Florida Senate - 2023 SENATOR AMENDMENT
Bill No. CS/CS/SB 262, 1st Eng.
LEGISLATIVE ACTION
Senate: Floor: AD/RM, 05/04/2023 05:19 PM
House: Floor: C, 05/04/2023 06:26 PM
Senator Bradley moved the following:
1 Senate Amendment to House Amendment (703943) (with title
2 amendment)
3
4 Delete lines 7 - 185
5 and insert:
6 that consumer’s activities over time across affiliated or
7 unaffiliated websites and online applications used to predict
8 the consumer’s preferences or interests. The term does not
9 include an advertisement that is:
10 (a) Based on the context of a consumer’s current search
11 query on the controller’s own website or online application; or
12 (b) Directed to a consumer search query on the controller’s
13 own website or online application in response to the consumer’s
14 request for information or feedback.
15 (34) “Third party” means a person, other than the consumer,
16 the controller, the processor, or an affiliate of the controller
17 or processor.
18 (35) “Trade secret” has the same meaning as in s. 812.081.
19 (36) “Voice recognition feature” means the function of a
20 device which enables the collection, recording, storage,
21 analysis, transmission, interpretation, or other use of spoken
22 words or other sounds.
23 Section 5. Section 501.703, Florida Statutes, is created to
24 read:
25 501.703 Applicability.—
26 (1) This part applies only to a person who:
27 (a) Conducts business in this state or produces a product
28 or service used by residents of this state; and
29 (b) Processes or engages in the sale of personal data.
30 (2) This part does not apply to any of the following:
31 (a) A state agency or a political subdivision of the state.
32 (b) A financial institution or data subject to Title V,
33 Gramm-Leach-Bliley Act, 15 U.S.C. ss. 6801 et seq.
34 (c) A covered entity or business associate governed by the
35 privacy, security, and breach notification regulations issued by
36 the United States Department of Health and Human Services, 45
37 C.F.R. parts 160 and 164, established under the Health Insurance
38 Portability and Accountability Act of 1996, 42 U.S.C. ss. 1320d
39 et seq., and the Health Information Technology for Economic and
40 Clinical Health Act, Division A, Title XIII and Division B,
41 Title IV, Pub. L. No. 111-5.
42 (d) A nonprofit organization.
43 (e) A postsecondary education institution.
44 (f) The processing of personal data:
45 1. By a person in the course of a purely personal or
46 household activity.
47 2. Solely for measuring or reporting advertising
48 performance, reach, or frequency.
49 (3) A controller or processor that complies with the
50 authenticated parental consent requirements of the Children’s
51 Online Privacy Protection Act, 15 U.S.C. ss. 6501 et seq., with
52 respect to data collected online, is considered to be in
53 compliance with any requirement to obtain parental consent under
54 this part.
55 Section 6. Section 501.704, Florida Statutes, is created to
56 read:
57 501.704 Exemptions.—All of the following information is
58 exempt from this part:
59 (1) Protected health information under the Health Insurance
60 Portability and Accountability Act of 1996, 42 U.S.C. ss. 1320d
61 et seq.
62 (2) Health records.
63 (3) Patient identifying information for purposes of 42
64 U.S.C. s. 290dd-2.
65 (4) Identifiable private information:
66 (a) For purposes of the federal policy for the protection
67 of human subjects under 45 C.F.R. part 46;
68 (b) Collected as part of human subjects research under the
69 good clinical practice guidelines issued by the International
70 Council for Harmonisation of Technical Requirements for
71 Pharmaceuticals for Human Use or the protection of human
72 subjects under 21 C.F.R. parts 50 and 56; or
73 (c) That is personal data used or shared in research
74 conducted in accordance with this part or other research
75 conducted in accordance with applicable law.
76 (5) Information and documents created for purposes of the
77 Health Care Quality Improvement Act of 1986, 42 U.S.C. ss. 11101
78 et seq.
79 (6) Patient safety work product for purposes of the Patient
80 Safety and Quality Improvement Act of 2005, 42 U.S.C. ss. 299b-
81 21 et seq.
82 (7) Information derived from any of the health care-related
83 information listed in this section which is deidentified in
84 accordance with the requirements for deidentification under the
85 Health Insurance Portability and Accountability Act of 1996, 42
86 U.S.C. ss. 1320d et seq.
87 (8) Information originating from, and intermingled to be
88 indistinguishable with, or information treated in the same
89 manner as, information exempt under this section which is
90 maintained by a covered entity or business associate as defined
91 by the Health Insurance Portability and Accountability Act of
92 1996, 42 U.S.C. ss. 1320d et seq. or by a program or a qualified
93 service organization as defined by 42 U.S.C. s. 290dd-2.
94 (9) Information included in a limited data set as described
95 by 45 C.F.R. s. 164.514(e), to the extent that the information
96 is used, disclosed, and maintained in the manner specified by 45
97 C.F.R. s. 164.514(e).
98 (10) Information used only for public health activities and
99 purposes as described in 45 C.F.R. s. 164.512.
