CS for CS for SB 262 Second Engrossed
2023262e2
1 A bill to be entitled
2 An act relating to technology transparency; creating
3 s. 112.23, F.S.; defining terms; prohibiting officers
4 or salaried employees of governmental entities from
5 using their positions or state resources to make
6 certain requests of social media platforms;
7 prohibiting governmental entities from initiating or
8 maintaining agreements or working relationships with
9 social media platforms under a specified circumstance;
10 providing exceptions; creating s. 501.1735, F.S.;
11 providing definitions; prohibiting certain conduct by
12 an online platform that provides online services,
13 products, games, or features likely to be
14 predominantly accessed by children; providing
15 exceptions; providing for enforcement; providing
16 construction; authorizing the department to bring an
17 action under the Florida Deceptive and Unfair Trade
18 Practices Act; providing for civil penalties;
19 providing that the department may grant an online
20 platform a timeframe to cure any violations; providing
21 jurisdiction; providing directives to the Division of
22 Law Revision; creating s. 501.701, F.S.; providing a
23 short title; creating s. 501.702, F.S.; defining
24 terms; creating s. 501.703, F.S.; providing
25 applicability; creating s. 501.704, F.S.; providing
26 exemptions; creating s. 501.705, F.S.; providing that
27 a consumer may submit requests to controllers to
28 exercise specified rights; requiring controllers to
29 comply with certain authenticated consumer requests;
30 prohibiting certain devices from being used for
31 surveillance purposes without the express
32 authorization of the consumer under certain
33 circumstances; creating s. 501.706, F.S.; providing
34 timeframes within which controllers must respond to
35 consumer requests; providing notice requirements for
36 controllers that cannot take action regarding a
37 consumer’s request; providing that controllers are not
38 required to comply with certain consumer requests;
39 providing notice requirements for controllers’
40 compliance with consumer requests; requiring responses
41 to consumer requests to be made free of charge;
42 providing exceptions; specifying the methods by which
43 controllers may be considered to be in compliance with
44 consumer requests for the controller to delete their
45 personal data; creating s. 501.707, F.S.; requiring
46 controllers to establish a process for consumers to
47 appeal the controller’s refusal to take action on the
48 consumer’s request within a specified timeframe;
49 providing requirements for such process; creating s.
50 501.708, F.S.; providing that contracts or agreements
51 that waive or limit specified consumer rights are void
52 and unenforceable; creating s. 501.709, F.S.;
53 requiring controllers to establish methods for
54 submitting consumer requests; prohibiting controllers
55 from requiring consumers to create new accounts to
56 exercise their consumer rights; requiring controllers
57 to provide a certain mechanism on their websites for
58 consumers to submit certain requests; creating s.
59 501.71, F.S.; requiring controllers to limit the
60 collection of personal data according to certain
61 parameters; requiring controllers to establish,
62 implement, and maintain specified practices regarding
63 personal data; prohibiting controllers from taking
64 certain actions regarding a consumer’s personal data;
65 prohibiting controllers from discriminating against
66 consumers exercising their consumer rights; providing
67 construction; requiring a controller that operates a
68 search engine to make certain information available on
69 its webpage; creating s. 501.711, F.S.; requiring
70 controllers to provide consumers with privacy notices
71 that meet certain requirements; requiring controllers
72 that engage in the sale of sensitive or biometric
73 personal data to provide notices that meet certain
74 requirements; requiring controllers that sell personal
75 data or process personal data for targeted advertising
76 to disclose certain information; prohibiting
77 controllers from collecting additional categories of
78 personal information or using such information for
79 additional purposes without providing specified
80 notice; creating s. 501.712, F.S.; requiring
81 processors to adhere to controller instructions and to
82 assist the controller in meeting or complying with
83 certain requirements; providing requirements for
84 contracts between controllers and processors regarding
85 data processing procedures; providing construction;
86 providing that the determination of whether a person
87 is acting as a controller or processor is a fact-based
88 determination; creating s. 501.713, F.S.; requiring
89 controllers to conduct and document data protection
90 assessments of specified processing activities
91 involving personal data; providing requirements for
92 such assessments; providing applicability; creating s.
