Florida Senate - 2023 COMMITTEE AMENDMENT
Bill No. CS for SB 262
LEGISLATIVE ACTION
Senate: Comm: RCS, 04/24/2023
House:
The Committee on Rules (Bradley) recommended the following:
1 Senate Amendment (with title amendment)
2
3 Delete everything after the enacting clause
4 and insert:
5 Section 1. Section 112.23, Florida Statutes, is created to
6 read:
7 112.23 Government-directed content moderation of social
8 media platforms prohibited.—
9 (1) As used in this section, the term:
10 (a) “Governmental entity” means any state, county,
11 district, authority, or municipal officer, department, division,
12 board, bureau, commission, or other separate unit of government
13 created or established by law, including, but not limited to,
14 the Commission on Ethics, the Public Service Commission, the
15 Office of Public Counsel, and any other public or private
16 agency, person, partnership, corporation, or business entity
17 acting on behalf of any public agency.
18 (b) “Social media platform” means a form of electronic
19 communication through which users create online communities to
20 share information, ideas, personal messages, and other content.
21 (2) An officer or a salaried employee of a governmental
22 entity may not use his or her position or any state resources to
23 communicate with a social media platform to request the social
24 media platform to remove content or accounts from the social
25 media platform.
26 (3) A governmental entity, or an officer or a salaried
27 employee acting on behalf of a governmental entity, may not
28 initiate or maintain any agreements or working relationships
29 with a social media platform for the purpose of content
30 moderation.
31 (4) Subsections (2) and (3) do not apply if the
32 governmental entity or an officer or a salaried employee acting
33 on behalf of a governmental entity is acting as part of any of
34 the following:
35 (a) Routine account management of the governmental entity’s
36 account, including, but not limited to, the removal or revision
37 of the governmental entity’s content or account or
38 identification of accounts falsely posing as a governmental
39 entity, officer, or salaried employee.
40 (b) An attempt to remove content that pertains to the
41 commission of a crime or violation of this state’s public
42 records law.
43 (c) An attempt to remove an account that pertains to the
44 commission of a crime or violation of this state’s public
45 records law.
46 (d) An investigation or inquiry related to an effort to
47 prevent imminent bodily harm, loss of life, or property damage.
48 Section 2. The Division of Law Revision is directed to:
49 (1) Redesignate current parts V, VI, and VII of chapter
50 501, Florida Statutes, as parts VI, VII, and VIII of chapter
51 501, Florida Statutes, respectively; and
52 (2) Create a new part V of chapter 501, Florida Statutes,
53 consisting of ss. 501.701-501.721, Florida Statutes, entitled
54 “Data Privacy and Security.”
55 Section 3. Section 501.701, Florida Statutes, is created to
56 read:
57 501.701 Short title.—This part may be cited as the “Florida
58 Digital Bill of Rights.”
59 Section 4. Section 501.702, Florida Statutes, is created to
60 read:
61 501.702 Definitions.—As used in this part, the term:
62 (1) “Affiliate” means a legal entity that controls, is
63 controlled by, or is under common control with another legal
64 entity or that shares common branding with another legal entity.
65 For purposes of this subsection, the term “control” or
66 “controlled” means any of the following:
67 (a) The ownership of, or power to vote, more than 50
68 percent of the outstanding shares of any class of voting
69 security of a company.
70 (b) The control in any manner over the election of a
71 majority of the directors or of individuals exercising similar
72 functions.
73 (c) The power to exercise controlling influence over the
74 management of a company.
75 (2) “Aggregate consumer information” means information that
76 relates to a group or category of consumers, from which the
77 identity of an individual consumer has been removed and is not
78 reasonably capable of being directly or indirectly associated or
79 linked with any consumer, household, or device. The term does
80 not include information about a group or category of consumers
81 used to facilitate targeted advertising or the display of ads
82 online. The term does not include personal information that has
83 been deidentified.
84 (3) “Authenticate” or “authenticated” means to verify or
85 the state of having been verified, respectively, through
86 reasonable means that the consumer who is entitled to exercise
87 the consumer’s rights under s. 501.705 is the same consumer
88 exercising those consumer rights with respect to the personal
89 data at issue.
90 (4) “Biometric data” means data generated by automatic
91 measurements of an individual’s biological characteristics. The
92 term includes fingerprints, voiceprints, eye retinas or irises,
93 or other unique biological patterns or characteristics used to
94 identify a specific individual. The term does not include
95 physical or digital photographs, video or audio recordings or
96 data generated from video or audio recordings, or information
97 collected, used, or stored for health care treatment, payment,
98 or operations under the Health Insurance Portability and
99 Accountability Act of 1996, 42 U.S.C. ss. 1320d et seq.
100 (5) “Business associate” has the same meaning as in 45
101 C.F.R. s. 160.103 and the Health Insurance Portability and
102 Accountability Act of 1996, 42 U.S.C. ss. 1320d et seq.
103 (6) “Child” means an individual younger than 18 years of
104 age.
105 (7) “Consent,” when referring to a consumer, means a clear
106 affirmative act signifying a consumer’s freely given, specific,
107 informed, and unambiguous agreement to process personal data
108 relating to the consumer. The term includes a written statement,
109 including a statement written by electronic means, or any other
110 unambiguous affirmative act. The term does not include any of
111 the following:
112 (a) Acceptance of a general or broad terms of use or
113 similar document that contains descriptions of personal data
114 processing along with other, unrelated information.
115 (b) Hovering over, muting, pausing, or closing a given
116 piece of content.
117 (c) Agreement obtained through the use of dark patterns.
118 (8) “Consumer” means an individual who is a resident of or
119 is domiciled in this state acting only in an individual or
120 household context. The term does not include an individual
121 acting in a commercial or employment context.
122 (9) “Controller” means:
123 (a) A sole proprietorship, partnership, limited liability
124 company, corporation, association, or legal entity that meets
125 the following requirements:
126 1. Is organized or operated for the profit or financial
127 benefit of its shareholders or owners;
128 2. Conducts business in this state;
129 3. Collects personal data about consumers, or is the entity
130 on behalf of which such information is collected;
131 4. Determines the purposes and means of processing personal
132 data about consumers alone or jointly with others;
133 5. Makes in excess of $1 billion in global gross annual
134 revenues; and
135 6. Satisfies at least one of the following:
136 a. Derives 50 percent or more of its global gross annual
137 revenues from the sale of advertisements, including providing
138 targeted advertising or the sale of ads online;
139 b. Operates a consumer smart speaker and voice command
140 component service with an integrated virtual assistant connected
141 to a cloud computing service that uses hands-free verbal
142 activation. For purposes of this sub-subparagraph, a consumer
143 smart speaker and voice command component service does not
144 include a motor vehicle or speaker or device associated with or
145 connected to a vehicle which is operated by a motor vehicle
146 manufacturer or a subsidiary or affiliate thereof; or
147 c. Operates an app store or a digital distribution platform
148 that offers at least 250,000 different software applications for
149 consumers to download and install.
150 (b) Any entity that controls or is controlled by a
151 controller. As used in this paragraph, the term “control” means:
152 1. Ownership of, or the power to vote, more than 50 percent
153 of the outstanding shares of any class of voting security of a
154 controller;
155 2. Control in any manner over the election of a majority of
156 the directors, or of individuals exercising similar functions;
157 or
158 3. The power to exercise a controlling influence over the
159 management of a company.
160 (10) “Covered entity” has the same meaning as in 45 C.F.R.
161 s. 160.103 and the Health Insurance Portability and
162 Accountability Act of 1996, 42 U.S.C. ss. 1320d et seq.
163 (11) “Dark pattern” means a user interface designed or
164 manipulated with the effect of substantially subverting or
165 impairing user autonomy, decisionmaking, or choice. The term
166 includes any practice the Federal Trade Commission refers to as
167 a dark pattern.
