Florida Senate - 2023                       CS for CS for SB 262
       By the Committees on Rules; and Commerce and Tourism; and
       Senator Bradley
       595-04199-23                                           2023262c2
    1                        A bill to be entitled                      
    2         An act relating to technology transparency; creating
    3         s. 112.23, F.S.; defining terms; prohibiting officers
    4         or salaried employees of governmental entities from
    5         using their positions or state resources to make
    6         certain requests of social media platforms;
    7         prohibiting governmental entities from initiating or
    8         maintaining agreements or working relationships with
    9         social media platforms under a specified circumstance;
   10         providing exceptions; providing directives to the
   11         Division of Law Revision; creating s. 501.701, F.S.;
   12         providing a short title; creating s. 501.702, F.S.;
   13         defining terms; creating s. 501.703, F.S.; providing
   14         applicability; creating s. 501.704, F.S.; providing
   15         exemptions; creating s. 501.705, F.S.; providing that
   16         a consumer may submit requests to controllers to
   17         exercise specified rights; requiring controllers to
   18         comply with certain authenticated consumer requests;
   19         creating s. 501.706, F.S.; providing timeframes within
   20         which controllers must respond to consumer requests;
   21         providing notice requirements for controllers that
   22         cannot take action regarding a consumer’s request;
   23         providing that controllers are not required to comply
   24         with certain consumer requests; providing notice
   25         requirements for controllers’ compliance with consumer
   26         requests; requiring responses to consumer requests to
   27         be made free of charge; providing exceptions;
   28         specifying the methods by which controllers may be
   29         considered to be in compliance with consumer requests
   30         for the controller to delete their personal data;
   31         creating s. 501.707, F.S.; requiring controllers to
   32         establish a process for consumers to appeal the
   33         controller’s refusal to take action on the consumer’s
   34         request within a specified timeframe; providing
   35         requirements for such process; creating s. 501.708,
   36         F.S.; providing that contracts or agreements that
   37         waive or limit specified consumer rights are void and
   38         unenforceable; creating s. 501.709, F.S.; requiring
   39         controllers to establish methods for submitting
   40         consumer requests; prohibiting controllers from
   41         requiring consumers to create new accounts to exercise
   42         their consumer rights; requiring controllers to
   43         provide a certain mechanism on their websites for
   44         consumers to submit certain requests; creating s.
   45         501.71, F.S.; requiring controllers to limit the
   46         collection of personal data according to certain
   47         parameters; requiring controllers to establish,
   48         implement, and maintain specified practices regarding
   49         personal data; prohibiting controllers from taking
   50         certain actions regarding a consumer’s personal data;
   51         prohibiting controllers from discriminating against
   52         consumers exercising their consumer rights; providing
   53         construction; requiring a controller that operates a
   54         search engine to make certain information available on
   55         its webpage; creating s. 501.711, F.S.; requiring
   56         controllers to provide consumers with privacy notices
   57         that meet certain requirements; requiring controllers
   58         that engage in the sale of sensitive or biometric
   59         personal data to provide notices that meet certain
   60         requirements; requiring controllers that sell personal
   61         data or process personal data for targeted advertising
   62         to disclose certain information; prohibiting
   63         controllers from collecting additional categories of
   64         personal information or using such information for
   65         additional purposes without providing specified
   66         notice; creating s. 501.712, F.S.; requiring
   67         processors to adhere to controller instructions and to
   68         assist the controller in meeting or complying with
   69         certain requirements; providing requirements for
   70         contracts between controllers and processors regarding
   71         data processing procedures; providing construction;
   72         providing that the determination of whether a person
   73         is acting as a controller or processor is a fact-based
   74         determination; creating s. 501.713, F.S.; requiring
   75         controllers to conduct and document data protection
   76         assessments of specified processing activities
   77         involving personal data; providing requirements for
   78         such assessments; providing applicability; creating s.
   79         501.714, F.S.; requiring controllers in possession of
   80         deidentified data to take certain actions; providing
   81         construction; providing that specified consumer rights
   82         and controller duties do not apply to pseudonymous
   83         data or aggregate consumer information under certain
   84         circumstances; requiring controllers that disclose
   85         pseudonymous data, deidentified data, or aggregate
   86         consumer information to exercise reasonable oversight
   87         and take appropriate steps to address breaches of
   88         contractual agreements; creating s. 501.715, F.S.;
   89         requiring certain persons to receive consumer consent
   90         before engaging in the sale of sensitive personal
   91         data; requiring a specified notice; providing for
   92         penalties; creating s. 501.716, F.S.; providing
   93         exemptions for specified controller or processor uses
   94         of consumer personal data; providing that controllers
   95         or processors may provide personal data concerning a
   96         consumer to certain covered persons; creating s.
   97         501.717, F.S.; authorizing controllers and processors
   98         to collect, use, or retain data for specified
   99         purposes; providing that certain requirements do not
  100         apply if such compliance would violate certain laws;
  101         creating s. 501.718, F.S.; providing circumstances
  102         under which processors are not in violation of this
  103         act for the disclosure of personal data to a third
  104         party controller or processor; providing that third
  105         party controllers or processors that comply with this
  106         part are not liable for violations committed by
  107         controllers or processors from whom they receive
  108         personal data; creating s. 501.719, F.S.; providing
  109         requirements for the processing of certain personal
  110         data by controllers; requiring controllers and
  111         processors to adopt and implement a retention schedule
  112         that meets certain requirements; requiring controllers
  113         or processors that process certain personal data to
  114         demonstrate that such processing qualifies for a
  115         specified exemption; creating s. 501.72, F.S.;
  116         authorizing the Department of Legal Affairs to bring
  117         an action under the Florida Deceptive and Unfair Trade
  118         Practices Act for violations of the act; providing for
  119         civil penalties; providing for enhanced civil
  120         penalties for certain violations; authorizing the
  121         department to grant a specified timeframe within which
  122         an alleged violation may be cured; providing an
  123         exception; providing certain factors the department
  124         may take into consideration; requiring the department
  125         to make a report regarding certain enforcement actions
  126         publicly available on the department’s website;
  127         providing requirements for the report; requiring the
  128         department to adopt rules; authorizing the department
  129         to collaborate and cooperate with specified
  130         enforcement authorities; specifying that the act does
  131         not create a private cause of action; authorizing the
  132         department to employ or use outside legal counsel for
  133         specified purposes; providing for jurisdiction;
  134         creating s. 501.721, F.S.; declaring that the act is a
  135         matter of statewide concern; preempting the
  136         collection, processing, sharing, and sale of consumer
  137         personal data to the state; amending s. 501.171, F.S.;
  138         revising the definition of the term “personal
  139         information”; amending s. 16.53, F.S.; requiring that
  140         certain attorney fees, costs, and penalties recovered
  141         by the Attorney General be deposited in the Legal
  142         Affairs Revolving Trust Fund; providing an effective
  143         date.
  145  Be It Enacted by the Legislature of the State of Florida:
  147         Section 1. Section 112.23, Florida Statutes, is created to
  148  read:
  149         112.23 Government-directed content moderation of social
  150  media platforms prohibited.—
  151         (1) As used in this section, the term:
  152         (a)“Governmental entity” means any state, county,
  153  district, authority, or municipal officer, department, division,
  154  board, bureau, commission, or other separate unit of government
  155  created or established by law, including, but not limited to,
  156  the Commission on Ethics, the Public Service Commission, the
  157  Office of Public Counsel, and any other public or private
  158  agency, person, partnership, corporation, or business entity
  159  acting on behalf of any public agency.
  160         (b) “Social media platform” means a form of electronic
  161  communication through which users create online communities to
  162  share information, ideas, personal messages, and other content.
  163         (2) An officer or a salaried employee of a governmental
  164  entity may not use his or her position or any state resources to
  165  communicate with a social media platform to request the social
  166  media platform to remove content or accounts from the social
  167  media platform.
  168         (3)A governmental entity, or an officer or a salaried
  169  employee acting on behalf of a governmental entity, may not
  170  initiate or maintain any agreements or working relationships
  171  with a social media platform for the purpose of content
  172  moderation.
