Florida Senate - 2023 SB 262 By Senator Bradley 6-01845D-23 2023262__

A bill to be entitled
An act relating to technology transparency; creating s. 112.23, F.S.; defining terms; prohibiting officers or salaried employees of governmental entities from using their positions or state resources to make certain requests of social media platforms; prohibiting governmental entities from initiating or maintaining agreements or working relationships with social media platforms under a specified circumstance; providing exceptions; creating s. 501.173, F.S.; providing applicability; defining terms; prohibiting a controller from collecting certain consumer information without the consumer’s authorization; requiring controllers that collect a consumer’s personal information to disclose certain information regarding data collection and selling practices to the consumer at or before the point of collection; specifying that such information may be provided through a general privacy policy or through a notice informing the consumer that additional specific information will be provided upon a certain request; prohibiting controllers from collecting additional categories of personal information or using personal information for additional purposes without notifying the consumer; requiring controllers that collect personal information to implement reasonable security procedures and practices to protect such information; authorizing consumers to request controllers to disclose the specific personal information the controller has collected about the consumer; requiring controllers to make available two or more methods for consumers to request their personal information; requiring controllers to provide such information free of charge within a certain timeframe and in a certain format upon receiving a verifiable consumer request; specifying requirements for third parties with respect to consumer information acquired or used; providing construction; authorizing consumers to request controllers to delete or correct personal information collected by the controllers; providing exceptions; specifying requirements for controllers to comply with deletion or correction requests; authorizing consumers to opt out of third-party disclosure of personal information collected by a controller; prohibiting controllers from selling or disclosing the personal information of consumers younger than a certain age, except under certain circumstances; prohibiting controllers from selling or sharing a consumer’s information if the consumer has opted out of such disclosure; prohibiting controllers from taking certain actions to retaliate against consumers who exercise certain rights; providing applicability; providing that a contract or agreement that waives or limits certain consumer rights is void and unenforceable; authorizing the Department of Legal Affairs to bring an action under the Florida Deceptive and Unfair Trade Practices Act and to adopt rules; requiring the department to submit an annual report to the Legislature; providing report requirements; providing that controllers must have a specified timeframe to cure any violations; providing jurisdiction; declaring that the act is a matter of statewide concern; preempting the collection, processing, sharing, and sale of consumer personal information to the state; amending s. 501.171, F.S.; revising the definition of “personal information”; amending s. 16.53, F.S.; requiring that certain attorney fees, costs, and penalties recovered by the Attorney General be deposited in the Legal Affairs Revolving Trust Fund; providing an effective date.

Be It Enacted by the Legislature of the State of Florida:

Section 1. Section 112.23, Florida Statutes, is created to read:
112.23 Government-directed content moderation of social media platforms prohibited.—
(1) As used in this section, the term:
(a) “Social media platform” means a form of electronic communication through which users create online communities to share information, ideas, personal messages, and other content.
(b) “Governmental entity” means any state, county, district, authority, or municipal officer, department, division, board, bureau, commission, or other separate unit of government created or established by law, including, but not limited to, the Commission on Ethics, the Public Service Commission, the Office of Public Counsel, and any other public or private agency, person, partnership, corporation, or business entity acting on behalf of any public agency.
(2) An officer or a salaried employee of a governmental entity may not use his or her position or any state resources to communicate with a social media platform to request that it remove content or accounts from the social media platform.
(3) A governmental entity, or an officer or a salaried employee acting on behalf of a governmental entity, may not initiate or maintain any agreements or working relationships with a social media platform for the purpose of content moderation.
(4) Subsections (2) and (3) do not apply if the governmental entity or an officer or a salaried employee acting on behalf of a governmental entity is acting as part of any of the following:
(a) Routine account management of the governmental entity’s account.
(b) An attempt to remove content or an account that pertains to the commission of a crime or violation of this state’s public records law.
(c) An investigation or inquiry related to public safety.

Section 2. Section 501.173, Florida Statutes, is created to read:
501.173 Consumer data privacy.—
(1) APPLICABILITY.—This section does not apply to:
(a) Personal information collected and transmitted which is necessary for the sole purpose of sharing such personal information with a financial service provider solely to facilitate short-term, transactional payment processing for the purchase of products or services.
(b) Personal information collected, used, retained, sold, shared, or disclosed as deidentified personal information or aggregate consumer information.
(c) Compliance with federal, state, or local laws.
(d) Compliance with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, or local authorities.
(e) Cooperation with law enforcement agencies concerning conduct or activity that the controller, processor, or third party reasonably and in good faith believes may violate federal, state, or local law.
(f) Exercising or defending legal rights, claims, or privileges.
(g) Personal information collected through the controller’s direct interactions with the consumer, if collected in accordance with this section, which is used by the controller or the processor that the controller directly contracts with for advertising or marketing services to advertise or market products or services that are produced or offered directly by the controller. Such information may not be sold, shared, or disclosed unless otherwise authorized under this section.
(h) Personal information of a person acting in the role of a job applicant, employee, owner, director, officer, contractor, volunteer, or intern of a controller which is collected by a controller, to the extent the personal information is collected and used solely within the context of the person’s role or former role with the controller. For purposes of this paragraph, personal information includes employee benefit information.
