CS for CS for SB 262 First Engrossed (ntc)
2023262e1
1 A bill to be entitled
2 An act relating to technology transparency; creating
3 s. 112.23, F.S.; defining terms; prohibiting officers
4 or salaried employees of governmental entities from
5 using their positions or state resources to make
6 certain requests of social media platforms;
7 prohibiting governmental entities from initiating or
8 maintaining agreements or working relationships with
9 social media platforms under a specified circumstance;
10 providing exceptions; providing directives to the
11 Division of Law Revision; creating s. 501.701, F.S.;
12 providing a short title; creating s. 501.702, F.S.;
13 defining terms; creating s. 501.703, F.S.; providing
14 applicability; creating s. 501.704, F.S.; providing
15 exemptions; creating s. 501.705, F.S.; providing that
16 a consumer may submit requests to controllers to
17 exercise specified rights; requiring controllers to
18 comply with certain authenticated consumer requests;
19 creating s. 501.706, F.S.; providing timeframes within
20 which controllers must respond to consumer requests;
21 providing notice requirements for controllers that
22 cannot take action regarding a consumer’s request;
23 providing that controllers are not required to comply
24 with certain consumer requests; providing notice
25 requirements for controllers’ compliance with consumer
26 requests; requiring responses to consumer requests to
27 be made free of charge; providing exceptions;
28 specifying the methods by which controllers may be
29 considered to be in compliance with consumer requests
30 for the controller to delete their personal data;
31 creating s. 501.707, F.S.; requiring controllers to
32 establish a process for consumers to appeal the
33 controller’s refusal to take action on the consumer’s
34 request within a specified timeframe; providing
35 requirements for such process; creating s. 501.708,
36 F.S.; providing that contracts or agreements that
37 waive or limit specified consumer rights are void and
38 unenforceable; creating s. 501.709, F.S.; requiring
39 controllers to establish methods for submitting
40 consumer requests; prohibiting controllers from
41 requiring consumers to create new accounts to exercise
42 their consumer rights; requiring controllers to
43 provide a certain mechanism on their websites for
44 consumers to submit certain requests; creating s.
45 501.71, F.S.; requiring controllers to limit the
46 collection of personal data according to certain
47 parameters; requiring controllers to establish,
48 implement, and maintain specified practices regarding
49 personal data; prohibiting controllers from taking
50 certain actions regarding a consumer’s personal data;
51 prohibiting controllers from discriminating against
52 consumers exercising their consumer rights; providing
53 construction; requiring a controller that operates a
54 search engine to make certain information available on
55 its webpage; creating s. 501.711, F.S.; requiring
56 controllers to provide consumers with privacy notices
57 that meet certain requirements; requiring controllers
58 that engage in the sale of sensitive or biometric
59 personal data to provide notices that meet certain
60 requirements; requiring controllers that sell personal
61 data or process personal data for targeted advertising
62 to disclose certain information; prohibiting
63 controllers from collecting additional categories of
64 personal information or using such information for
65 additional purposes without providing specified
66 notice; creating s. 501.712, F.S.; requiring
67 processors to adhere to controller instructions and to
68 assist the controller in meeting or complying with
69 certain requirements; providing requirements for
70 contracts between controllers and processors regarding
71 data processing procedures; providing construction;
72 providing that the determination of whether a person
73 is acting as a controller or processor is a fact-based
74 determination; creating s. 501.713, F.S.; requiring
75 controllers to conduct and document data protection
76 assessments of specified processing activities
77 involving personal data; providing requirements for
78 such assessments; providing applicability; creating s.
79 501.714, F.S.; requiring controllers in possession of
80 deidentified data to take certain actions; providing
81 construction; providing that specified consumer rights
82 and controller duties do not apply to pseudonymous
83 data or aggregate consumer information under certain
84 circumstances; requiring controllers that disclose
85 pseudonymous data, deidentified data, or aggregate
86 consumer information to exercise reasonable oversight
87 and take appropriate steps to address breaches of
88 contractual agreements; creating s. 501.715, F.S.;
89 requiring certain persons to receive consumer consent
90 before engaging in the sale of sensitive personal
91 data; requiring a specified notice; providing for
92 penalties; creating s. 501.716, F.S.; providing
93 exemptions for specified controller or processor uses
94 of consumer personal data; providing that controllers
95 or processors may provide personal data concerning a
96 consumer to certain covered persons; creating s.
97 501.717, F.S.; authorizing controllers and processors
98 to collect, use, or retain data for specified
99 purposes; providing that certain requirements do not
100 apply if such compliance would violate certain laws;
101 creating s. 501.718, F.S.; providing circumstances
102 under which processors are not in violation of this
103 act for the disclosure of personal data to a third
104 party controller or processor; providing that third
105 party controllers or processors that comply with this
106 part are not liable for violations committed by
107 controllers or processors from whom they receive
108 personal data; creating s. 501.719, F.S.; providing
109 requirements for the processing of certain personal
110 data by controllers; requiring controllers and
111 processors to adopt and implement a retention schedule
112 that meets certain requirements; requiring controllers
113 or processors that process certain personal data to
114 demonstrate that such processing qualifies for a
115 specified exemption; creating s. 501.72, F.S.;
116 authorizing the Department of Legal Affairs to bring
117 an action under the Florida Deceptive and Unfair Trade
118 Practices Act for violations of the act; providing for
119 civil penalties; providing for enhanced civil
120 penalties for certain violations; authorizing the
121 department to grant a specified timeframe within which
122 an alleged violation may be cured; providing an
123 exception; providing certain factors the department
124 may take into consideration; requiring the department
125 to make a report regarding certain enforcement actions
126 publicly available on the department’s website;
127 providing requirements for the report; requiring the
128 department to adopt rules; authorizing the department
129 to collaborate and cooperate with specified
130 enforcement authorities; specifying that the act does
131 not create a private cause of action; authorizing the
132 department to employ or use outside legal counsel for
133 specified purposes; providing for jurisdiction;
134 creating s. 501.721, F.S.; declaring that the act is a
135 matter of statewide concern; preempting the
136 collection, processing, sharing, and sale of consumer
137 personal data to the state; amending s. 501.171, F.S.;
138 revising the definition of the term “personal
139 information”; amending s. 16.53, F.S.; requiring that
140 certain attorney fees, costs, and penalties recovered
141 by the Attorney General be deposited in the Legal
142 Affairs Revolving Trust Fund; providing an effective
143 date.
144
145 Be It Enacted by the Legislature of the State of Florida:
146
147 Section 1. Section 112.23, Florida Statutes, is created to
148 read:
149 112.23 Government-directed content moderation of social
150 media platforms prohibited.—
151 (1) As used in this section, the term:
152 (a) “Governmental entity” means any state, county,
153 district, authority, or municipal officer, department, division,
154 board, bureau, commission, or other separate unit of government
155 created or established by law, including, but not limited to,
156 the Commission on Ethics, the Public Service Commission, the
157 Office of Public Counsel, and any other public or private
158 agency, person, partnership, corporation, or business entity
159 acting on behalf of any public agency.
160 (b) “Social media platform” means a form of electronic
161 communication through which users create online communities to
162 share information, ideas, personal messages, and other content.
163 (2) An officer or a salaried employee of a governmental
164 entity may not use his or her position or any state resources to
165 communicate with a social media platform to request the social
166 media platform to remove content or accounts from the social
167 media platform.
168 (3) A governmental entity, or an officer or a salaried
169 employee acting on behalf of a governmental entity, may not
170 initiate or maintain any agreements or working relationships
171 with a social media platform for the purpose of content
172 moderation.
