Florida Senate - 2023                          SENATOR AMENDMENT
       Bill No. CS/CS/SB 262, 1st Eng.
                              LEGISLATIVE ACTION                        
                    Senate             .             House              
                 Floor: AD/RM          .            Floor: C            
             05/04/2023 05:19 PM       .      05/04/2023 06:26 PM       

       Senator Bradley moved the following:
    1         Senate Amendment to House Amendment (703943) (with title
    2  amendment)
    4         Delete lines 7 - 185
    5  and insert:
    6  that consumer’s activities over time across affiliated or
    7  unaffiliated websites and online applications used to predict
    8  the consumer’s preferences or interests. The term does not
    9  include an advertisement that is:
   10         (a) Based on the context of a consumer’s current search
   11  query on the controller’s own website or online application; or
   12         (b) Directed to a consumer search query on the controller’s
   13  own website or online application in response to the consumer’s
   14  request for information or feedback.
   15         (34) “Third party” means a person, other than the consumer,
   16  the controller, the processor, or an affiliate of the controller
   17  or processor.
   18         (35) “Trade secret” has the same meaning as in s. 812.081.
   19         (36) “Voice recognition feature” means the function of a
   20  device which enables the collection, recording, storage,
   21  analysis, transmission, interpretation, or other use of spoken
   22  words or other sounds.
   23         Section 5. Section 501.703, Florida Statutes, is created to
   24  read:
   25         501.703 Applicability.—
   26         (1) This part applies only to a person who:
   27         (a) Conducts business in this state or produces a product
   28  or service used by residents of this state; and
   29         (b) Processes or engages in the sale of personal data.
   30         (2) This part does not apply to any of the following:
   31         (a) A state agency or a political subdivision of the state.
   32         (b) A financial institution or data subject to Title V,
   33  Gramm-Leach-Bliley Act, 15 U.S.C. ss. 6801 et seq.
   34         (c) A covered entity or business associate governed by the
   35  privacy, security, and breach notification regulations issued by
   36  the United States Department of Health and Human Services, 45
   37  C.F.R. parts 160 and 164, established under the Health Insurance
   38  Portability and Accountability Act of 1996, 42 U.S.C. ss. 1320d
   39  et seq., and the Health Information Technology for Economic and
   40  Clinical Health Act, Division A, Title XIII and Division B,
   41  Title IV, Pub. L. No. 111-5.
   42         (d) A nonprofit organization.
   43         (e) A postsecondary education institution.
   44         (f) The processing of personal data:
   45         1. By a person in the course of a purely personal or
   46  household activity.
   47         2. Solely for measuring or reporting advertising
   48  performance, reach, or frequency.
   49         (3) A controller or processor that complies with the
   50  authenticated parental consent requirements of the Children’s
   51  Online Privacy Protection Act, 15 U.S.C. ss. 6501 et seq., with
   52  respect to data collected online, is considered to be in
   53  compliance with any requirement to obtain parental consent under
   54  this part.
   55         Section 6. Section 501.704, Florida Statutes, is created to
   56  read:
   57         501.704 Exemptions.—All of the following information is
   58  exempt from this part:
   59         (1) Protected health information under the Health Insurance
   60  Portability and Accountability Act of 1996, 42 U.S.C. ss. 1320d
   61  et seq.
   62         (2) Health records.
   63         (3) Patient identifying information for purposes of 42
   64  U.S.C. s. 290dd-2.
   65         (4) Identifiable private information:
   66         (a) For purposes of the federal policy for the protection
   67  of human subjects under 45 C.F.R. part 46;
   68         (b) Collected as part of human subjects research under the
   69  good clinical practice guidelines issued by the International
   70  Council for Harmonisation of Technical Requirements for
   71  Pharmaceuticals for Human Use or the protection of human
   72  subjects under 21 C.F.R. parts 50 and 56; or
   73         (c) That is personal data used or shared in research
   74  conducted in accordance with this part or other research
   75  conducted in accordance with applicable law.
   76         (5) Information and documents created for purposes of the
   77  Health Care Quality Improvement Act of 1986, 42 U.S.C. ss. 11101
   78  et seq.
   79         (6) Patient safety work product for purposes of the Patient
   80  Safety and Quality Improvement Act of 2005, 42 U.S.C. ss. 299b
   81  21 et seq.
   82         (7) Information derived from any of the health care-related
   83  information listed in this section which is deidentified in
   84  accordance with the requirements for deidentification under the
   85  Health Insurance Portability and Accountability Act of 1996, 42
   86  U.S.C. ss. 1320d et seq.
   87         (8) Information originating from, and intermingled to be
   88  indistinguishable with, or information treated in the same
   89  manner as, information exempt under this section which is
   90  maintained by a covered entity or business associate as defined
   91  by the Health Insurance Portability and Accountability Act of
   92  1996, 42 U.S.C. ss. 1320d et seq. or by a program or a qualified
   93  service organization as defined by 42 U.S.C. s. 290dd-2.
   94         (9) Information included in a limited data set as described
   95  by 45 C.F.R. s. 164.514(e), to the extent that the information
   96  is used, disclosed, and maintained in the manner specified by 45
   97  C.F.R. s. 164.514(e).
   98         (10) Information used only for public health activities and
   99  purposes as described in 45 C.F.R. s. 164.512.
