Florida Senate - 2023 CS for SB 262
By the Committee on Commerce and Tourism; and Senator Bradley
577-03495-23 2023262c1
1 A bill to be entitled
2 An act relating to technology transparency; creating
3 s. 112.23, F.S.; defining terms; prohibiting officers
4 or salaried employees of governmental entities from
5 using their positions or state resources to make
6 certain requests of social media platforms;
7 prohibiting governmental entities from initiating or
8 maintaining agreements or working relationships with
9 social media platforms under a specified circumstance;
10 providing exceptions; creating s. 501.173, F.S.;
11 providing applicability; defining terms; prohibiting a
12 controller from collecting certain consumer
13 information without the consumer’s authorization;
14 requiring controllers that collect a consumer’s
15 personal information to disclose certain information
16 regarding data collection and selling practices to the
17 consumer at or before the point of collection;
18 specifying that such information may be provided
19 through a general privacy policy or through a notice
20 informing the consumer that additional specific
21 information will be provided upon a certain request;
22 prohibiting controllers from collecting additional
23 categories of personal information or using personal
24 information for additional purposes without notifying
25 the consumer; requiring controllers that collect
26 personal information to implement reasonable security
27 procedures and practices to protect such information;
28 authorizing consumers to request controllers to
29 disclose the specific personal information the
30 controller has collected about the consumer; requiring
31 controllers to make available two or more methods for
32 consumers to request their personal information;
33 requiring controllers to provide such information free
34 of charge within a certain timeframe and in a certain
35 format upon receiving a verifiable consumer request;
36 specifying requirements for third parties with respect
37 to consumer information acquired or used; providing
38 construction; authorizing consumers to request
39 controllers to delete or correct personal information
40 collected by the controllers; providing exceptions;
41 specifying requirements for controllers to comply with
42 deletion or correction requests; authorizing consumers
43 to opt out of third-party disclosure of personal
44 information collected by a controller; prohibiting
45 controllers from selling or disclosing the personal
46 information of consumers younger than a certain age,
47 except under certain circumstances; prohibiting
48 controllers from selling or sharing a consumer’s
49 information if the consumer has opted out of such
50 disclosure; prohibiting controllers from taking
51 certain actions to retaliate against consumers who
52 exercise certain rights; providing applicability;
53 providing that a contract or agreement that waives or
54 limits certain consumer rights is void and
55 unenforceable; authorizing the Department of Legal
56 Affairs to bring an action under the Florida Deceptive
57 and Unfair Trade Practices Act and to adopt rules;
58 requiring the department to submit an annual report to
59 the Legislature; providing report requirements;
60 providing that controllers must have a specified
61 timeframe to cure any violations; providing
62 jurisdiction; declaring that the act is a matter of
63 statewide concern; preempting the collection,
64 processing, sharing, and sale of consumer personal
65 information to the state; amending s. 501.171, F.S.;
66 revising the definition of “personal information”;
67 amending s. 16.53, F.S.; requiring that certain
68 attorney fees, costs, and penalties recovered by the
69 Attorney General be deposited in the Legal Affairs
70 Revolving Trust Fund; providing an effective date.
71
72 Be It Enacted by the Legislature of the State of Florida:
73
74 Section 1. Section 112.23, Florida Statutes, is created to
75 read:
76 112.23 Government-directed content moderation of social
77 media platforms prohibited.—
78 (1) As used in this section, the term:
79 (a) “Social media platform” means a form of electronic
80 communication through which users create online communities to
81 share information, ideas, personal messages, and other content.
82 (b) “Governmental entity” means any state, county,
83 district, authority, or municipal officer, department, division,
84 board, bureau, commission, or other separate unit of government
85 created or established by law, including, but not limited to,
86 the Commission on Ethics, the Public Service Commission, the
87 Office of Public Counsel, and any other public or private
88 agency, person, partnership, corporation, or business entity
89 acting on behalf of any public agency.
90 (2) An officer or a salaried employee of a governmental
91 entity may not use his or her position or any state resources to
92 communicate with a social media platform to request the social
93 media platform to remove content or accounts from the social
94 media platform.
95 (3) A governmental entity, or an officer or a salaried
96 employee acting on behalf of a governmental entity, may not
97 initiate or maintain any agreements or working relationships
98 with a social media platform for the purpose of content
99 moderation.
100 (4) Subsections (2) and (3) do not apply if the
101 governmental entity or an officer or a salaried employee acting
102 on behalf of a governmental entity is acting as part of any of
103 the following:
104 (a) Routine account management of the governmental entity’s
105 account.
106 (b) An attempt to remove content that pertains to the
107 commission of a crime or violation of this state’s public
108 records law.
109 (c) An attempt to remove an account that pertains to the
110 commission of a crime or violation of this state’s public
111 records law.
112 (d) An investigation or inquiry related to public safety.
113 Section 2. Section 501.173, Florida Statutes, is created to
114 read:
115 501.173 Consumer data privacy.—
116 (1) APPLICABILITY.—This section does not apply to:
117 (a) Personal information collected and transmitted which is
118 necessary for the sole purpose of sharing such personal
119 information with a financial service provider solely to
120 facilitate short term, transactional payment processing for the
121 purchase of products or services.
122 (b) Personal information collected, used, retained, sold,
123 shared, or disclosed as deidentified personal information or
124 aggregate consumer information.
125 (c) Compliance with federal, state, or local laws.
126 (d) Compliance with a civil, criminal, or regulatory
127 inquiry, investigation, subpoena, or summons by federal, state,
128 or local authorities.
129 (e) Cooperation with law enforcement agencies concerning
130 conduct or activity that the controller, processor, or third
131 party reasonably and in good faith believes may violate federal,
132 state, or local law.
133 (f) Exercising or defending legal rights, claims, or
134 privileges.