173 (4) Subsections (2) and (3) do not apply if the
174 governmental entity or an officer or a salaried employee acting
175 on behalf of a governmental entity is acting as part of any of
176 the following:
177 (a) Routine account management of the governmental entity’s
178 account, including, but not limited to, the removal or revision
179 of the governmental entity’s content or account or
180 identification of accounts falsely posing as a governmental
181 entity, officer, or salaried employee.
182 (b) An attempt to remove content that pertains to the
183 commission of a crime or violation of this state’s public
184 records law.
185 (c) An attempt to remove an account that pertains to the
186 commission of a crime or violation of this state’s public
187 records law.
188 (d) An investigation or inquiry related to an effort to
189 prevent imminent bodily harm, loss of life, or property damage.
190 Section 2. The Division of Law Revision is directed to:
191 (1) Redesignate current parts V, VI, and VII of chapter
192 501, Florida Statutes, as parts VI, VII, and VIII of chapter
193 501, Florida Statutes, respectively; and
194 (2) Create a new part V of chapter 501, Florida Statutes,
195 consisting of ss. 501.701-501.721, Florida Statutes, entitled
196 “Data Privacy and Security.”
197 Section 3. Section 501.701, Florida Statutes, is created to
198 read:
199 501.701 Short title.—This part may be cited as the “Florida
200 Digital Bill of Rights.”
201 Section 4. Section 501.702, Florida Statutes, is created to
202 read:
203 501.702 Definitions.—As used in this part, the term:
204 (1) “Affiliate” means a legal entity that controls, is
205 controlled by, or is under common control with another legal
206 entity or that shares common branding with another legal entity.
207 For purposes of this subsection, the term “control” or
208 “controlled” means any of the following:
209 (a) The ownership of, or power to vote, more than 50
210 percent of the outstanding shares of any class of voting
211 security of a company.
212 (b) The control in any manner over the election of a
213 majority of the directors or of individuals exercising similar
214 functions.
215 (c) The power to exercise controlling influence over the
216 management of a company.
217 (2) “Aggregate consumer information” means information that
218 relates to a group or category of consumers, from which the
219 identity of an individual consumer has been removed and is not
220 reasonably capable of being directly or indirectly associated or
221 linked with any consumer, household, or device. The term does
222 not include information about a group or category of consumers
223 used to facilitate targeted advertising or the display of ads
224 online. The term does not include personal information that has
225 been deidentified.
226 (3) “Authenticate” or “authenticated” means to verify or
227 the state of having been verified, respectively, through
228 reasonable means that the consumer who is entitled to exercise
229 the consumer’s rights under s. 501.705 is the same consumer
230 exercising those consumer rights with respect to the personal
231 data at issue.
232 (4) “Biometric data” means data generated by automatic
233 measurements of an individual’s biological characteristics. The
234 term includes fingerprints, voiceprints, eye retinas or irises,
235 or other unique biological patterns or characteristics used to
236 identify a specific individual. The term does not include
237 physical or digital photographs, video or audio recordings or
238 data generated from video or audio recordings, or information
239 collected, used, or stored for health care treatment, payment,
240 or operations under the Health Insurance Portability and
241 Accountability Act of 1996, 42 U.S.C. ss. 1320d et seq.
242 (5) “Business associate” has the same meaning as in 45
243 C.F.R. s. 160.103 and the Health Insurance Portability and
244 Accountability Act of 1996, 42 U.S.C. ss. 1320d et seq.
245 (6) “Child” means an individual younger than 18 years of
246 age.
247 (7) “Consent,” when referring to a consumer, means a clear
248 affirmative act signifying a consumer’s freely given, specific,
249 informed, and unambiguous agreement to process personal data
250 relating to the consumer. The term includes a written statement,
251 including a statement written by electronic means, or any other
252 unambiguous affirmative act. The term does not include any of
253 the following:
254 (a) Acceptance of a general or broad terms of use or
255 similar document that contains descriptions of personal data
256 processing along with other, unrelated information.
257 (b) Hovering over, muting, pausing, or closing a given
258 piece of content.
259 (c) Agreement obtained through the use of dark patterns.
260 (8) “Consumer” means an individual who is a resident of or
261 is domiciled in this state acting only in an individual or
262 household context. The term does not include an individual
263 acting in a commercial or employment context.
264 (9) “Controller” means
265 (a) A sole proprietorship, partnership, limited liability
266 company, corporation, association, or legal entity that meets
267 the following requirements:
268 1. Is organized or operated for the profit or financial
269 benefit of its shareholders or owners;
270 2. Conducts business in this state;
271 3. Collects personal data about consumers, or is the entity
272 on behalf of which such information is collected;
273 4. Determines the purposes and means of processing personal
274 data about consumers alone or jointly with others;
275 5. Makes in excess of $1 billion in global gross annual
276 revenues; and
277 6. Satisfies at least one of the following:
278 a. Derives 50 percent or more of its global gross annual
279 revenues from the sale of advertisements online, including
280 providing targeted advertising or the sale of ads online;
281 b. Operates a consumer smart speaker and voice command
282 component service with an integrated virtual assistant connected
283 to a cloud computing service that uses hands-free verbal
284 activation. For purposes of this sub-subparagraph, a consumer
285 smart speaker and voice command component service does not
286 include a motor vehicle or speaker or device associated with or
287 connected to a vehicle which is operated by a motor vehicle
288 manufacturer or a subsidiary or affiliate thereof; or
289 c. Operates an app store or a digital distribution platform
290 that offers at least 250,000 different software applications for
291 consumers to download and install.
292 (b) Any entity that controls or is controlled by a
293 controller. As used in this paragraph, the term “control” means:
294 1. Ownership of, or the power to vote, more than 50 percent
295 of the outstanding shares of any class of voting security of a
296 controller;
297 2. Control in any manner over the election of a majority of
298 the directors, or of individuals exercising similar functions;
299 or
300 3. The power to exercise a controlling influence over the
301 management of a company.
302 (10) “Covered entity” has the same meaning as in 45 C.F.R.
303 s. 160.103 and the Health Insurance Portability and
304 Accountability Act of 1996, 42 U.S.C. ss. 1320d et seq.
305 (11) “Dark pattern” means a user interface designed or
306 manipulated with the effect of substantially subverting or
307 impairing user autonomy, decisionmaking, or choice. The term
308 includes any practice the Federal Trade Commission refers to as
309 a dark pattern.
310 (12) “Decision that produces a legal or similarly
311 significant effect concerning a consumer” means a decision made
312 by a controller which results in the provision or denial by the
313 controller of any of the following:
314 (a) Financial and lending services.
315 (b) Housing, insurance, or health care services.
316 (c) Education enrollment.
317 (d) Employment opportunities.
318 (e) Criminal justice.
319 (f) Access to basic necessities, such as food and water.
320 (13) “Deidentified data” means data that cannot reasonably
321 be linked to an identified or identifiable individual or a
322 device linked to that individual.
323 (14) “Health care provider” has the same meaning as in 45
324 C.F.R. s. 160.103 and the Health Insurance Portability and
325 Accountability Act of 1996, 42 U.S.C. ss. 1320d et seq.
326 (15) “Health record” means any written, printed, or
327 electronically recorded material maintained by a health care
328 provider in the course of providing health care services to an
329 individual which concerns the individual and the services
330 provided. The term includes any of the following:
331 (a) The substance of any communication made by an
332 individual to a health care provider in confidence during or in
333 connection with the provision of health care services.
334 (b) Information otherwise acquired by the health care
335 provider about an individual in confidence and in connection
336 with health care services provided to the individual.
337 (16) “Identified or identifiable individual” means a
338 consumer who can be readily identified, directly or indirectly.
339 (17) “Known child” means a child under circumstances of
340 which a controller has actual knowledge of, or willfully
341 disregards, the child’s age.