93 501.714, F.S.; requiring controllers in possession of
94 deidentified data to take certain actions; providing
95 construction; providing that specified consumer rights
96 and controller duties do not apply to pseudonymous
97 data or aggregate consumer information under certain
98 circumstances; requiring controllers that disclose
99 pseudonymous data, deidentified data, or aggregate
100 consumer information to exercise reasonable oversight
101 and take appropriate steps to address breaches of
102 contractual agreements; creating s. 501.715, F.S.;
103 requiring certain persons to receive consumer consent
104 before engaging in the sale of sensitive personal
105 data; requiring a specified notice; providing for
106 penalties; creating s. 501.716, F.S.; providing
107 exemptions for specified controller or processor uses
108 of consumer personal data; providing that controllers
109 or processors may provide personal data concerning a
110 consumer to certain covered persons; creating s.
111 501.717, F.S.; authorizing controllers and processors
112 to collect, use, or retain data for specified
113 purposes; providing that certain requirements do not
114 apply if such compliance would violate certain laws;
115 creating s. 501.718, F.S.; providing circumstances
116 under which processors are not in violation of this
117 act for the disclosure of personal data to a third
118 party controller or processor; providing that third
119 party controllers or processors that comply with this
120 part are not liable for violations committed by
121 controllers or processors from whom they receive
122 personal data; creating s. 501.719, F.S.; providing
123 requirements for the processing of certain personal
124 data by controllers; requiring controllers and
125 processors to adopt and implement a retention schedule
126 that meets certain requirements; requiring controllers
127 or processors that process certain personal data to
128 demonstrate that such processing qualifies for a
129 specified exemption; creating s. 501.72, F.S.;
130 authorizing the Department of Legal Affairs to bring
131 an action under the Florida Deceptive and Unfair Trade
132 Practices Act for violations of the act; providing for
133 civil penalties; providing for enhanced civil
134 penalties for certain violations; authorizing the
135 department to grant a specified timeframe within which
136 an alleged violation may be cured; providing an
137 exception; providing certain factors the department
138 may take into consideration; requiring the department
139 to make a report regarding certain enforcement actions
140 publicly available on the department’s website;
141 providing requirements for the report; requiring the
142 department to adopt rules; authorizing the department
143 to collaborate and cooperate with specified
144 enforcement authorities; specifying that the act does
145 not create a private cause of action; authorizing the
146 department to employ or use outside legal counsel for
147 specified purposes; providing for jurisdiction;
148 creating s. 501.721, F.S.; declaring that the act is a
149 matter of statewide concern; preempting the
150 collection, processing, sharing, and sale of consumer
151 personal data to the state; amending s. 501.171, F.S.;
152 revising the definition of the term “personal
153 information”; amending s. 16.53, F.S.; revising the
154 purpose of the Legal Affairs Revolving Trust Fund;
155 requiring that certain attorney fees, costs, and
156 penalties recovered by the Attorney General be
157 deposited in the trust fund; providing effective
158 dates.
159
160 Be It Enacted by the Legislature of the State of Florida:
161
162 Section 1. Effective July 1, 2023, section 112.23, Florida
163 Statutes, is created to read:
164 112.23 Government-directed content moderation of social
165 media platforms prohibited.—
166 (1) As used in this section, the term:
167 (a) “Governmental entity” means any officer or employee of
168 a state, county, district, authority, municipality, department,
169 agency, division, board, bureau, commission, or other separate
170 unit of government created or established by law, and includes
171 any other public or private entity acting on behalf of such
172 governmental entity.
173 (b) “Social media platform” means a form of electronic
174 communication through which users create online communities or
175 groups to share information, ideas, personal messages, and other
176 content.
177 (2) A governmental entity may not communicate with a social
178 media platform to request that it remove content or accounts
179 from the social media platform.
180 (3) A governmental entity may not initiate or maintain any
181 agreements or working relationships with a social media platform
182 for the purpose of content moderation.