135 (g) Personal information collected through the controller’s
136 direct interactions with the consumer, if collected in
137 accordance with this section, which is used by the controller or
138 the processor that the controller directly contracts with for
139 advertising or marketing services to advertise or market
140 products or services that are produced or offered directly by
141 the controller. Such information may not be sold, shared, or
142 disclosed unless otherwise authorized under this section.
143 (h) Personal information of a person acting in the role of
144 a job applicant, employee, owner, director, officer, contractor,
145 volunteer, or intern of a controller which is collected by a
146 controller, to the extent the personal information is collected
147 and used solely within the context of the person’s role or
148 former role with the controller. For purposes of this paragraph,
149 personal information includes employee benefit information.
150 (i) Protected health information for purposes of the
151 federal Health Insurance Portability and Accountability Act of
152 1996 and related regulations, and patient identifying
153 information for purposes of 42 C.F.R. part 2, established
154 pursuant to 42 U.S.C. s. 290dd-2.
155 (j) An entity or business associate governed by the
156 privacy, security, and breach notification rules issued by the
157 United States Department of Health and Human Services in 45
158 C.F.R. parts 160 and 164, or a program or a qualified service
159 program as defined in 42 C.F.R. part 2, to the extent the
160 entity, business associate, or program maintains personal
161 information in the same manner as medical information or
162 protected health information as described in paragraph (i), and
163 as long as the entity, business associate, or program does not
164 use personal information for targeted advertising with third
165 parties and does not sell or share personal information to a
166 third party unless such sale or sharing is covered by an
167 exception under this section.
168 (k) Identifiable private information collected for purposes
169 of research as defined in 45 C.F.R. s. 164.501 conducted in
170 accordance with the Federal Policy for the Protection of Human
171 Subjects for purposes of 45 C.F.R. part 46, the good clinical
172 practice guidelines issued by the International Council for
173 Harmonisation of Technical Requirements for Pharmaceuticals for
174 Human Use, or the Federal Policy for the Protection for Human
175 Subjects for purposes of 21 C.F.R. parts 50 and 56, or personal
176 information used or shared in research conducted in accordance
177 with one or more of these standards.
178 (l) Information and documents created for purposes of the
179 federal Health Care Quality Improvement Act of 1986 and related
180 regulations, or patient safety work product for purposes of 42
181 C.F.R. part 3, established pursuant to 42 U.S.C. s. 299b-21
182 through 299b-26.
183 (m) Information that is deidentified in accordance with 45
184 C.F.R. part 164 and derived from individually identifiable
185 health information as described in the Health Insurance
186 Portability and Accountability Act of 1996, or identifiable
187 personal information, consistent with the Federal Policy for the
188 Protection of Human Subjects or the human subject protection
189 requirements of the United States Food and Drug Administration.
190 (n) Information used only for public health activities and
191 purposes as described in 45 C.F.R. s. 164.512.
192 (o) Personal information collected, processed, sold, or
193 disclosed pursuant to the federal Fair Credit Reporting Act, 15
194 U.S.C. s. 1681 and implementing regulations.
195 (p) Nonpublic personal information collected, processed,
196 sold, or disclosed pursuant to the Gramm-Leach-Bliley Act, 15
197 U.S.C. s. 6801 et seq., and implementing regulations.
197 (q) A financial institution as defined in the Gramm-Leach-
198 Bliley Act, 15 U.S.C. s. 6801 et seq., to the extent the
200 financial institution maintains personal information in the same
201 manner as nonpublic personal information as described in
202 paragraph (p), and as long as such financial institution does
203 not use personal information for targeted advertising with third
204 parties and does not sell or share personal information to a
205 third party unless such sale or sharing is covered by an
206 exception under this section.
207 (r) Personal information collected, processed, sold, or
208 disclosed pursuant to the federal Driver’s Privacy Protection
209 Act of 1994, 18 U.S.C. s. 2721 et seq.
210 (s) Education information covered by the Family Educational
211 Rights and Privacy Act, 20 U.S.C. s. 1232(g) and 34 C.F.R. part
212 99.
213 (t) Information collected as part of public or peer
214 reviewed scientific or statistical research in the public
215 interest and which adheres to all other applicable ethics and
216 privacy laws, if the consumer has provided informed consent.
217 Research with personal information must be subjected by the
218 controller conducting the research to additional security
219 controls that limit access to the research data to only those
220 individuals necessary to carry out the research purpose, and
221 such personal information must be subsequently deidentified.
222 (u) Personal information disclosed for the purpose of
223 responding to an alert of a present risk of harm to a person or
224 property or prosecuting those responsible for that activity.
225 (v) Personal information disclosed when a consumer uses or
226 directs a controller to intentionally disclose information to a
227 third party or uses the controller to intentionally interact
228 with a third party. An intentional interaction occurs when the
229 consumer intends to interact with the third party, by one or
230 more deliberate interactions. Hovering over, muting, pausing, or
231 closing a given piece of content does not constitute a
232 consumer’s intent to interact with a third party.
233 (w) An identifier used for a consumer who has opted out of
234 the sale or sharing of the consumer’s personal information for
235 the sole purpose of alerting processors and third parties that
236 the consumer has opted out of the sale or sharing of the
237 consumer’s personal information.
238 (x) Personal information transferred by a controller to a
239 third party as an asset that is part of a merger, acquisition,
240 bankruptcy, or other transaction in which the third party
241 assumes control of all or part of the controller, provided that
242 the information is used or shared consistently with this
243 section. If a third party materially alters how it uses or
244 shares the personal information of a consumer in a manner that
245 is materially inconsistent with the commitments or promises made
246 at the time of collection, it must provide prior notice of the
247 new or changed practice to the consumer. The notice must be
248 sufficiently prominent and robust to ensure that consumers can
249 easily exercise choices consistent with this section.