342 (18) “Nonprofit organization” means any of the following:
343 (a) An organization exempt from federal taxation under s.
344 501(a) of the Internal Revenue Code of 1986 by virtue of being
345 listed as an exempt organization under s. 501(c)(3), s.
346 501(c)(4), s. 501(c)(6), or s. 501(c)(12) of that code.
347 (b) A political organization.
348 (19) “Personal data” means any information, including
349 sensitive data, which is linked or reasonably linkable to an
350 identified or identifiable individual. The term includes
351 pseudonymous data when the data is used by a controller or
352 processor in conjunction with additional information that
353 reasonably links the data to an identified or identifiable
354 individual. The term does not include deidentified data or
355 publicly available information.
356 (20) “Political organization” means a party, a committee,
357 an association, a fund, or any other organization, regardless of
358 whether incorporated, organized and operated primarily for the
359 purpose of influencing or attempting to influence any of the
360 following:
361 (a) The selection, nomination, election, or appointment of
362 an individual to a federal, state, or local public office or an
363 office in a political organization, regardless of whether the
364 individual is selected, nominated, elected, or appointed.
365 (b) The election of a presidential or vice-presidential
366 elector, regardless of whether the elector is selected,
367 nominated, elected, or appointed.
368 (21) “Postsecondary education institution” means a Florida
369 College System institution, state university, or nonpublic
370 postsecondary education institution that receives state funds.
371 (22) “Precise geolocation data” means information derived
372 from technology, including global positioning system level
373 latitude and longitude coordinates or other mechanisms, which
374 directly identifies the specific location of an individual with
375 precision and accuracy within a radius of 1,750 feet. The term
376 does not include the content of communications or any data
377 generated by or connected to an advanced utility metering
378 infrastructure system or to equipment for use by a utility.
379 (23) “Process” or “processing” means an operation or set of
380 operations performed, whether by manual or automated means, on
381 personal data or on sets of personal data, such as the
382 collection, use, storage, disclosure, analysis, deletion, or
383 modification of personal data.
384 (24) “Processor” means a person who processes personal data
385 on behalf of a controller.
386 (25) “Profiling” means any form of solely automated
387 processing performed on personal data to evaluate, analyze, or
388 predict personal aspects related to an identified or
389 identifiable individual’s economic situation, health, personal
390 preferences, interests, reliability, behavior, location, or
391 movements.
392 (26) “Protected health information” has the same meaning as
393 in 45 C.F.R. s. 160.103 and the Health Insurance Portability and
394 Accountability Act of 1996, 42 U.S.C. ss. 1320d et seq.
395 (27) “Pseudonymous data” means any information that cannot
396 be attributed to a specific individual without the use of
397 additional information, provided that the additional information
398 is kept separately and is subject to appropriate technical and
399 organizational measures to ensure that the personal data is not
400 attributed to an identified or identifiable individual.
401 (28) “Publicly available information” means information
402 lawfully made available through government records, or
403 information that a business has a reasonable basis for believing
404 is lawfully made available to the general public through widely
405 distributed media, by a consumer, or by a person to whom a
406 consumer has disclosed the information, unless the consumer has
407 restricted the information to a specific audience.
408 (29) “Sale of personal data” means the sharing, disclosing,
409 or transferring of personal data for monetary or other valuable
410 consideration by the controller to a third party. The term does
411 not include any of the following:
412 (a) The disclosure of personal data to a processor who
413 processes the personal data on the controller’s behalf.
414 (b) The disclosure of personal data to a third party for
415 purposes of providing a product or service requested by the
416 consumer.
417 (c) The disclosure of information that the consumer:
418 1. Intentionally made available to the general public
419 through a mass media channel; and
420 2. Did not restrict to a specific audience.
421 (d) The disclosure or transfer of personal data to a third
422 party as an asset that is part of a merger or an acquisition.
423 (30) “Search engine” means technology and systems that use
424 algorithms to sift through and index vast third-party websites
425 and content on the Internet in response to search queries
426 entered by a user. The term does not include the license of
427 search functionality for the purpose of enabling the licensee to
428 operate a third-party search engine service in circumstances
429 where the licensee does not have legal or operational control of
430 the search algorithm, the index from which results are
431 generated, or the ranking order in which the results are
432 provided.
433 (31) “Sensitive data” means a category of personal data
434 which includes any of the following:
435 (a) Personal data revealing an individual’s racial or
436 ethnic origin, religious beliefs, mental or physical health
437 diagnosis, sexual orientation, or citizenship or immigration
438 status.
439 (b) Genetic or biometric data processed for the purpose of
440 uniquely identifying an individual.
441 (c) Personal data collected from a known child.
442 (d) Precise geolocation data.
443 (32) “State agency” means any department, commission,
444 board, office, council, authority, or other agency in the
445 executive branch of state government created by the State
446 Constitution or state law. The term includes a postsecondary
447 education institution.
448 (33) “Targeted advertising” means displaying to a consumer
449 an advertisement selected based on personal data obtained from
450 that consumer’s activities over time and across nonaffiliated
451 websites or online applications to predict the consumer’s
452 preferences or interests. The term does not include any of the
453 following:
454 (a) An advertisement that is:
455 1. Based on activities within a controller’s own website or
456 online application;
457 2. Based on the context of a consumer’s current search
458 query, visit to a website, or use of an online application; or
459 3. Directed to a consumer in response to the consumer’s
460 request for information or feedback.
461 (b) The processing of personal data solely for measuring or
462 reporting advertising performance, reach, or frequency.
463 (34) “Third party” means a person, other than the consumer,
464 the controller, the processor, or an affiliate of the controller
465 or processor.
466 (35) “Trade secret” has the same meaning as in s. 812.081.
467 (36) “Voice recognition feature” means the function of a
468 device which enables the collection, recording, storage,
469 analysis, transmission, interpretation, or other use of spoken
470 words or other sounds.
471 Section 5. Section 501.703, Florida Statutes, is created to
472 read:
473 501.703 Applicability.—
474 (1) This part applies only to a person who:
475 (a) Conducts business in this state or produces a product
476 or service used by residents of this state; and
477 (b) Processes or engages in the sale of personal data.
478 (2) This part does not apply to any of the following:
479 (a) A state agency or a political subdivision of the state.
480 (b) A financial institution or data subject to Title V,
481 Gramm-Leach-Bliley Act, 15 U.S.C. ss. 6801 et seq.
482 (c) A covered entity or business associate governed by the
483 privacy, security, and breach notification regulations issued by
484 the United States Department of Health and Human Services, 45
485 C.F.R. parts 160 and 164, established under the Health Insurance
486 Portability and Accountability Act of 1996, 42 U.S.C. ss. 1320d
487 et seq., and the Health Information Technology for Economic and
488 Clinical Health Act, Division A, Title XIII and Division B,
489 Title IV, Pub. L. No. 111-5.
490 (d) A nonprofit organization.
491 (e) A postsecondary education institution.
492 (3) This part does not apply to the processing of personal
493 data by a person in the course of a purely personal or household
494 activity.
495 (4) A controller or processor that complies with the
496 authenticated parental consent requirements of the Children’s
497 Online Privacy Protection Act, 15 U.S.C. ss. 6501 et seq., with
498 respect to data collected online, is considered to be in
499 compliance with any requirement to obtain parental consent under
500 this part.
501 Section 6. Section 501.704, Florida Statutes, is created to
502 read:
503 501.704 Exemptions.—All of the following information is
504 exempt from this part:
505 (1) Protected health information under the Health Insurance
506 Portability and Accountability Act of 1996, 42 U.S.C. ss. 1320d
507 et seq.
508 (2) Health records.