168 (12) “Decision that produces a legal or similarly
169 significant effect concerning a consumer” means a decision made
170 by a controller which results in the provision or denial by the
171 controller of any of the following:
172 (a) Financial and lending services.
173 (b) Housing, insurance, or health care services.
174 (c) Education enrollment.
175 (d) Employment opportunities.
176 (e) Criminal justice.
177 (f) Access to basic necessities, such as food and water.
178 (13) “Deidentified data” means data that cannot reasonably
179 be linked to an identified or identifiable individual or a
180 device linked to that individual.
181 (14) “Health care provider” has the same meaning as in 45
182 C.F.R. s. 160.103 and the Health Insurance Portability and
183 Accountability Act of 1996, 42 U.S.C. ss. 1320d et seq.
184 (15) “Health record” means any written, printed, or
185 electronically recorded material maintained by a health care
186 provider in the course of providing health care services to an
187 individual which concerns the individual and the services
188 provided. The term includes any of the following:
189 (a) The substance of any communication made by an
190 individual to a health care provider in confidence during or in
191 connection with the provision of health care services.
192 (b) Information otherwise acquired by the health care
193 provider about an individual in confidence and in connection
194 with health care services provided to the individual.
195 (16) “Identified or identifiable individual” means a
196 consumer who can be readily identified, directly or indirectly.
197 (17) “Known child” means a child under circumstances of
198 which a controller has actual knowledge of, or willfully
199 disregards, the child’s age.
200 (18) “Nonprofit organization” means any of the following:
201 (a) An organization exempt from federal taxation under s.
202 501(a) of the Internal Revenue Code of 1986 by virtue of being
203 listed as an exempt organization under s. 501(c)(3), s.
204 501(c)(4), s. 501(c)(6), or s. 501(c)(12) of that code.
205 (b) A political organization.
206 (19) “Personal data” means any information, including
207 sensitive data, which is linked or reasonably linkable to an
208 identified or identifiable individual. The term includes
209 pseudonymous data when the data is used by a controller or
210 processor in conjunction with additional information that
211 reasonably links the data to an identified or identifiable
212 individual. The term does not include deidentified data or
213 publicly available information.
214 (20) “Political organization” means a party, a committee,
215 an association, a fund, or any other organization, regardless of
216 whether incorporated, organized and operated primarily for the
217 purpose of influencing or attempting to influence any of the
218 following:
219 (a) The selection, nomination, election, or appointment of
220 an individual to a federal, state, or local public office or an
221 office in a political organization, regardless of whether the
222 individual is selected, nominated, elected, or appointed.
223 (b) The election of a presidential or vice-presidential
224 elector, regardless of whether the elector is selected,
225 nominated, elected, or appointed.
226 (21) “Postsecondary education institution” means a Florida
227 College System institution, state university, or nonpublic
228 postsecondary education institution that receives state funds.
229 (22) “Precise geolocation data” means information derived
230 from technology, including global positioning system level
231 latitude and longitude coordinates or other mechanisms, which
232 directly identifies the specific location of an individual with
233 precision and accuracy within a radius of 1,750 feet. The term
234 does not include the content of communications or any data
235 generated by or connected to an advanced utility metering
236 infrastructure system or to equipment for use by a utility.
237 (23) “Process” or “processing” means an operation or set of
238 operations performed, whether by manual or automated means, on
239 personal data or on sets of personal data, such as the
240 collection, use, storage, disclosure, analysis, deletion, or
241 modification of personal data.
242 (24) “Processor” means a person who processes personal data
243 on behalf of a controller.
244 (25) “Profiling” means any form of solely automated
245 processing performed on personal data to evaluate, analyze, or
246 predict personal aspects related to an identified or
247 identifiable individual’s economic situation, health, personal
248 preferences, interests, reliability, behavior, location, or
249 movements.
250 (26) “Protected health information” has the same meaning as
251 in 45 C.F.R. s. 160.103 and the Health Insurance Portability and
252 Accountability Act of 1996, 42 U.S.C. ss. 1320d et seq.
253 (27) “Pseudonymous data” means any information that cannot
254 be attributed to a specific individual without the use of
255 additional information, provided that the additional information
256 is kept separately and is subject to appropriate technical and
257 organizational measures to ensure that the personal data is not
258 attributed to an identified or identifiable individual.
259 (28) “Publicly available information” means information
260 lawfully made available through government records, or
261 information that a business has a reasonable basis for believing
262 is lawfully made available to the general public through widely
263 distributed media, by a consumer, or by a person to whom a
264 consumer has disclosed the information, unless the consumer has
265 restricted the information to a specific audience.
266 (29) “Sale of personal data” means the sharing, disclosing,
267 or transferring of personal data for monetary or other valuable
268 consideration by the controller to a third party. The term does
269 not include any of the following:
270 (a) The disclosure of personal data to a processor who
271 processes the personal data on the controller’s behalf.
272 (b) The disclosure of personal data to a third party for
273 purposes of providing a product or service requested by the
274 consumer.
275 (c) The disclosure of information that the consumer:
276 1. Intentionally made available to the general public
277 through a mass media channel; and
278 2. Did not restrict to a specific audience.
279 (d) The disclosure or transfer of personal data to a third
280 party as an asset that is part of a merger or an acquisition.
281 (30) “Search engine” means technology and systems that use
282 algorithms to sift through and index vast third-party websites
283 and content on the Internet in response to search queries
284 entered by a user. The term does not include the license of
285 search functionality for the purpose of enabling the licensee to
286 operate a third-party search engine service in circumstances
287 where the licensee does not have legal or operational control of
288 the search algorithm, the index from which results are
289 generated, or the ranking order in which the results are
290 provided.
291 (31) “Sensitive data” means a category of personal data
292 which includes any of the following:
293 (a) Personal data revealing an individual’s racial or
294 ethnic origin, religious beliefs, mental or physical health
295 diagnosis, sexual orientation, or citizenship or immigration
296 status.
297 (b) Genetic or biometric data processed for the purpose of
298 uniquely identifying an individual.
299 (c) Personal data collected from a known child.
300 (d) Precise geolocation data.
301 (32) “State agency” means any department, commission,
302 board, office, council, authority, or other agency in the
303 executive branch of state government created by the State
304 Constitution or state law. The term includes a postsecondary
305 education institution.
306 (33) “Targeted advertising” means displaying to a consumer
307 an advertisement selected based on personal data obtained from
308 that consumer’s activities over time and across nonaffiliated
309 websites or online applications to predict the consumer’s
310 preferences or interests. The term does not include any of the
311 following:
312 (a) An advertisement that is:
313 1. Based on activities within a controller’s own website or
314 online application;
315 2. Based on the context of a consumer’s current search
316 query, visit to a website, or use of an online application; or
317 3. Directed to a consumer in response to the consumer’s
318 request for information or feedback.
319 (b) The processing of personal data solely for measuring or
320 reporting advertising performance, reach, or frequency.
321 (34) “Third party” means a person, other than the consumer,
322 the controller, the processor, or an affiliate of the controller
323 or processor.
324 (35) “Trade secret” has the same meaning as in s. 812.081.
325 (36) “Voice recognition feature” means the function of a
326 device which enables the collection, recording, storage,
327 analysis, transmission, interpretation, or other use of spoken
328 words or other sounds.
329 Section 5. Section 501.703, Florida Statutes, is created to
330 read:
331 501.703 Applicability.—
332 (1) This part applies only to a person who:
333 (a) Conducts business in this state or produces a product
334 or service used by residents of this state; and
335 (b) Processes or engages in the sale of personal data.
336 (2) This part does not apply to any of the following:
337 (a) A state agency or a political subdivision of the state.