(i) Protected health information for purposes of the federal Health Insurance Portability and Accountability Act of 1996 and related regulations, and patient identifying information for purposes of 42 C.F.R. part 2, established pursuant to 42 U.S.C. s. 290dd-2.
(j) An entity or business associate governed by the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services in 45 C.F.R. parts 160 and 164, or a program or a qualified service program as defined in 42 C.F.R. part 2, to the extent the entity, business associate, or program maintains personal information in the same manner as medical information or protected health information as described in paragraph (i), and as long as the entity, business associate, or program does not use personal information for targeted advertising with third parties and does not sell or share personal information to a third party unless such sale or sharing is covered by an exception under this section.
(k) Identifiable private information collected for purposes of research as defined in 45 C.F.R. s. 164.501 conducted in accordance with the Federal Policy for the Protection of Human Subjects for purposes of 45 C.F.R. part 46, the good clinical practice guidelines issued by the International Council for Harmonisation of Technical Requirements for Pharmaceuticals for Human Use, or the Federal Policy for the Protection for Human Subjects for purposes of 21 C.F.R. parts 50 and 56, or personal information used or shared in research conducted in accordance with one or more of these standards.
(l) Information and documents created for purposes of the federal Health Care Quality Improvement Act of 1986 and related regulations, or patient safety work product for purposes of 42 C.F.R. part 3, established pursuant to 42 U.S.C. s. 299b-21 through 299b-26.
(m) Information that is deidentified in accordance with 45 C.F.R. part 164 and derived from individually identifiable health information as described in the Health Insurance Portability and Accountability Act of 1996, or identifiable personal information, consistent with the Federal Policy for the Protection of Human Subjects or the human subject protection requirements of the United States Food and Drug Administration.
(n) Information used only for public health activities and purposes as described in 45 C.F.R. s. 164.512.
(o) Personal information collected, processed, sold, or disclosed pursuant to the federal Fair Credit Reporting Act, 15 U.S.C. s. 1681 and implementing regulations.
(p) Nonpublic personal information collected, processed, sold, or disclosed pursuant to the Gramm-Leach-Bliley Act, 15 U.S.C. s. 6801 et seq., and implementing regulations.
(q) A financial institution as defined in the Gramm-Leach-Bliley Act, 15 U.S.C. s. 6801 et seq., to the extent the financial institution maintains personal information in the same manner as nonpublic personal information as described in paragraph (p), and as long as such financial institution does not use personal information for targeted advertising with third parties and does not sell or share personal information to a third party unless such sale or sharing is covered by an exception under this section.
(r) Personal information collected, processed, sold, or disclosed pursuant to the federal Driver’s Privacy Protection Act of 1994, 18 U.S.C. s. 2721 et seq.
(s) Education information covered by the Family Educational Rights and Privacy Act, 20 U.S.C. s. 1232(g) and 34 C.F.R. part 99.
(t) Information collected as part of public or peer-reviewed scientific or statistical research in the public interest and which adheres to all other applicable ethics and privacy laws, if the consumer has provided informed consent. Research with personal information must be subjected by the controller conducting the research to additional security controls that limit access to the research data to only those individuals necessary to carry out the research purpose, and such personal information must be subsequently deidentified.
(u) Personal information disclosed for the purpose of responding to an alert of a present risk of harm to a person or property or prosecuting those responsible for that activity.
(v) Personal information disclosed when a consumer uses or directs a controller to intentionally disclose information to a third party or uses the controller to intentionally interact with a third party. An intentional interaction occurs when the consumer intends to interact with the third party, by one or more deliberate interactions. Hovering over, muting, pausing, or closing a given piece of content does not constitute a consumer’s intent to interact with a third party.
(w) An identifier used for a consumer who has opted out of the sale or sharing of the consumer’s personal information for the sole purpose of alerting processors and third parties that the consumer has opted out of the sale or sharing of the consumer’s personal information.
(x) Personal information transferred by a controller to a third party as an asset that is part of a merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the controller, provided that the information is used or shared consistently with this section. If a third party materially alters how it uses or shares the personal information of a consumer in a manner that is materially inconsistent with the commitments or promises made at the time of collection, it must provide prior notice of the new or changed practice to the consumer. The notice must be sufficiently prominent and robust to ensure that consumers can easily exercise choices consistent with this section.
(y) Personal information necessary to fulfill the terms of a written warranty when such warranty was purchased by the consumer or the product that is warranted was purchased by the consumer. Such information may not be sold or shared unless otherwise authorized under this section.
(z) Personal information necessary for a product recall for a product purchased or owned by the consumer conducted in accordance with federal law. Such information may not be sold or shared unless otherwise authorized under this section.
(aa) Personal information processed solely for the purpose of independently measuring or reporting advertising or content performance, reach, or frequency pursuant to a contract with a controller that collected personal information in accordance with this section. Such information may not be sold or shared unless otherwise authorized under this section.