250 (y) Personal information necessary to fulfill the terms of
251 a written warranty when such warranty was purchased by the
252 consumer or the product that is warranted was purchased by the
253 consumer. Such information may not be sold or shared unless
254 otherwise authorized under this section.
255 (z) Personal information necessary for a product recall for
256 a product purchased or owned by the consumer conducted in
257 accordance with federal law. Such information may not be sold or
258 shared unless otherwise authorized under this section.
259 (aa) Personal information processed solely for the purpose
260 of independently measuring or reporting advertising or content
261 performance, reach, or frequency pursuant to a contract with a
262 controller that collected personal information in accordance
263 with this section. Such information may not be sold or shared
264 unless otherwise authorized under this section.
265 (bb) Personal information shared between a manufacturer of
266 a tangible product and authorized third-party distributors or
267 vendors of the product, as long as such personal information is
268 used solely for advertising, marketing, or servicing the product
269 that is acquired directly through such manufacturer and such
270 authorized third-party distributors or vendors. Such personal
271 information may not be sold or shared unless otherwise
272 authorized under this section.
273 (2) DEFINITIONS.—As used in this section, the term:
274 (a) “Aggregate consumer information” means information that
275 relates to a group or category of consumers, from which the
276 identity of an individual consumer has been removed and is not
277 reasonably capable of being directly or indirectly associated or
278 linked with any consumer, household, or device. The term does
279 not include information about a group or category of consumers
280 used to facilitate targeted advertising or the display of ads
281 online. The term does not include personal information that has
282 been deidentified.
283 (b) “Biometric information” means an individual’s
284 physiological, biological, or behavioral characteristics that
285 can be used, singly or in combination with each other or with
286 other identifying data, to establish individual identity. The
287 term includes, but is not limited to, imagery of the iris,
288 retina, fingerprint, face, hand, palm, vein patterns, and voice
289 recordings, from which an identifier template, such as a
290 faceprint, a minutiae template, or a voiceprint, can be
291 extracted, and keystroke patterns or rhythms, gait patterns or
292 rhythms, and sleep, health, or exercise data that contain
293 identifying information.
294 (c) “Collect” means to buy, rent, gather, obtain, receive,
295 or access any personal information pertaining to a consumer by
296 any means. The term includes, but is not limited to, actively or
297 passively receiving information from the consumer or by
298 observing the consumer’s behavior or actions.
299 (d) “Consumer” means a natural person who resides in or is
300 domiciled in this state, however identified, including by any
301 unique identifier, who is acting in a personal capacity or
302 household context. The term does not include a natural person
303 acting on behalf of a legal entity in a commercial or employment
304 context.
305 (e) “Controller” means:
306 1. A sole proprietorship, partnership, limited liability
307 company, corporation, association, or legal entity that meets
308 the following requirements:
309 a. Is organized or operated for the profit or financial
310 benefit of its shareholders or owners;
311 b. Does business in this state;
312 c. Collects personal information about consumers, or is the
313 entity on behalf of which such information is collected;
314 d. Determines the purposes and means of processing personal
315 information about consumers alone or jointly with others;
316 e. Makes in excess of $1 billion in gross revenues, as
317 adjusted in January of every odd-numbered year to reflect any
318 increase in the Consumer Price Index; and
319 f. Satisfies one of the following:
320 (I) Derives 50 percent or more of its global annual
321 revenues from providing targeted advertising or the sale of ads
322 online; or
323 (II) Operates a consumer smart speaker and voice command
324 component service with an integrated virtual assistant connected
325 to a cloud computing service that uses hands-free verbal
326 activation. For purposes of this sub-sub-subparagraph, a
327 consumer smart speaker and voice command component service does
328 not include a motor vehicle or speaker or device associated with
329 or connected to a vehicle.
330 2. Any entity that controls or is controlled by a
331 controller. As used in this subparagraph, the term “control”
332 means:
333 a. Ownership of, or the power to vote, more than 50 percent
334 of the outstanding shares of any class of voting security of a
335 controller;
336 b. Control in any manner over the election of a majority of
337 the directors, or of individuals exercising similar functions;
338 or
339 c. The power to exercise a controlling influence over the
340 management of a company.
341 (f) “Deidentified” means information that cannot reasonably
342 be used to infer information about or otherwise be linked to a
343 particular consumer, provided that the controller that possesses
344 the information:
345 1. Takes reasonable measures to ensure that the information
346 cannot be associated with a specific consumer;
347 2. Maintains and uses the information in deidentified form
348 and does not attempt to reidentify the information, except that
349 the controller may attempt to reidentify the information solely
350 for the purpose of determining whether its deidentification
351 processes satisfy the requirements of this paragraph;
352 3. Contractually obligates any recipients of the
353 information to comply with all this paragraph to avoid
354 reidentifying such information; and
355 4. Implements business processes to prevent the inadvertent
356 release of deidentified information.
357 (g) “Department” means the Department of Legal Affairs.
358 (h) “Device” means a physical object associated with a
359 consumer or household capable of directly or indirectly
360 connecting to the Internet.
361 (i) “Genetic information” means information about an
362 individual’s deoxyribonucleic acid (DNA).
363 (j) “Homepage” means the introductory page of an Internet
364 website and any Internet webpage where personal information is
365 collected. In the case of a mobile application, the homepage is
366 the application’s platform page or download page, a link within
367 the application, such as the “About” or “Information”
368 application configurations, or the settings page, and any other
369 location that allows consumers to review the notice required by
370 subsection (7), including, but not limited to, before
371 downloading the application.
372 (k) “Household” means a natural person or a group of people
373 in this state who reside at the same address, share a common
374 device or the same service provided by a controller, and are
375 identified by a controller as sharing the same group account or
376 unique identifier.
377 (l) “Personal information” means information that is linked
378 or reasonably linkable to an identified or identifiable consumer
379 or household, including biometric information, genetic
380 information, and unique identifiers to the consumer.