  173         (4)Subsections (2) and (3) do not apply if the
  174  governmental entity or an officer or a salaried employee acting
  175  on behalf of a governmental entity is acting as part of any of
  176  the following:
  177         (a) Routine account management of the governmental entity’s
  178  account, including, but not limited to, the removal or revision
  179  of the governmental entity’s content or account or
  180  identification of accounts falsely posing as a governmental
  181  entity, officer, or salaried employee.
  182         (b)An attempt to remove content that pertains to the
  183  commission of a crime or violation of this state’s public
  184  records law.
  185         (c)An attempt to remove an account that pertains to the
  186  commission of a crime or violation of this state’s public
  187  records law.
  188         (d)An investigation or inquiry related to an effort to
  189  prevent imminent bodily harm, loss of life, or property damage.
  190         Section 2. The Division of Law Revision is directed to:
  191         (1)Redesignate current parts V, VI, and VII of chapter
  192  501, Florida Statutes, as parts VI, VII, and VIII of chapter
  193  501, Florida Statutes, respectively; and
  194         (2)Create a new part V of chapter 501, Florida Statutes,
  195  consisting of ss. 501.701-501.721, Florida Statutes, entitled
  196  “Data Privacy and Security.”
  197         Section 3. Section 501.701, Florida Statutes, is created to
  198  read:
  199         501.701 Short title.—This part may be cited as the “Florida
  200  Digital Bill of Rights.”
  201         Section 4. Section 501.702, Florida Statutes, is created to
  202  read:
  203         501.702 Definitions.—As used in this part, the term:
  204         (1)“Affiliate” means a legal entity that controls, is
  205  controlled by, or is under common control with another legal
  206  entity or that shares common branding with another legal entity.
  207  For purposes of this subsection, the term “control” or
  208  “controlled” means any of the following:
  209         (a)The ownership of, or power to vote, more than 50
  210  percent of the outstanding shares of any class of voting
  211  security of a company.
  212         (b)The control in any manner over the election of a
  213  majority of the directors or of individuals exercising similar
  214  functions.
  215         (c)The power to exercise controlling influence over the
  216  management of a company.
  217         (2)“Aggregate consumer information” means information that
  218  relates to a group or category of consumers, from which the
  219  identity of an individual consumer has been removed and is not
  220  reasonably capable of being directly or indirectly associated or
  221  linked with any consumer, household, or device. The term does
  222  not include information about a group or category of consumers
  223  used to facilitate targeted advertising or the display of ads
  224  online. The term does not include personal information that has
  225  been deidentified.
  226         (3)“Authenticate” or “authenticated” means to verify or
  227  the state of having been verified, respectively, through
  228  reasonable means that the consumer who is entitled to exercise
  229  the consumer’s rights under s. 501.705 is the same consumer
  230  exercising those consumer rights with respect to the personal
  231  data at issue.
  232         (4)“Biometric data” means data generated by automatic
  233  measurements of an individual’s biological characteristics. The
  234  term includes fingerprints, voiceprints, eye retinas or irises,
  235  or other unique biological patterns or characteristics used to
  236  identify a specific individual. The term does not include
  237  physical or digital photographs, video or audio recordings or
  238  data generated from video or audio recordings, or information
  239  collected, used, or stored for health care treatment, payment,
  240  or operations under the Health Insurance Portability and
  241  Accountability Act of 1996, 42 U.S.C. ss. 1320d et seq.
  242         (5)“Business associate” has the same meaning as in 45
  243  C.F.R. s. 160.103 and the Health Insurance Portability and
  244  Accountability Act of 1996, 42 U.S.C. ss. 1320d et seq.
  245         (6)“Child” means an individual younger than 18 years of
  246  age.
  247         (7)“Consent,” when referring to a consumer, means a clear
  248  affirmative act signifying a consumer’s freely given, specific,
  249  informed, and unambiguous agreement to process personal data
  250  relating to the consumer. The term includes a written statement,
  251  including a statement written by electronic means, or any other
  252  unambiguous affirmative act. The term does not include any of
  253  the following:
  254         (a)Acceptance of a general or broad terms of use or
  255  similar document that contains descriptions of personal data
  256  processing along with other, unrelated information.
  257         (b)Hovering over, muting, pausing, or closing a given
  258  piece of content.
  259         (c)Agreement obtained through the use of dark patterns.
  260         (8)“Consumer” means an individual who is a resident of or
  261  is domiciled in this state acting only in an individual or
  262  household context. The term does not include an individual
  263  acting in a commercial or employment context.
  264         (9)“Controller” means
  265         (a)A sole proprietorship, partnership, limited liability
  266  company, corporation, association, or legal entity that meets
  267  the following requirements:
  268         1.Is organized or operated for the profit or financial
  269  benefit of its shareholders or owners;
  270         2.Conducts business in this state;
  271         3.Collects personal data about consumers, or is the entity
  272  on behalf of which such information is collected;
  273         4.Determines the purposes and means of processing personal
  274  data about consumers alone or jointly with others;
  275         5.Makes in excess of $1 billion in global gross annual
  276  revenues; and
  277         6.Satisfies at least one of the following:
  278         a.Derives 50 percent or more of its global gross annual
  279  revenues from the sale of advertisements, including providing
  280  targeted advertising or the sale of ads online;
  281         b.Operates a consumer smart speaker and voice command
  282  component service with an integrated virtual assistant connected
  283  to a cloud computing service that uses hands-free verbal
  284  activation. For purposes of this sub-subparagraph, a consumer
  285  smart speaker and voice command component service does not
  286  include a motor vehicle or speaker or device associated with or
  287  connected to a vehicle which is operated by a motor vehicle
  288  manufacturer or a subsidiary or affiliate thereof; or
  289         c. Operates an app store or a digital distribution platform
  290  that offers at least 250,000 different software applications for
  291  consumers to download and install.
  292         (b)Any entity that controls or is controlled by a
  293  controller. As used in this paragraph, the term “control” means:
  294         1.Ownership of, or the power to vote, more than 50 percent
  295  of the outstanding shares of any class of voting security of a
  296  controller;
  297         2.Control in any manner over the election of a majority of
  298  the directors, or of individuals exercising similar functions;
  299  or
  300         3.The power to exercise a controlling influence over the
  301  management of a company.
  302         (10)“Covered entity” has the same meaning as in 45 C.F.R.
  303  s. 160.103 and the Health Insurance Portability and
  304  Accountability Act of 1996, 42 U.S.C. ss. 1320d et seq.
  305         (11)“Dark pattern” means a user interface designed or
  306  manipulated with the effect of substantially subverting or
  307  impairing user autonomy, decisionmaking, or choice. The term
  308  includes any practice the Federal Trade Commission refers to as
  309  a dark pattern.
  310         (12)“Decision that produces a legal or similarly
  311  significant effect concerning a consumer” means a decision made
  312  by a controller which results in the provision or denial by the
  313  controller of any of the following:
  314         (a)Financial and lending services.
  315         (b)Housing, insurance, or health care services.
  316         (c)Education enrollment.
  317         (d)Employment opportunities.
  318         (e)Criminal justice.
  319         (f)Access to basic necessities, such as food and water.
  320         (13)“Deidentified data” means data that cannot reasonably
  321  be linked to an identified or identifiable individual or a
  322  device linked to that individual.
  323         (14)“Health care provider” has the same meaning as in 45
  324  C.F.R. s. 160.103 and the Health Insurance Portability and
  325  Accountability Act of 1996, 42 U.S.C. ss. 1320d et seq.
  326         (15)“Health record” means any written, printed, or
  327  electronically recorded material maintained by a health care
  328  provider in the course of providing health care services to an
  329  individual which concerns the individual and the services
  330  provided. The term includes any of the following:
  331         (a)The substance of any communication made by an
  332  individual to a health care provider in confidence during or in
  333  connection with the provision of health care services.
  334         (b)Information otherwise acquired by the health care
  335  provider about an individual in confidence and in connection
  336  with health care services provided to the individual.
  337         (16)“Identified or identifiable individual” means a
  338  consumer who can be readily identified, directly or indirectly.