(bb) Personal information shared between a manufacturer of a tangible product and authorized third-party distributors or vendors of the product, as long as such personal information is used solely for advertising, marketing, or servicing the product that is acquired directly through such manufacturer and such authorized third-party distributors or vendors. Such personal information may not be sold or shared unless otherwise authorized under this section.
(2) DEFINITIONS.—As used in this section, the term:
(a) “Aggregate consumer information” means information that relates to a group or category of consumers, from which the identity of an individual consumer has been removed and is not reasonably capable of being directly or indirectly associated or linked with any consumer, household, or device. The term does not include information about a group or category of consumers used to facilitate targeted advertising or the display of ads online. The term does not include personal information that has been deidentified.
(b) “Biometric information” means an individual’s physiological, biological, or behavioral characteristics that can be used, singly or in combination with each other or with other identifying data, to establish individual identity. The term includes, but is not limited to, imagery of the iris, retina, fingerprint, face, hand, palm, vein patterns, and voice recordings, from which an identifier template, such as a faceprint, a minutiae template, or a voiceprint, can be extracted, and keystroke patterns or rhythms, gait patterns or rhythms, and sleep, health, or exercise data that contain identifying information.
(c) “Collect” means to buy, rent, gather, obtain, receive, or access any personal information pertaining to a consumer by any means. The term includes, but is not limited to, actively or passively receiving information from the consumer or by observing the consumer’s behavior or actions.
(d) “Consumer” means a natural person who resides in or is domiciled in this state, however identified, including by any unique identifier, who is acting in a personal capacity or household context. The term does not include a natural person acting on behalf of a legal entity in a commercial or employment context.
(e) “Controller” means:
1. A sole proprietorship, partnership, limited liability company, corporation, association, or legal entity that meets the following requirements:
a. Is organized or operated for the profit or financial benefit of its shareholders or owners;
b. Does business in this state;
c. Collects personal information about consumers, or is the entity on behalf of which such information is collected;
d. Determines the purposes and means of processing personal information about consumers alone or jointly with others;
e. Makes in excess of $1 billion in gross revenues, as adjusted in January of every odd-numbered year to reflect any increase in the Consumer Price Index; and
f. Satisfies one of the following:
(I) Derives 50 percent or more of its global annual revenues from providing targeted advertising or the sale of ads online; or
(II) Operates a consumer smart speaker and voice command component service with an integrated virtual assistant connected to a cloud computing service that uses hands-free verbal activation. For purposes of this sub-sub-subparagraph, a consumer smart speaker and voice command component service does not include a motor vehicle or speaker or device associated with or connected to a vehicle.
2. Any entity that controls or is controlled by a controller. As used in this subparagraph, the term “control” means:
a. Ownership of, or the power to vote, more than 50 percent of the outstanding shares of any class of voting security of a controller;
b. Control in any manner over the election of a majority of the directors, or of individuals exercising similar functions; or
c. The power to exercise a controlling influence over the management of a company.
(f) “Deidentified” means information that cannot reasonably be used to infer information about or otherwise be linked to a particular consumer, provided that the controller that possesses the information:
1. Takes reasonable measures to ensure that the information cannot be associated with a specific consumer;
2. Maintains and uses the information in deidentified form and does not attempt to reidentify the information, except that the controller may attempt to reidentify the information solely for the purpose of determining whether its deidentification processes satisfy the requirements of this paragraph;
3. Contractually obligates any recipients of the information to comply with all provisions of this paragraph to avoid reidentifying such information; and
4. Implements business processes to prevent the inadvertent release of deidentified information.
(g) “Department” means the Department of Legal Affairs.
(h) “Device” means a physical object associated with a consumer or household capable of directly or indirectly connecting to the Internet.
(i) “Genetic information” means information about an individual’s deoxyribonucleic acid (DNA).
(j) “Homepage” means the introductory page of an Internet website and any Internet webpage where personal information is collected. In the case of a mobile application, the homepage is the application’s platform page or download page, a link within the application, such as the “About” or “Information” application configurations, or the settings page, and any other location that allows consumers to review the notice required by subsection (7), including, but not limited to, before downloading the application.
(k) “Household” means a natural person or a group of people in this state who reside at the same address, share a common device or the same service provided by a controller, and are identified by a controller as sharing the same group account or unique identifier.
(l) “Personal information” means information that is linked or reasonably linkable to an identified or identifiable consumer or household, including biometric information, genetic information, and unique identifiers to the consumer.
1. The term includes, but is not limited to, the following:
a. Identifiers such as a real name, alias, postal address, unique identifier, online identifier, internet protocol address, email address, account name, social security number, driver license number, passport number, or other similar identifiers.
b. Information that identifies, relates to, or describes, or could be associated with, a particular individual, including, but not limited to, a name, signature, social security number, physical characteristics or description, address, location, telephone number, passport number, driver license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information.
c. Characteristics of protected classifications under state or federal law.
d. Commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.
e. Biometric information.
f. Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an Internet website, application, or advertisement.
g. Geolocation data.
h. Audio, electronic, visual, thermal, olfactory, or similar information.
i. Inferences drawn from any of the information identified in this paragraph to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.