381 1. The term includes, but is not limited to, the following:
382 a. Identifiers such as a real name, alias, postal address,
383 unique identifier, online identifier, internet protocol address,
384 email address, account name, social security number, driver
385 license number, passport number, or other similar identifiers.
386 b. Information that identifies, relates to, or describes,
387 or could be associated with, a particular individual, including,
388 but not limited to, a name, signature, social security number,
389 physical characteristics or description, address, location,
390 telephone number, passport number, driver license or state
391 identification card number, insurance policy number, education,
392 employment, employment history, bank account number, credit card
393 number, debit card number, or any other financial information,
394 medical information, or health insurance information.
395 c. Characteristics of protected classifications under state
396 or federal law.
397 d. Commercial information, including records of personal
398 property, products or services purchased, obtained, or
399 considered, or other purchasing or consuming histories or
400 tendencies.
401 e. Biometric information.
402 f. Internet or other electronic network activity
403 information, including, but not limited to, browsing history,
404 search history, and information regarding a consumer’s
405 interaction with an Internet website, application, or
406 advertisement.
407 g. Geolocation data.
408 h. Audio, electronic, visual, thermal, olfactory, or
409 similar information.
410 i. Inferences drawn from any of the information identified
411 in this paragraph to create a profile about a consumer
412 reflecting the consumer’s preferences, characteristics,
413 psychological trends, predispositions, behavior, attitudes,
414 intelligence, abilities, and aptitudes.
415 2. The term does not include consumer information that is:
416 a. Consumer employment contact information, including a
417 position name or title, employment qualifications, emergency
418 contact information, business telephone number, business
419 electronic mail address, employee benefit information, and
420 similar information used solely in an employment context.
421 b. Deidentified or aggregate consumer information.
422 c. Publicly and lawfully available information reasonably
423 believed to be made available to the general public in a lawful
424 manner and without legal restrictions:
425 (I) From federal, state, or local government records.
426 (II) By a widely distributed media source.
427 (III) By the consumer or by someone to whom the consumer
428 disclosed the information unless the consumer has purposely and
429 effectively restricted the information to a certain audience on
430 a private account.
431 (m) “Precise geolocation data” means information from
432 technology, such as global positioning system level latitude and
433 longitude coordinates or other mechanisms, which directly
434 identifies the specific location of a natural person with
435 precision and accuracy within a radius of 1,750 feet. The term
436 does not include information generated by the transmission of
437 communications or any information generated by or connected to
438 advance utility metering infrastructure systems or equipment for
439 use by a utility.
440 (n) “Processing” means any operation or set of operations
441 performed on personal information or on sets of personal
442 information, regardless of whether by automated means.
443 (o) “Processor” means a sole proprietorship, partnership,
444 limited liability company, corporation, association, or other
445 legal entity that is organized or operated for the profit or
446 financial benefit of its shareholders or other owners, that
447 processes information on behalf of a controller and to which the
448 controller discloses a consumer’s personal information pursuant
449 to a written contract, provided that the contract prohibits the
450 entity receiving the information from retaining, using, or
451 disclosing the personal information for any purpose other than
452 for the specific purpose of performing the services specified in
453 the contract for the controller, as authorized by this section.
454 (p) “Sell” means to sell, rent, release, disclose,
455 disseminate, make available, transfer, or otherwise communicate
456 orally, in writing, or by electronic or other means, a
457 consumer’s personal information or information that relates to a
458 group or category of consumers by a controller to another
459 controller or a third party for monetary or other valuable
460 consideration.
461 (q) “Share” means to share, rent, release, disclose,
462 disseminate, make available, transfer, or access a consumer’s
463 personal information for advertising or marketing. The term
464 includes:
465 1. Allowing a third party to advertise or market to a
466 consumer based on a consumer’s personal information without
467 disclosure of the personal information to the third party.
468 2. Monetary transactions, nonmonetary transactions, and
469 transactions for other valuable consideration between a
470 controller and a third party for advertising or marketing.
471 (r) “Targeted advertising” means marketing to a consumer or
472 displaying an advertisement to a consumer when the advertisement
473 is selected based on personal information used to predict such
474 consumer’s preferences or interests.
475 (s) “Third party” means a person who is not a controller or
476 a processor.
477 (t) “Unique identifier” means a persistent identifier that
478 can be used to recognize a consumer, a family, or a device that
479 is linked to a consumer or a family, over time and across
480 different services, including, but not limited to, a device
481 identifier; an Internet Protocol address; cookies, beacons,
482 pixel tags, mobile ad identifiers, or similar technology; a
483 customer number, unique pseudonym, or user alias; telephone
484 numbers, or other forms of persistent or probabilistic
485 identifiers that can be used to identify a particular consumer,
486 family, or device that is linked to a consumer or family. As
487 used in this paragraph, the term “family” means a custodial
488 parent or guardian and any minor children of whom the parent or
489 guardian has custody, or a household as defined in paragraph
490 (k).
491 (u) “Verifiable consumer request” means a request made by a
492 consumer, by a parent or guardian on behalf of a consumer who is
493 a minor child, or by a person authorized by the consumer to act
494 on the consumer’s behalf, that the controller can reasonably
495 verify to be the consumer, pursuant to rules adopted by the
496 department. A verifiable consumer request is presumed to have
497 been made when requested through an established account using
498 the controller’s established security features to access the
499 account through communication features offered to consumers, but
500 a controller may not require the consumer to create or have an
501 account with the controller in order to make a verifiable
502 consumer request.
503 (v) “Voice recognition feature” means the function of a
504 device which enables the collection, recording, storage,
505 analysis, transmission, interpretation, or other use of spoken
506 words or other sounds.