183 (4) Subsections (2) and (3) do not apply if the
184 governmental entity or an officer or an employee acting on
185 behalf of a governmental entity is acting as part of any of the
186 following:
187 (a) Routine account management of the governmental entity’s
188 account, including, but not limited to, the removal or revision
189 of the governmental entity’s content or account or
190 identification of accounts falsely posing as a governmental
191 entity, officer, or salaried employee.
192 (b) An attempt to remove content that pertains to the
193 commission of a crime or violation of this state’s public
194 records law.
195 (c) An attempt to remove an account that pertains to the
196 commission of a crime or violation of this state’s public
197 records law.
198 (d) An investigation or inquiry related to an effort to
199 prevent imminent bodily harm, loss of life, or property damage.
200 Section 2. Section 501.1735, Florida Statutes, is created
201 to read:
202 501.1735 Protection of children in online spaces.—
203 (1) DEFINITIONS.—As used in this section, the term:
204 (a) “Child” or “children” means a consumer or consumers who
205 are under 18 years of age.
206 (b) “Collect” means to buy, rent, gather, obtain, receive,
207 save, store, or access any personal information pertaining to a
208 child.
209 (c) “Dark pattern” means a user interface designed or
210 manipulated with the substantial effect of subverting or
211 impairing user autonomy, decision-making, or choice and
212 includes, but is not limited to, any practice the Federal Trade
213 Commission refers to as a dark pattern.
214 (d) “Department” means the Department of Legal Affairs.
215 (e) “Online platform” means a social media platform as
216 defined in s. 112.23(1), online game, or online gaming platform.
217 (f) “Personal information” means information that is linked
218 or reasonably linkable to an identified or identifiable child,
219 including biometric information and unique identifiers to the
220 child.
221 (g) “Precise geolocation data” means information identified
222 through technology which enables the online platform to collect
223 specific location data which directly identifies the specific
224 location of a child with precision and accuracy within a radius
225 of 1,750 feet.
226 (h) “Processing” means any operation or set of operations
227 performed on personal information or on sets of personal
228 information, regardless of whether by automated means.
229 (i) “Profile” or “profiling” means any form of automated
230 processing performed on personal information to evaluate,
231 analyze, or predict personal aspects relating to the economic
232 situation, health, personal preferences, interests, reliability,
233 behavior, location, or movements of a child.
234 (j) “Sell” means to sell, rent, release, disclose,
235 disseminate, make available, transfer, or otherwise communicate
236 orally, in writing, or by electronic or other means, a child’s
237 personal information or information that relates to a group or
238 category of children by an online platform to another online
239 platform or an affiliate or third party for monetary or other
240 valuable consideration.
241 (k) “Share” means to share, rent, release, disclose,
242 disseminate, make available, transfer, or access a child’s
243 personal information for advertising or marketing. The term
244 includes:
245 1. Allowing a third party to advertise or market based on a
246 child’s personal information without disclosure of the personal
247 information to the third party.
248 2. Monetary transactions, nonmonetary transactions, and
249 transactions for other valuable consideration between an online
250 platform and a third party for advertising or marketing.
251 (l) “Substantial harm or privacy risk to children” means
252 the processing of personal information in a manner that may
253 result in any reasonably foreseeable substantial physical
254 injury, economic injury, or offensive intrusion into the privacy
255 expectations of a reasonable child under the circumstances,
256 including:
257 1. Mental health disorders or associated behaviors,
258 including the promotion or exacerbation of self-harm, suicide,
259 eating disorders, and substance abuse disorders;
260 2. Patterns of use that indicate or encourage addictive
261 behaviors;
262 3. Physical violence, online bullying, and harassment;
263 4. Sexual exploitation, including enticement, sex
264 trafficking, and sexual abuse and trafficking of online sexual
265 abuse material;
266 5. Promotion and marketing of tobacco products, gambling,
267 alcohol, or narcotic drugs as defined in s. 102 of the
268 Controlled Substances Act, 21 U.S.C. 802; or
269 6. Predatory, unfair, or deceptive marketing practices or
270 other financial harms.