2. The term does not include consumer information that is:
a. Consumer employment contact information, including a position name or title, employment qualifications, emergency contact information, business telephone number, business electronic mail address, employee benefit information, and similar information used solely in an employment context.
b. Deidentified or aggregate consumer information.
c. Publicly and lawfully available information reasonably believed to be made available to the general public in a lawful manner and without legal restrictions:
(I) From federal, state, or local government records.
(II) By a widely distributed media source.
(III) By the consumer or by someone to whom the consumer disclosed the information unless the consumer has purposely and effectively restricted the information to a certain audience on a private account.
(m) “Precise geolocation data” means information from technology, such as global positioning system level latitude and longitude coordinates or other mechanisms, which directly identifies the specific location of a natural person with precision and accuracy within a radius of 1,750 feet. The term does not include information generated by the transmission of communications or any information generated by or connected to advanced utility metering infrastructure systems or equipment for use by a utility.
(n) “Processing” means any operation or set of operations performed on personal information or on sets of personal information, regardless of whether by automated means.
(o) “Processor” means a sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners, that processes information on behalf of a controller and to which the controller discloses a consumer’s personal information pursuant to a written contract, provided that the contract prohibits the entity receiving the information from retaining, using, or disclosing the personal information for any purpose other than for the specific purpose of performing the services specified in the contract for the controller, as authorized by this section.
(p) “Sell” means to sell, rent, release, disclose, disseminate, make available, transfer, or otherwise communicate orally, in writing, or by electronic or other means, a consumer’s personal information or information that relates to a group or category of consumers by a controller to another controller or a third party for monetary or other valuable consideration.
(q) “Share” means to share, rent, release, disclose, disseminate, make available, transfer, or access a consumer’s personal information for advertising or marketing. The term includes:
1. Allowing a third party to advertise or market to a consumer based on a consumer’s personal information without disclosure of the personal information to the third party.
2. Monetary transactions, nonmonetary transactions, and transactions for other valuable consideration between a controller and a third party for advertising or marketing.
(r) “Targeted advertising” means marketing to a consumer or displaying an advertisement to a consumer when the advertisement is selected based on personal information used to predict such consumer’s preferences or interests.
(s) “Third party” means a person who is not a controller or a processor.
(t) “Unique identifier” means a persistent identifier that can be used to recognize a consumer, a family, or a device that is linked to a consumer or a family, over time and across different services, including, but not limited to, a device identifier; an Internet Protocol address; cookies, beacons, pixel tags, mobile ad identifiers, or similar technology; a customer number, unique pseudonym, or user alias; telephone numbers, or other forms of persistent or probabilistic identifiers that can be used to identify a particular consumer, family, or device that is linked to a consumer or family. As used in this paragraph, the term “family” means a custodial parent or guardian and any minor children of whom the parent or guardian has custody, or a household as defined in paragraph (k).
(u) “Verifiable consumer request” means a request made by a consumer, by a parent or guardian on behalf of a consumer who is a minor child, or by a person authorized by the consumer to act on the consumer’s behalf, that the controller can reasonably verify to be the consumer, pursuant to rules adopted by the department. A verifiable consumer request is presumed to have been made when requested through an established account using the controller’s established security features to access the account through communication features offered to consumers, but a controller may not require the consumer to create or have an account with the controller in order to make a verifiable consumer request.
(v) “Voice recognition feature” means the function of a device which enables the collection, recording, storage, analysis, transmission, interpretation, or other use of spoken words or other sounds.
(3) CONTROLLER REQUIREMENTS; CONSUMER DATA COLLECTION REQUIREMENTS AND RESPONSIBILITIES.—
(a) A controller may not collect, without the consumer’s authorization, a consumer’s precise geolocation data or personal information through the operation of a voice recognition feature.
(b) A controller that operates a search engine shall provide a consumer with information on how the controller’s search engine algorithm prioritizes or deprioritizes political partisanship or political ideology in its search results.
(c) A controller that collects personal information about consumers shall maintain an up-to-date online privacy policy and make such policy available on its homepage. The online privacy policy must include the following information:
1. Any Florida-specific consumer privacy rights.
2. A list of the types and categories of personal information that the controller collects, sells, or shares, or has collected, sold, or shared, about consumers.
3. The consumer’s right to request deletion or correction of certain personal information.
4. The consumer’s right to opt out of the sale or sharing to third parties.
(d) A controller that collects personal information from the consumer shall, at or before the point of collection, inform, or direct the processor to inform, consumers of the categories of personal information to be collected and the purposes for which such categories of personal information will be used.
(e) A controller may not collect additional categories of personal information or use personal information collected for additional purposes without providing the consumer with notice consistent with this section.
(f) A controller that collects a consumer’s personal information shall implement and maintain reasonable security procedures and practices appropriate to the nature of the personal information to protect such personal information from unauthorized or illegal access, destruction, use, modification, or disclosure. A controller shall require any processors to implement and maintain the same or similar security procedures and practices for personal information.