100 (11) Information collected or used only for public health
101 activities and purposes as authorized by the Health Insurance
102 Portability and Accountability Act of 1996, 42 U.S.C. ss. 1320d
103 et seq.
104 (12) The collection, maintenance, disclosure, sale,
105 communication, or use of any personal data bearing on a
106 consumer’s creditworthiness, credit standing, credit capacity,
107 character, general reputation, personal characteristics, or mode
108 of living by a consumer reporting agency or furnisher that
109 provides information for use in a consumer report, or by a user
110 of a consumer report, but only to the extent that the activity
111 is regulated by and authorized under the Fair Credit Reporting
112 Act, 15 U.S.C. ss. 1681 et seq.
113 (13) Personal data collected, processed, sold, or disclosed
114 in compliance with the Driver’s Privacy Protection Act of 1994,
115 18 U.S.C. ss. 2721 et seq.
116 (14) Personal data regulated by the Family Educational
117 Rights and Privacy Act of 1974, 20 U.S.C. s. 1232g.
118 (15) Personal data collected, processed, sold, or disclosed
119 in compliance with the Farm Credit Act of 1971, 12 U.S.C. ss.
120 2001 et seq.
121 (16) Data processed or maintained in the course of an
122 individual applying to, being employed by, or acting as an agent
123 or independent contractor of a controller, processor, or third
124 party, to the extent that the data is collected and used within
125 the context of that role.
126 (17) Data processed or maintained as the emergency contact
127 information of an individual under this part which is used for
128 emergency contact purposes.
129 (18) Data that is processed or maintained and that is
130 necessary to retain to administer benefits for another
131 individual which relates to an individual described in
132 subsection (16) and which is used for the purposes of
133 administering those benefits.
134 (19) Personal data collected and transmitted which is
135 necessary for the sole purpose of sharing such personal data
136 with a financial service provider solely to facilitate short-
137 term, transactional payment processing for the purchase of
138 products or services.
139 (20) Personal data collected, processed, sold, or disclosed
140 in relation to price, route, or service as those terms are used
141 in the Airline Deregulation Act, 49 U.S.C. ss. 40101 et seq., by
142 entities subject to that act, to the extent the provisions of
143 this act are preempted by 49 U.S.C. s. 41713.
144 (21) Personal data shared between a manufacturer of a
145 tangible product and authorized third-party distributors or
146 vendors of the product, as long as such personal data is used
147 solely for advertising, marketing, or servicing the product that
148 is acquired directly through such manufacturer and such
149 authorized third-party distributors or vendors. Such personal
150 data may not be sold or shared unless otherwise authorized under
151 this part.
152 Section 7. Section 501.705, Florida Statutes, is created to
153 read:
154 501.705 Consumer rights.—
155 (1) A consumer is entitled to exercise the consumer rights
156 authorized by this section at any time by submitting a request
157 to a controller which specifies the consumer rights that the
158 consumer wishes to exercise. With respect to the processing of
159 personal data belonging to a known child, a parent or legal
160 guardian of the child may exercise these rights on behalf of the
161 child.
162 (2) A controller shall comply with an authenticated
163 consumer request to exercise any of the following rights:
164 (a) To confirm whether a controller is processing the
165 consumer’s personal data and to access the personal data.
166 (b) To correct inaccuracies in the consumer’s personal
167 data, taking into account the nature of the personal data and
168 the purposes of the processing of the consumer’s personal data.
169 (c) To delete any or all personal data provided by or
170 obtained about the consumer.
171 (d) To obtain a copy of the consumer’s personal data in a
172 portable and, to the extent technically feasible, readily usable
173 format if the data is available in a digital format.
174 (e) To opt out of the processing of the personal data for
175 purposes of:
176 1. Targeted advertising;
177 2. The sale of personal data; or
178 3. Profiling in furtherance of a decision that produces a
179 legal or similarly significant effect concerning a consumer.
180 (f) To opt out of the collection of sensitive data,
181 including precise geolocation data, or the processing of
182 sensitive data.
183 (g) To opt out of the collection of personal data collected
184 through the operation of a voice recognition or facial
185 recognition feature.
186 (3) A device that has a voice recognition feature, a facial
187 recognition feature, a video recording feature, an audio
188 recording feature, or any other electronic, visual, thermal, or
189 olfactory feature that collects data may not use those features
190 for the purpose of surveillance by the controller, processor, or
191 affiliate of a controller or processor when such features are
192 not in active use by the consumer, unless otherwise expressly
193 authorized by the consumer.
194
195 ================= T I T L E A M E N D M E N T ================
196 And the title is amended as follows:
197 After line 185
198 insert:
199 Between lines 18 and 19
200 insert:
201 prohibiting certain devices from being used for
202 surveillance purposes without the express
203 authorization of the consumer under certain
204 circumstances;