  339         (17)“Known child” means a child under circumstances of
  340  which a controller has actual knowledge of, or willfully
  341  disregards, the child’s age.
  342         (18)“Nonprofit organization” means any of the following:
  343         (a)An organization exempt from federal taxation under s.
  344  501(a) of the Internal Revenue Code of 1986 by virtue of being
  345  listed as an exempt organization under s. 501(c)(3), s.
  346  501(c)(4), s. 501(c)(6), or s. 501(c)(12) of that code.
  347         (b)A political organization.
  348         (19)“Personal data” means any information, including
  349  sensitive data, which is linked or reasonably linkable to an
  350  identified or identifiable individual. The term includes
  351  pseudonymous data when the data is used by a controller or
  352  processor in conjunction with additional information that
  353  reasonably links the data to an identified or identifiable
  354  individual. The term does not include deidentified data or
  355  publicly available information.
  356         (20)“Political organization” means a party, a committee,
  357  an association, a fund, or any other organization, regardless of
  358  whether incorporated, organized and operated primarily for the
  359  purpose of influencing or attempting to influence any of the
  360  following:
  361         (a)The selection, nomination, election, or appointment of
  362  an individual to a federal, state, or local public office or an
  363  office in a political organization, regardless of whether the
  364  individual is selected, nominated, elected, or appointed.
  365         (b)The election of a presidential or vice-presidential
  366  elector, regardless of whether the elector is selected,
  367  nominated, elected, or appointed.
  368         (21)“Postsecondary education institution means a Florida
  369  College System institution, state university, or nonpublic
  370  postsecondary education institution that receives state funds.
  371         (22)“Precise geolocation data” means information derived
  372  from technology, including global positioning system level
  373  latitude and longitude coordinates or other mechanisms, which
  374  directly identifies the specific location of an individual with
  375  precision and accuracy within a radius of 1,750 feet. The term
  376  does not include the content of communications or any data
  377  generated by or connected to an advanced utility metering
  378  infrastructure system or to equipment for use by a utility.
  379         (23)“Process” or “processing” means an operation or set of
  380  operations performed, whether by manual or automated means, on
  381  personal data or on sets of personal data, such as the
  382  collection, use, storage, disclosure, analysis, deletion, or
  383  modification of personal data.
  384         (24)“Processor” means a person who processes personal data
  385  on behalf of a controller.
  386         (25)“Profiling” means any form of solely automated
  387  processing performed on personal data to evaluate, analyze, or
  388  predict personal aspects related to an identified or
  389  identifiable individual’s economic situation, health, personal
  390  preferences, interests, reliability, behavior, location, or
  391  movements.
  392         (26)“Protected health information” has the same meaning as
  393  in 45 C.F.R. s. 160.103 and the Health Insurance Portability and
  394  Accountability Act of 1996, 42 U.S.C. ss. 1320d et seq.
  395         (27)“Pseudonymous data” means any information that cannot
  396  be attributed to a specific individual without the use of
  397  additional information, provided that the additional information
  398  is kept separately and is subject to appropriate technical and
  399  organizational measures to ensure that the personal data is not
  400  attributed to an identified or identifiable individual.
  401         (28)“Publicly available information” means information
  402  lawfully made available through government records, or
  403  information that a business has a reasonable basis for believing
  404  is lawfully made available to the general public through widely
  405  distributed media, by a consumer, or by a person to whom a
  406  consumer has disclosed the information, unless the consumer has
  407  restricted the information to a specific audience.
  408         (29)“Sale of personal data” means the sharing, disclosing,
  409  or transferring of personal data for monetary or other valuable
  410  consideration by the controller to a third party. The term does
  411  not include any of the following:
  412         (a)The disclosure of personal data to a processor who
  413  processes the personal data on the controller’s behalf.
  414         (b)The disclosure of personal data to a third party for
  415  purposes of providing a product or service requested by the
  416  consumer.
  417         (c)The disclosure of information that the consumer:
  418         1.Intentionally made available to the general public
  419  through a mass media channel; and
  420         2.Did not restrict to a specific audience.
  421         (d)The disclosure or transfer of personal data to a third
  422  party as an asset that is part of a merger or an acquisition.
  423         (30) “Search engine” means technology and systems that use
  424  algorithms to sift through and index vast third-party websites
  425  and content on the Internet in response to search queries
  426  entered by a user. The term does not include the license of
  427  search functionality for the purpose of enabling the licensee to
  428  operate a third-party search engine service in circumstances
  429  where the licensee does not have legal or operational control of
  430  the search algorithm, the index from which results are
  431  generated, or the ranking order in which the results are
  432  provided.
  433         (31)“Sensitive data” means a category of personal data
  434  which includes any of the following:
  435         (a)Personal data revealing an individual’s racial or
  436  ethnic origin, religious beliefs, mental or physical health
  437  diagnosis, sexual orientation, or citizenship or immigration
  438  status.
  439         (b)Genetic or biometric data processed for the purpose of
  440  uniquely identifying an individual.
  441         (c)Personal data collected from a known child.
  442         (d)Precise geolocation data.
  443         (32)“State agency” means any department, commission,
  444  board, office, council, authority, or other agency in the
  445  executive branch of state government created by the State
  446  Constitution or state law. The term includes a postsecondary
  447  education institution.
  448         (33)“Targeted advertising” means displaying to a consumer
  449  an advertisement selected based on personal data obtained from
  450  that consumer’s activities over time and across nonaffiliated
  451  websites or online applications to predict the consumer’s
  452  preferences or interests. The term does not include any of the
  453  following:
  454         (a)An advertisement that is:
  455         1.Based on activities within a controller’s own website or
  456  online application;
  457         2.Based on the context of a consumer’s current search
  458  query, visit to a website, or use of an online application; or
  459         3.Directed to a consumer in response to the consumer’s
  460  request for information or feedback.
  461         (b)The processing of personal data solely for measuring or
  462  reporting advertising performance, reach, or frequency.
  463         (34)“Third party” means a person, other than the consumer,
  464  the controller, the processor, or an affiliate of the controller
  465  or processor.
  466         (35)Trade secret has the same meaning as in s. 812.081.
  467         (36)“Voice recognition feature” means the function of a
  468  device which enables the collection, recording, storage,
  469  analysis, transmission, interpretation, or other use of spoken
  470  words or other sounds.
  471         Section 5. Section 501.703, Florida Statutes, is created to
  472  read:
  473         501.703 Applicability.—
  474         (1)This part applies only to a person who:
  475         (a)Conducts business in this state or produces a product
  476  or service used by residents of this state; and
  477         (b)Processes or engages in the sale of personal data.
  478         (2)This part does not apply to any of the following:
  479         (a)A state agency or a political subdivision of the state.
  480         (b)A financial institution or data subject to Title V,
  481  Gramm-Leach-Bliley Act, 15 U.S.C. ss. 6801 et seq.
  482         (c)A covered entity or business associate governed by the
  483  privacy, security, and breach notification regulations issued by
  484  the United States Department of Health and Human Services, 45
  485  C.F.R. parts 160 and 164, established under the Health Insurance
  486  Portability and Accountability Act of 1996, 42 U.S.C. ss. 1320d
  487  et seq., and the Health Information Technology for Economic and
  488  Clinical Health Act, Division A, Title XIII and Division B,
  489  Title IV, Pub. L. No. 111-5.
  490         (d)A nonprofit organization.
  491         (e)A postsecondary education institution.
  492         (3)This part does not apply to the processing of personal
  493  data by a person in the course of a purely personal or household
  494  activity.
  495         (4)A controller or processor that complies with the
  496  authenticated parental consent requirements of the Children’s
  497  Online Privacy Protection Act, 15 U.S.C. ss. 6501 et seq., with
  498  respect to data collected online, is considered to be in
  499  compliance with any requirement to obtain parental consent under
  500  this part.
  501         Section 6. Section 501.704, Florida Statutes, is created to
  502  read:
  503         501.704 Exemptions.—All of the following information is
  504  exempt from this part:
  505         (1)Protected health information under the Health Insurance
  506  Portability and Accountability Act of 1996, 42 U.S.C. ss. 1320d
  507  et seq.
  508         (2)Health records.