509 (3) Patient identifying information for purposes of 42
510 U.S.C. s. 290dd-2.
511 (4) Identifiable private information:
512 (a) For purposes of the federal policy for the protection
513 of human subjects under 45 C.F.R. part 46;
514 (b) Collected as part of human subjects research under the
515 good clinical practice guidelines issued by the International
516 Council for Harmonisation of Technical Requirements for
517 Pharmaceuticals for Human Use or the protection of human
518 subjects under 21 C.F.R. parts 50 and 56; or
519 (c) That is personal data used or shared in research
520 conducted in accordance with this part or other research
521 conducted in accordance with applicable law.
522 (5) Information and documents created for purposes of the
523 Health Care Quality Improvement Act of 1986, 42 U.S.C. ss. 11101
524 et seq.
525 (6) Patient safety work product for purposes of the Patient
526 Safety and Quality Improvement Act of 2005, 42 U.S.C. ss. 299b-
527 21 et seq.
528 (7) Information derived from any of the health care-related
529 information listed in this section which is deidentified in
530 accordance with the requirements for deidentification under the
531 Health Insurance Portability and Accountability Act of 1996, 42
532 U.S.C. ss. 1320d et seq.
533 (8) Information originating from, and intermingled to be
534 indistinguishable with, or information treated in the same
535 manner as, information exempt under this section which is
536 maintained by a covered entity or business associate as defined
537 by the Health Insurance Portability and Accountability Act of
538 1996, 42 U.S.C. ss. 1320d et seq. or by a program or a qualified
539 service organization as defined by 42 U.S.C. s. 290dd-2.
540 (9) Information included in a limited data set as described
541 by 45 C.F.R. s. 164.514(e), to the extent that the information
542 is used, disclosed, and maintained in the manner specified by 45
543 C.F.R. s. 164.514(e).
544 (10) Information used only for public health activities and
545 purposes as described in 45 C.F.R. s. 164.512.
546 (11) Information collected or used only for public health
547 activities and purposes as authorized by the Health Insurance
548 Portability and Accountability Act of 1996, 42 U.S.C. ss. 1320d
549 et seq.
550 (12) The collection, maintenance, disclosure, sale,
551 communication, or use of any personal data bearing on a
552 consumer’s creditworthiness, credit standing, credit capacity,
553 character, general reputation, personal characteristics, or mode
554 of living by a consumer reporting agency or furnisher that
555 provides information for use in a consumer report, or by a user
556 of a consumer report, but only to the extent that the activity
557 is regulated by and authorized under the Fair Credit Reporting
558 Act, 15 U.S.C. ss. 1681 et seq.
559 (13) Personal data collected, processed, sold, or disclosed
560 in compliance with the Driver’s Privacy Protection Act of 1994,
561 18 U.S.C. ss. 2721 et seq.
562 (14) Personal data regulated by the Family Educational
563 Rights and Privacy Act of 1974, 20 U.S.C. s. 1232g.
564 (15) Personal data collected, processed, sold, or disclosed
565 in compliance with the Farm Credit Act of 1971, 12 U.S.C. ss.
566 2001 et seq.
567 (16) Data processed or maintained in the course of an
568 individual applying to, being employed by, or acting as an agent
569 or independent contractor of a controller, processor, or third
570 party, to the extent that the data is collected and used within
571 the context of that role.
572 (17) Data processed or maintained as the emergency contact
573 information of an individual under this part which is used for
574 emergency contact purposes.
575 (18) Data that is processed or maintained and that is
576 necessary to retain to administer benefits for another
577 individual which relates to an individual described in
578 subsection (16) and which is used for the purposes of
579 administering those benefits.
580 (19) Personal data collected and transmitted which is
581 necessary for the sole purpose of sharing such personal data
582 with a financial service provider solely to facilitate short-
583 term, transactional payment processing for the purchase of
584 products or services.
585 (20) Personal data collected, processed, sold, or disclosed
586 in relation to price, route, or service as those terms are used
587 in the Airline Deregulation Act, 49 U.S.C. ss. 40101 et seq., by
588 entities subject to that act, to the extent the provisions of
589 this act are preempted by 49 U.S.C. s. 41713.
590 (21) Personal data shared between a manufacturer of a
591 tangible product and authorized third-party distributors or
592 vendors of the product, as long as such personal data is used
593 solely for advertising, marketing, or servicing the product that
594 is acquired directly through such manufacturer and such
595 authorized third-party distributors or vendors. Such personal
596 data may not be sold or shared unless otherwise authorized under
597 this part.
598 Section 7. Section 501.705, Florida Statutes, is created to
599 read:
600 501.705 Consumer rights.—
601 (1) A consumer is entitled to exercise the consumer rights
602 authorized by this section at any time by submitting a request
603 to a controller which specifies the consumer rights that the
604 consumer wishes to exercise. With respect to the processing of
605 personal data belonging to a known child, a parent or legal
606 guardian of the child may exercise these rights on behalf of the
607 child.
608 (2) A controller shall comply with an authenticated
609 consumer request to exercise any of the following rights:
610 (a) To confirm whether a controller is processing the
611 consumer’s personal data and to access the personal data.
612 (b) To correct inaccuracies in the consumer’s personal
613 data, taking into account the nature of the personal data and
614 the purposes of the processing of the consumer’s personal data.
615 (c) To delete any or all personal data provided by or
616 obtained about the consumer.
617 (d) To obtain a copy of the consumer’s personal data in a
618 portable and, to the extent technically feasible, readily usable
619 format if the data is available in a digital format.
620 (e) To opt out of the processing of the personal data for
621 purposes of:
622 1. Targeted advertising;
623 2. The sale of personal data; or
624 3. Profiling in furtherance of a decision that produces a
625 legal or similarly significant effect concerning a consumer.
626 (f) To opt out of the collection of sensitive data,
627 including precise geolocation data, or the processing of such
628 data.
629 (g) To opt out of the collection of personal data collected
630 through the operation of a voice recognition feature.
631 Section 8. Section 501.706, Florida Statutes, is created to
632 read:
633 501.706 Controller response to consumer requests.—
634 (1) Except as otherwise provided by this part, a controller
635 shall comply with a request submitted by a consumer to exercise
636 the consumer’s rights pursuant to s. 501.705, as provided in
637 this section.
638 (2) A controller shall respond to the consumer request
639 without undue delay, which may not be later than 45 days after
640 the date of receipt of the request. The controller may extend
641 the response period once by an additional 15 days when
642 reasonably necessary, taking into account the complexity and
643 number of the consumer’s requests, so long as the controller
644 informs the consumer of the extension within the initial 45-day
645 response period, together with the reason for the extension.
646 (3) If a controller cannot take action regarding the
647 consumer’s request, the controller must inform the consumer
648 without undue delay, which may not be later than 45 days after
649 the date of receipt of the request, of the justification for the
650 inability to take action on the request and provide instructions
651 on how to appeal the decision in accordance with s. 501.707. A
652 controller is not required to comply with a consumer request
653 submitted under s. 501.705 if the controller cannot authenticate
654 the request. However, the controller must make a reasonable
655 effort to request that the consumer provide additional
656 information reasonably necessary to authenticate the consumer
657 and the consumer’s request. If a controller maintains a self-
658 service mechanism to allow a consumer to correct certain
659 personal data, the controller may deny the consumer’s request
660 and require the consumer to correct his or her own personal data
661 through such mechanism.
662 (4) A controller must provide the consumer with notice
663 within 60 days after the request is received that the controller
664 has complied with the consumer’s request as required in this
665 section.
666 (5) A controller shall provide information or take action
667 in response to a consumer request free of charge, at least twice
668 annually per consumer. If a request from a consumer is
669 manifestly unfounded, excessive, or repetitive, the controller
670 may charge the consumer a reasonable fee to cover the
671 administrative costs of complying with the request or may
672 decline to act on the request. The controller bears the burden
673 of demonstrating for purposes of this subsection that a request
674 is manifestly unfounded, excessive, or repetitive.
