or1160 (V) An individual’s health insurance policy number or 1161 subscriber identification number and any unique identifier used 1162 by a health insurer to identify the individual; 1163 (VI) An individual’s biometric data as defined in s. 1164 501.702; or 1165 (VII) Any information regarding an individual’s 1166 geolocation. 1167 b. A user name or e-mail address, in combination with a 1168 password or security question and answer that would permit 1169 access to an online account. 1170 2. The term does not include information about an 1171 individual that has been made publicly available by a federal, 1172 state, or local governmental entity. The term also does not 1173 include information that is encrypted, secured, or modified by 1174 any other method or technology that removes elements that 1175 personally identify an individual or that otherwise renders the 1176 information unusable. 1177 Section 25. Subsection (1) of section 16.53, Florida 1178 Statutes, is amended, and subsection (8) is added to that 1179 section, to read: 1180 16.53 Legal Affairs Revolving Trust Fund.— 1181 (1) There is created in the State Treasury the Legal 1182 Affairs Revolving Trust Fund, from which the Legislature may 1183 appropriate funds for the purpose of funding investigation, 1184 prosecution, and enforcement by the Attorney General of the 1185 provisions of the Racketeer Influenced and Corrupt Organization 1186 Act, the Florida Deceptive and Unfair Trade Practices Act, the 1187 Florida False Claims Act, orstate or federal antitrust laws, or 1188 part V of chapter 501. 1189 (8) All moneys recovered by the Attorney General for 1190 attorney fees, costs, and penalties in an action for a violation 1191 of part V of chapter 501 must be deposited in the trust fund. 1192 Section 26. This act shall take effect July 1, 2023 1193 1194 ================= T I T L E A M E N D M E N T ================ 1195 And the title is amended as follows: 1196 Delete everything before the enacting clause 1197 and insert: 1198 A bill to be entitled 1199 An act relating to technology transparency; creating 1200 s. 112.23, F.S.; defining terms; prohibiting officers 1201 or salaried employees of governmental entities from 1202 using their positions or state resources to make 1203 certain requests of social media platforms; 1204 prohibiting governmental entities from initiating or 1205 maintaining agreements or working relationships with 1206 social media platforms under a specified circumstance; 1207 providing exceptions; providing directives to the 1208 Division of Law Revision; creating s. 501.701, F.S.; 1209 providing a short title; creating s. 501.702, F.S.; 1210 defining terms; creating s. 501.703, F.S.; providing 1211 applicability; creating s. 501.704, F.S.; providing 1212 exemptions; creating s. 501.705, F.S.; providing that 1213 a consumer may submit requests to controllers to 1214 exercise specified rights; requiring controllers to 1215 comply with certain authenticated consumer requests; 1216 creating s. 501.706, F.S.; providing timeframes within 1217 which controllers must respond to consumer requests; 1218 providing notice requirements for controllers that 1219 cannot take action regarding a consumer’s request; 1220 providing that controllers are not required to comply 1221 with certain consumer requests; providing notice 1222 requirements for controllers’ compliance with consumer 1223 requests; requiring responses to consumer requests to 1224 be made free of charge; providing exceptions; 1225 specifying the methods by which controllers may be 1226 considered to be in compliance with consumer requests 1227 for the controller to delete their personal data; 1228 creating s. 501.707, F.S.; requiring controllers to 1229 establish a process for consumers to appeal the 1230 controller’s refusal to take action on the consumer’s 1231 request within a specified timeframe; providing 1232 requirements for such process; creating s. 501.708, 1233 F.S.; providing that contracts or agreements that 1234 waive or limit specified consumer rights are void and 1235 unenforceable; creating s. 501.709, F.S.; requiring 1236 controllers to establish methods for submitting 1237 consumer requests; prohibiting controllers from 1238 requiring consumers to create new accounts to exercise 1239 their consumer rights; requiring controllers to 1240 provide a certain mechanism on their websites for 1241 consumers to submit certain requests; creating s. 1242 501.71, F.S.; requiring controllers to limit the 1243 collection of personal data according to certain 1244 parameters; requiring controllers to establish, 1245 implement, and maintain specified practices regarding 1246 personal data; prohibiting controllers from taking 1247 certain actions regarding a consumer’s personal data; 1248 prohibiting controllers from discriminating against 1249 consumers exercising their consumer rights; providing 1250 construction; requiring a controller that operates a 1251 search engine to make certain