  509         (3)Patient identifying information for purposes of 42
  510  U.S.C. s. 290dd-2.
  511         (4)Identifiable private information:
  512         (a)For purposes of the federal policy for the protection
  513  of human subjects under 45 C.F.R. part 46;
  514         (b)Collected as part of human subjects research under the
  515  good clinical practice guidelines issued by the International
  516  Council for Harmonisation of Technical Requirements for
  517  Pharmaceuticals for Human Use or the protection of human
  518  subjects under 21 C.F.R. parts 50 and 56; or
  519         (c)That is personal data used or shared in research
  520  conducted in accordance with this part or other research
  521  conducted in accordance with applicable law.
  522         (5)Information and documents created for purposes of the
  523  Health Care Quality Improvement Act of 1986, 42 U.S.C. ss. 11101
  524  et seq.
  525         (6)Patient safety work product for purposes of the Patient
  526  Safety and Quality Improvement Act of 2005, 42 U.S.C. ss. 299b
  527  21 et seq.
  528         (7)Information derived from any of the health care-related
  529  information listed in this section which is deidentified in
  530  accordance with the requirements for deidentification under the
  531  Health Insurance Portability and Accountability Act of 1996, 42
  532  U.S.C. ss. 1320d et seq.
  533         (8)Information originating from, and intermingled to be
  534  indistinguishable with, or information treated in the same
  535  manner as, information exempt under this section which is
  536  maintained by a covered entity or business associate as defined
  537  by the Health Insurance Portability and Accountability Act of
  538  1996, 42 U.S.C. ss. 1320d et seq. or by a program or a qualified
  539  service organization as defined by 42 U.S.C. s. 290dd-2.
  540         (9)Information included in a limited data set as described
  541  by 45 C.F.R. s. 164.514(e), to the extent that the information
  542  is used, disclosed, and maintained in the manner specified by 45
  543  C.F.R. s. 164.514(e).
  544         (10) Information used only for public health activities and
  545  purposes as described in 45 C.F.R. s. 164.512.
  546         (11)Information collected or used only for public health
  547  activities and purposes as authorized by the Health Insurance
  548  Portability and Accountability Act of 1996, 42 U.S.C. ss. 1320d
  549  et seq.
  550         (12)The collection, maintenance, disclosure, sale,
  551  communication, or use of any personal data bearing on a
  552  consumer’s creditworthiness, credit standing, credit capacity,
  553  character, general reputation, personal characteristics, or mode
  554  of living by a consumer reporting agency or furnisher that
  555  provides information for use in a consumer report, or by a user
  556  of a consumer report, but only to the extent that the activity
  557  is regulated by and authorized under the Fair Credit Reporting
  558  Act, 15 U.S.C. ss. 1681 et seq.
  559         (13)Personal data collected, processed, sold, or disclosed
  560  in compliance with the Driver’s Privacy Protection Act of 1994,
  561  18 U.S.C. ss. 2721 et seq.
  562         (14)Personal data regulated by the Family Educational
  563  Rights and Privacy Act of 1974, 20 U.S.C. s. 1232g.
  564         (15)Personal data collected, processed, sold, or disclosed
  565  in compliance with the Farm Credit Act of 1971, 12 U.S.C. ss.
  566  2001 et seq.
  567         (16)Data processed or maintained in the course of an
  568  individual applying to, being employed by, or acting as an agent
  569  or independent contractor of a controller, processor, or third
  570  party, to the extent that the data is collected and used within
  571  the context of that role.
  572         (17)Data processed or maintained as the emergency contact
  573  information of an individual under this part which is used for
  574  emergency contact purposes.
  575         (18)Data that is processed or maintained and that is
  576  necessary to retain to administer benefits for another
  577  individual which relates to an individual described in
  578  subsection (16) and which is used for the purposes of
  579  administering those benefits.
  580         (19) Personal data collected and transmitted which is
  581  necessary for the sole purpose of sharing such personal data
  582  with a financial service provider solely to facilitate short
  583  term, transactional payment processing for the purchase of
  584  products or services.
  585         (20) Personal data collected, processed, sold, or disclosed
  586  in relation to price, route, or service as those terms are used
  587  in the Airline Deregulation Act, 49 U.S.C. ss. 40101 et seq., by
  588  entities subject to that act, to the extent the provisions of
  589  this act are preempted by 49 U.S.C. s. 41713.
  590         (21)Personal data shared between a manufacturer of a
  591  tangible product and authorized third-party distributors or
  592  vendors of the product, as long as such personal data is used
  593  solely for advertising, marketing, or servicing the product that
  594  is acquired directly through such manufacturer and such
  595  authorized third-party distributors or vendors. Such personal
  596  data may not be sold or shared unless otherwise authorized under
  597  this part.
  598         Section 7. Section 501.705, Florida Statutes, is created to
  599  read:
  600         501.705 Consumer rights.—
  601         (1)A consumer is entitled to exercise the consumer rights
  602  authorized by this section at any time by submitting a request
  603  to a controller which specifies the consumer rights that the
  604  consumer wishes to exercise. With respect to the processing of
  605  personal data belonging to a known child, a parent or legal
  606  guardian of the child may exercise these rights on behalf of the
  607  child.
  608         (2)A controller shall comply with an authenticated
  609  consumer request to exercise any of the following rights:
  610         (a)To confirm whether a controller is processing the
  611  consumer’s personal data and to access the personal data.
  612         (b)To correct inaccuracies in the consumer’s personal
  613  data, taking into account the nature of the personal data and
  614  the purposes of the processing of the consumer’s personal data.
  615         (c)To delete any or all personal data provided by or
  616  obtained about the consumer.
  617         (d)To obtain a copy of the consumer’s personal data in a
  618  portable and, to the extent technically feasible, readily usable
  619  format if the data is available in a digital format.
  620         (e)To opt out of the processing of the personal data for
  621  purposes of:
  622         1.Targeted advertising;
  623         2.The sale of personal data; or
  624         3.Profiling in furtherance of a decision that produces a
  625  legal or similarly significant effect concerning a consumer.
  626         (f) To opt out of the collection of sensitive data,
  627  including precise geolocation data, or the processing of such
  628  data.
  629         (g) To opt out of the collection of personal data collected
  630  through the operation of a voice recognition feature.
  631         Section 8. Section 501.706, Florida Statutes, is created to
  632  read:
  633         501.706 Controller response to consumer requests.—
  634         (1)Except as otherwise provided by this part, a controller
  635  shall comply with a request submitted by a consumer to exercise
  636  the consumer’s rights pursuant to s. 501.705, as provided in
  637  this section.
  638         (2)A controller shall respond to the consumer request
  639  without undue delay, which may not be later than 45 days after
  640  the date of receipt of the request. The controller may extend
  641  the response period once by an additional 15 days when
  642  reasonably necessary, taking into account the complexity and
  643  number of the consumer’s requests, so long as the controller
  644  informs the consumer of the extension within the initial 45-day
  645  response period, together with the reason for the extension.
  646         (3)If a controller cannot take action regarding the
  647  consumer’s request, the controller must inform the consumer
  648  without undue delay, which may not be later than 45 days after
  649  the date of receipt of the request, of the justification for the
  650  inability to take action on the request and provide instructions
  651  on how to appeal the decision in accordance with s. 501.707. A
  652  controller is not required to comply with a consumer request
  653  submitted under s. 501.705 if the controller cannot authenticate
  654  the request. However, the controller must make a reasonable
  655  effort to request that the consumer provide additional
  656  information reasonably necessary to authenticate the consumer
  657  and the consumer’s request. If a controller maintains a self
  658  service mechanism to allow a consumer to correct certain
  659  personal data, the controller may deny the consumer’s request
  660  and require the consumer to correct his or her own personal data
  661  through such mechanism.
  662         (4) A controller must provide the consumer with notice
  663  within 60 days after the request is received that the controller
  664  has complied with the consumer’s request as required in this
  665  section.