338 (b) A financial institution or data subject to Title V,
339 Gramm-Leach-Bliley Act, 15 U.S.C. ss. 6801 et seq.
340 (c) A covered entity or business associate governed by the
341 privacy, security, and breach notification regulations issued by
342 the United States Department of Health and Human Services, 45
343 C.F.R. parts 160 and 164, established under the Health Insurance
344 Portability and Accountability Act of 1996, 42 U.S.C. ss. 1320d
345 et seq., and the Health Information Technology for Economic and
346 Clinical Health Act, Division A, Title XIII and Division B,
347 Title IV, Pub. L. No. 111-5.
348 (d) A nonprofit organization.
349 (e) A postsecondary education institution.
350 (3) This part does not apply to the processing of personal
351 data by a person in the course of a purely personal or household
352 activity.
353 (4) A controller or processor that complies with the
354 authenticated parental consent requirements of the Children’s
355 Online Privacy Protection Act, 15 U.S.C. ss. 6501 et seq., with
356 respect to data collected online, is considered to be in
357 compliance with any requirement to obtain parental consent under
358 this part.
359 Section 6. Section 501.704, Florida Statutes, is created to
360 read:
361 501.704 Exemptions.—All of the following information is
362 exempt from this part:
363 (1) Protected health information under the Health Insurance
364 Portability and Accountability Act of 1996, 42 U.S.C. ss. 1320d
365 et seq.
366 (2) Health records.
367 (3) Patient identifying information for purposes of 42
368 U.S.C. s. 290dd-2.
369 (4) Identifiable private information:
370 (a) For purposes of the federal policy for the protection
371 of human subjects under 45 C.F.R. part 46;
372 (b) Collected as part of human subjects research under the
373 good clinical practice guidelines issued by the International
374 Council for Harmonisation of Technical Requirements for
375 Pharmaceuticals for Human Use or the protection of human
376 subjects under 21 C.F.R. parts 50 and 56; or
377 (c) That is personal data used or shared in research
378 conducted in accordance with this part or other research
379 conducted in accordance with applicable law.
380 (5) Information and documents created for purposes of the
381 Health Care Quality Improvement Act of 1986, 42 U.S.C. ss. 11101
382 et seq.
383 (6) Patient safety work product for purposes of the Patient
384 Safety and Quality Improvement Act of 2005, 42 U.S.C. ss.
385 299b-21 et seq.
386 (7) Information derived from any of the health care-related
387 information listed in this section which is deidentified in
388 accordance with the requirements for deidentification under the
389 Health Insurance Portability and Accountability Act of 1996, 42
390 U.S.C. ss. 1320d et seq.
391 (8) Information originating from, and intermingled to be
392 indistinguishable with, or information treated in the same
393 manner as, information exempt under this section which is
394 maintained by a covered entity or business associate as defined
395 by the Health Insurance Portability and Accountability Act of
396 1996, 42 U.S.C. ss. 1320d et seq. or by a program or a qualified
397 service organization as defined by 42 U.S.C. s. 290dd-2.
398 (9) Information included in a limited data set as described
399 by 45 C.F.R. s. 164.514(e), to the extent that the information
400 is used, disclosed, and maintained in the manner specified by 45
401 C.F.R. s. 164.514(e).
402 (10) Information used only for public health activities and
403 purposes as described in 45 C.F.R. s. 164.512.
404 (11) Information collected or used only for public health
405 activities and purposes as authorized by the Health Insurance
406 Portability and Accountability Act of 1996, 42 U.S.C. ss. 1320d
407 et seq.
408 (12) The collection, maintenance, disclosure, sale,
409 communication, or use of any personal data bearing on a
410 consumer’s creditworthiness, credit standing, credit capacity,
411 character, general reputation, personal characteristics, or mode
412 of living by a consumer reporting agency or furnisher that
413 provides information for use in a consumer report, or by a user
414 of a consumer report, but only to the extent that the activity
415 is regulated by and authorized under the Fair Credit Reporting
416 Act, 15 U.S.C. ss. 1681 et seq.
417 (13) Personal data collected, processed, sold, or disclosed
418 in compliance with the Driver’s Privacy Protection Act of 1994,
419 18 U.S.C. ss. 2721 et seq.
420 (14) Personal data regulated by the Family Educational
421 Rights and Privacy Act of 1974, 20 U.S.C. s. 1232g.
422 (15) Personal data collected, processed, sold, or disclosed
423 in compliance with the Farm Credit Act of 1971, 12 U.S.C. ss.
424 2001 et seq.
425 (16) Data processed or maintained in the course of an
426 individual applying to, being employed by, or acting as an agent
427 or independent contractor of a controller, processor, or third
428 party, to the extent that the data is collected and used within
429 the context of that role.
430 (17) Data processed or maintained as the emergency contact
431 information of an individual under this part which is used for
432 emergency contact purposes.
433 (18) Data that is processed or maintained and that is
434 necessary to retain to administer benefits for another
435 individual which relates to an individual described in
436 subsection (16) and which is used for the purposes of
437 administering those benefits.
438 (19) Personal data collected and transmitted which is
439 necessary for the sole purpose of sharing such personal data
440 with a financial service provider solely to facilitate
441 short-term, transactional payment processing for the purchase of
442 products or services.
443 (20) Personal data collected, processed, sold, or disclosed
444 in relation to price, route, or service as those terms are used
445 in the Airline Deregulation Act, 49 U.S.C. ss. 40101 et seq., by
446 entities subject to that act, to the extent the provisions of
447 this act are preempted by 49 U.S.C. s. 41713.
448 (21) Personal data shared between a manufacturer of a
449 tangible product and authorized third-party distributors or
450 vendors of the product, as long as such personal data is used
451 solely for advertising, marketing, or servicing the product that
452 is acquired directly through such manufacturer and such
453 authorized third-party distributors or vendors. Such personal
454 data may not be sold or shared unless otherwise authorized under
455 this part.
456 Section 7. Section 501.705, Florida Statutes, is created to
457 read:
458 501.705 Consumer rights.—
459 (1) A consumer is entitled to exercise the consumer rights
460 authorized by this section at any time by submitting a request
461 to a controller which specifies the consumer rights that the
462 consumer wishes to exercise. With respect to the processing of
463 personal data belonging to a known child, a parent or legal
464 guardian of the child may exercise these rights on behalf of the
465 child.
466 (2) A controller shall comply with an authenticated
467 consumer request to exercise any of the following rights:
468 (a) To confirm whether a controller is processing the
469 consumer’s personal data and to access the personal data.
470 (b) To correct inaccuracies in the consumer’s personal
471 data, taking into account the nature of the personal data and
472 the purposes of the processing of the consumer’s personal data.
473 (c) To delete any or all personal data provided by or
474 obtained about the consumer.
475 (d) To obtain a copy of the consumer’s personal data in a
476 portable and, to the extent technically feasible, readily usable
477 format if the data is available in a digital format.
478 (e) To opt out of the processing of the personal data for
479 purposes of:
480 1. Targeted advertising;
481 2. The sale of personal data; or
482 3. Profiling in furtherance of a decision that produces a
483 legal or similarly significant effect concerning a consumer.
484 (f) To opt out of the collection of sensitive data,
485 including precise geolocation data, or the processing of such
486 data.
487 (g) To opt out of the collection of personal data collected
488 through the operation of a voice recognition feature.
489 Section 8. Section 501.706, Florida Statutes, is created to
490 read:
491 501.706 Controller response to consumer requests.—
492 (1) Except as otherwise provided by this part, a controller
493 shall comply with a request submitted by a consumer to exercise
494 the consumer’s rights pursuant to s. 501.705, as provided in
495 this section.