507 (3) CONTROLLER REQUIREMENTS; CONSUMER DATA COLLECTION
508 REQUIREMENTS AND RESPONSIBILITIES.—
509 (a) A controller may not collect, without the consumer’s
510 authorization, a consumer’s precise geolocation data or personal
511 information through the operation of a voice recognition
512 feature.
513 (b) A controller that operates a search engine shall
514 provide a consumer with information of how the controller’s
515 search engine algorithm prioritizes or deprioritizes political
516 partisanship or political ideology in its search results.
517 (c) A controller that collects personal information about
518 consumers shall maintain an up-to-date online privacy policy and
519 make such policy available on its homepage. The online privacy
520 policy must include the following information:
521 1. Any Florida-specific consumer privacy rights.
522 2. A list of the types and categories of personal
523 information that the controller collects, sells, or shares, or
524 has collected, sold, or shared, about consumers.
525 3. The consumer’s right to request deletion or correction
526 of certain personal information.
527 4. The consumer’s right to opt out of the sale or sharing
528 to third parties.
529 (d) A controller that collects personal information from
530 the consumer shall, at or before the point of collection,
531 inform, or direct the processor to inform, consumers of the
532 categories of personal information to be collected and the
533 purposes for which such categories of personal information will
534 be used.
535 (e) A controller may not collect additional categories of
536 personal information or use personal information collected for
537 additional purposes without providing the consumer with notice
538 consistent with this section.
539 (f) A controller that collects a consumer’s personal
540 information shall implement and maintain reasonable security
541 procedures and practices appropriate to the nature of the
542 personal information to protect such personal information from
543 unauthorized or illegal access, destruction, use, modification,
544 or disclosure. A controller shall require any processors to
545 implement and maintain the same or similar security procedures
546 and practices for personal information.
547 (g) A controller shall adopt and implement a retention
548 schedule that prohibits the use or retention of personal
549 information not subject to an exemption by the controller or
550 processor after the satisfaction of the initial purpose for
551 which such information was collected or obtained, after the
552 expiration or termination of the contract pursuant to which the
553 information was collected or obtained, or 2 years after the
554 consumer’s last interaction with the controller. This paragraph
555 does not apply to personal information reasonably used or
556 retained to do any of the following:
557 1. Fulfill the terms of a written warranty or product
558 recall conducted in accordance with federal law.
559 2. Provide a good or service requested by the consumer, or
560 reasonably anticipate the request of such good or service within
561 the context of a controller’s ongoing business relationship with
562 the consumer.
563 3. Detect security threats or incidents; protect against
564 malicious, deceptive, fraudulent, unauthorized, or illegal
565 activity or access; or prosecute those responsible for such
566 activity or access.
567 4. Debug to identify and repair errors that impair existing
568 intended functionality.
569 5. Engage in public or peer-reviewed scientific,
570 historical, or statistical research in the public interest which
571 adheres to all other applicable ethics and privacy laws when the
572 controller’s deletion of the information is likely to render
573 impossible or seriously impair the achievement of such research,
574 if the consumer has provided informed consent.
575 6. Enable solely internal uses that are reasonably aligned
576 with the expectations of the consumer based on the consumer’s
577 relationship with the controller or that are compatible with the
578 context in which the consumer provided the information.
579 7. Comply with a legal obligation, including any state or
580 federal retention laws.
581 8. Protect the controller’s interests against existing
582 disputes, legal action, or governmental investigations.
583 9. Assure the physical security of persons or property.
584 (4) CONSUMER RIGHT TO REQUEST COPY OF PERSONAL INFORMATION
585 COLLECTED, SOLD, OR SHARED.—
586 (a) A consumer has the right to request that a controller
587 that collects, sells, or shares personal information about the
588 consumer disclose the following to the consumer:
589 1. The specific pieces of personal information which have
590 been collected about the consumer.
591 2. The categories of sources from which the consumer’s
592 personal information was collected.
593 3. The specific pieces of personal information about the
594 consumer which were sold or shared.
595 4. The third parties to which the personal information
596 about the consumer was sold or shared.
597 5. The categories of personal information about the
598 consumer which were disclosed to a processor.
599 (b) A controller that collects, sells, or shares personal
600 information about a consumer shall disclose the information
601 specified in paragraph (a) to the consumer upon receipt of a
602 verifiable consumer request.
603 (c) This subsection does not require a controller to
604 retain, reidentify, or otherwise link any data that, in the
605 ordinary course of business is not maintained in a manner that
606 would be considered personal information.
607 (d) The controller shall deliver to a consumer the
608 information required under this subsection or act on a request
609 made under this subsection by a consumer free of charge within
610 45 calendar days after receiving a verifiable consumer request.
611 The response period may be extended once by 45 additional
612 calendar days when reasonably necessary, provided the controller
613 informs the consumer of any such extension within the initial
614 45-day response period and the reason for the extension. The
615 information must be delivered in a portable and, to the extent
616 technically feasible, readily usable format that allows the
617 consumer to transmit the data to another entity without
618 hindrance. A controller may provide the data to the consumer in
619 a manner that does not disclose the controller’s trade secrets.
620 A controller is not obligated to provide information to the
621 consumer if the consumer or a person authorized to act on the
622 consumer’s behalf does not provide verification of identity or
623 verification of authorization to act with the permission of the
624 consumer.
625 (e) A controller may provide personal information to a
626 consumer at any time, but is not required to provide personal
627 information to a consumer more than twice in a 12-month period.
628 (f) This subsection does not apply to personal information
629 relating solely to households.
630 (5) RIGHT TO HAVE PERSONAL INFORMATION DELETED OR
631 CORRECTED.—
632 (a) A consumer has the right to request that a controller
633 delete any personal information about the consumer or about the
634 consumer’s child younger than 18 years of age which the
635 controller has collected.