information available on 1252 its webpage; creating s. 501.711, F.S.; requiring 1253 controllers to provide consumers with privacy notices 1254 that meet certain requirements; requiring controllers 1255 that engage in the sale of sensitive or biometric 1256 personal data to provide notices that meet certain 1257 requirements; requiring controllers that sell personal 1258 data or process personal data for targeted advertising 1259 to disclose certain information; prohibiting 1260 controllers from collecting additional categories of 1261 personal information or using such information for 1262 additional purposes without providing specified 1263 notice; creating s. 501.712, F.S.; requiring 1264 processors to adhere to controller instructions and to 1265 assist the controller in meeting or complying with 1266 certain requirements; providing requirements for 1267 contracts between controllers and processors regarding 1268 data processing procedures; providing construction; 1269 providing that the determination of whether a person 1270 is acting as a controller or processor is a fact-based 1271 determination; creating s. 501.713, F.S.; requiring 1272 controllers to conduct and document data protection 1273 assessments of specified processing activities 1274 involving personal data; providing requirements for 1275 such assessments; providing applicability; creating s. 1276 501.714, F.S.; requiring controllers in possession of 1277 deidentified data to take certain actions; providing 1278 construction; providing that specified consumer rights 1279 and controller duties do not apply to pseudonymous 1280 data or aggregate consumer information under certain 1281 circumstances; requiring controllers that disclose 1282 pseudonymous data, deidentified data, or aggregate 1283 consumer information to exercise reasonable oversight 1284 and take appropriate steps to address breaches of 1285 contractual agreements; creating s. 501.715, F.S.; 1286 requiring certain persons to receive consumer consent 1287 before engaging in the sale of sensitive personal 1288 data; requiring a specified notice; providing for 1289 penalties; creating s. 501.716, F.S.; providing 1290 exemptions for specified controller or processor uses 1291 of consumer personal data; providing that controllers 1292 or processors may provide personal data concerning a 1293 consumer to certain covered persons; creating s. 1294 501.717, F.S.; authorizing controllers and processors 1295 to collect, use, or retain data for specified 1296 purposes; providing that certain requirements do not 1297 apply if such compliance would violate certain laws; 1298 creating s. 501.718, F.S.; providing circumstances 1299 under which processors are not in violation of this 1300 act for the disclosure of personal data to a third 1301 party controller or processor; providing that third 1302 party controllers or processors that comply with this 1303 part are not liable for violations committed by 1304 controllers or processors from whom they receive 1305 personal data; creating s. 501.719, F.S.; providing 1306 requirements for the processing of certain personal 1307 data by controllers; requiring controllers and 1308 processors to adopt and implement a retention schedule 1309 that meets certain requirements; requiring controllers 1310 or processors that process certain personal data to 1311 demonstrate that such processing qualifies for a 1312 specified exemption; creating s. 501.72, F.S.; 1313 authorizing the Department of Legal Affairs to bring 1314 an action under the Florida Deceptive and Unfair Trade 1315 Practices Act for violations of the act; providing for 1316 civil penalties; providing for enhanced civil 1317 penalties for certain violations; authorizing the 1318 department to grant a specified timeframe within which 1319 a an alleged violation may be cured; providing an 1320 exception; providing certain factors the department 1321 may take into consideration; requiring the department 1322 to make a report regarding certain enforcement actions 1323 publicly available on the department’s website; 1324 providing requirements for the report; requiring the 1325 department to adopt rules; authorizing the department 1326 to collaborate and cooperate with specified 1327 enforcement authorities; specifying that the act does 1328 not create a private cause of action; authorizing the 1329 department to employ or use outside legal counsel for 1330 specified purposes; providing for jurisdiction; 1331 creating s. 501.721, F.S.; declaring that the act is a 1332 matter of statewide concern; preempting the 1333 collection, processing, sharing, and sale of consumer 1334 personal data to the state; amending s. 501.171, F.S.; 1335 revising the definition of the term “personal 1336 information”; amending s. 16.53, F.S.; requiring that 1337 certain attorney fees, costs, and penalties recovered 1338 by the Attorney General be deposited in the Legal 1339 Affairs Revolving Trust Fund; providing an effective 1340 date.