496 (2) A controller shall respond to the consumer request
497 without undue delay, which may not be later than 45 days after
498 the date of receipt of the request. The controller may extend
499 the response period once by an additional 15 days when
500 reasonably necessary, taking into account the complexity and
501 number of the consumer’s requests, so long as the controller
502 informs the consumer of the extension within the initial 45-day
503 response period, together with the reason for the extension.
504 (3) If a controller cannot take action regarding the
505 consumer’s request, the controller must inform the consumer
506 without undue delay, which may not be later than 45 days after
507 the date of receipt of the request, of the justification for the
508 inability to take action on the request and provide instructions
509 on how to appeal the decision in accordance with s. 501.707. A
510 controller is not required to comply with a consumer request
511 submitted under s. 501.705 if the controller cannot authenticate
512 the request. However, the controller must make a reasonable
513 effort to request that the consumer provide additional
514 information reasonably necessary to authenticate the consumer
515 and the consumer’s request. If a controller maintains a
516 self-service mechanism to allow a consumer to correct certain
517 personal data, the controller may deny the consumer’s request
518 and require the consumer to correct his or her own personal data
519 through such mechanism.
520 (4) A controller must provide the consumer with notice
521 within 60 days after the request is received that the controller
522 has complied with the consumer’s request as required in this
523 section.
524 (5) A controller shall provide information or take action
525 in response to a consumer request free of charge, at least twice
526 annually per consumer. If a request from a consumer is
527 manifestly unfounded, excessive, or repetitive, the controller
528 may charge the consumer a reasonable fee to cover the
529 administrative costs of complying with the request or may
530 decline to act on the request. The controller bears the burden
531 of demonstrating for purposes of this subsection that a request
532 is manifestly unfounded, excessive, or repetitive.
533 (6) A controller who has obtained personal data about a
534 consumer from a source other than the consumer is considered in
535 compliance with a consumer’s request to delete that personal
536 data pursuant to s. 501.705(2)(c), by doing any of the
537 following:
538 (a) Deleting the personal data, retaining a record of the
539 deletion request and the minimum data necessary for the purpose
540 of ensuring that the consumer’s personal data remains deleted
541 from the business’s records, and not using the retained data for
542 any other purpose under this part.
543 (b) Opting the consumer out of the processing of that
544 personal data for any purpose other than a purpose exempt under
545 this part.
546 Section 9. Section 501.707, Florida Statutes, is created to
547 read:
548 501.707 Appeal.—
549 (1) A controller shall establish a process for a consumer
550 to appeal the controller’s refusal to take action on a request
551 within a reasonable period of time after the consumer’s receipt
552 of the decision under s. 501.706(3).
553 (2) The appeal process must be conspicuously available and
554 similar to the process for initiating action to exercise
555 consumer rights by submitting a request under s. 501.705.
556 (3) A controller shall inform the consumer in writing of
557 any action taken or not taken in response to an appeal under
558 this section within 60 days after the date of receipt of the
559 appeal, including a written explanation of the reason or reasons
560 for the decision.
561 Section 10. Section 501.708, Florida Statutes, is created
562 to read:
563 501.708 Waiver or limitation of consumer rights
564 prohibited.—Any provision of a contract or agreement which
565 waives or limits in any way a consumer right described by s.
566 501.705, s. 501.706, or s. 501.707 is contrary to public policy
567 and is void and unenforceable.
568 Section 11. Section 501.709, Florida Statutes, is created
569 to read:
570 501.709 Submitting consumer requests.—
571 (1) A controller shall establish two or more methods to
572 enable consumers to submit a request to exercise their consumer
573 rights under this part. The methods must be secure, reliable,
574 and clearly and conspicuously accessible. The methods must take
575 all of the following into account:
576 (a) The ways in which consumers normally interact with the
577 controller.
578 (b) The necessity for secure and reliable communications of
579 these requests.
580 (c) The ability of the controller to authenticate the
581 identity of the consumer making the request.
582 (2) A controller may not require a consumer to create a new
583 account to exercise the consumer’s rights under this part but
584 may require a consumer to use an existing account.
585 (3) A controller shall provide a mechanism on its website
586 for a consumer to submit a request for information required to
587 be disclosed under this part. A controller that operates
588 exclusively online and has a direct relationship with a consumer
589 from whom the controller collects personal data may also provide
590 an e-mail address for the submission of requests.
591 Section 12. Section 501.71, Florida Statutes, is created to
592 read:
593 501.71 Controller duties.—
594 (1) A controller shall:
595 (a) Limit the collection of personal data to data that is
596 adequate, relevant, and reasonably necessary in relation to the
597 purposes for which it is processed, as disclosed to the
598 consumer; and
599 (b) For purposes of protecting the confidentiality,
600 integrity, and accessibility of personal data, establish,
601 implement, and maintain reasonable administrative, technical,
602 and physical data security practices appropriate to the volume
603 and nature of the personal data at issue.
604 (2) A controller may not do any of the following:
605 (a) Except as otherwise provided by this part, process
606 personal data for a purpose that is neither reasonably necessary
607 nor compatible with the purpose for which the personal data is
608 processed, as disclosed to the consumer, unless the controller
609 obtains the consumer’s consent.
610 (b) Process personal data in violation of state or federal
611 laws that prohibit unlawful discrimination against consumers.
612 (c) Discriminate against a consumer for exercising any of
613 the consumer rights contained in this part, including by denying
614 goods or services, charging different prices or rates for goods
615 or services, or providing a different level of quality of goods
616 or services to the consumer. A controller may offer financial
617 incentives, including payments to consumers as compensation, for
618 processing of personal data if the consumer gives the controller
619 prior consent that clearly describes the material terms of the
620 financial incentive program and provided that such incentive
621 practices are not unjust, unreasonable, coercive, or usurious in
622 nature. The consent may be revoked by the consumer at any time.
623 (d) Process the sensitive data of a consumer without
624 obtaining the consumer’s consent, or, in the case of processing
625 the sensitive data of a known child, without processing that
626 data with the affirmative authorization for such processing by a
627 known child who is between 13 and 18 years of age or in
628 accordance with the Children’s Online Privacy Protection Act, 15
629 U.S.C. ss. 6501 et seq. for a known child under the age of 13.
630 (3) Paragraph (2)(c) may not be construed to require a
631 controller to provide a product or service that requires the
632 personal data of a consumer which the controller does not
633 collect or maintain or to prohibit a controller from offering a
634 different price, rate, level, quality, or selection of goods or
635 services to a consumer, including offering goods or services for
636 no fee, if the consumer has exercised the consumer’s right to
637 opt out under s. 501.705(2) or the offer is related to a
638 consumer’s voluntary participation in a bona fide loyalty,
639 rewards, premium features, discounts, or club card program.
640 (4) A controller that operates a search engine shall make
641 available, in an easily accessible location on the webpage which
642 does not require a consumer to log in or register to read, an
643 up-to-date plain language description of the main parameters
644 that are individually or collectively the most significant in
645 determining ranking and the relative importance of those main
646 parameters, including the prioritization or deprioritization of
647 political partisanship or political ideology in search results.
648 Algorithms are not required to be disclosed nor is any other
649 information that, with reasonable certainty, would enable
650 deception of or harm to consumers through the manipulation of
651 search results.
652 Section 13. Section 501.711, Florida Statutes, is created
653 to read:
654 501.711 Privacy notices.—
655 (1) A controller shall provide consumers with a reasonably
656 accessible and clear privacy notice, updated at least annually,
657 that includes all of the following information:
658 (a) The categories of personal data processed by the
659 controller, including, if applicable, any sensitive data
660 processed by the controller.
661 (b) The purpose of processing personal data.
662 (c) How consumers may exercise their rights under s.
663 501.705(2), including the process by which a consumer may appeal
664 a controller’s decision with regard to the consumer’s request.