636 1. A controller that receives a verifiable consumer request
637 to delete the consumer’s personal information shall delete the
638 consumer’s personal information from its records and direct any
639 processors to delete such information within 90 calendar days
640 after receipt of the verifiable consumer request.
641 2. A controller or a processor acting pursuant to its
642 contract with the controller may not be required to comply with
643 a consumer’s request to delete the consumer’s personal
644 information if it is reasonably necessary for the controller or
645 processor to maintain the consumer’s personal information to do
646 any of the following:
647 a. Complete the transaction for which the personal
648 information was collected.
649 b. Fulfill the terms of a written warranty or product
650 recall conducted in accordance with federal law.
651 c. Provide a good or service requested by the consumer, or
652 reasonably anticipate the request of such good or service within
653 the context of a controller’s ongoing business relationship with
654 the consumer, or otherwise perform a contract between the
655 controller and the consumer.
656 d. Detect security threats or incidents; protect against
657 malicious, deceptive, fraudulent, unauthorized, or illegal
658 activity or access; or prosecute those responsible for such
659 activity or access.
660 e. Debug to identify and repair errors that impair existing
661 intended functionality.
662 f. Engage in public or peer-reviewed scientific,
663 historical, or statistical research in the public interest which
664 adheres to all other applicable ethics and privacy laws when the
665 controller’s deletion of the information is likely to render
666 impossible or seriously impair the achievement of such research,
667 if the consumer has provided informed consent.
668 g. Enable solely internal uses that are reasonably aligned
669 with the expectations of the consumer based on the consumer’s
670 relationship with the controller or that are compatible with the
671 context in which the consumer provided the information.
672 h. Comply with a legal obligation, including any state or
673 federal retention laws.
674 i. Protect the controller’s interests against existing
675 disputes, legal action, or governmental investigations.
676 j. Assure the physical security of persons or property.
677 (b) A consumer has the right to request that a controller
678 correct inaccurate personal information maintained by the
679 controller about the consumer or about the consumer’s child
680 younger than 18 years of age. A controller that receives a
681 verifiable consumer request to correct inaccurate personal
682 information shall use commercially reasonable efforts to correct
683 the inaccurate personal information as directed by the consumer
684 and shall direct any processors to correct such information
685 within 90 calendar days after receipt of the verifiable consumer
686 request. If a controller maintains a self-service mechanism to
687 allow a consumer to correct certain personal information, the
688 controller may require the consumer to correct their own
689 personal information through such mechanism. A controller or a
690 processor acting pursuant to its contract with the controller
691 may not be required to comply with a consumer’s request to
692 correct the consumer’s personal information if it is reasonably
693 necessary for the controller or processor to maintain the
694 consumer’s personal information to do any of the following:
695 1. Complete the transaction for which the personal
696 information was collected.
697 2. Fulfill the terms of a written warranty or product
698 recall conducted in accordance with federal law.
699 3. Detect security threats or incidents; protect against
700 malicious, deceptive, fraudulent, unauthorized, or illegal
701 activity or access; or prosecute those responsible for such
702 activity or access.
703 4. Debug to identify and repair errors that impair existing
704 intended functionality.
705 5. Enable solely internal uses that are reasonably aligned
706 with the expectations of the consumer based on the consumer’s
707 relationship with the controller or that are compatible with the
708 context in which the consumer provided the information.
709 6. Comply with a legal obligation, including any state or
710 federal retention laws.
711 7. Protect the controller’s interests against existing
712 disputes, legal action, or governmental investigations.
713 8. Assure the physical security of persons or property.
714 (6) RIGHT TO OPT OUT OF THE SALE OR SHARING OF PERSONAL
715 INFORMATION.—
716 (a) A consumer has the right at any time to direct a
717 controller not to sell or share the consumer’s personal
718 information to a third party. This right may be referred to as
719 the right to opt out.
720 (b) Notwithstanding paragraph (a), a controller may not
721 sell or share the personal information of a minor consumer if
722 the controller has actual knowledge that the consumer is not 18
723 years of age or older. However, if a consumer who is between 13
724 and 18 years of age, or if the parent or guardian of a consumer
725 who is 12 years of age or younger, has affirmatively authorized
726 the sale or sharing of such consumer’s personal information,
727 then a controller may sell or share such information in
728 accordance with this section. A controller that willfully
729 disregards the consumer’s age is deemed to have actual knowledge
730 of the consumer’s age. A controller that complies with the
731 verifiable parental consent requirements of the Children’s
732 Online Privacy Protection Act, 15 U.S.C. s. 6501 et seq., shall
733 be deemed compliant with any obligation to obtain parental
734 consent.
735 (c) A controller that has received direction from a
736 consumer opting out of the sale or sharing of the consumer’s
737 personal information is prohibited from selling or sharing the
738 consumer’s personal information beginning 4 calendar days after
739 receipt of such direction, unless the consumer subsequently
740 provides express authorization for the sale or sharing of the
741 consumer’s personal information.
742 (7) FORM TO OPT OUT OF SALE OR SHARING OF PERSONAL
743 INFORMATION.—
744 (a) A controller shall:
745 1. In a form that is reasonably accessible to consumers,
746 provide a clear and conspicuous link on the controller’s
747 Internet homepage, entitled “Do Not Sell or Share My Personal
748 Information,” to an Internet webpage that enables a consumer, a
749 parent or guardian of a minor who is a consumer, or a person
750 authorized by the consumer, to opt out of the sale or sharing of
751 the consumer’s personal information. A controller may not
752 require a consumer to create an account in order to direct the
753 controller not to sell or share the consumer’s personal
754 information. A controller may accept a request to opt out
755 received through a user-enabled global privacy control, such as
756 a browser plug-in or privacy setting, device setting, or other
757 mechanism, which communicates or signals the consumer’s choice
758 to opt out.
759 2. For consumers who opted out of the sale or sharing of
760 their personal information, respect the consumer’s decision to
761 opt out for at least 12 months before requesting that the
762 consumer authorize the sale or sharing of the consumer’s
763 personal information.