271 (2) PROHIBITIONS.—An online platform that provides an
272 online service, product, game, or feature likely to be
273 predominantly accessed by children may not:
274 (a) Process the personal information of any child if the
275 online platform has actual knowledge of or willfully disregards
276 that the processing may result in substantial harm or privacy
277 risk to children.
278 (b) Profile a child unless both of the following criteria
279 are met:
280 1. The online platform can demonstrate it has appropriate
281 safeguards in place to protect children.
282 2.a. Profiling is necessary to provide the online service,
283 product, or feature requested for the aspects of the online
284 service, product, or feature with which the child is actively
285 and knowingly engaged; or
286 b. The online platform can demonstrate a compelling reason
287 that profiling does not pose a substantial harm or privacy risk
288 to children.
289 (c) Collect, sell, share, or retain any personal
290 information that is not necessary to provide an online service,
291 product, or feature with which a child is actively and knowingly
292 engaged unless the online platform can demonstrate a compelling
293 reason that collecting, selling, sharing, or retaining the
294 personal information does not pose a substantial harm or privacy
295 risk to children.
296 (d) Use personal information of a child for any reason
297 other than the reason for which the personal information was
298 collected, unless the online platform can demonstrate a
299 compelling reason that the use of the personal information does
300 not pose a substantial harm or privacy risk to children.
301 (e) Collect, sell, or share any precise geolocation data of
302 children unless the collection of the precise geolocation data
303 is strictly necessary for the online platform to provide the
304 service, product, or feature requested and then only for the
305 limited time that the collection of the precise geolocation data
306 is necessary to provide the service, product, or feature.
307 (f) Collect any precise geolocation data of a child without
308 providing an obvious sign to the child for the duration of the
309 collection that the precise geolocation data is being collected.
310 (g) Use dark patterns to lead or encourage children to
311 provide personal information beyond what personal information
312 would otherwise be reasonably expected to be provided for that
313 online service, product, game, or feature; to forego privacy
314 protections; or to take any action that the online platform has
315 actual knowledge of or willfully disregards that may result in
316 substantial harm or privacy risk to children.
317 (h) Use any personal information collected to estimate age
318 or age range for any other purpose or retain that personal
319 information longer than necessary to estimate age. The age
320 estimate must be proportionate to the risks and data practice of
321 an online service, product, or feature.
322 (3) BURDEN OF PROOF.—If an online platform processes
323 personal information pursuant to subsection (2), the online
324 platform bears the burden of demonstrating that such processing
325 does not violate subsection (2).
326 (4) ENFORCEMENT AND IMPLEMENTATION BY THE DEPARTMENT.—
327 (a) Any violation of subsection (2) is an unfair and
328 deceptive trade practice actionable under part II of chapter 501
329 solely by the department against an online platform. If the
330 department has reason to believe that an online platform is in
331 violation of subsection (2), the department, as the enforcing
332 authority, may bring an action against such online platform for
333 an unfair or deceptive act or practice. For the purpose of
334 bringing an action pursuant to this section, ss. 501.211 and
335 501.212 do not apply. In addition to other remedies under part
336 II of chapter 501, the department may collect a civil penalty of
337 up to $50,000 per violation of this section. Civil penalties may
338 be tripled for any violation involving a Florida child who the
339 online platform has actual knowledge is under 18 years of age.
340 (b) After the department has notified an online platform in
341 writing of an alleged violation, the department may in its
342 discretion grant a 45-day period to cure the alleged violation.
343 If the violation is cured to the satisfaction of the department
344 and proof of such cure is provided to the department, the
345 department may not bring an action for the alleged violation but
346 in its discretion may issue a letter of guidance that indicates
347 that the online platform will not be offered a 45-day cure
348 period for any future violations. If the online platform fails
349 to cure the violation within 45 calendar days, the department
350 may bring an action against the online platform for the alleged
351 violation.
352 (c) Any action brought by the department may be brought
353 only on behalf of a Florida child.