665 (d) If applicable, the categories of personal data that the
666 controller shares with third parties.
667 (e) If applicable, the categories of third parties with
668 whom the controller shares personal data.
669 (f) A description of the methods specified in s. 501.709,
670 by which consumers can submit requests to exercise their
671 consumer rights under this part.
672 (2) If a controller engages in the sale of personal data
673 that is sensitive data, the controller must provide the
674 following notice: “NOTICE: This website may sell your sensitive
675 personal data.” The notice must be posted in accordance with
676 subsection (1).
677 (3) If a controller engages in the sale of personal data
678 that is biometric data, the controller must provide the
679 following notice: “NOTICE: This website may sell your biometric
680 personal data.” The notice must be posted in accordance with
681 subsection (1).
682 (4) If a controller sells personal data to third parties or
683 processes personal data for targeted advertising, the controller
684 must clearly and conspicuously disclose that process and the
685 manner in which a consumer may exercise the right to opt out of
686 that process.
687 (5) A controller may not collect additional categories of
688 personal information or use personal information collected for
689 additional purposes without providing the consumer with notice
690 consistent with this section.
691 Section 14. Section 501.712, Florida Statutes, is created
692 to read:
693 501.712 Duties of processor.—
694 (1) A processor shall adhere to the instructions of a
695 controller and shall assist the controller in meeting or
696 complying with the controller’s duties under this section and
697 the requirements of this part, including the following:
698 (a) Assisting the controller in responding to consumer
699 rights requests submitted pursuant to ss. 501.705 and 501.709,
700 by using appropriate technical and organizational measures, as
701 reasonably practicable, taking into account the nature of
702 processing and the information available to the processor.
703 (b) Assisting the controller with regard to complying with
704 the requirement relating to the security of processing personal
705 data and to the notification of a breach of security of the
706 processor’s system under s. 501.171, taking into account the
707 nature of processing and the information available to the
708 processor.
709 (c) Providing necessary information to enable the
710 controller to conduct and document data protection assessments
711 under s. 501.713.
712 (2) A contract between a controller and a processor governs
713 the processor’s data processing procedures with respect to
714 processing performed on behalf of the controller. The contract
715 must include all of the following information:
716 (a) Clear instructions for processing data.
717 (b) The nature and purpose of processing.
718 (c) The type of data subject to processing.
719 (d) The duration of processing.
720 (e) The rights and obligations of both parties.
721 (f) A requirement that the processor:
722 1. Ensure that each person processing personal data is
723 subject to a duty of confidentiality with respect to the data;
724 2. At the controller’s direction, delete or return all
725 personal data to the controller as requested after the provision
726 of the service is completed, unless retention of the personal
727 data is required by law;
728 3. Make available to the controller, upon reasonable
729 request, all information in the processor’s possession necessary
730 to demonstrate the processor’s compliance with this part;
731 4. Allow, and cooperate with, reasonable assessments by the
732 controller or the controller’s designated assessor; and
733 5. Engage any subcontractor pursuant to a written contract
734 that requires the subcontractor to meet the requirements of the
735 processor with respect to the personal data.
736 (3) Notwithstanding subparagraph (2)(f)4., a processor may
737 arrange for a qualified and independent assessor to conduct an
738 assessment of the processor’s policies and technical and
739 organizational measures in support of the requirements under
740 this part using an appropriate and accepted control standard or
741 framework and assessment procedure. The processor shall provide
742 a report of the assessment to the controller upon request.
743 (4) This section may not be construed to relieve a
744 controller or a processor from the liabilities imposed on the
745 controller or processor by virtue of its role in the processing
746 relationship as described by this part.
747 (5) A determination as to whether a person is acting as a
748 controller or processor with respect to a specific processing of
749 data is a fact-based determination that depends on the context
750 in which personal data is to be processed. A processor that
751 continues to adhere to a controller’s instructions with respect
752 to a specific processing of personal data remains in the role of
753 a processor.
754 Section 15. Section 501.713, Florida Statutes, is created
755 to read:
756 501.713 Data protection assessments.—
757 (1) A controller shall conduct and document a data
758 protection assessment of each of the following processing
759 activities involving personal data:
760 (a) The processing of personal data for purposes of
761 targeted advertising.
762 (b) The sale of personal data.
763 (c) The processing of personal data for purposes of
764 profiling if the profiling presents a reasonably foreseeable
765 risk of:
766 1. Unfair or deceptive treatment of or unlawful disparate
767 impact on consumers;
768 2. Financial, physical, or reputational injury to
769 consumers;
770 3. A physical or other intrusion on the solitude or
771 seclusion, or the private affairs or concerns, of consumers, if
772 the intrusion would be offensive to a reasonable person; or
773 4. Other substantial injury to consumers.
774 (d) The processing of sensitive data.
775 (e) Any processing activities involving personal data which
776 present a heightened risk of harm to consumers.
777 (2) A data protection assessment conducted under subsection
778 (1) must do all of the following:
779 (a) Identify and weigh the direct or indirect benefits that
780 may flow from the processing to the controller, the consumer,
781 other stakeholders, and the public against the potential risks
782 to the rights of the consumer associated with that processing,
783 as mitigated by safeguards that can be employed by the
784 controller to reduce such risks.
785 (b) Factor into the assessment:
786 1. The use of deidentified data;
787 2. The reasonable expectations of consumers;
788 3. The context of the processing; and
789 4. The relationship between the controller and the consumer
790 whose personal data will be processed.
791 (3) The disclosure of a data protection assessment in
792 compliance with a request from the Attorney General pursuant to
793 s. 501.72 does not constitute a waiver of attorney-client
794 privilege or work product protection with respect to the
795 assessment and any information contained in the assessment.
796 (4) A single data protection assessment may address a
797 comparable set of processing operations which include similar
798 activities.
799 (5) A data protection assessment conducted by a controller
800 for the purpose of compliance with any other law or regulation
801 may constitute compliance with the requirements of this section
802 if the assessment has a reasonably comparable scope and effect.
803 (6) This section applies only to processing activities
804 generated on or after July 1, 2023.
805 Section 16. Section 501.714, Florida Statutes, is created
806 to read:
807 501.714 Deidentified data, pseudonymous data, and aggregate
808 consumer information.—
809 (1) A controller in possession of deidentified data shall
810 do all of the following:
811 (a) Take reasonable measures to ensure that the data cannot
812 be associated with an individual.
813 (b) Maintain and use the data in deidentified form. A
814 controller may not attempt to reidentify the data, except that
815 the controller may attempt to reidentify the data solely for the
816 purpose of determining whether its deidentification processes
817 satisfy the requirements of this section.
818 (c) Contractually obligate any recipient of the
819 deidentified data to comply with this part.
820 (d) Implement business processes to prevent the inadvertent
821 release of deidentified data.
822 (2) This part may not be construed to require a controller
823 or processor to do any of the following:
824 (a) Reidentify deidentified data or pseudonymous data.
825 (b) Maintain data in an identifiable form or obtain,
826 retain, or access any data or technology for the purpose of
827 allowing the controller or processor to associate a consumer
828 request with personal data.
829 (c) Comply with an authenticated consumer rights request
830 under s. 501.705 if the controller:
831 1. Is not reasonably capable of associating the request
832 with the personal data or it would be unreasonably burdensome
833 for the controller to associate the request with the personal
834 data;
835 2. Does not use the personal data to recognize or respond
836 to the specific consumer who is the subject of the personal data
837 or associate the personal data with other personal data about
838 the same specific consumer; and
839 3. Does not sell the personal data to a third party or
840 otherwise voluntarily disclose the personal data to a third
841 party other than a processor, except as otherwise authorized by
842 this section.