764 3. Use any personal information collected from the consumer
765 in connection with the submission of the consumer’s opt-out
766 request solely for the purposes of complying with the opt-out
767 request.
768 (b) A consumer may authorize another person to opt out of
769 the sale or sharing of the consumer’s personal information on
770 the consumer’s behalf pursuant to rules adopted by the
771 department.
772 (8) ACTIONS RELATED TO CONSUMERS WHO EXERCISE PRIVACY
773 RIGHTS.—
774 (a) A controller may not deny goods or services to a
775 consumer because the consumer exercised any of the consumer’s
776 rights under this section.
777 (b) A controller may charge a consumer who exercised any of
778 the consumer’s rights under this section a different price or
779 rate, or provide a different level or quality of goods or
780 services to the consumer, only if that difference is reasonably
781 related to the value provided to the controller by the
782 consumer’s data or is related to a consumer’s voluntary
783 participation in a financial incentive program, including a bona
784 fide loyalty, rewards, premium features, discounts, or club card
785 program offered by the controller.
786 (c) A controller may offer financial incentives, including
787 payments to consumers as compensation, for the collection,
788 sharing, sale, or deletion of personal information if the
789 consumer gives the controller prior consent that clearly
790 describes the material terms of the financial incentive program.
791 The consent may be revoked by the consumer at any time.
792 (d) A controller may not use financial incentive practices
793 that are unjust, unreasonable, coercive, or usurious in nature.
794 (9) CONTRACTS AND ROLES.—
795 (a) Any contract or agreement between a controller and a
796 processor must:
797 1. Prohibit the processor from selling, sharing, retaining,
798 using, or disclosing the personal information for any purpose
799 that violates this section;
800 2. Prohibit the processor from retaining, using, or
801 disclosing the personal information other than for the purposes
802 specified in the contract or agreement;
803 3. Prohibit the processor from combining the personal
804 information that the processor receives from or on behalf of the
805 controller with personal information that the processor receives
806 from or on behalf of another person or that the processor
807 collects from its own interaction with the consumer, provided
808 that the processor may combine personal information to perform
809 any purpose specified in the contract or agreement and such
810 combination is reported to the controller;
811 4. Govern the processor’s personal information processing
812 procedures with respect to processing performed on behalf of the
813 controller, including processing instructions, the nature and
814 purpose of processing, the type of information subject to
815 processing, the duration of processing, and the rights and
816 obligations of both the controller and processor;
817 5. Require the processor to return or delete all personal
818 information under the contract to the controller as requested by
819 the controller at the end of the provision of services, unless
820 retention of the information is required by law; and
821 6. Upon request of the controller, require the processor to
822 make available to the controller all personal information in its
823 possession under the contract or agreement.
824 (b) Determining whether a person is acting as a controller
825 or processor with respect to a specific processing of data is a
826 fact-based determination that depends upon the context in which
827 personal information is to be processed. The contract between a
828 controller and processor must reflect their respective roles and
829 relationships related to handling personal information. A
830 processor that continues to adhere to a controller’s
831 instructions with respect to a specific processing of personal
832 information remains a processor.
833 (c) A third party that has collected personal information
834 from a controller in accordance with this section:
835 1. May not sell or share personal information about a
836 consumer unless the consumer is provided an opportunity by such
837 third party to opt out under this section. Once a third party
838 sells or shares personal information after providing the
839 opportunity to opt out, the third party becomes a controller
840 under this section if the entity meets the definition of
841 controller in subsection (2).
842 2. May use such personal information from a controller to
843 advertise or market products or services that are produced or
844 offered directly by such third party.
845 (d) A processor or third party must require any
846 subcontractor to meet the same obligations of such processor or
847 third party with respect to personal information.
848 (e) A processor or third party or any subcontractor thereof
849 who violates any of the restrictions imposed upon it under this
850 section is liable or responsible for any failure to comply with
851 this section. A controller that discloses personal information
852 to a third party or processor in compliance with this section is
853 not liable or responsible if the person receiving the personal
854 information uses it without complying with the restrictions
855 under this section, provided that at the time of disclosing
856 the personal information, the controller does not have actual
857 knowledge or reason to believe that the person does not intend
858 to comply with this section.
859 (f) Any provision of a contract or agreement of any kind
860 that waives or limits in any way a consumer’s rights under this
861 section, including, but not limited to, any right to a remedy or
862 means of enforcement, is deemed contrary to public policy and is
863 void and unenforceable. This section does not prevent a consumer
864 from declining to exercise the consumer’s rights under this
865 section.
866 (10) ENFORCEMENT AND IMPLEMENTATION BY THE DEPARTMENT.—
867 (a) Any violation of this section is an unfair and
868 deceptive trade practice actionable under part II of chapter 501
869 solely by the department against a controller, processor, or
870 third party. If the department has reason to believe that any
871 controller, processor, or third party is in violation of this
872 section, the department, as the enforcing authority, may bring
873 an action against such controller, processor, or third party for
874 an unfair or deceptive act or practice. For the purpose of
875 bringing an action pursuant to this section, ss. 501.211 and
876 501.212 do not apply. In addition to other remedies under part
877 II of chapter 501, the department may collect a civil penalty of
878 up to $50,000 per violation of this section. Civil penalties may
879 be tripled for the following violations:
880 1. Any violation involving a Florida consumer who the
881 controller, processor, or third party has actual knowledge is 18
882 years of age or younger.
883 2. Failure to delete or correct the consumer’s personal
884 information pursuant to this section after receiving a
885 verifiable consumer request or directions from a controller to
886 delete or correct such personal information unless the
887 controller, processor, or third party qualifies for an exception
888 to the requirements to delete or correct such personal
889 information under this section.