(g) A controller shall adopt and implement a retention schedule that prohibits the use or retention of personal information not subject to an exemption by the controller or processor after the satisfaction of the initial purpose for which such information was collected or obtained, after the expiration or termination of the contract pursuant to which the information was collected or obtained, or 2 years after the consumer’s last interaction with the controller. This paragraph does not apply to personal information reasonably used or retained to do any of the following:
1. Fulfill the terms of a written warranty or product recall conducted in accordance with federal law.
2. Provide a good or service requested by the consumer, or reasonably anticipate the request of such good or service within the context of a controller’s ongoing business relationship with the consumer.
3. Detect security threats or incidents; protect against malicious, deceptive, fraudulent, unauthorized, or illegal activity or access; or prosecute those responsible for such activity or access.
4. Debug to identify and repair errors that impair existing intended functionality.
5. Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest which adheres to all other applicable ethics and privacy laws when the controller’s deletion of the information is likely to render impossible or seriously impair the achievement of such research, if the consumer has provided informed consent.
6. Enable solely internal uses that are reasonably aligned with the expectations of the consumer based on the consumer’s relationship with the controller or that are compatible with the context in which the consumer provided the information.
7. Comply with a legal obligation, including any state or federal retention laws.
8. Protect the controller’s interests against existing disputes, legal action, or governmental investigations.
9. Assure the physical security of persons or property.
(4) CONSUMER RIGHT TO REQUEST COPY OF PERSONAL INFORMATION COLLECTED, SOLD, OR SHARED.—
(a) A consumer has the right to request that a controller that collects, sells, or shares personal information about the consumer disclose the following to the consumer:
1. The specific pieces of personal information which have been collected about the consumer.
2. The categories of sources from which the consumer’s personal information was collected.
3. The specific pieces of personal information about the consumer which were sold or shared.
4. The third parties to which the personal information about the consumer was sold or shared.
5. The categories of personal information about the consumer which were disclosed to a processor.
(b) A controller that collects, sells, or shares personal information about a consumer shall disclose the information specified in paragraph (a) to the consumer upon receipt of a verifiable consumer request.
(c) This subsection does not require a controller to retain, reidentify, or otherwise link any data that, in the ordinary course of business, is not maintained in a manner that would be considered personal information.
(d) The controller shall deliver to a consumer the information required under this subsection or act on a request made under this subsection by a consumer free of charge within 45 calendar days after receiving a verifiable consumer request. The response period may be extended once by 45 additional calendar days when reasonably necessary, provided the controller informs the consumer of any such extension within the initial 45-day response period and the reason for the extension. The information must be delivered in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the data to another entity without hindrance. A controller may provide the data to the consumer in a manner that does not disclose the controller’s trade secrets. A controller is not obligated to provide information to the consumer if the consumer or a person authorized to act on the consumer’s behalf does not provide verification of identity or verification of authorization to act with the permission of the consumer.
(e) A controller may provide personal information to a consumer at any time, but is not required to provide personal information to a consumer more than twice in a 12-month period.
(f) This subsection does not apply to personal information relating solely to households.
(5) RIGHT TO HAVE PERSONAL INFORMATION DELETED OR CORRECTED.—
(a) A consumer has the right to request that a controller delete any personal information about the consumer or about the consumer’s child younger than 18 years of age which the controller has collected.
1. A controller that receives a verifiable consumer request to delete the consumer’s personal information shall delete the consumer’s personal information from its records and direct any processors to delete such information within 90 calendar days after receipt of the verifiable consumer request.
2. A controller or a processor acting pursuant to its contract with the controller may not be required to comply with a consumer’s request to delete the consumer’s personal information if it is reasonably necessary for the controller or processor to maintain the consumer’s personal information to do any of the following:
a. Complete the transaction for which the personal information was collected.
b. Fulfill the terms of a written warranty or product recall conducted in accordance with federal law.
c. Provide a good or service requested by the consumer, or reasonably anticipate the request of such good or service within the context of a controller’s ongoing business relationship with the consumer, or otherwise perform a contract between the controller and the consumer.
d. Detect security threats or incidents; protect against malicious, deceptive, fraudulent, unauthorized, or illegal activity or access; or prosecute those responsible for such activity or access.
e. Debug to identify and repair errors that impair existing intended functionality.
f.
Engage in public or peer-reviewed scientific, 659 historical, or statistical research in the public interest which 660 adheres to all other applicable ethics and privacy laws when the 661 controller’s deletion of the information is likely to render 662 impossible or seriously impair the achievement of such research, 663 if the consumer has provided informed consent. 664 g. Enable solely internal uses that are reasonably aligned 665 with the expectations of the consumer based on the consumer’s 666 relationship with the controller or that are compatible with the 667 context in which the consumer provided the information. 668 h. Comply with a legal obligation, including any state or 669 federal retention laws. 670 i. Protect the controller’s interests against existing 671 disputes, legal action, or governmental investigations. 672 j. Assure the physical security of persons or property. 673 (b) A consumer has the right to request that a controller 674 correct inaccurate personal information maintained by the 675 controller about the consumer or about the consumer’s child 676 younger than 18 years of age. A controller that receives a 677 verifiable consumer request to correct inaccurate personal 678 information shall use commercially reasonable efforts to correct 679 the inaccurate personal information as directed by the consumer 680 and shall direct any processors to correct such information 681 within 90 calendar days after receipt of the verifiable consumer 682 request. If a controller maintains a self-service mechanism to 683 allow a consumer to correct certain personal information, the 684 controller may require the consumer to correct their own 685 personal information through such mechanism. 