843 (3) The consumer rights enumerated under s. 501.705(2), and
844 controller duties imposed under s. 501.71, do not apply to
845 pseudonymous data or aggregate consumer information in cases in
846 which the controller is able to demonstrate that any information
847 necessary to identify the consumer is kept separate and is
848 subject to effective technical and organizational controls that
849 prevent the controller from accessing the information.
850 (4) A controller that discloses pseudonymous data,
851 deidentified data, or aggregate consumer information shall
852 exercise reasonable oversight to monitor compliance with any
853 contractual commitments to which the data or information is
854 subject and shall take appropriate steps to address any breach
855 of the contractual commitments.
856 Section 17. Section 501.715, Florida Statutes, is created
857 to read:
858 501.715 Requirements for sensitive data.—
859 (1) A person who meets the requirements of s.
860 501.702(9)(a)1., (a)2., and (a)3. for the definition of a
861 controller may not engage in the sale of personal data that is
862 sensitive data without receiving prior consent from the consumer
863 or, if the sensitive data is of a known child, without
864 processing that data with the affirmative authorization for such
865 processing by a known child who is between 13 and 18 years of
866 age or in accordance with the Children’s Online Privacy
867 Protection Act, 15 U.S.C. ss. 6501 et seq. for a known child
868 under the age of 13.
869 (2) A person in subsection (1) who engages in the sale of
870 personal data that is sensitive data must provide the following
871 notice: “NOTICE: This website may sell your sensitive personal
872 data.”
873 (3) A person who violates this section is subject to the
874 penalty imposed under s. 501.72.
875 Section 18. Section 501.716, Florida Statutes, is created
876 to read:
877 501.716 Exemptions for certain uses of consumer personal
878 data.—
879 (1) This part may not be construed to restrict a
880 controller’s or processor’s ability to do any of the following:
881 (a) Comply with federal or state laws, rules, or
882 regulations.
883 (b) Comply with a civil, criminal, or regulatory inquiry,
884 investigation, subpoena, or summons by federal, state, local, or
885 other governmental authorities.
886 (c) Investigate, establish, exercise, prepare for, or
887 defend legal claims.
888 (d) Provide a product or service specifically requested by
889 a consumer or the parent or guardian of a child, perform a
890 contract to which the consumer is a party, including fulfilling
891 the terms of a written warranty, or take steps at the request of
892 the consumer before entering into a contract.
893 (e) Take immediate steps to protect an interest that is
894 essential for the life or physical safety of the consumer or of
895 another individual and in which the processing cannot be
896 manifestly based on another legal basis.
897 (f) Prevent, detect, protect against, or respond to
898 security incidents, identity theft, fraud, harassment, malicious
899 or deceptive activities, or any illegal activity.
900 (g) Preserve the integrity or security of systems or
901 investigate, report, or prosecute those responsible for breaches
902 of system security.
903 (h) Engage in public or peer-reviewed scientific or
904 statistical research in the public interest which adheres to all
905 other applicable ethics and privacy laws and is approved,
906 monitored, and governed by an institutional review board or
907 similar independent oversight entity that determines:
908 1. Whether the deletion of the information is likely to
909 provide substantial benefits that do not exclusively accrue to
910 the controller;
911 2. Whether the expected benefits of the research outweigh
912 the privacy risks; and
913 3. Whether the controller has implemented reasonable
914 safeguards to mitigate privacy risks associated with research,
915 including any risks associated with reidentification.
916 (i) Assist another controller, processor, or third party in
917 complying with the requirements of this part.
918 (j) Disclose personal data disclosed when a consumer uses
919 or directs the controller to intentionally disclose information
920 to a third party or uses the controller to intentionally
921 interact with a third party. An intentional interaction occurs
922 when the consumer intends to interact with the third party, by
923 one or more deliberate interactions. Hovering over, muting,
924 pausing, or closing a given piece of content does not constitute
925 a consumer’s intent to interact with a third party.
926 (k) Transfer personal data to a third party as an asset
927 that is part of a merger, an acquisition, a bankruptcy, or other
928 transaction in which the third party assumes control of all or
929 part of the controller, provided that the information is used or
930 shared in a manner consistent with this part. If a third party
931 materially alters how it uses or shares the personal data of a
932 consumer in a manner that is materially inconsistent with the
933 commitments or promises made at the time of collection, it must
934 provide prior notice of the new or changed practice to the
935 consumer. The notice must be sufficiently prominent and robust
936 to ensure that consumers can easily exercise choices consistent
937 with this part.
938 (2) This part may not be construed to prevent a controller
939 or processor from providing personal data concerning a consumer
940 to a person covered by an evidentiary privilege under the laws
941 of this state as part of a privileged communication.
942 (3) This part may not be construed as imposing a
943 requirement on controllers and processors which adversely
944 affects the rights or freedoms of any person, including the
945 right of free speech.
946 (4) This part may not be construed as requiring a
947 controller, processor, third party, or consumer to disclose a
948 trade secret.
949 Section 19. Section 501.717, Florida Statutes, is created
950 to read:
951 501.717 Collection, use, or retention of data for certain
952 purposes.—
953 (1) The requirements imposed on controllers and processors
954 under this part may not restrict a controller’s or processor’s
955 ability to collect, use, or retain data to do any of the
956 following:
957 (a) Conduct internal research to develop, improve, or
958 repair products, services, or technology.
959 (b) Effect a product recall.
960 (c) Identify and repair technical errors that impair
961 existing or intended functionality.
962 (d) Perform internal operations that are:
963 1. Reasonably aligned with the expectations of the
964 consumer;
965 2. Reasonably anticipated based on the consumer’s existing
966 relationship with the controller; or
967 3. Otherwise compatible with processing data in furtherance
968 of the provision of a product or service specifically requested
969 by a consumer or the performance of a contract to which the
970 consumer is a party.
971 (2) A requirement imposed on a controller or processor
972 under this part does not apply if compliance with the
973 requirement by the controller or processor, as applicable, would
974 violate an evidentiary privilege under the laws of this state.
975 Section 20. Section 501.718, Florida Statutes, is created
976 to read:
977 501.718 Disclosure of personal data to third-party
978 controller or processor.—
979 (1) A controller or processor that discloses personal data
980 to a third-party controller or processor in compliance with the
981 requirements of this part does not violate this part if the
982 third-party controller or processor that receives and processes
983 that personal data violates this part, provided that, at the
984 time of the data’s disclosure, the disclosing controller or
985 processor could not have reasonably known that the recipient
986 intended to commit a violation.
987 (2) A third-party controller or processor receiving
988 personal data from a controller or processor in compliance with
989 the requirements of this part may not be held liable for
990 violations of this part committed by the controller or processor
991 from which the third-party controller or processor receives the
992 personal data.
993 Section 21. Section 501.719, Florida Statutes, is created
994 to read:
995 501.719 Processing of certain personal data by controller
996 or other person.—
997 (1) Personal data processed by a controller pursuant to ss.
998 501.716, 501.717, and 501.718 may not be processed for any
999 purpose other than those specified in those sections. Personal
1000 data processed by a controller pursuant to ss. 501.716, 501.717,
1001 and 501.718 may be processed to the extent that the processing
1002 of the data is:
1003 (a) Reasonably necessary and proportionate to the purposes
1004 specified in ss. 501.716, 501.717, and 501.718; and
1005 (b) Adequate, relevant, and limited to what is necessary in
1006 relation to the purposes specified in ss. 501.716, 501.717, and
1007 501.718.
1008 (c) Done to assist another controller, processor, or third
1009 party with any of the purposes specified in s. 501.716, s.
1010 501.717, or s. 501.718.
1011 (2) A controller or processor that collects, uses, or
1012 retains personal data for the purposes specified in s.