890 3. Continuing to sell or share the consumer’s personal
891 information after the consumer chooses to opt out under this
892 section.
893 (b) After the department has notified a controller,
894 processor, or third party in writing of an alleged violation,
895 the department may in its discretion grant a 45-day period to
896 cure the alleged violation. The 45-day cure period does not
897 apply to a violation of subparagraph (a)1. The department may
898 consider the number and frequency of violations, the substantial
899 likelihood of injury to the public, and the safety of persons or
900 property when determining whether to grant 45 calendar days to
901 cure and the issuance of a letter of guidance. If the violation
902 is cured to the satisfaction of the department and proof of such
903 cure is provided to the department, the department may not bring
904 an action for the alleged violation but in its discretion may
905 issue a letter of guidance that indicates that the controller,
906 processor, or person will not be offered a 45-day cure period
907 for any future violations. If the controller, processor, or
908 third party fails to cure the violation within 45 calendar days,
909 the department may bring an action against the controller,
910 processor, or third party for the alleged violation.
911 (c) Any action brought by the department may be brought
912 only on behalf of a Florida consumer.
913 (d) By February 1 of each year, the department shall submit
914 a report to the President of the Senate and the Speaker of the
915 House of Representatives describing any actions taken by the
916 department to enforce this section. Such report must be made
917 publicly available on the department’s website. The report must
918 include statistics and relevant information detailing:
919 1. The number of complaints received and the categories or
920 types of violations alleged by the complainant;
921 2. The number and type of enforcement actions taken and the
922 outcomes of such actions, including the amount of penalties
923 issued and collected;
924 3. The number of complaints resolved without the need for
925 litigation; and
926 4. The status of the development and implementation of
927 rules to implement this section.
928 (e) The department may adopt rules to implement this
929 section, including standards for verifiable consumer requests,
930 enforcement, data security, and authorized persons who may act
931 on a consumer’s behalf.
932 (f) The department may collaborate and cooperate with other
933 enforcement authorities of the federal government or other state
934 governments concerning consumer data privacy issues and consumer
935 data privacy investigations if such enforcement authorities have
936 restrictions governing confidentiality at least as stringent as
937 the restrictions provided in this section.
938 (g) Liability for a tort, contract claim, or consumer
939 protection claim that is unrelated to an action brought under
940 this subsection does not arise solely from the failure of a
941 controller, processor, or third party to comply with this
942 section.
943 (h) This section does not establish a private cause of
944 action.
945 (i) The department may employ or use the legal services of
946 outside counsel and the investigative services of outside
947 personnel to fulfill the obligations of this section.
948 (11) JURISDICTION.—For purposes of bringing an action
949 pursuant to subsection (10), any person who meets the definition
950 of controller as defined in this section which collects, shares,
951 or sells the personal information of Florida consumers is
952 considered to be both engaged in substantial and not isolated
953 activities within this state and operating, conducting, engaging
954 in, or carrying on a business, and doing business in this state,
955 and is therefore subject to the jurisdiction of the courts of
956 this state.
957 (12) PREEMPTION.—This section is a matter of statewide
958 concern and supersedes all rules, regulations, codes,
959 ordinances, and other laws adopted by a city, county, city and
960 county, municipality, or local agency regarding the collection,
961 processing, sharing, or sale of consumer personal information by
962 a controller or processor. The regulation of the collection,
963 processing, sharing, or sale of consumer personal information by
964 a controller or processor is preempted to the state.
965 Section 3. Paragraph (g) of subsection (1) of section
966 501.171, Florida Statutes, is amended to read:
967 501.171 Security of confidential personal information.—
968 (1) DEFINITIONS.—As used in this section, the term:
969 (g)1. “Personal information” means either of the following:
970 a. An individual’s first name or first initial and last
971 name in combination with any one or more of the following data
972 elements for that individual:
973 (I) A social security number;
974 (II) A driver license or identification card number,
975 passport number, military identification number, or other
976 similar number issued on a government document used to verify
977 identity;
978 (III) A financial account number or credit or debit card
979 number, in combination with any required security code, access
980 code, or password that is necessary to permit access to an
981 individual’s financial account;
982 (IV) Any information regarding an individual’s medical
983 history, mental or physical condition, or medical treatment or
984 diagnosis by a health care professional;
985 (V) An individual’s health insurance policy number or
986 subscriber identification number and any unique identifier used
987 by a health insurer to identify the individual;
988 (VI) An individual’s biometric information or genetic
989 information as defined in s. 501.173(2); or
990 (VII) Any information regarding an individual’s
991 geolocation.
992 b. A user name or e-mail address, in combination with a
993 password or security question and answer that would permit
994 access to an online account.
995 2. The term does not include information about an
996 individual that has been made publicly available by a federal,
997 state, or local governmental entity. The term also does not
998 include information that is encrypted, secured, or modified by
999 any other method or technology that removes elements that
1000 personally identify an individual or that otherwise renders the
1001 information unusable.
1002 Section 4. Subsection (1) of section 16.53, Florida
1003 Statutes, is amended, and subsection (8) is added to that
1004 section, to read:
1005 16.53 Legal Affairs Revolving Trust Fund.—
1006 (1) There is created in the State Treasury the Legal
1007 Affairs Revolving Trust Fund, from which the Legislature may
1008 appropriate funds for the purpose of funding investigation,
1009 prosecution, and enforcement by the Attorney General of the
1010 provisions of the Racketeer Influenced and Corrupt Organization
1011 Act, the Florida Deceptive and Unfair Trade Practices Act, the
1012 Florida False Claims Act, state or federal antitrust laws, or
1013 s. 501.173.
1014 (8) All moneys recovered by the Attorney General for
1015 attorney fees, costs, and penalties in an action for a violation
1016 of s. 501.173 must be deposited in the fund.
1017 Section 5. This act shall take effect July 1, 2023.