  100         (11) Information collected or used only for public health
  101  activities and purposes as authorized by the Health Insurance
  102  Portability and Accountability Act of 1996, 42 U.S.C. ss. 1320d
  103  et seq.
  104         (12) The collection, maintenance, disclosure, sale,
  105  communication, or use of any personal data bearing on a
  106  consumer’s creditworthiness, credit standing, credit capacity,
  107  character, general reputation, personal characteristics, or mode
  108  of living by a consumer reporting agency or furnisher that
  109  provides information for use in a consumer report, or by a user
  110  of a consumer report, but only to the extent that the activity
  111  is regulated by and authorized under the Fair Credit Reporting
  112  Act, 15 U.S.C. ss. 1681 et seq.
  113         (13) Personal data collected, processed, sold, or disclosed
  114  in compliance with the Driver’s Privacy Protection Act of 1994,
  115  18 U.S.C. ss. 2721 et seq.
  116         (14) Personal data regulated by the Family Educational
  117  Rights and Privacy Act of 1974, 20 U.S.C. s. 1232g.
  118         (15) Personal data collected, processed, sold, or disclosed
  119  in compliance with the Farm Credit Act of 1971, 12 U.S.C. ss.
  120  2001 et seq.
  121         (16) Data processed or maintained in the course of an
  122  individual applying to, being employed by, or acting as an agent
  123  or independent contractor of a controller, processor, or third
  124  party, to the extent that the data is collected and used within
  125  the context of that role.
  126         (17) Data processed or maintained as the emergency contact
  127  information of an individual under this part which is used for
  128  emergency contact purposes.
  129         (18) Data that is processed or maintained and that is
  130  necessary to retain to administer benefits for another
  131  individual which relates to an individual described in
  132  subsection (16) and which is used for the purposes of
  133  administering those benefits.
  134         (19) Personal data collected and transmitted which is
  135  necessary for the sole purpose of sharing such personal data
  136  with a financial service provider solely to facilitate short
  137  term, transactional payment processing for the purchase of
  138  products or services.
  139         (20) Personal data collected, processed, sold, or disclosed
  140  in relation to price, route, or service as those terms are used
  141  in the Airline Deregulation Act, 49 U.S.C. ss. 40101 et seq., by
  142  entities subject to that act, to the extent the provisions of
  143  this act are preempted by 49 U.S.C. s. 41713.
  144         (21) Personal data shared between a manufacturer of a
  145  tangible product and authorized third-party distributors or
  146  vendors of the product, as long as such personal data is used
  147  solely for advertising, marketing, or servicing the product that
  148  is acquired directly through such manufacturer and such
  149  authorized third-party distributors or vendors. Such personal
  150  data may not be sold or shared unless otherwise authorized under
  151  this part.
  152         Section 7. Section 501.705, Florida Statutes, is created to
  153  read:
  154         501.705 Consumer rights.—
  155         (1) A consumer is entitled to exercise the consumer rights
  156  authorized by this section at any time by submitting a request
  157  to a controller which specifies the consumer rights that the
  158  consumer wishes to exercise. With respect to the processing of
  159  personal data belonging to a known child, a parent or legal
  160  guardian of the child may exercise these rights on behalf of the
  161  child.
  162         (2) A controller shall comply with an authenticated
  163  consumer request to exercise any of the following rights:
  164         (a) To confirm whether a controller is processing the
  165  consumer’s personal data and to access the personal data.
  166         (b) To correct inaccuracies in the consumer’s personal
  167  data, taking into account the nature of the personal data and
  168  the purposes of the processing of the consumer’s personal data.
  169         (c) To delete any or all personal data provided by or
  170  obtained about the consumer.
  171         (d) To obtain a copy of the consumer’s personal data in a
  172  portable and, to the extent technically feasible, readily usable
  173  format if the data is available in a digital format.
  174         (e) To opt out of the processing of the personal data for
  175  purposes of:
  176         1. Targeted advertising;
  177         2. The sale of personal data; or
  178         3. Profiling in furtherance of a decision that produces a
  179  legal or similarly significant effect concerning a consumer.
  180         (f) To opt out of the collection of sensitive data,
  181  including precise geolocation data, or the processing of
  182  sensitive data.
  183         (g) To opt out of the collection of personal data collected
  184  through the operation of a voice recognition or facial
  185  recognition feature.
  186         (3) A device that has a voice recognition feature, a facial
  187  recognition feature, a video recording feature, an audio
  188  recording feature, or any other electronic, visual, thermal, or
  189  olfactory feature that collects data may not use those features
  190  for the purpose of surveillance by the controller, processor, or
  191  affiliate of a controller or processor when such features are
  192  not in active use by the consumer, unless otherwise expressly
  193  authorized by the consumer.
  195  ================= T I T L E  A M E N D M E N T ================
  196  And the title is amended as follows:
  197         After line 185
  198  insert:
  199         Between lines 18 and 19
  200         insert:
  201         prohibiting certain devices from being used for
  202         surveillance purposes without the express
  203         authorization of the consumer under certain
  204         circumstances;