354 (d) The department may adopt rules to implement this
355 section.
356 (e) Liability for a tort, contract claim, or consumer
357 protection claim that is unrelated to an action brought under
358 this subsection does not arise solely from the failure of an
359 online platform to comply with this section.
360 (f) This section does not establish a private cause of
361 action.
362 (5) JURISDICTION.—For purposes of bringing an action
363 pursuant to this section, any person who meets the definition of
364 online platform which operates an online service, product, game,
365 or feature likely to be predominantly accessed by children and
366 accessible by Florida children located in this state is
367 considered to be both engaged in substantial and not isolated
368 activities within this state and operating, conducting, engaging
369 in, or carrying on a business, and doing business in this state,
370 and is therefore subject to the jurisdiction of the courts of
371 this state.
372 Section 3. The Division of Law Revision is directed to:
373 (1) Redesignate current parts V, VI, and VII of chapter
374 501, Florida Statutes, as parts VI, VII, and VIII of chapter
375 501, Florida Statutes, respectively; and
376 (2) Create a new part V of chapter 501, Florida Statutes,
377 consisting of ss. 501.701-501.721, Florida Statutes, entitled
378 “Data Privacy and Security.”
379 Section 4. Section 501.701, Florida Statutes, is created to
380 read:
381 501.701 Short title.—This part may be cited as the “Florida
382 Digital Bill of Rights.”
383 Section 5. Section 501.702, Florida Statutes, is created to
384 read:
385 501.702 Definitions.—As used in this part, the term:
386 (1) “Affiliate” means a legal entity that controls, is
387 controlled by, or is under common control with another legal
388 entity or that shares common branding with another legal entity.
389 For purposes of this subsection, the term “control” or
390 “controlled” means any of the following:
391 (a) The ownership of, or power to vote, more than 50
392 percent of the outstanding shares of any class of voting
393 security of a company.
394 (b) The control in any manner over the election of a
395 majority of the directors or of individuals exercising similar
396 functions.
397 (c) The power to exercise controlling influence over the
398 management of a company.
399 (2) “Aggregate consumer information” means information that
400 relates to a group or category of consumers, from which the
401 identity of an individual consumer has been removed and is not
402 reasonably capable of being directly or indirectly associated or
403 linked with any consumer, household, or device. The term does
404 not include information about a group or category of consumers
405 used to facilitate targeted advertising or the display of ads
406 online. The term does not include personal information that has
407 been deidentified.
408 (3) “Authenticate” or “authenticated” means to verify or
409 the state of having been verified, respectively, through
410 reasonable means that the consumer who is entitled to exercise
411 the consumer’s rights under s. 501.705 is the same consumer
412 exercising those consumer rights with respect to the personal
413 data at issue.
414 (4) “Biometric data” means data generated by automatic
415 measurements of an individual’s biological characteristics. The
416 term includes fingerprints, voiceprints, eye retinas or irises,
417 or other unique biological patterns or characteristics used to
418 identify a specific individual. The term does not include
419 physical or digital photographs, video or audio recordings or
420 data generated from video or audio recordings, or information
421 collected, used, or stored for health care treatment, payment,
422 or operations under the Health Insurance Portability and
423 Accountability Act of 1996, 42 U.S.C. ss. 1320d et seq.
424 (5) “Business associate” has the same meaning as in 45
425 C.F.R. s. 160.103 and the Health Insurance Portability and
426 Accountability Act of 1996, 42 U.S.C. ss. 1320d et seq.
427 (6) “Child” means an individual younger than 18 years of
428 age.
429 (7) “Consent,” when referring to a consumer, means a clear
430 affirmative act signifying a consumer’s freely given, specific,
431 informed, and unambiguous agreement to process personal data
432 relating to the consumer. The term includes a written statement,
433 including a statement written by electronic means, or any other
434 unambiguous affirmative act. The term does not include any of
435 the following:
436 (a) Acceptance of a general or broad terms of use or
437 similar document that contains descriptions of personal data
438 processing along with other, unrelated information.