  666         (5)A controller shall provide information or take action
  667  in response to a consumer request free of charge, at least twice
  668  annually per consumer. If a request from a consumer is
  669  manifestly unfounded, excessive, or repetitive, the controller
  670  may charge the consumer a reasonable fee to cover the
  671  administrative costs of complying with the request or may
  672  decline to act on the request. The controller bears the burden
  673  of demonstrating for purposes of this subsection that a request
  674  is manifestly unfounded, excessive, or repetitive.
  675         (6)A controller who has obtained personal data about a
  676  consumer from a source other than the consumer is considered in
  677  compliance with a consumer’s request to delete that personal
  678  data pursuant to s. 501.705(2)(c), by doing any of the
  679  following:
  680         (a)Deleting the personal data, retaining a record of the
  681  deletion request and the minimum data necessary for the purpose
  682  of ensuring that the consumer’s personal data remains deleted
  683  from the business’s records, and not using the retained data for
  684  any other purpose under this part.
  685         (b)Opting the consumer out of the processing of that
  686  personal data for any purpose other than a purpose exempt under
  687  this part.
  688         Section 9. Section 501.707, Florida Statutes, is created to
  689  read:
  690         501.707 Appeal.—
  691         (1)A controller shall establish a process for a consumer
  692  to appeal the controller’s refusal to take action on a request
  693  within a reasonable period of time after the consumer’s receipt
  694  of the decision under s. 501.706(3).
  695         (2)The appeal process must be conspicuously available and
  696  similar to the process for initiating action to exercise
  697  consumer rights by submitting a request under s. 501.705.
  698         (3)A controller shall inform the consumer in writing of
  699  any action taken or not taken in response to an appeal under
  700  this section within 60 days after the date of receipt of the
  701  appeal, including a written explanation of the reason or reasons
  702  for the decision.
  703         Section 10. Section 501.708, Florida Statutes, is created
  704  to read:
  705         501.708 Waiver or limitation of consumer rights
  706  prohibited.—Any provision of a contract or agreement which
  707  waives or limits in any way a consumer right described by s.
  708  501.705, s. 501.706, or s. 501.707 is contrary to public policy
  709  and is void and unenforceable.
  710         Section 11. Section 501.709, Florida Statutes, is created
  711  to read:
  712         501.709 Submitting consumer requests.—
  713         (1)A controller shall establish two or more methods to
  714  enable consumers to submit a request to exercise their consumer
  715  rights under this part. The methods must be secure, reliable,
  716  and clearly and conspicuously accessible. The methods must take
  717  all of the following into account:
  718         (a)The ways in which consumers normally interact with the
  719  controller.
  720         (b)The necessity for secure and reliable communications of
  721  these requests.
  722         (c)The ability of the controller to authenticate the
  723  identity of the consumer making the request.
  724         (2)A controller may not require a consumer to create a new
  725  account to exercise the consumer’s rights under this part but
  726  may require a consumer to use an existing account.
  727         (3)A controller shall provide a mechanism on its website
  728  for a consumer to submit a request for information required to
  729  be disclosed under this part. A controller that operates
  730  exclusively online and has a direct relationship with a consumer
  731  from whom the controller collects personal data may also provide
  732  an e-mail address for the submission of requests.
  733         Section 12. Section 501.71, Florida Statutes, is created to
  734  read:
  735         501.71 Controller duties.—
  736         (1)A controller shall:
  737         (a)Limit the collection of personal data to data that is
  738  adequate, relevant, and reasonably necessary in relation to the
  739  purposes for which it is processed, as disclosed to the
  740  consumer; and
  741         (b)For purposes of protecting the confidentiality,
  742  integrity, and accessibility of personal data, establish,
  743  implement, and maintain reasonable administrative, technical,
  744  and physical data security practices appropriate to the volume
  745  and nature of the personal data at issue.
  746         (2)A controller may not do any of the following:
  747         (a)Except as otherwise provided by this part, process
  748  personal data for a purpose that is neither reasonably necessary
  749  nor compatible with the purpose for which the personal data is
  750  processed, as disclosed to the consumer, unless the controller
  751  obtains the consumer’s consent.
  752         (b)Process personal data in violation of state or federal
  753  laws that prohibit unlawful discrimination against consumers.
  754         (c)Discriminate against a consumer for exercising any of
  755  the consumer rights contained in this part, including by denying
  756  goods or services, charging different prices or rates for goods
  757  or services, or providing a different level of quality of goods
  758  or services to the consumer. A controller may offer financial
  759  incentives, including payments to consumers as compensation, for
  760  processing of personal data if the consumer gives the controller
  761  prior consent that clearly describes the material terms of the
  762  financial incentive program and provided that such incentive
  763  practices are not unjust, unreasonable, coercive, or usurious in
  764  nature. The consent may be revoked by the consumer at any time.
  765         (d)Process the sensitive data of a consumer without
  766  obtaining the consumer’s consent, or, in the case of processing
  767  the sensitive data of a known child, without processing that
  768  data with the affirmative authorization for such processing by a
  769  known child who is between 13 and 18 years of age or in
  770  accordance with the Children’s Online Privacy Protection Act, 15
  771  U.S.C. ss. 6501 et seq. for a known child under the age of 13.
  772         (3)Paragraph (2)(c) may not be construed to require a
  773  controller to provide a product or service that requires the
  774  personal data of a consumer which the controller does not
  775  collect or maintain or to prohibit a controller from offering a
  776  different price, rate, level, quality, or selection of goods or
  777  services to a consumer, including offering goods or services for
  778  no fee, if the consumer has exercised the consumer’s right to
  779  opt out under s. 501.705(2) or the offer is related to a
  780  consumer’s voluntary participation in a bona fide loyalty,
  781  rewards, premium features, discounts, or club card program.
  782         (4)A controller that operates a search engine shall make
  783  available, in an easily accessible location on the webpage which
  784  does not require a consumer to log in or register to read, an
  785  up-to-date plain language description of the main parameters
  786  that are individually or collectively the most significant in
  787  determining ranking and the relative importance of those main
  788  parameters, including the prioritization or deprioritization of
  789  political partisanship or political ideology in search results.
  790  Algorithms are not required to be disclosed nor is any other
  791  information that, with reasonable certainty, would enable
  792  deception of or harm to consumers through the manipulation of
  793  search results.
  794         Section 13. Section 501.711, Florida Statutes, is created
  795  to read:
  796         501.711Privacy notices.—
  797         (1)A controller shall provide consumers with a reasonably
  798  accessible and clear privacy notice, updated at least annually,
  799  that includes all of the following information:
  800         (a)The categories of personal data processed by the
  801  controller, including, if applicable, any sensitive data
  802  processed by the controller.
  803         (b)The purpose of processing personal data.
  804         (c)How consumers may exercise their rights under s.
  805  501.705(2), including the process by which a consumer may appeal
  806  a controller’s decision with regard to the consumer’s request.
  807         (d)If applicable, the categories of personal data that the
  808  controller shares with third parties.
  809         (e)If applicable, the categories of third parties with
  810  whom the controller shares personal data.
  811         (f)A description of the methods specified in s. 501.709,
  812  by which consumers can submit requests to exercise their
  813  consumer rights under this part.
  814         (2)If a controller engages in the sale of personal data
  815  that is sensitive data, the controller must provide the
  816  following notice: “NOTICE: This website may sell your sensitive
  817  personal data.” The notice must be posted in accordance with
  818  subsection (1).
  819         (3)If a controller engages in the sale of personal data
  820  that is biometric data, the controller must provide the
  821  following notice: “NOTICE: This website may sell your biometric
  822  personal data.” The notice must be posted in accordance with
  823  subsection (1).
  824         (4)If a controller sells personal data to third parties or
  825  processes personal data for targeted advertising, the controller
  826  must clearly and conspicuously disclose that process and the
  827  manner in which a consumer may exercise the right to opt out of
  828  that process.
  829         (5)A controller may not collect additional categories of
  830  personal information or use personal information collected for
  831  additional purposes without providing the consumer with notice
  832  consistent with this section.