675 (6) A controller who has obtained personal data about a
676 consumer from a source other than the consumer is considered in
677 compliance with a consumer’s request to delete that personal
678 data pursuant to s. 501.705(2)(c), by doing any of the
679 following:
680 (a) Deleting the personal data, retaining a record of the
681 deletion request and the minimum data necessary for the purpose
682 of ensuring that the consumer’s personal data remains deleted
683 from the business’s records, and not using the retained data for
684 any other purpose under this part.
685 (b) Opting the consumer out of the processing of that
686 personal data for any purpose other than a purpose exempt under
687 this part.
688 Section 9. Section 501.707, Florida Statutes, is created to
689 read:
690 501.707 Appeal.—
691 (1) A controller shall establish a process for a consumer
692 to appeal the controller’s refusal to take action on a request
693 within a reasonable period of time after the consumer’s receipt
694 of the decision under s. 501.706(3).
695 (2) The appeal process must be conspicuously available and
696 similar to the process for initiating action to exercise
697 consumer rights by submitting a request under s. 501.705.
698 (3) A controller shall inform the consumer in writing of
699 any action taken or not taken in response to an appeal under
700 this section within 60 days after the date of receipt of the
701 appeal, including a written explanation of the reason or reasons
702 for the decision.
703 Section 10. Section 501.708, Florida Statutes, is created
704 to read:
705 501.708 Waiver or limitation of consumer rights
706 prohibited.—Any provision of a contract or agreement which
707 waives or limits in any way a consumer right described by s.
708 501.705, s. 501.706, or s. 501.707 is contrary to public policy
709 and is void and unenforceable.
710 Section 11. Section 501.709, Florida Statutes, is created
711 to read:
712 501.709 Submitting consumer requests.—
713 (1) A controller shall establish two or more methods to
714 enable consumers to submit a request to exercise their consumer
715 rights under this part. The methods must be secure, reliable,
716 and clearly and conspicuously accessible. The methods must take
717 all of the following into account:
718 (a) The ways in which consumers normally interact with the
719 controller.
720 (b) The necessity for secure and reliable communications of
721 these requests.
722 (c) The ability of the controller to authenticate the
723 identity of the consumer making the request.
724 (2) A controller may not require a consumer to create a new
725 account to exercise the consumer’s rights under this part but
726 may require a consumer to use an existing account.
727 (3) A controller shall provide a mechanism on its website
728 for a consumer to submit a request for information required to
729 be disclosed under this part. A controller that operates
730 exclusively online and has a direct relationship with a consumer
731 from whom the controller collects personal data may also provide
732 an e-mail address for the submission of requests.
733 Section 12. Section 501.71, Florida Statutes, is created to
734 read:
735 501.71 Controller duties.—
736 (1) A controller shall:
737 (a) Limit the collection of personal data to data that is
738 adequate, relevant, and reasonably necessary in relation to the
739 purposes for which it is processed, as disclosed to the
740 consumer; and
741 (b) For purposes of protecting the confidentiality,
742 integrity, and accessibility of personal data, establish,
743 implement, and maintain reasonable administrative, technical,
744 and physical data security practices appropriate to the volume
745 and nature of the personal data at issue.
746 (2) A controller may not do any of the following:
747 (a) Except as otherwise provided by this part, process
748 personal data for a purpose that is neither reasonably necessary
749 nor compatible with the purpose for which the personal data is
750 processed, as disclosed to the consumer, unless the controller
751 obtains the consumer’s consent.
752 (b) Process personal data in violation of state or federal
753 laws that prohibit unlawful discrimination against consumers.
754 (c) Discriminate against a consumer for exercising any of
755 the consumer rights contained in this part, including by denying
756 goods or services, charging different prices or rates for goods
757 or services, or providing a different level of quality of goods
758 or services to the consumer. A controller may offer financial
759 incentives, including payments to consumers as compensation, for
760 processing of personal data if the consumer gives the controller
761 prior consent that clearly describes the material terms of the
762 financial incentive program and provided that such incentive
763 practices are not unjust, unreasonable, coercive, or usurious in
764 nature. The consent may be revoked by the consumer at any time.
765 (d) Process the sensitive data of a consumer without
766 obtaining the consumer’s consent, or, in the case of processing
767 the sensitive data of a known child, without processing that
768 data with the affirmative authorization for such processing by a
769 known child who is between 13 and 18 years of age or in
770 accordance with the Children’s Online Privacy Protection Act, 15
771 U.S.C. ss. 6501 et seq. for a known child under the age of 13.
772 (3) Paragraph (2)(c) may not be construed to require a
773 controller to provide a product or service that requires the
774 personal data of a consumer which the controller does not
775 collect or maintain or to prohibit a controller from offering a
776 different price, rate, level, quality, or selection of goods or
777 services to a consumer, including offering goods or services for
778 no fee, if the consumer has exercised the consumer’s right to
779 opt out under s. 501.705(2) or the offer is related to a
780 consumer’s voluntary participation in a bona fide loyalty,
781 rewards, premium features, discounts, or club card program.
782 (4) A controller that operates a search engine shall make
783 available, in an easily accessible location on the webpage which
784 does not require a consumer to log in or register to read, an
785 up-to-date plain language description of the main parameters
786 that are individually or collectively the most significant in
787 determining ranking and the relative importance of those main
788 parameters, including the prioritization or deprioritization of
789 political partisanship or political ideology in search results.
790 Algorithms are not required to be disclosed nor is any other
791 information that, with reasonable certainty, would enable
792 deception of or harm to consumers through the manipulation of
793 search results.
794 Section 13. Section 501.711, Florida Statutes, is created
795 to read:
796 501.711 Privacy notices.—
797 (1) A controller shall provide consumers with a reasonably
798 accessible and clear privacy notice, updated at least annually,
799 that includes all of the following information:
800 (a) The categories of personal data processed by the
801 controller, including, if applicable, any sensitive data
802 processed by the controller.
803 (b) The purpose of processing personal data.
804 (c) How consumers may exercise their rights under s.
805 501.705(2), including the process by which a consumer may appeal
806 a controller’s decision with regard to the consumer’s request.
807 (d) If applicable, the categories of personal data that the
808 controller shares with third parties.
809 (e) If applicable, the categories of third parties with
810 whom the controller shares personal data.
811 (f) A description of the methods specified in s. 501.709,
812 by which consumers can submit requests to exercise their
813 consumer rights under this part.
814 (2) If a controller engages in the sale of personal data
815 that is sensitive data, the controller must provide the
816 following notice: “NOTICE: This website may sell your sensitive
817 personal data.” The notice must be posted in accordance with
818 subsection (1).
819 (3) If a controller engages in the sale of personal data
820 that is biometric data, the controller must provide the
821 following notice: “NOTICE: This website may sell your biometric
822 personal data.” The notice must be posted in accordance with
823 subsection (1).
824 (4) If a controller sells personal data to third parties or
825 processes personal data for targeted advertising, the controller
826 must clearly and conspicuously disclose that process and the
827 manner in which a consumer may exercise the right to opt out of
828 that process.
829 (5) A controller may not collect additional categories of
830 personal information or use personal information collected for
831 additional purposes without providing the consumer with notice
832 consistent with this section.
833 Section 14. Section 501.712, Florida Statutes, is created
834 to read:
835 501.712 Duties of processor.—
836 (1) A processor shall adhere to the instructions of a
837 controller and shall assist the controller in meeting or
838 complying with the controller’s duties under this section and
839 the requirements of this part, including the following:
840 (a) Assisting the controller in responding to consumer
841 rights requests submitted pursuant to ss. 501.705 and 501.709,
842 by using appropriate technical and organizational measures, as
843 reasonably practicable, taking into account the nature of
844 processing and the information available to the processor.