439 (b) Hovering over, muting, pausing, or closing a given
440 piece of content.
441 (c) Agreement obtained through the use of dark patterns.
442 (8) “Consumer” means an individual who is a resident of or
443 is domiciled in this state acting only in an individual or
444 household context. The term does not include an individual
445 acting in a commercial or employment context.
446 (9) “Controller” means:
447 (a) A sole proprietorship, partnership, limited liability
448 company, corporation, association, or legal entity that meets
449 the following requirements:
450 1. Is organized or operated for the profit or financial
451 benefit of its shareholders or owners;
452 2. Conducts business in this state;
453 3. Collects personal data about consumers, or is the entity
454 on behalf of which such information is collected;
455 4. Determines the purposes and means of processing personal
456 data about consumers alone or jointly with others;
457 5. Makes in excess of $1 billion in global gross annual
458 revenues; and
459 6. Satisfies at least one of the following:
460 a. Derives 50 percent or more of its global gross annual
461 revenues from the sale of advertisements online, including
462 providing targeted advertising or the sale of ads online;
463 b. Operates a consumer smart speaker and voice command
464 component service with an integrated virtual assistant connected
465 to a cloud computing service that uses hands-free verbal
466 activation. For purposes of this sub-subparagraph, a consumer
467 smart speaker and voice command component service does not
468 include a motor vehicle or speaker or device associated with or
469 connected to a vehicle which is operated by a motor vehicle
470 manufacturer or a subsidiary or affiliate thereof; or
471 c. Operates an app store or a digital distribution platform
472 that offers at least 250,000 different software applications for
473 consumers to download and install.
474 (b) Any entity that controls or is controlled by a
475 controller. As used in this paragraph, the term “control” means:
476 1. Ownership of, or the power to vote, more than 50 percent
477 of the outstanding shares of any class of voting security of a
478 controller;
479 2. Control in any manner over the election of a majority of
480 the directors, or of individuals exercising similar functions;
481 or
482 3. The power to exercise a controlling influence over the
483 management of a company.
484 (10) “Covered entity” has the same meaning as in 45 C.F.R.
485 s. 160.103 and the Health Insurance Portability and
486 Accountability Act of 1996, 42 U.S.C. ss. 1320d et seq.
487 (11) “Dark pattern” means a user interface designed or
488 manipulated with the effect of substantially subverting or
489 impairing user autonomy, decisionmaking, or choice. The term
490 includes any practice the Federal Trade Commission refers to as
491 a dark pattern.
492 (12) “Decision that produces a legal or similarly
493 significant effect concerning a consumer” means a decision made
494 by a controller which results in the provision or denial by the
495 controller of any of the following:
496 (a) Financial and lending services.
497 (b) Housing, insurance, or health care services.
498 (c) Education enrollment.
499 (d) Employment opportunities.
500 (e) Criminal justice.
501 (f) Access to basic necessities, such as food and water.
502 (13) “Deidentified data” means data that cannot reasonably
503 be linked to an identified or identifiable individual or a
504 device linked to that individual.
505 (14) “Health care provider” has the same meaning as in 45
506 C.F.R. s. 160.103 and the Health Insurance Portability and
507 Accountability Act of 1996, 42 U.S.C. ss. 1320d et seq.
508 (15) “Health record” means any written, printed, or
509 electronically recorded material maintained by a health care
510 provider in the course of providing health care services to an
511 individual which concerns the individual and the services
512 provided. The term includes any of the following:
513 (a) The substance of any communication made by an
514 individual to a health care provider in confidence during or in
515 connection with the provision of health care services.
516 (b) Information otherwise acquired by the health care
517 provider about an individual in confidence and in connection
518 with health care services provided to the individual.
519 (16) “Identified or identifiable individual” means a
520 consumer who can be readily identified, directly or indirectly.
521 (17) “Known child” means a child under circumstances of
522 which a controller has actual knowledge of, or willfully
523 disregards, the child’s age.
524 (18) “Nonprofit organization” means any of the following:
525 (a) An organization exempt from federal taxation under s.