A controller or a 686 processor acting pursuant to its contract with the controller 687 may not be required to comply with a consumer’s request to 688 correct the consumer’s personal information if it is reasonably 689 necessary for the controller or processor to maintain the 690 consumer’s personal information to do any of the following: 691 1. Complete the transaction for which the personal 692 information was collected. 693 2. Fulfill the terms of a written warranty or product 694 recall conducted in accordance with federal law. 695 3. Detect security threats or incidents; protect against 696 malicious, deceptive, fraudulent, unauthorized, or illegal 697 activity or access; or prosecute those responsible for such 698 activity or access. 699 4. Debug to identify and repair errors that impair existing 700 intended functionality. 701 5. Enable solely internal uses that are reasonably aligned 702 with the expectations of the consumer based on the consumer’s 703 relationship with the controller or that are compatible with the 704 context in which the consumer provided the information. 705 6. Comply with a legal obligation, including any state or 706 federal retention laws. 707 7. Protect the controller’s interests against existing 708 disputes, legal action, or governmental investigations. 709 8. Assure the physical security of persons or property. 710 (6) RIGHT TO OPT OUT OF THE SALE OR SHARING OF PERSONAL 711 INFORMATION.— 712 (a) A consumer has the right at any time to direct a 713 controller not to sell or share the consumer’s personal 714 information to a third party. This right may be referred to as 715 the right to opt out. 716 (b) Notwithstanding paragraph (a), a controller may not 717 sell or share the personal information of a minor consumer if 718 the controller has actual knowledge that the consumer is not 18 719 years of age or older. 
However, if a consumer who is between 13 720 and 18 years of age, or if the parent or guardian of a consumer 721 who is 12 years of age or younger, has affirmatively authorized 722 the sale or sharing of such consumer’s personal information, 723 then a controller may sell or share such information in 724 accordance with this section. A controller that willfully 725 disregards the consumer’s age is deemed to have actual knowledge 726 of the consumer’s age. A controller that complies with the 727 verifiable parental consent requirements of the Children’s 728 Online Privacy Protection Act, 15 U.S.C. s. 6501 et seq., shall 729 be deemed compliant with any obligation to obtain parental 730 consent. 731 (c) A controller that has received direction from a 732 consumer opting out of the sale or sharing of the consumer’s 733 personal information is prohibited from selling or sharing the 734 consumer’s personal information beginning 4 calendar days after 735 receipt of such direction, unless the consumer subsequently 736 provides express authorization for the sale or sharing of the 737 consumer’s personal information. 738 (7) FORM TO OPT OUT OF SALE OR SHARING OF PERSONAL 739 INFORMATION.— 740 (a) A controller shall: 741 1. In a form that is reasonably accessible to consumers, 742 provide a clear and conspicuous link on the controller’s 743 Internet homepage, entitled “Do Not Sell or Share My Personal 744 Information,” to an Internet webpage that enables a consumer, a 745 parent or guardian of a minor who is a consumer, or a person 746 authorized by the consumer, to opt out of the sale or sharing of 747 the consumer’s personal information. A controller may not 748 require a consumer to create an account in order to direct the 749 controller not to sell or share the consumer’s personal 750 information. 
A controller may accept a request to opt out 751 received through a user-enabled global privacy control, such as 752 a browser plug-in or privacy setting, device setting, or other 753 mechanism, which communicates or signals the consumer’s choice 754 to opt out. 755 2. For consumers who opted out of the sale or sharing of 756 their personal information, respect the consumer’s decision to 757 opt out for at least 12 months before requesting that the 758 consumer authorize the sale or sharing of the consumer’s 759 personal information. 760 3. Use any personal information collected from the consumer 761 in connection with the submission of the consumer’s opt-out 762 request solely for the purposes of complying with the opt-out 763 request. 764 (b) A consumer may authorize another person to opt out of 765 the sale or sharing of the consumer’s personal information on 766 the consumer’s behalf pursuant to rules adopted by the 767 department. 768 (8) ACTIONS RELATED TO CONSUMERS WHO EXERCISE PRIVACY 769 RIGHTS.— 770 (a) A controller may not deny goods or services to a 771 consumer because the consumer exercised any of the consumer’s 772 rights under this section. 773 (b) A controller may charge a consumer who exercised any of 774 the consumer’s rights under this section a different price or 775 rate, or provide a different level or quality of goods or 776 services to the consumer, only if that difference is reasonably 777 related to the value provided to the controller by the 778 consumer’s data or is related to a consumer’s voluntary 779 participation in a financial incentive program, including a bona 780 fide loyalty, rewards, premium features, discounts, or club card 781 program offered by the controller. 