1013 501.717(1) must take into account the nature and purpose of such
1014 collection, use, or retention. Such personal data is subject to
1015 reasonable administrative, technical, and physical measures to
1016 protect its confidentiality, integrity, and accessibility and to
1017 reduce reasonably foreseeable risks of harm to consumers
1018 relating to the collection, use, or retention of personal data.
1019 (3) A controller or processor shall adopt and implement a
1020 retention schedule that prohibits the use or retention of
1021 personal data not subject to an exemption by the controller or
1022 processor after the satisfaction of the initial purpose for
1023 which such information was collected or obtained, after the
1024 expiration or termination of the contract pursuant to which the
1025 information was collected or obtained, or 2 years after the
1026 consumer’s last interaction with the controller or processor.
1027 This subsection does not apply to personal data reasonably used
1028 or retained to do any of the following:
1029 (a) Provide a good or service requested by the consumer, or
1030 reasonably anticipate the request of such good or service within
1031 the context of a controller’s ongoing business relationship with
1032 the consumer.
1033 (b) Debug to identify and repair errors that impair
1034 existing intended functionality.
1035 (c) Enable solely internal uses that are reasonably aligned
1036 with the expectations of the consumer based on the consumer’s
1037 relationship with the controller or that are compatible with the
1038 context in which the consumer provided the information.
1039 (4) A controller or processor that processes personal data
1040 pursuant to ss. 501.716, 501.717, and 501.718 bears the burden
1041 of demonstrating that the processing of the personal data
1042 qualifies for the exemption and complies with the requirements
1043 of this section.
1044 Section 22. Section 501.72, Florida Statutes, is created to
1045 read:
1046 501.72 Enforcement and implementation by the Department of
1047 Legal Affairs.—
1048 (1) A violation of this part is an unfair and deceptive
1049 trade practice actionable under part II of this chapter solely
1050 by the Department of Legal Affairs. If the department has reason
1051 to believe that a person is in violation of this section, the
1052 department may, as the enforcing authority, bring an action
1053 against such person for an unfair or deceptive act or practice.
1054 For the purpose of bringing an action pursuant to this section,
1055 ss. 501.211 and 501.212 do not apply. In addition to other
1056 remedies under part II of this chapter, the department may
1057 collect a civil penalty of up to $50,000 per violation. Civil
1058 penalties may be tripled for any of the following violations:
1059 (a) A violation involving a Florida consumer who is a known
1060 child. A controller that willfully disregards the consumer’s age
1061 is deemed to have actual knowledge of the consumer’s age.
1062 (b) Failure to delete or correct the consumer’s personal
1063 data pursuant to this section after receiving an authenticated
1064 consumer request or directions from a controller to delete or
1065 correct such personal data, unless an exception to the
1066 requirements to delete or correct such personal data under this
1067 section applies.
1068 (c) Continuing to sell or share the consumer’s personal
1069 data after the consumer chooses to opt out under this part.
1070 (2) After the department has notified a person in writing
1071 of an alleged violation, the department may grant a 45-day
1072 period to cure the alleged violation and issue a letter of
1073 guidance. The 45-day cure period does not apply to an alleged
1074 violation of paragraph (1)(a). The department may consider the
1075 number and frequency of violations, the substantial likelihood
1076 of injury to the public, and the safety of persons or property
1077 in determining whether to grant 45 calendar days to cure and the
1078 issuance of a letter of guidance. If the alleged violation is
1079 cured to the satisfaction of the department and proof of such
1080 cure is provided to the department, the department may not bring
1081 an action for the alleged violation but in its discretion may
1082 issue a letter of guidance that indicates that the person will
1083 not be offered a 45-day cure period for any future violations.
1084 If the person fails to cure the alleged violation within 45
1085 calendar days, the department may bring an action against such
1086 person for the alleged violation.
1087 (3) Any action brought by the department may be brought
1088 only on behalf of a Florida consumer.
1089 (4) By February 1 of each year, the department shall make a
1090 report publicly available on the department’s website describing
1091 any actions taken by the department to enforce this section. The
1092 report must include statistics and relevant information
1093 detailing all of the following:
1094 (a) The number of complaints received and the categories or
1095 types of violations alleged by the complainant.
1096 (b) The number and type of enforcement actions taken and
1097 the outcomes of such actions, including the amount of penalties
1098 issued and collected.
1099 (c) The number of complaints resolved without the need for
1100 litigation.
1101 (d) For the report due February 1, 2024, the status of the
1102 development and implementation of rules to implement this
1103 section.
1104 (5) The department shall adopt rules to implement this
1105 section, including standards for authenticated consumer
1106 requests, enforcement, data security, and authorized persons who
1107 may act on a consumer’s behalf.
1108 (6) The department may collaborate and cooperate with other
1109 enforcement authorities of the Federal Government or other state
1110 governments concerning consumer data privacy issues and consumer
1111 data privacy investigations if such enforcement authorities have
1112 restrictions governing confidentiality at least as stringent as
1113 the restrictions provided in this section.
1114 (7) Liability for a tort, contract claim, or consumer
1115 protection claim unrelated to an action brought under this
1116 section does not arise solely from the failure of a person to
1117 comply with this part.
1118 (8) This part does not establish a private cause of action.
1119 (9) The department may employ or use the legal services of
1120 outside counsel and the investigative services of outside
1121 personnel to fulfill the obligations of this section.
1122 (10) For purposes of bringing an action pursuant to this
1123 section, any person who meets the definition of controller as
1124 defined in this part who collects, shares, or sells the personal
1125 data of Florida consumers is considered to be engaged in both
1126 substantial and not isolated activities within this state and
1127 operating, conducting, engaging in, or carrying on a business,
1128 and doing business in this state, and is, therefore, subject to
1129 the jurisdiction of the courts of this state.
1130 Section 23. Section 501.721, Florida Statutes, is created
1131 to read:
1132 501.721 Preemption.—This part is a matter of statewide
1133 concern and supersedes all rules, regulations, codes,
1134 ordinances, and other laws adopted by a city, county, city and
1135 county, municipality, or local agency regarding the collection,
1136 processing, sharing, or sale of consumer personal data by a
1137 controller or processor. The regulation of the collection,
1138 processing, sharing, or sale of consumer personal data by a
1139 controller or processor is preempted to the state.
1140 Section 24. Paragraph (g) of subsection (1) of section
1141 501.171, Florida Statutes, is amended to read:
1142 501.171 Security of confidential personal information.—
1143 (1) DEFINITIONS.—As used in this section, the term:
1144 (g)1. “Personal information” means either of the following:
1145 a. An individual’s first name or first initial and last
1146 name in combination with any one or more of the following data
1147 elements for that individual:
1148 (I) A social security number;
1149 (II) A driver license or identification card number,
1150 passport number, military identification number, or other
1151 similar number issued on a government document used to verify
1152 identity;
1153 (III) A financial account number or credit or debit card
1154 number, in combination with any required security code, access
1155 code, or password that is necessary to permit access to an
1156 individual’s financial account;
1157 (IV) Any information regarding an individual’s medical
1158 history, mental or physical condition, or medical treatment or
1159 diagnosis by a health care professional; or
1160 (V) An individual’s health insurance policy number or
1161 subscriber identification number and any unique identifier used
1162 by a health insurer to identify the individual;
1163 (VI) An individual’s biometric data as defined in s.
1164 501.702; or
1165 (VII) Any information regarding an individual’s
1166 geolocation.
1167 b. A user name or e-mail address, in combination with a
1168 password or security question and answer that would permit
1169 access to an online account.
1170 2. The term does not include information about an
1171 individual that has been made publicly available by a federal,
1172 state, or local governmental entity. The term also does not
1173 include information that is encrypted, secured, or modified by
1174 any other method or technology that removes elements that
1175 personally identify an individual or that otherwise renders the
1176 information unusable.