526 501(a) of the Internal Revenue Code of 1986 by virtue of being
527 listed as an exempt organization under s. 501(c)(3), s.
528 501(c)(4), s. 501(c)(6), or s. 501(c)(12) of that code.
529 (b) A political organization.
530 (19) “Personal data” means any information, including
531 sensitive data, which is linked or reasonably linkable to an
532 identified or identifiable individual. The term includes
533 pseudonymous data when the data is used by a controller or
534 processor in conjunction with additional information that
535 reasonably links the data to an identified or identifiable
536 individual. The term does not include deidentified data or
537 publicly available information.
538 (20) “Political organization” means a party, a committee,
539 an association, a fund, or any other organization, regardless of
540 whether incorporated, organized and operated primarily for the
541 purpose of influencing or attempting to influence any of the
542 following:
543 (a) The selection, nomination, election, or appointment of
544 an individual to a federal, state, or local public office or an
545 office in a political organization, regardless of whether the
546 individual is selected, nominated, elected, or appointed.
547 (b) The election of a presidential or vice-presidential
548 elector, regardless of whether the elector is selected,
549 nominated, elected, or appointed.
550 (21) “Postsecondary education institution” means a Florida
551 College System institution, state university, or nonpublic
552 postsecondary education institution that receives state funds.
553 (22) “Precise geolocation data” means information derived
554 from technology, including global positioning system level
555 latitude and longitude coordinates or other mechanisms, which
556 directly identifies the specific location of an individual with
557 precision and accuracy within a radius of 1,750 feet. The term
558 does not include the content of communications or any data
559 generated by or connected to an advanced utility metering
560 infrastructure system or to equipment for use by a utility.
561 (23) “Process” or “processing” means an operation or set of
562 operations performed, whether by manual or automated means, on
563 personal data or on sets of personal data, such as the
564 collection, use, storage, disclosure, analysis, deletion, or
565 modification of personal data.
566 (24) “Processor” means a person who processes personal data
567 on behalf of a controller.
568 (25) “Profiling” means any form of solely automated
569 processing performed on personal data to evaluate, analyze, or
570 predict personal aspects related to an identified or
571 identifiable individual’s economic situation, health, personal
572 preferences, interests, reliability, behavior, location, or
573 movements.
574 (26) “Protected health information” has the same meaning as
575 in 45 C.F.R. s. 160.103 and the Health Insurance Portability and
576 Accountability Act of 1996, 42 U.S.C. ss. 1320d et seq.
577 (27) “Pseudonymous data” means any information that cannot
578 be attributed to a specific individual without the use of
579 additional information, provided that the additional information
580 is kept separately and is subject to appropriate technical and
581 organizational measures to ensure that the personal data is not
582 attributed to an identified or identifiable individual.
583 (28) “Publicly available information” means information
584 lawfully made available through government records, or
585 information that a business has a reasonable basis for believing
586 is lawfully made available to the general public through widely
587 distributed media, by a consumer, or by a person to whom a
588 consumer has disclosed the information, unless the consumer has
589 restricted the information to a specific audience.
590 (29) “Sale of personal data” means the sharing, disclosing,
591 or transferring of personal data for monetary or other valuable
592 consideration by the controller to a third party. The term does
593 not include any of the following:
594 (a) The disclosure of personal data to a processor who
595 processes the personal data on the controller’s behalf.
596 (b) The disclosure of personal data to a third party for
597 purposes of providing a product or service requested by the
598 consumer.
599 (c) The disclosure of information that the consumer:
600 1. Intentionally made available to the general public
601 through a mass media channel; and
602 2. Did not restrict to a specific audience.
603 (d) The disclosure or transfer of personal data to a third
604 party as an asset that is part of a merger or an acquisition.
605 (30) “Search engine” means technology and systems that use
606 algorithms to sift through and index vast third-party websites
607 and content on the Internet in response to search queries
608 entered by a user. The term does not include the license of
609 search functionality for the purpose of enabling the licensee to
610 operate a third-party search engine service in circumstances
611 where the licensee does not have legal or operational control of
612 the search algorithm, the index from which results are
613 generated, or the ranking order in which the results are
614 provided.