782 (c) A controller may offer financial incentives, including 783 payments to consumers as compensation, for the collection, 784 sharing, sale, or deletion of personal information if the 785 consumer gives the controller prior consent that clearly 786 describes the material terms of the financial incentive program. 787 The consent may be revoked by the consumer at any time. 788 (d) A controller may not use financial incentive practices 789 that are unjust, unreasonable, coercive, or usurious in nature. 790 (9) CONTRACTS AND ROLES.— 791 (a) Any contract or agreement between a controller and a 792 processor must: 793 1. Prohibit the processor from selling, sharing, retaining, 794 using, or disclosing the personal information for any purpose 795 that violates this section; 796 2. Prohibit the processor from retaining, using, or 797 disclosing the personal information other than for the purposes 798 specified in the contract or agreement; 799 3. Prohibit the processor from combining the personal 800 information that the processor receives from or on behalf of the 801 controller with personal information that the processor receives 802 from or on behalf of another person or that the processor 803 collects from its own interaction with the consumer, provided 804 that the processor may combine personal information to perform 805 any purpose specified in the contract or agreement and such 806 combination is reported to the controller; 807 4. Govern the processor’s personal information processing 808 procedures with respect to processing performed on behalf of the 809 controller, including processing instructions, the nature and 810 purpose of processing, the type of information subject to 811 processing, the duration of processing, and the rights and 812 obligations of both the controller and processor; 813 5. 
Require the processor to return or delete all personal 814 information under the contract to the controller as requested by 815 the controller at the end of the provision of services, unless 816 retention of the information is required by law; and 817 6. Upon request of the controller, require the processor to 818 make available to the controller all personal information in its 819 possession under the contract or agreement. 820 (b) Determining whether a person is acting as a controller 821 or processor with respect to a specific processing of data is a 822 fact-based determination that depends upon the context in which 823 personal information is to be processed. The contract between a 824 controller and processor must reflect their respective roles and 825 relationships related to handling personal information. A 826 processor that continues to adhere to a controller’s 827 instructions with respect to a specific processing of personal 828 information remains a processor. 829 (c) A third party that has collected personal information 830 from a controller in accordance with this section: 831 1. May not sell or share personal information about a 832 consumer unless the consumer is provided an opportunity by such 833 third party to opt out under this section. Once a third party 834 sells or shares personal information after providing the 835 opportunity to opt out, the third party becomes a controller 836 under this section if the entity meets the definition of 837 controller in subsection (2). 838 2. May use such personal information from a controller to 839 advertise or market products or services that are produced or 840 offered directly by such third party. 841 (d) A processor or third party must require any 842 subcontractor to meet the same obligations of such processor or 843 third party with respect to personal information. 
844 (e) A processor or third party or any subcontractor thereof 845 who violates any of the restrictions imposed upon it under this 846 section is liable or responsible for any failure to comply with 847 this section. A controller that discloses personal information 848 to a third party or processor in compliance with this section is 849 not liable or responsible if the person receiving the personal 850 information uses it without complying with the restrictions 851 under this section if, provided that at the time of disclosing 852 the personal information, the controller does not have actual 853 knowledge or reason to believe that the person does not intend 854 to comply with this section. 855 (f) Any provision of a contract or agreement of any kind 856 that waives or limits in any way a consumer’s rights under this 857 section, including, but not limited to, any right to a remedy or 858 means of enforcement, is deemed contrary to public policy and is 859 void and unenforceable. This section does not prevent a consumer 860 from declining to exercise the consumer’s rights under this 861 section. 862 (10) ENFORCEMENT AND IMPLEMENTATION BY THE DEPARTMENT.— 863 (a) Any violation of this section is an unfair and 864 deceptive trade practice actionable under part II of chapter 501 865 solely by the department against a controller, processor, or 866 third party. If the department has reason to believe that any 867 controller, processor, or third party is in violation of this 868 section, the department, as the enforcing authority, may bring 869 an action against such controller, processor, or third party for 870 an unfair or deceptive act or practice. For the purpose of 871 bringing an action pursuant to this section, ss. 501.211 and 872 501.212 do not apply. In addition to other remedies under part 873 II of chapter 501, the department may collect a civil penalty of 874 up to $50,000 per violation of this section. 
Civil penalties may 875 be tripled for the following violations: 876 1. Any violation involving a Florida consumer who the 877 controller, processor, or third party has actual knowledge is 18 878 years of age or younger. 879 2. Failure to delete or correct the consumer’s personal 880 information pursuant to this section after receiving a 881 verifiable consumer request or directions from a controller to 882 delete or correct such personal information unless the 883 controller, processor, or third party qualifies for an exception 884 to the requirements to delete or correct such personal 885 information under this section. 886 3. Continuing to sell or share the consumer’s personal 887 information after the consumer chooses to opt out under this 888 section. 889 (b) After the department has notified a controller, 890 processor, or third party in writing of an alleged violation, 891 the department may in its discretion grant a 45-day period to 892 cure the alleged violation. The 45-day cure period does not 893 apply to a violation of subparagraph (a)1. The department may 894 consider the number and frequency of violations, the substantial 895 likelihood of injury to the public, and the safety of persons or 896 property when determining whether to grant 45 calendar days to 897 cure and the issuance of a letter of guidance. If the violation 898 is cured to the satisfaction of the department and proof of such 899 cure is provided to the department, the department may not bring 900 an action for the alleged violation but in its discretion may 901 issue a letter of guidance that indicates that the controller, 902 processor, or person will not be offered a 45-day cure period 903 for any future violations. If the controller, processor, or 904 third party fails to cure the violation within 45 calendar days, 905 the department may bring an action against the controller, 906 processor, or third party for the alleged violation. 