  833         Section 14. Section 501.712, Florida Statutes, is created
  834  to read:
  835         501.712 Duties of processor.—
  836         (1)A processor shall adhere to the instructions of a
  837  controller and shall assist the controller in meeting or
  838  complying with the controller’s duties under this section and
  839  the requirements of this part, including the following:
  840         (a)Assisting the controller in responding to consumer
  841  rights requests submitted pursuant to ss. 501.705 and 501.709,
  842  by using appropriate technical and organizational measures, as
  843  reasonably practicable, taking into account the nature of
  844  processing and the information available to the processor.
  845         (b)Assisting the controller with regard to complying with
  846  the requirement relating to the security of processing personal
  847  data and to the notification of a breach of security of the
  848  processor’s system under s. 501.171, taking into account the
  849  nature of processing and the information available to the
  850  processor.
  851         (c)Providing necessary information to enable the
  852  controller to conduct and document data protection assessments
  853  under s. 501.713.
  854         (2)A contract between a controller and a processor governs
  855  the processor’s data processing procedures with respect to
  856  processing performed on behalf of the controller. The contract
  857  must include all of the following information:
  858         (a)Clear instructions for processing data.
  859         (b)The nature and purpose of processing.
  860         (c)The type of data subject to processing.
  861         (d)The duration of processing.
  862         (e)The rights and obligations of both parties.
  863         (f)A requirement that the processor:
  864         1.Ensure that each person processing personal data is
  865  subject to a duty of confidentiality with respect to the data;
  866         2.At the controller’s direction, delete or return all
  867  personal data to the controller as requested after the provision
  868  of the service is completed, unless retention of the personal
  869  data is required by law;
  870         3.Make available to the controller, upon reasonable
  871  request, all information in the processor’s possession necessary
  872  to demonstrate the processor’s compliance with this part;
  873         4.Allow, and cooperate with, reasonable assessments by the
  874  controller or the controller’s designated assessor; and
  875         5.Engage any subcontractor pursuant to a written contract
  876  that requires the subcontractor to meet the requirements of the
  877  processor with respect to the personal data.
  878         (3)Notwithstanding subparagraph (2)(f)4., a processor may
  879  arrange for a qualified and independent assessor to conduct an
  880  assessment of the processor’s policies and technical and
  881  organizational measures in support of the requirements under
  882  this part using an appropriate and accepted control standard or
  883  framework and assessment procedure. The processor shall provide
  884  a report of the assessment to the controller upon request.
  885         (4)This section may not be construed to relieve a
  886  controller or a processor from the liabilities imposed on the
  887  controller or processor by virtue of its role in the processing
  888  relationship as described by this part.
  889         (5)A determination as to whether a person is acting as a
  890  controller or processor with respect to a specific processing of
  891  data is a fact-based determination that depends on the context
  892  in which personal data is to be processed. A processor that
  893  continues to adhere to a controller’s instructions with respect
  894  to a specific processing of personal data remains in the role of
  895  a processor.
  896         Section 15. Section 501.713, Florida Statutes, is created
  897  to read:
  898         501.713 Data protection assessments.—
  899         (1)A controller shall conduct and document a data
  900  protection assessment of each of the following processing
  901  activities involving personal data:
  902         (a)The processing of personal data for purposes of
  903  targeted advertising.
  904         (b)The sale of personal data.
  905         (c)The processing of personal data for purposes of
  906  profiling if the profiling presents a reasonably foreseeable
  907  risk of:
  908         1.Unfair or deceptive treatment of or unlawful disparate
  909  impact on consumers;
  910         2.Financial, physical, or reputational injury to
  911  consumers;
  912         3.A physical or other intrusion on the solitude or
  913  seclusion, or the private affairs or concerns, of consumers, if
  914  the intrusion would be offensive to a reasonable person; or
  915         4.Other substantial injury to consumers.
  916         (d)The processing of sensitive data.
  917         (e)Any processing activities involving personal data which
  918  present a heightened risk of harm to consumers.
  919         (2)A data protection assessment conducted under subsection
  920  (1) must do all of the following:
  921         (a)Identify and weigh the direct or indirect benefits that
  922  may flow from the processing to the controller, the consumer,
  923  other stakeholders, and the public against the potential risks
  924  to the rights of the consumer associated with that processing,
  925  as mitigated by safeguards that can be employed by the
  926  controller to reduce such risks.
  927         (b)Factor into the assessment:
  928         1.The use of deidentified data;
  929         2.The reasonable expectations of consumers;
  930         3.The context of the processing; and
  931         4.The relationship between the controller and the consumer
  932  whose personal data will be processed.
  933         (3)The disclosure of a data protection assessment in
  934  compliance with a request from the Attorney General pursuant to
  935  s. 501.72 does not constitute a waiver of attorney-client
  936  privilege or work product protection with respect to the
  937  assessment and any information contained in the assessment.
  938         (4)A single data protection assessment may address a
  939  comparable set of processing operations which include similar
  940  activities.
  941         (5)A data protection assessment conducted by a controller
  942  for the purpose of compliance with any other law or regulation
  943  may constitute compliance with the requirements of this section
  944  if the assessment has a reasonably comparable scope and effect.
  945         (6)This section applies only to processing activities
  946  generated on or after July 1, 2023.
  947         Section 16. Section 501.714, Florida Statutes, is created
  948  to read:
  949         501.714 Deidentified data, pseudonymous data, and aggregate
  950  consumer information.—
  951         (1)A controller in possession of deidentified data shall
  952  do all of the following:
  953         (a)Take reasonable measures to ensure that the data cannot
  954  be associated with an individual.
  955         (b)Maintain and use the data in deidentified form. A
  956  controller may not attempt to reidentify the data, except that
  957  the controller may attempt to reidentify the data solely for the
  958  purpose of determining whether its deidentification processes
  959  satisfy the requirements of this section.
  960         (c)Contractually obligate any recipient of the
  961  deidentified data to comply with this part.
  962         (d)Implement business processes to prevent the inadvertent
  963  release of deidentified data.
  964         (2)This part may not be construed to require a controller
  965  or processor to do any of the following:
  966         (a)Reidentify deidentified data or pseudonymous data.
  967         (b)Maintain data in an identifiable form or obtain,
  968  retain, or access any data or technology for the purpose of
  969  allowing the controller or processor to associate a consumer
  970  request with personal data.
  971         (c)Comply with an authenticated consumer rights request
  972  under s. 501.705 if the controller:
  973         1.Is not reasonably capable of associating the request
  974  with the personal data or it would be unreasonably burdensome
  975  for the controller to associate the request with the personal
  976  data;
  977         2.Does not use the personal data to recognize or respond
  978  to the specific consumer who is the subject of the personal data
  979  or associate the personal data with other personal data about
  980  the same specific consumer; and
  981         3.Does not sell the personal data to a third party or
  982  otherwise voluntarily disclose the personal data to a third
  983  party other than a processor, except as otherwise authorized by
  984  this section.
  985         (3)The consumer rights enumerated under s. 501.705(2), and
  986  controller duties imposed under s. 501.71, do not apply to
  987  pseudonymous data or aggregate consumer information in cases in
  988  which the controller is able to demonstrate that any information
  989  necessary to identify the consumer is kept separate and is
  990  subject to effective technical and organizational controls that
  991  prevent the controller from accessing the information.
  992         (4)A controller that discloses pseudonymous data,
  993  deidentified data, or aggregate consumer information shall
  994  exercise reasonable oversight to monitor compliance with any
  995  contractual commitments to which the data or information is
  996  subject and shall take appropriate steps to address any breach
  997  of the contractual commitments.
  998         Section 17. Section 501.715, Florida Statutes, is created
  999  to read:
 1000         501.715 Requirements for sensitive data.—
 1001         (1)A person who meets the requirements of s.
 1002  501.702(9)(a)1., (a)2., and (a)3. for the definition of a
 1003  controller may not engage in the sale of personal data that is
 1004  sensitive data without receiving prior consent from the consumer
 1005  or, if the sensitive data is of a known child, without
 1006  processing that data with the affirmative authorization for such
 1007  processing by a known child who is between 13 and 18 years of
 1008  age or in accordance with the Children’s Online Privacy
 1009  Protection Act, 15 U.S.C. ss. 6501 et seq. for a known child
 1010  under the age of 13.