845 (b) Assisting the controller with regard to complying with
846 the requirement relating to the security of processing personal
847 data and to the notification of a breach of security of the
848 processor’s system under s. 501.171, taking into account the
849 nature of processing and the information available to the
850 processor.
851 (c) Providing necessary information to enable the
852 controller to conduct and document data protection assessments
853 under s. 501.713.
854 (2) A contract between a controller and a processor governs
855 the processor’s data processing procedures with respect to
856 processing performed on behalf of the controller. The contract
857 must include all of the following information:
858 (a) Clear instructions for processing data.
859 (b) The nature and purpose of processing.
860 (c) The type of data subject to processing.
861 (d) The duration of processing.
862 (e) The rights and obligations of both parties.
863 (f) A requirement that the processor:
864 1. Ensure that each person processing personal data is
865 subject to a duty of confidentiality with respect to the data;
866 2. At the controller’s direction, delete or return all
867 personal data to the controller as requested after the provision
868 of the service is completed, unless retention of the personal
869 data is required by law;
870 3. Make available to the controller, upon reasonable
871 request, all information in the processor’s possession necessary
872 to demonstrate the processor’s compliance with this part;
873 4. Allow, and cooperate with, reasonable assessments by the
874 controller or the controller’s designated assessor; and
875 5. Engage any subcontractor pursuant to a written contract
876 that requires the subcontractor to meet the requirements of the
877 processor with respect to the personal data.
878 (3) Notwithstanding subparagraph (2)(f)4., a processor may
879 arrange for a qualified and independent assessor to conduct an
880 assessment of the processor’s policies and technical and
881 organizational measures in support of the requirements under
882 this part using an appropriate and accepted control standard or
883 framework and assessment procedure. The processor shall provide
884 a report of the assessment to the controller upon request.
885 (4) This section may not be construed to relieve a
886 controller or a processor from the liabilities imposed on the
887 controller or processor by virtue of its role in the processing
888 relationship as described by this part.
889 (5) A determination as to whether a person is acting as a
890 controller or processor with respect to a specific processing of
891 data is a fact-based determination that depends on the context
892 in which personal data is to be processed. A processor that
893 continues to adhere to a controller’s instructions with respect
894 to a specific processing of personal data remains in the role of
895 a processor.
896 Section 15. Section 501.713, Florida Statutes, is created
897 to read:
898 501.713 Data protection assessments.—
899 (1) A controller shall conduct and document a data
900 protection assessment of each of the following processing
901 activities involving personal data:
902 (a) The processing of personal data for purposes of
903 targeted advertising.
904 (b) The sale of personal data.
905 (c) The processing of personal data for purposes of
906 profiling if the profiling presents a reasonably foreseeable
907 risk of:
908 1. Unfair or deceptive treatment of or unlawful disparate
909 impact on consumers;
910 2. Financial, physical, or reputational injury to
911 consumers;
912 3. A physical or other intrusion on the solitude or
913 seclusion, or the private affairs or concerns, of consumers, if
914 the intrusion would be offensive to a reasonable person; or
915 4. Other substantial injury to consumers.
916 (d) The processing of sensitive data.
917 (e) Any processing activities involving personal data which
918 present a heightened risk of harm to consumers.
919 (2) A data protection assessment conducted under subsection
920 (1) must do all of the following:
921 (a) Identify and weigh the direct or indirect benefits that
922 may flow from the processing to the controller, the consumer,
923 other stakeholders, and the public against the potential risks
924 to the rights of the consumer associated with that processing,
925 as mitigated by safeguards that can be employed by the
926 controller to reduce such risks.
927 (b) Factor into the assessment:
928 1. The use of deidentified data;
929 2. The reasonable expectations of consumers;
930 3. The context of the processing; and
931 4. The relationship between the controller and the consumer
932 whose personal data will be processed.
933 (3) The disclosure of a data protection assessment in
934 compliance with a request from the Attorney General pursuant to
935 s. 501.72 does not constitute a waiver of attorney-client
936 privilege or work product protection with respect to the
937 assessment and any information contained in the assessment.
938 (4) A single data protection assessment may address a
939 comparable set of processing operations which include similar
940 activities.
941 (5) A data protection assessment conducted by a controller
942 for the purpose of compliance with any other law or regulation
943 may constitute compliance with the requirements of this section
944 if the assessment has a reasonably comparable scope and effect.
945 (6) This section applies only to processing activities
946 generated on or after July 1, 2023.
947 Section 16. Section 501.714, Florida Statutes, is created
948 to read:
949 501.714 Deidentified data, pseudonymous data, and aggregate
950 consumer information.—
951 (1) A controller in possession of deidentified data shall
952 do all of the following:
953 (a) Take reasonable measures to ensure that the data cannot
954 be associated with an individual.
955 (b) Maintain and use the data in deidentified form. A
956 controller may not attempt to reidentify the data, except that
957 the controller may attempt to reidentify the data solely for the
958 purpose of determining whether its deidentification processes
959 satisfy the requirements of this section.
960 (c) Contractually obligate any recipient of the
961 deidentified data to comply with this part.
962 (d) Implement business processes to prevent the inadvertent
963 release of deidentified data.
964 (2) This part may not be construed to require a controller
965 or processor to do any of the following:
966 (a) Reidentify deidentified data or pseudonymous data.
967 (b) Maintain data in an identifiable form or obtain,
968 retain, or access any data or technology for the purpose of
969 allowing the controller or processor to associate a consumer
970 request with personal data.
971 (c) Comply with an authenticated consumer rights request
972 under s. 501.705 if the controller:
973 1. Is not reasonably capable of associating the request
974 with the personal data or it would be unreasonably burdensome
975 for the controller to associate the request with the personal
976 data;
977 2. Does not use the personal data to recognize or respond
978 to the specific consumer who is the subject of the personal data
979 or associate the personal data with other personal data about
980 the same specific consumer; and
981 3. Does not sell the personal data to a third party or
982 otherwise voluntarily disclose the personal data to a third
983 party other than a processor, except as otherwise authorized by
984 this section.
985 (3) The consumer rights enumerated under s. 501.705(2), and
986 controller duties imposed under s. 501.71, do not apply to
987 pseudonymous data or aggregate consumer information in cases in
988 which the controller is able to demonstrate that any information
989 necessary to identify the consumer is kept separate and is
990 subject to effective technical and organizational controls that
991 prevent the controller from accessing the information.
992 (4) A controller that discloses pseudonymous data,
993 deidentified data, or aggregate consumer information shall
994 exercise reasonable oversight to monitor compliance with any
995 contractual commitments to which the data or information is
996 subject and shall take appropriate steps to address any breach
997 of the contractual commitments.
998 Section 17. Section 501.715, Florida Statutes, is created
999 to read:
1000 501.715 Requirements for sensitive data.—
1001 (1) A person who meets the requirements of s.
1002 501.702(9)(a)1., (a)2., and (a)3. for the definition of a
1003 controller may not engage in the sale of personal data that is
1004 sensitive data without receiving prior consent from the consumer
1005 or, if the sensitive data is of a known child, without
1006 processing that data with the affirmative authorization for such
1007 processing by a known child who is between 13 and 18 years of
1008 age or in accordance with the Children’s Online Privacy
1009 Protection Act, 15 U.S.C. ss. 6501 et seq. for a known child
1010 under the age of 13.
1011 (2) A person in subsection (1) who engages in the sale of
1012 personal data that is sensitive data must provide the following
1013 notice: “NOTICE: This website may sell your sensitive personal
1014 data.”