907 (c) Any action brought by the department may be brought 908 only on behalf of a Florida consumer. 909 (d) By February 1 of each year, the department shall submit 910 a report to the President of the Senate and the Speaker of the 911 House of Representatives describing any actions taken by the 912 department to enforce this section. Such report must be made 913 publicly available on the department’s website. The report must 914 include statistics and relevant information detailing: 915 1. The number of complaints received and the categories or 916 types of violations alleged by the complainant; 917 2. The number and type of enforcement actions taken and the 918 outcomes of such actions, including the amount of penalties 919 issued and collected; 920 3. The number of complaints resolved without the need for 921 litigation; and 922 4. The status of the development and implementation of 923 rules to implement this section. 924 (e) The department may adopt rules to implement this 925 section, including standards for verifiable consumer requests, 926 enforcement, data security, and authorized persons who may act 927 on a consumer’s behalf. 928 (f) The department may collaborate and cooperate with other 929 enforcement authorities of the federal government or other state 930 governments concerning consumer data privacy issues and consumer 931 data privacy investigations if such enforcement authorities have 932 restrictions governing confidentiality at least as stringent as 933 the restrictions provided in this section. 934 (g) Liability for a tort, contract claim, or consumer 935 protection claim that is unrelated to an action brought under 936 this subsection does not arise solely from the failure of a 937 controller, processor, or third party to comply with this 938 section. 939 (h) This section does not establish a private cause of 940 action. 
941 (i) The department may employ or use the legal services of 942 outside counsel and the investigative services of outside 943 personnel to fulfill the obligations of this section. 944 (11) JURISDICTION.—For purposes of bringing an action 945 pursuant to subsection (10), any person who meets the definition 946 of controller as defined in this section which collects, shares, 947 or sells the personal information of Florida consumers is 948 considered to be both engaged in substantial and not isolated 949 activities within this state and operating, conducting, engaging 950 in, or carrying on a business, and doing business in this state, 951 and is therefore subject to the jurisdiction of the courts of 952 this state. 953 (12) PREEMPTION.—This section is a matter of statewide 954 concern and supersedes all rules, regulations, codes, 955 ordinances, and other laws adopted by a city, county, city and 956 county, municipality, or local agency regarding the collection, 957 processing, sharing, or sale of consumer personal information by 958 a controller or processor. The regulation of the collection, 959 processing, sharing, or sale of consumer personal information by 960 a controller or processor is preempted to the state. 961 Section 3. Paragraph (g) of subsection (1) of section 962 501.171, Florida Statutes, is amended to read: 963 501.171 Security of confidential personal information.— 964 (1) DEFINITIONS.—As used in this section, the term: 965 (g)1. “Personal information” means either of the following: 966 a. 
An individual’s first name or first initial and last 967 name in combination with any one or more of the following data 968 elements for that individual: 969 (I) A social security number; 970 (II) A driver license or identification card number, 971 passport number, military identification number, or other 972 similar number issued on a government document used to verify 973 identity; 974 (III) A financial account number or credit or debit card 975 number, in combination with any required security code, access 976 code, or password that is necessary to permit access to an 977 individual’s financial account; 978 (IV) Any information regarding an individual’s medical 979 history, mental or physical condition, or medical treatment or 980 diagnosis by a health care professional;or981 (V) An individual’s health insurance policy number or 982 subscriber identification number and any unique identifier used 983 by a health insurer to identify the individual; 984 (VI) An individual’s biometric information or genetic 985 information as defined in s. 501.173(2); or 986 (VII) Any information regarding an individual’s 987 geolocation. 988 b. A user name or e-mail address, in combination with a 989 password or security question and answer that would permit 990 access to an online account. 991 2. The term does not include information about an 992 individual that has been made publicly available by a federal, 993 state, or local governmental entity. The term also does not 994 include information that is encrypted, secured, or modified by 995 any other method or technology that removes elements that 996 personally identify an individual or that otherwise renders the 997 information unusable. 998 Section 4. 
Subsection (1) of section 16.53, Florida 999 Statutes, is amended, and subsection (8) is added to that 1000 section, to read: 1001 16.53 Legal Affairs Revolving Trust Fund.— 1002 (1) There is created in the State Treasury the Legal 1003 Affairs Revolving Trust Fund, from which the Legislature may 1004 appropriate funds for the purpose of funding investigation, 1005 prosecution, and enforcement by the Attorney General of the 1006 provisions of the Racketeer Influenced and Corrupt Organization 1007 Act, the Florida Deceptive and Unfair Trade Practices Act, the 1008 Florida False Claims Act,orstate or federal antitrust laws, or 1009 s. 501.173. 1010 (8) All moneys recovered by the Attorney General for 1011 attorney fees, costs, and penalties in an action for a violation 1012 of s. 501.173 must be deposited in the fund. 1013 Section 5. This act shall take effect July 1, 2023.