1177 Section 25. Subsection (1) of section 16.53, Florida
1178 Statutes, is amended, and subsection (8) is added to that
1179 section, to read:
1180 16.53 Legal Affairs Revolving Trust Fund.—
1181 (1) There is created in the State Treasury the Legal
1182 Affairs Revolving Trust Fund, from which the Legislature may
1183 appropriate funds for the purpose of funding investigation,
1184 prosecution, and enforcement by the Attorney General of the
1185 provisions of the Racketeer Influenced and Corrupt Organization
1186 Act, the Florida Deceptive and Unfair Trade Practices Act, the
1187 Florida False Claims Act, or state or federal antitrust laws, or
1188 part V of chapter 501.
1189 (8) All moneys recovered by the Attorney General for
1190 attorney fees, costs, and penalties in an action for a violation
1191 of part V of chapter 501 must be deposited in the trust fund.
1192 Section 26. This act shall take effect July 1, 2023.
1193
1194 ================= T I T L E A M E N D M E N T ================
1195 And the title is amended as follows:
1196 Delete everything before the enacting clause
1197 and insert:
1198 A bill to be entitled
1199 An act relating to technology transparency; creating
1200 s. 112.23, F.S.; defining terms; prohibiting officers
1201 or salaried employees of governmental entities from
1202 using their positions or state resources to make
1203 certain requests of social media platforms;
1204 prohibiting governmental entities from initiating or
1205 maintaining agreements or working relationships with
1206 social media platforms under a specified circumstance;
1207 providing exceptions; providing directives to the
1208 Division of Law Revision; creating s. 501.701, F.S.;
1209 providing a short title; creating s. 501.702, F.S.;
1210 defining terms; creating s. 501.703, F.S.; providing
1211 applicability; creating s. 501.704, F.S.; providing
1212 exemptions; creating s. 501.705, F.S.; providing that
1213 a consumer may submit requests to controllers to
1214 exercise specified rights; requiring controllers to
1215 comply with certain authenticated consumer requests;
1216 creating s. 501.706, F.S.; providing timeframes within
1217 which controllers must respond to consumer requests;
1218 providing notice requirements for controllers that
1219 cannot take action regarding a consumer’s request;
1220 providing that controllers are not required to comply
1221 with certain consumer requests; providing notice
1222 requirements for controllers’ compliance with consumer
1223 requests; requiring responses to consumer requests to
1224 be made free of charge; providing exceptions;
1225 specifying the methods by which controllers may be
1226 considered to be in compliance with consumer requests
1227 for the controller to delete their personal data;
1228 creating s. 501.707, F.S.; requiring controllers to
1229 establish a process for consumers to appeal the
1230 controller’s refusal to take action on the consumer’s
1231 request within a specified timeframe; providing
1232 requirements for such process; creating s. 501.708,
1233 F.S.; providing that contracts or agreements that
1234 waive or limit specified consumer rights are void and
1235 unenforceable; creating s. 501.709, F.S.; requiring
1236 controllers to establish methods for submitting
1237 consumer requests; prohibiting controllers from
1238 requiring consumers to create new accounts to exercise
1239 their consumer rights; requiring controllers to
1240 provide a certain mechanism on their websites for
1241 consumers to submit certain requests; creating s.
1242 501.71, F.S.; requiring controllers to limit the
1243 collection of personal data according to certain
1244 parameters; requiring controllers to establish,
1245 implement, and maintain specified practices regarding
1246 personal data; prohibiting controllers from taking
1247 certain actions regarding a consumer’s personal data;
1248 prohibiting controllers from discriminating against
1249 consumers exercising their consumer rights; providing
1250 construction; requiring a controller that operates a
1251 search engine to make certain information available on
1252 its webpage; creating s. 501.711, F.S.; requiring
1253 controllers to provide consumers with privacy notices
1254 that meet certain requirements; requiring controllers
1255 that engage in the sale of sensitive or biometric
1256 personal data to provide notices that meet certain
1257 requirements; requiring controllers that sell personal
1258 data or process personal data for targeted advertising
1259 to disclose certain information; prohibiting
1260 controllers from collecting additional categories of
1261 personal information or using such information for
1262 additional purposes without providing specified
1263 notice; creating s. 501.712, F.S.; requiring
1264 processors to adhere to controller instructions and to
1265 assist the controller in meeting or complying with
1266 certain requirements; providing requirements for
1267 contracts between controllers and processors regarding
1268 data processing procedures; providing construction;
1269 providing that the determination of whether a person
1270 is acting as a controller or processor is a fact-based
1271 determination; creating s. 501.713, F.S.; requiring
1272 controllers to conduct and document data protection
1273 assessments of specified processing activities
1274 involving personal data; providing requirements for
1275 such assessments; providing applicability; creating s.
1276 501.714, F.S.; requiring controllers in possession of
1277 deidentified data to take certain actions; providing
1278 construction; providing that specified consumer rights
1279 and controller duties do not apply to pseudonymous
1280 data or aggregate consumer information under certain
1281 circumstances; requiring controllers that disclose
1282 pseudonymous data, deidentified data, or aggregate
1283 consumer information to exercise reasonable oversight
1284 and take appropriate steps to address breaches of
1285 contractual agreements; creating s. 501.715, F.S.;
1286 requiring certain persons to receive consumer consent
1287 before engaging in the sale of sensitive personal
1288 data; requiring a specified notice; providing for
1289 penalties; creating s. 501.716, F.S.; providing
1290 exemptions for specified controller or processor uses
1291 of consumer personal data; providing that controllers
1292 or processors may provide personal data concerning a
1293 consumer to certain covered persons; creating s.
1294 501.717, F.S.; authorizing controllers and processors
1295 to collect, use, or retain data for specified
1296 purposes; providing that certain requirements do not
1297 apply if such compliance would violate certain laws;
1298 creating s. 501.718, F.S.; providing circumstances
1299 under which processors are not in violation of this
1300 act for the disclosure of personal data to a third
1301 party controller or processor; providing that third
1302 party controllers or processors that comply with this
1303 part are not liable for violations committed by
1304 controllers or processors from whom they receive
1305 personal data; creating s. 501.719, F.S.; providing
1306 requirements for the processing of certain personal
1307 data by controllers; requiring controllers and
1308 processors to adopt and implement a retention schedule
1309 that meets certain requirements; requiring controllers
1310 or processors that process certain personal data to
1311 demonstrate that such processing qualifies for a
1312 specified exemption; creating s. 501.72, F.S.;
1313 authorizing the Department of Legal Affairs to bring
1314 an action under the Florida Deceptive and Unfair Trade
1315 Practices Act for violations of the act; providing for
1316 civil penalties; providing for enhanced civil
1317 penalties for certain violations; authorizing the
1318 department to grant a specified timeframe within which
1319 an alleged violation may be cured; providing an
1320 exception; providing certain factors the department
1321 may take into consideration; requiring the department
1322 to make a report regarding certain enforcement actions
1323 publicly available on the department’s website;
1324 providing requirements for the report; requiring the
1325 department to adopt rules; authorizing the department
1326 to collaborate and cooperate with specified
1327 enforcement authorities; specifying that the act does
1328 not create a private cause of action; authorizing the
1329 department to employ or use outside legal counsel for
1330 specified purposes; providing for jurisdiction;
1331 creating s. 501.721, F.S.; declaring that the act is a
1332 matter of statewide concern; preempting the
1333 collection, processing, sharing, and sale of consumer
1334 personal data to the state; amending s. 501.171, F.S.;
1335 revising the definition of the term “personal
1336 information”; amending s. 16.53, F.S.; requiring that
1337 certain attorney fees, costs, and penalties recovered
1338 by the Attorney General be deposited in the Legal
1339 Affairs Revolving Trust Fund; providing an effective
1340 date.