1015 (3) A person who violates this section is subject to the
1016 penalty imposed under s. 501.72.
1017 Section 18. Section 501.716, Florida Statutes, is created
1018 to read:
1019 501.716 Exemptions for certain uses of consumer personal
1020 data.—
1021 (1) This part may not be construed to restrict a
1022 controller’s or processor’s ability to do any of the following:
1023 (a) Comply with federal or state laws, rules, or
1024 regulations.
1025 (b) Comply with a civil, criminal, or regulatory inquiry,
1026 investigation, subpoena, or summons by federal, state, local, or
1027 other governmental authorities.
1028 (c) Investigate, establish, exercise, prepare for, or
1029 defend legal claims.
1030 (d) Provide a product or service specifically requested by
1031 a consumer or the parent or guardian of a child, perform a
1032 contract to which the consumer is a party, including fulfilling
1033 the terms of a written warranty, or take steps at the request of
1034 the consumer before entering into a contract.
1035 (e) Take immediate steps to protect an interest that is
1036 essential for the life or physical safety of the consumer or of
1037 another individual and in which the processing cannot be
1038 manifestly based on another legal basis.
1039 (f) Prevent, detect, protect against, or respond to
1040 security incidents, identity theft, fraud, harassment, malicious
1041 or deceptive activities, or any illegal activity.
1042 (g) Preserve the integrity or security of systems or
1043 investigate, report, or prosecute those responsible for breaches
1044 of system security.
1045 (h) Engage in public or peer-reviewed scientific or
1046 statistical research in the public interest which adheres to all
1047 other applicable ethics and privacy laws and is approved,
1048 monitored, and governed by an institutional review board or
1049 similar independent oversight entity that determines:
1050 1. Whether the deletion of the information is likely to
1051 provide substantial benefits that do not exclusively accrue to
1052 the controller;
1053 2. Whether the expected benefits of the research outweigh
1054 the privacy risks; and
1055 3. Whether the controller has implemented reasonable
1056 safeguards to mitigate privacy risks associated with research,
1057 including any risks associated with reidentification.
1058 (i) Assist another controller, processor, or third party in
1059 complying with the requirements of this part.
1060 (j) Disclose personal data disclosed when a consumer uses
1061 or directs the controller to intentionally disclose information
1062 to a third party or uses the controller to intentionally
1063 interact with a third party. An intentional interaction occurs
1064 when the consumer intends to interact with the third party, by
1065 one or more deliberate interactions. Hovering over, muting,
1066 pausing, or closing a given piece of content does not constitute
1067 a consumer’s intent to interact with a third party.
1068 (k) Transfer personal data to a third party as an asset
1069 that is part of a merger, an acquisition, a bankruptcy, or other
1070 transaction in which the third party assumes control of all or
1071 part of the controller, provided that the information is used or
1072 shared in a manner consistent with this part. If a third party
1073 materially alters how it uses or shares the personal data of a
1074 consumer in a manner that is materially inconsistent with the
1075 commitments or promises made at the time of collection, it must
1076 provide prior notice of the new or changed practice to the
1077 consumer. The notice must be sufficiently prominent and robust
1078 to ensure that consumers can easily exercise choices consistent
1079 with this part.
1080 (2) This part may not be construed to prevent a controller
1081 or processor from providing personal data concerning a consumer
1082 to a person covered by an evidentiary privilege under the laws
1083 of this state as part of a privileged communication.
1084 (3) This part may not be construed as imposing a
1085 requirement on controllers and processors which adversely
1086 affects the rights or freedoms of any person, including the
1087 right of free speech.
1088 (4) This part may not be construed as requiring a
1089 controller, processor, third party, or consumer to disclose a
1090 trade secret.
1091 Section 19. Section 501.717, Florida Statutes, is created
1092 to read:
1093 501.717 Collection, use, or retention of data for certain
1094 purposes.—
1095 (1) The requirements imposed on controllers and processors
1096 under this part may not restrict a controller’s or processor’s
1097 ability to collect, use, or retain data to do any of the
1098 following:
1099 (a) Conduct internal research to develop, improve, or
1100 repair products, services, or technology.
1101 (b) Effect a product recall.
1102 (c) Identify and repair technical errors that impair
1103 existing or intended functionality.
1104 (d) Perform internal operations that are:
1105 1. Reasonably aligned with the expectations of the
1106 consumer;
1107 2. Reasonably anticipated based on the consumer’s existing
1108 relationship with the controller; or
1109 3. Otherwise compatible with processing data in furtherance
1110 of the provision of a product or service specifically requested
1111 by a consumer or the performance of a contract to which the
1112 consumer is a party.
1113 (2) A requirement imposed on a controller or processor
1114 under this part does not apply if compliance with the
1115 requirement by the controller or processor, as applicable, would
1116 violate an evidentiary privilege under the laws of this state.
1117 Section 20. Section 501.718, Florida Statutes, is created
1118 to read:
1119 501.718 Disclosure of personal data to third-party
1120 controller or processor.—
1121 (1) A controller or processor that discloses personal data
1122 to a third-party controller or processor in compliance with the
1123 requirements of this part does not violate this part if the
1124 third-party controller or processor that receives and processes
1125 that personal data violates this part, provided that, at the
1126 time of the data’s disclosure, the disclosing controller or
1127 processor could not have reasonably known that the recipient
1128 intended to commit a violation.
1129 (2) A third-party controller or processor receiving
1130 personal data from a controller or processor in compliance with
1131 the requirements of this part may not be held liable for
1132 violations of this part committed by the controller or processor
1133 from which the third-party controller or processor receives the
1134 personal data.
1135 Section 21. Section 501.719, Florida Statutes, is created
1136 to read:
1137 501.719 Processing of certain personal data by controller
1138 or other person.—
1139 (1) Personal data processed by a controller pursuant to ss.
1140 501.716, 501.717, and 501.718 may not be processed for any
1141 purpose other than those specified in those sections. Personal
1142 data processed by a controller pursuant to ss. 501.716, 501.717,
1143 and 501.718 may be processed to the extent that the processing
1144 of the data is:
1145 (a) Reasonably necessary and proportionate to the purposes
1146 specified in ss. 501.716, 501.717, and 501.718; and
1147 (b) Adequate, relevant, and limited to what is necessary in
1148 relation to the purposes specified in ss. 501.716, 501.717, and
1149 501.718.
1150 (c) Done to assist another controller, processor, or third
1151 party with any of the purposes specified in s. 501.716, s.
1152 501.717, or s. 501.718.
1153 (2) A controller or processor that collects, uses, or
1154 retains personal data for the purposes specified in s.
1155 501.717(1) must take into account the nature and purpose of such
1156 collection, use, or retention. Such personal data is subject to
1157 reasonable administrative, technical, and physical measures to
1158 protect its confidentiality, integrity, and accessibility and to
1159 reduce reasonably foreseeable risks of harm to consumers
1160 relating to the collection, use, or retention of personal data.
1161 (3) A controller or processor shall adopt and implement a
1162 retention schedule that prohibits the use or retention of
1163 personal data not subject to an exemption by the controller or
1164 processor after the satisfaction of the initial purpose for
1165 which such information was collected or obtained, after the
1166 expiration or termination of the contract pursuant to which the
1167 information was collected or obtained, or 2 years after the
1168 consumer’s last interaction with the controller or processor.
1169 This subsection does not apply to personal data reasonably used
1170 or retained to do any of the following:
1171 (a) Provide a good or service requested by the consumer, or
1172 reasonably anticipate the request of such good or service within
1173 the context of a controller’s ongoing business relationship with
1174 the consumer.
1175 (b) Debug to identify and repair errors that impair
1176 existing intended functionality.
