that the new motor vehicle dealer,
835 distributor, or vehicle manufacturer with which that vehicle
836 information or ownership information is shared does not sell,
837 share, or use that information for any other purpose. As used in
838 this paragraph, the term “vehicle information” means the vehicle
839 identification number, make, model, year, and odometer reading,
840 and the term “ownership information” means the name or names of
841 the registered owner or owners and the contact information for
842 the owner or owners.
843 Section 7. Section 501.177, Florida Statutes, is created to
844 read:
845 501.177 Enforcement; preemption.—
846 (1) ENFORCEMENT.—
847 (a) This subsection and subsection (2) apply only to
848 controllers and processors that sell the personal information of
849 consumers to third parties and that are subject to the
850 requirements of this act.
851 (b) This act does not establish a private cause of action.
852 (c) The following are unfair and deceptive trade practices
853 actionable under part II of this chapter solely by the
854 Department of Legal Affairs against a controller or processor:
855 1. Failure to delete or correct a consumer’s personal
856 information pursuant to this act after receiving from a
857 controller a verifiable consumer request or directions to delete
858 or correct, unless the controller or processor qualifies for an
859 exception to the requirements to delete or correct under this
860 act; and
861 2. Continuing to sell a consumer’s personal information
862 after the consumer chooses to opt out or selling the personal
863 information of a consumer age 16 or younger without obtaining
864 the consent required by this act.
865 (d) If the department has reason to believe that a
866 controller or processor has committed an act described in
867 paragraph (c), the department, as the enforcement authority, may
868 bring an action against such controller or processor. For the
869 purpose of bringing an action pursuant to this act, ss. 501.211
870 and 501.212 do not apply. Civil penalties may be tripled if the
871 violation involves a consumer who the controller or processor
872 has actual knowledge is 16 years of age or younger.
873 (e) After the department has notified a controller or
874 processor in writing of an alleged violation, the department, at
875 its discretion, may grant to the controller or processor a 45
876 day period to cure the alleged violation. The department may
877 consider the number of violations, the substantial likelihood of
878 injury to the public, or the safety of persons or property when
879 determining whether to grant the 45-day cure period. If the
880 controller or processor provides proof to the department that
881 the violation has been cured to the satisfaction of the
882 department, the department may issue a letter of guidance that
883 indicates that the controller or processor will not be offered a
884 45-day cure period for any future violations. If the controller
885 or processor fails to cure the violation within 45 days, the
886 department may bring an action against the controller or
887 processor for the alleged violation.
888 (f) A court may grant the following relief in an action
889 brought pursuant to this act by the department:
890 1. Actual damages to a consumer.
891 2. Injunctive or declaratory relief.
892 (g) Liability for a tort, contract claim, or consumer
893 protection claim which is unrelated to an action by the
894 department does not arise solely from the failure of a
895 controller or processor to comply with this act and evidence of
896 such noncompliance may only be used as the basis to prove a
897 cause of action under this section.
898 (h) By each February 1, the department, in conjunction and
899 consultation with the director of the Consumer Data Privacy
900 Unit, shall submit a report to the President of the Senate and
901 the Speaker of the House of Representatives describing any
902 actions taken by the department to enforce this act. The report
903 must include statistics and relevant information detailing all
904 of the following:
905 1. The number of complaints received.
906 2. The number of complaints investigated.
907 3. The number and type of enforcement actions taken and the
908 outcomes of such actions.
909 4. The number of complaints resolved without the need for
910 litigation.
911 5. The status of the development and implementation of
912 rules to implement this act.
913 (i) The department may adopt rules to implement this act.
914 (2) JURISDICTION.—For purposes of bringing an action in
915 accordance with this section, any person that meets the
916 definition of a controller that collects or sells the personal
917 information of Florida consumers, is considered to be both
918 engaged in substantial and not isolated activities within this
919 state and operating, conducting, engaging in, or carrying on a
920 business, and doing business in this state, and therefore is
921 subject to the jurisdiction of the courts of this state.
922 (3) PREEMPTION.—This section is a matter of statewide
923 concern and supersedes and preempts to the state all rules,
924 regulations, codes, ordinances, and other laws adopted by a
925 city, county, city and county, municipality, or local agency
926 regarding the collection, processing, or sale of consumers’
927 personal information by a controller or processor.
928 Section 8. Subsection (1) of section 16.53, Florida
929 Statutes, is amended, and subsection (8) is added to that
930 section, to read:
931 16.53 Legal Affairs Revolving Trust Fund.—
932 (1) There is created in the State Treasury the Legal
933 Affairs Revolving Trust Fund, from which the Legislature may
934 appropriate funds for the purpose of funding investigation,
935 prosecution, and enforcement by the Attorney General of the
936 provisions of the Racketeer Influenced and Corrupt Organization
937 Act, the Florida Deceptive and Unfair Trade Practices Act, the
938 Florida False Claims Act, or state or federal antitrust laws, or
939 the Florida Privacy Protection Act.
940 (8) All moneys recovered by the Attorney General for
941 attorney fees and costs in an action for violation of the
942 Florida Privacy Protection Act must be deposited in the fund.
943 Section 9. Section 16.581, Florida Statutes, is created to
944 read:
945 16.581 Consumer Data Privacy Unit.—
946 (1) There is created in the Department of Legal Affairs the
947 Consumer Data Privacy Unit, which shall be headed by a director
948 who is fully accountable to the Attorney General, who shall
949 assign the director such powers, duties, responsibilities, and
950 functions as are necessary to ensure the greatest possible
951 coordination, efficiency, and effectiveness of the unit in
952 protecting the personal information of residents of this state.
953 (2) The unit shall serve as legal counsel in any suit or
954 other legal action initiated in connection with the Florida
955 Privacy Protection Act.
956 (3) The unit may investigate and initiate actions
957 authorized by the Florida Privacy Protection Act.
958 (4) If, by its own inquiry or as a result of complaints,
959 the unit has reason to believe that there has been a violation
960 of the Florida Privacy Protection Act, the unit may administer
961 oaths and affirmations, subpoena witnesses or matter, and
962 collect evidence.
963 (5) The unit may refer any criminal violations so uncovered
964 to the appropriate prosecuting authority.
965 (6) The unit may recover reasonable attorney fees and costs
966 and penalties in accordance with part II of chapter 501 in any
967 action for violation of consumer data privacy provisions in the
968 Florida Privacy Protection Act. Such attorney fees and costs
969 collected must be deposited in the Legal Affairs Revolving Trust
970 Fund.
971 (7) All moneys recovered by the Attorney General for
972 penalties in an action for violation of the Florida Privacy
973 Protection Act must be deposited in the General Revenue Fund.
974 Section 10. This act shall take effect December 31, 2022.