 1011         (2) A person in subsection (1) who engages in the sale of
 1012  personal data that is sensitive data must provide the following
 1013  notice: “NOTICE: This website may sell your sensitive personal
 1014  data.”
 1015         (3)A person who violates this section is subject to the
 1016  penalty imposed under s. 501.72.
 1017         Section 18. Section 501.716, Florida Statutes, is created
 1018  to read:
 1019         501.716 Exemptions for certain uses of consumer personal
 1020  data.—
 1021         (1)This part may not be construed to restrict a
 1022  controller’s or processor’s ability to do any of the following:
 1023         (a)Comply with federal or state laws, rules, or
 1024  regulations.
 1025         (b)Comply with a civil, criminal, or regulatory inquiry,
 1026  investigation, subpoena, or summons by federal, state, local, or
 1027  other governmental authorities.
 1028         (c)Investigate, establish, exercise, prepare for, or
 1029  defend legal claims.
 1030         (d)Provide a product or service specifically requested by
 1031  a consumer or the parent or guardian of a child, perform a
 1032  contract to which the consumer is a party, including fulfilling
 1033  the terms of a written warranty, or take steps at the request of
 1034  the consumer before entering into a contract.
 1035         (e)Take immediate steps to protect an interest that is
 1036  essential for the life or physical safety of the consumer or of
 1037  another individual and in which the processing cannot be
 1038  manifestly based on another legal basis.
 1039         (f)Prevent, detect, protect against, or respond to
 1040  security incidents, identity theft, fraud, harassment, malicious
 1041  or deceptive activities, or any illegal activity.
 1042         (g)Preserve the integrity or security of systems or
 1043  investigate, report, or prosecute those responsible for breaches
 1044  of system security.
 1045         (h)Engage in public or peer-reviewed scientific or
 1046  statistical research in the public interest which adheres to all
 1047  other applicable ethics and privacy laws and is approved,
 1048  monitored, and governed by an institutional review board or
 1049  similar independent oversight entity that determines:
 1050         1.Whether the deletion of the information is likely to
 1051  provide substantial benefits that do not exclusively accrue to
 1052  the controller;
 1053         2.Whether the expected benefits of the research outweigh
 1054  the privacy risks; and
 1055         3.Whether the controller has implemented reasonable
 1056  safeguards to mitigate privacy risks associated with research,
 1057  including any risks associated with reidentification.
 1058         (i)Assist another controller, processor, or third party in
 1059  complying with the requirements of this part.
 1060         (j)Disclose personal data disclosed when a consumer uses
 1061  or directs the controller to intentionally disclose information
 1062  to a third party or uses the controller to intentionally
 1063  interact with a third party. An intentional interaction occurs
 1064  when the consumer intends to interact with the third party, by
 1065  one or more deliberate interactions. Hovering over, muting,
 1066  pausing, or closing a given piece of content does not constitute
 1067  a consumer’s intent to interact with a third party.
 1068         (k)Transfer personal data to a third party as an asset
 1069  that is part of a merger, an acquisition, a bankruptcy, or other
 1070  transaction in which the third party assumes control of all or
 1071  part of the controller, provided that the information is used or
 1072  shared in a manner consistent with this part. If a third party
 1073  materially alters how it uses or shares the personal data of a
 1074  consumer in a manner that is materially inconsistent with the
 1075  commitments or promises made at the time of collection, it must
 1076  provide prior notice of the new or changed practice to the
 1077  consumer. The notice must be sufficiently prominent and robust
 1078  to ensure that consumers can easily exercise choices consistent
 1079  with this part.
 1080         (2)This part may not be construed to prevent a controller
 1081  or processor from providing personal data concerning a consumer
 1082  to a person covered by an evidentiary privilege under the laws
 1083  of this state as part of a privileged communication.
 1084         (3)This part may not be construed as imposing a
 1085  requirement on controllers and processors which adversely
 1086  affects the rights or freedoms of any person, including the
 1087  right of free speech.
 1088         (4)This part may not be construed as requiring a
 1089  controller, processor, third party, or consumer to disclose a
 1090  trade secret.
 1091         Section 19. Section 501.717, Florida Statutes, is created
 1092  to read:
 1093         501.717 Collection, use, or retention of data for certain
 1094  purposes.—
 1095         (1)The requirements imposed on controllers and processors
 1096  under this part may not restrict a controller’s or processor’s
 1097  ability to collect, use, or retain data to do any of the
 1098  following:
 1099         (a)Conduct internal research to develop, improve, or
 1100  repair products, services, or technology.
 1101         (b)Effect a product recall.
 1102         (c)Identify and repair technical errors that impair
 1103  existing or intended functionality.
 1104         (d)Perform internal operations that are:
 1105         1.Reasonably aligned with the expectations of the
 1106  consumer;
 1107         2.Reasonably anticipated based on the consumer’s existing
 1108  relationship with the controller; or
 1109         3.Otherwise compatible with processing data in furtherance
 1110  of the provision of a product or service specifically requested
 1111  by a consumer or the performance of a contract to which the
 1112  consumer is a party.
 1113         (2)A requirement imposed on a controller or processor
 1114  under this part does not apply if compliance with the
 1115  requirement by the controller or processor, as applicable, would
 1116  violate an evidentiary privilege under the laws of this state.
 1117         Section 20. Section 501.718, Florida Statutes, is created
 1118  to read:
 1119         501.718 Disclosure of personal data to third-party
 1120  controller or processor.—
 1121         (1)A controller or processor that discloses personal data
 1122  to a third-party controller or processor in compliance with the
 1123  requirements of this part does not violate this part if the
 1124  third-party controller or processor that receives and processes
 1125  that personal data violates this part, provided that, at the
 1126  time of the data’s disclosure, the disclosing controller or
 1127  processor could not have reasonably known that the recipient
 1128  intended to commit a violation.
 1129         (2)A third-party controller or processor receiving
 1130  personal data from a controller or processor in compliance with
 1131  the requirements of this part may not be held liable for
 1132  violations of this part committed by the controller or processor
 1133  from which the third-party controller or processor receives the
 1134  personal data.
 1135         Section 21. Section 501.719, Florida Statutes, is created
 1136  to read:
 1137         501.719 Processing of certain personal data by controller
 1138  or other person.—
 1139         (1)Personal data processed by a controller pursuant to ss.
 1140  501.716, 501.717, and 501.718 may not be processed for any
 1141  purpose other than those specified in those sections. Personal
 1142  data processed by a controller pursuant to ss. 501.716, 501.717,
 1143  and 501.718 may be processed to the extent that the processing
 1144  of the data is:
 1145         (a)Reasonably necessary and proportionate to the purposes
 1146  specified in ss. 501.716, 501.717, and 501.718; and
 1147         (b)Adequate, relevant, and limited to what is necessary in
 1148  relation to the purposes specified in ss. 501.716, 501.717, and
 1149  501.718.
 1150         (c) Done to assist another controller, processor, or third
 1151  party with any of the purposes specified in s. 501.716, s.
 1152  501.717, or s. 501.718.
 1153         (2)A controller or processor that collects, uses, or
 1154  retains personal data for the purposes specified in s.
 1155  501.717(1) must take into account the nature and purpose of such
 1156  collection, use, or retention. Such personal data is subject to
 1157  reasonable administrative, technical, and physical measures to
 1158  protect its confidentiality, integrity, and accessibility and to
 1159  reduce reasonably foreseeable risks of harm to consumers
 1160  relating to the collection, use, or retention of personal data.
 1161         (3)A controller or processor shall adopt and implement a
 1162  retention schedule that prohibits the use or retention of
 1163  personal data not subject to an exemption by the controller or
 1164  processor after the satisfaction of the initial purpose for
 1165  which such information was collected or obtained, after the
 1166  expiration or termination of the contract pursuant to which the
 1167  information was collected or obtained, or 2 years after the
 1168  consumer’s last interaction with the controller or processor.
 1169  This subsection does not apply to personal data reasonably used
 1170  or retained to do any of the following:
 1171         (a)Provide a good or service requested by the consumer, or
 1172  reasonably anticipate the request of such good or service within
 1173  the context of a controller’s ongoing business relationship with
 1174  the consumer.