1177 (c) Enable solely internal uses that are reasonably aligned
1178 with the expectations of the consumer based on the consumer’s
1179 relationship with the controller or that are compatible with the
1180 context in which the consumer provided the information.
1181 (4) A controller or processor that processes personal data
1182 pursuant to ss. 501.716, 501.717, and 501.718 bears the burden
1183 of demonstrating that the processing of the personal data
1184 qualifies for the exemption and complies with the requirements
1185 of this section.
1186 Section 22. Section 501.72, Florida Statutes, is created to
1187 read:
1188 501.72 Enforcement and implementation by the Department of
1189 Legal Affairs.—
1190 (1) A violation of this part is an unfair and deceptive
1191 trade practice actionable under part II of this chapter solely
1192 by the Department of Legal Affairs. If the department has reason
1193 to believe that a person is in violation of this section, the
1194 department may, as the enforcing authority, bring an action
1195 against such person for an unfair or deceptive act or practice.
1196 For the purpose of bringing an action pursuant to this section,
1197 ss. 501.211 and 501.212 do not apply. In addition to other
1198 remedies under part II of this chapter, the department may
1199 collect a civil penalty of up to $50,000 per violation. Civil
1200 penalties may be tripled for any of the following violations:
1201 (a) A violation involving a Florida consumer who is a known
1202 child. A controller that willfully disregards the consumer’s age
1203 is deemed to have actual knowledge of the consumer’s age.
1204 (b) Failure to delete or correct the consumer’s personal
1205 data pursuant to this section after receiving an authenticated
1206 consumer request or directions from a controller to delete or
1207 correct such personal data, unless an exception to the
1208 requirements to delete or correct such personal data under this
1209 section applies.
1210 (c) Continuing to sell or share the consumer’s personal
1211 data after the consumer chooses to opt out under this part.
1212 (2) After the department has notified a person in writing
1213 of an alleged violation, the department may grant a 45-day
1214 period to cure the alleged violation and issue a letter of
1215 guidance. The 45-day cure period does not apply to an alleged
1216 violation of paragraph (1)(a). The department may consider the
1217 number and frequency of violations, the substantial likelihood
1218 of injury to the public, and the safety of persons or property
1219 in determining whether to grant 45 calendar days to cure and the
1220 issuance of a letter of guidance. If the alleged violation is
1221 cured to the satisfaction of the department and proof of such
1222 cure is provided to the department, the department may not bring
1223 an action for the alleged violation but in its discretion may
1224 issue a letter of guidance that indicates that the person will
1225 not be offered a 45-day cure period for any future violations.
1226 If the person fails to cure the alleged violation within 45
1227 calendar days, the department may bring an action against such
1228 person for the alleged violation.
1229 (3) Any action brought by the department may be brought
1230 only on behalf of a Florida consumer.
1231 (4) By February 1 of each year, the department shall make a
1232 report publicly available on the department’s website describing
1233 any actions taken by the department to enforce this section. The
1234 report must include statistics and relevant information
1235 detailing all of the following:
1236 (a) The number of complaints received and the categories or
1237 types of violations alleged by the complainant.
1238 (b) The number and type of enforcement actions taken and
1239 the outcomes of such actions, including the amount of penalties
1240 issued and collected.
1241 (c) The number of complaints resolved without the need for
1242 litigation.
1243 (d) For the report due February 1, 2024, the status of the
1244 development and implementation of rules to implement this
1245 section.
1246 (5) The department shall adopt rules to implement this
1247 section, including standards for authenticated consumer
1248 requests, enforcement, data security, and authorized persons who
1249 may act on a consumer’s behalf.
1250 (6) The department may collaborate and cooperate with other
1251 enforcement authorities of the Federal Government or other state
1252 governments concerning consumer data privacy issues and consumer
1253 data privacy investigations if such enforcement authorities have
1254 restrictions governing confidentiality at least as stringent as
1255 the restrictions provided in this section.
1256 (7) Liability for a tort, contract claim, or consumer
1257 protection claim unrelated to an action brought under this
1258 section does not arise solely from the failure of a person to
1259 comply with this part.
1260 (8) This part does not establish a private cause of action.
1261 (9) The department may employ or use the legal services of
1262 outside counsel and the investigative services of outside
1263 personnel to fulfill the obligations of this section.
1264 (10) For purposes of bringing an action pursuant to this
1265 section, any person who meets the definition of controller as
1266 defined in this part who collects, shares, or sells the personal
1267 data of Florida consumers is considered to be engaged in both
1268 substantial and not isolated activities within this state and
1269 operating, conducting, engaging in, or carrying on a business,
1270 and doing business in this state, and is, therefore, subject to
1271 the jurisdiction of the courts of this state.
1272 Section 23. Section 501.721, Florida Statutes, is created
1273 to read:
1274 501.721 Preemption.—This part is a matter of statewide
1275 concern and supersedes all rules, regulations, codes,
1276 ordinances, and other laws adopted by a city, county, city and
1277 county, municipality, or local agency regarding the collection,
1278 processing, sharing, or sale of consumer personal data by a
1279 controller or processor. The regulation of the collection,
1280 processing, sharing, or sale of consumer personal data by a
1281 controller or processor is preempted to the state.
1282 Section 24. Paragraph (g) of subsection (1) of section
1283 501.171, Florida Statutes, is amended to read:
1284 501.171 Security of confidential personal information.—
1285 (1) DEFINITIONS.—As used in this section, the term:
1286 (g)1. “Personal information” means either of the following:
1287 a. An individual’s first name or first initial and last
1288 name in combination with any one or more of the following data
1289 elements for that individual:
1290 (I) A social security number;
1291 (II) A driver license or identification card number,
1292 passport number, military identification number, or other
1293 similar number issued on a government document used to verify
1294 identity;
1295 (III) A financial account number or credit or debit card
1296 number, in combination with any required security code, access
1297 code, or password that is necessary to permit access to an
1298 individual’s financial account;
1299 (IV) Any information regarding an individual’s medical
1300 history, mental or physical condition, or medical treatment or
1301 diagnosis by a health care professional;
1302 (V) An individual’s health insurance policy number or
1303 subscriber identification number and any unique identifier used
1304 by a health insurer to identify the individual;
1305 (VI) An individual’s biometric data as defined in s.
1306 501.702; or
1307 (VII) Any information regarding an individual’s
1308 geolocation.
1309 b. A user name or e-mail address, in combination with a
1310 password or security question and answer that would permit
1311 access to an online account.
1312 2. The term does not include information about an
1313 individual that has been made publicly available by a federal,
1314 state, or local governmental entity. The term also does not
1315 include information that is encrypted, secured, or modified by
1316 any other method or technology that removes elements that
1317 personally identify an individual or that otherwise renders the
1318 information unusable.
1319 Section 25. Subsection (1) of section 16.53, Florida
1320 Statutes, is amended, and subsection (8) is added to that
1321 section, to read:
1322 16.53 Legal Affairs Revolving Trust Fund.—
1323 (1) There is created in the State Treasury the Legal
1324 Affairs Revolving Trust Fund, from which the Legislature may
1325 appropriate funds for the purpose of funding investigation,
1326 prosecution, and enforcement by the Attorney General of the
1327 provisions of the Racketeer Influenced and Corrupt Organization
1328 Act, the Florida Deceptive and Unfair Trade Practices Act, the
1329 Florida False Claims Act, or state or federal antitrust laws, or
1330 part V of chapter 501.
1331 (8) All moneys recovered by the Attorney General for
1332 attorney fees, costs, and penalties in an action for a violation
1333 of part V of chapter 501 must be deposited in the trust fund.
1334 Section 26. This act shall take effect December 31, 2023.