 1175         (b)Debug to identify and repair errors that impair
 1176  existing intended functionality.
 1177         (c)Enable solely internal uses that are reasonably aligned
 1178  with the expectations of the consumer based on the consumer’s
 1179  relationship with the controller or that are compatible with the
 1180  context in which the consumer provided the information.
 1181         (4)A controller or processor that processes personal data
 1182  pursuant to ss. 501.716, 501.717, and 501.718 bears the burden
 1183  of demonstrating that the processing of the personal data
 1184  qualifies for the exemption and complies with the requirements
 1185  of this section.
 1186         Section 22. Section 501.72, Florida Statutes, is created to
 1187  read:
 1188         501.72 Enforcement and implementation by the Department of
 1189  Legal Affairs.—
 1190         (1)A violation of this part is an unfair and deceptive
 1191  trade practice actionable under part II of this chapter solely
 1192  by the Department of Legal Affairs. If the department has reason
 1193  to believe that a person is in violation of this section, the
 1194  department may, as the enforcing authority, bring an action
 1195  against such person for an unfair or deceptive act or practice.
 1196  For the purpose of bringing an action pursuant to this section,
 1197  ss. 501.211 and 501.212 do not apply. In addition to other
 1198  remedies under part II of this chapter, the department may
 1199  collect a civil penalty of up to $50,000 per violation. Civil
 1200  penalties may be tripled for any of the following violations:
 1201         (a)A violation involving a Florida consumer who is a known
 1202  child. A controller that willfully disregards the consumer’s age
 1203  is deemed to have actual knowledge of the consumer’s age.
 1204         (b)Failure to delete or correct the consumer’s personal
 1205  data pursuant to this section after receiving an authenticated
 1206  consumer request or directions from a controller to delete or
 1207  correct such personal data, unless an exception to the
 1208  requirements to delete or correct such personal data under this
 1209  section applies.
 1210         (c)Continuing to sell or share the consumer’s personal
 1211  data after the consumer chooses to opt out under this part.
 1212         (2)After the department has notified a person in writing
 1213  of an alleged violation, the department may grant a 45-day
 1214  period to cure the alleged violation and issue a letter of
 1215  guidance. The 45-day cure period does not apply to an alleged
 1216  violation of paragraph (1)(a). The department may consider the
 1217  number and frequency of violations, the substantial likelihood
 1218  of injury to the public, and the safety of persons or property
 1219  in determining whether to grant 45 calendar days to cure and the
 1220  issuance of a letter of guidance. If the alleged violation is
 1221  cured to the satisfaction of the department and proof of such
 1222  cure is provided to the department, the department may not bring
 1223  an action for the alleged violation but in its discretion may
 1224  issue a letter of guidance that indicates that the person will
 1225  not be offered a 45-day cure period for any future violations.
 1226  If the person fails to cure the alleged violation within 45
 1227  calendar days, the department may bring an action against such
 1228  person for the alleged violation.
 1229         (3)Any action brought by the department may be brought
 1230  only on behalf of a Florida consumer.
 1231         (4)By February 1 of each year, the department shall make a
 1232  report publicly available on the department’s website describing
 1233  any actions taken by the department to enforce this section. The
 1234  report must include statistics and relevant information
 1235  detailing all of the following:
 1236         (a)The number of complaints received and the categories or
 1237  types of violations alleged by the complainant.
 1238         (b)The number and type of enforcement actions taken and
 1239  the outcomes of such actions, including the amount of penalties
 1240  issued and collected.
 1241         (c)The number of complaints resolved without the need for
 1242  litigation.
 1243         (d)For the report due February 1, 2024, the status of the
 1244  development and implementation of rules to implement this
 1245  section.
 1246         (5)The department shall adopt rules to implement this
 1247  section, including standards for authenticated consumer
 1248  requests, enforcement, data security, and authorized persons who
 1249  may act on a consumer’s behalf.
 1250         (6)The department may collaborate and cooperate with other
 1251  enforcement authorities of the Federal Government or other state
 1252  governments concerning consumer data privacy issues and consumer
 1253  data privacy investigations if such enforcement authorities have
 1254  restrictions governing confidentiality at least as stringent as
 1255  the restrictions provided in this section.
 1256         (7)Liability for a tort, contract claim, or consumer
 1257  protection claim unrelated to an action brought under this
 1258  section does not arise solely from the failure of a person to
 1259  comply with this part.
 1260         (8)This part does not establish a private cause of action.
 1261         (9)The department may employ or use the legal services of
 1262  outside counsel and the investigative services of outside
 1263  personnel to fulfill the obligations of this section.
 1264         (10)For purposes of bringing an action pursuant to this
 1265  section, any person who meets the definition of controller as
 1266  defined in this part who collects, shares, or sells the personal
 1267  data of Florida consumers is considered to be engaged in both
 1268  substantial and not isolated activities within this state and
 1269  operating, conducting, engaging in, or carrying on a business,
 1270  and doing business in this state, and is, therefore, subject to
 1271  the jurisdiction of the courts of this state.
 1272         Section 23. Section 501.721, Florida Statutes, is created
 1273  to read:
 1274         501.721 Preemption.—This part is a matter of statewide
 1275  concern and supersedes all rules, regulations, codes,
 1276  ordinances, and other laws adopted by a city, county, city and
 1277  county, municipality, or local agency regarding the collection,
 1278  processing, sharing, or sale of consumer personal data by a
 1279  controller or processor. The regulation of the collection,
 1280  processing, sharing, or sale of consumer personal data by a
 1281  controller or processor is preempted to the state.
 1282         Section 24. Paragraph (g) of subsection (1) of section
 1283  501.171, Florida Statutes, is amended to read:
 1284         501.171 Security of confidential personal information.—
 1285         (1) DEFINITIONS.—As used in this section, the term:
 1286         (g)1. “Personal information” means either of the following:
 1287         a. An individual’s first name or first initial and last
 1288  name in combination with any one or more of the following data
 1289  elements for that individual:
 1290         (I) A social security number;
 1291         (II) A driver license or identification card number,
 1292  passport number, military identification number, or other
 1293  similar number issued on a government document used to verify
 1294  identity;
 1295         (III) A financial account number or credit or debit card
 1296  number, in combination with any required security code, access
 1297  code, or password that is necessary to permit access to an
 1298  individual’s financial account;
 1299         (IV) Any information regarding an individual’s medical
 1300  history, mental or physical condition, or medical treatment or
 1301  diagnosis by a health care professional; or
 1302         (V) An individual’s health insurance policy number or
 1303  subscriber identification number and any unique identifier used
 1304  by a health insurer to identify the individual;
 1305         (VI)An individual’s biometric data as defined in s.
 1306  501.702; or
 1307         (VII)Any information regarding an individual’s
 1308  geolocation.
 1309         b. A user name or e-mail address, in combination with a
 1310  password or security question and answer that would permit
 1311  access to an online account.
 1312         2. The term does not include information about an
 1313  individual that has been made publicly available by a federal,
 1314  state, or local governmental entity. The term also does not
 1315  include information that is encrypted, secured, or modified by
 1316  any other method or technology that removes elements that
 1317  personally identify an individual or that otherwise renders the
 1318  information unusable.
 1319         Section 25. Subsection (1) of section 16.53, Florida
 1320  Statutes, is amended, and subsection (8) is added to that
 1321  section, to read:
 1322         16.53 Legal Affairs Revolving Trust Fund.—
 1323         (1) There is created in the State Treasury the Legal
 1324  Affairs Revolving Trust Fund, from which the Legislature may
 1325  appropriate funds for the purpose of funding investigation,
 1326  prosecution, and enforcement by the Attorney General of the
 1327  provisions of the Racketeer Influenced and Corrupt Organization
 1328  Act, the Florida Deceptive and Unfair Trade Practices Act, the
 1329  Florida False Claims Act, or state or federal antitrust laws, or
 1330  part V of chapter 501.
 1331         (8)All moneys recovered by the Attorney General for
 1332  attorney fees, costs, and penalties in an action for a violation
 1333  of part V of chapter 501 must be deposited in the trust fund.
 1334         Section 26. This act shall take effect July 1, 2023.