615 (31) “Sensitive data” means a category of personal data
616 which includes any of the following:
617 (a) Personal data revealing an individual’s racial or
618 ethnic origin, religious beliefs, mental or physical health
619 diagnosis, sexual orientation, or citizenship or immigration
620 status.
621 (b) Genetic or biometric data processed for the purpose of
622 uniquely identifying an individual.
623 (c) Personal data collected from a known child.
624 (d) Precise geolocation data.
625 (32) “State agency” means any department, commission,
626 board, office, council, authority, or other agency in the
627 executive branch of state government created by the State
628 Constitution or state law. The term includes a postsecondary
629 education institution.
630 (33) “Targeted advertising” means displaying to a consumer
631 an advertisement selected based on personal data obtained from
632 that consumer’s activities over time across affiliated or
633 unaffiliated websites and online applications used to predict
634 the consumer’s preferences or interests. The term does not
635 include an advertisement that is:
636 (a) Based on the context of a consumer’s current search
637 query on the controller’s own website or online application; or
638 (b) Directed to a consumer search query on the controller’s
639 own website or online application in response to the consumer’s
640 request for information or feedback.
641 (34) “Third party” means a person, other than the consumer,
642 the controller, the processor, or an affiliate of the controller
643 or processor.
644 (35) “Trade secret” has the same meaning as in s. 812.081.
645 (36) “Voice recognition feature” means the function of a
646 device which enables the collection, recording, storage,
647 analysis, transmission, interpretation, or other use of spoken
648 words or other sounds.
649 Section 6. Section 501.703, Florida Statutes, is created to
650 read:
651 501.703 Applicability.—
652 (1) This part applies only to a person who:
653 (a) Conducts business in this state or produces a product
654 or service used by residents of this state; and
655 (b) Processes or engages in the sale of personal data.
656 (2) This part does not apply to any of the following:
657 (a) A state agency or a political subdivision of the state.
658 (b) A financial institution or data subject to Title V,
659 Gramm-Leach-Bliley Act, 15 U.S.C. ss. 6801 et seq.
660 (c) A covered entity or business associate governed by the
661 privacy, security, and breach notification regulations issued by
662 the United States Department of Health and Human Services, 45
663 C.F.R. parts 160 and 164, established under the Health Insurance
664 Portability and Accountability Act of 1996, 42 U.S.C. ss. 1320d
665 et seq., and the Health Information Technology for Economic and
666 Clinical Health Act, Division A, Title XIII and Division B,
667 Title IV, Pub. L. No. 111-5.
668 (d) A nonprofit organization.
669 (e) A postsecondary education institution.
670 (f) The processing of personal data:
671 1. By a person in the course of a purely personal or
672 household activity.
673 2. Solely for measuring or reporting advertising
674 performance, reach, or frequency.
675 (3) A controller or processor that complies with the
676 authenticated parental consent requirements of the Children’s
677 Online Privacy Protection Act, 15 U.S.C. ss. 6501 et seq., with
678 respect to data collected online, is considered to be in
679 compliance with any requirement to obtain parental consent under
680 this part.
681 Section 7. Section 501.704, Florida Statutes, is created to
682 read:
683 501.704 Exemptions.—All of the following information is
684 exempt from this part:
685 (1) Protected health information under the Health Insurance
686 Portability and Accountability Act of 1996, 42 U.S.C. ss. 1320d
687 et seq.
688 (2) Health records.
689 (3) Patient identifying information for purposes of 42
690 U.S.C. s. 290dd-2.
691 (4) Identifiable private information:
692 (a) For purposes of the federal policy for the protection
693 of human subjects under 45 C.F.R. part 46;
694 (b) Collected as part of human subjects research under the
695 good clinical practice guidelines issued by the International
696 Council for Harmonisation of Technical Requirements for
697 Pharmaceuticals for Human Use or the protection of human
698 subjects under 21 C.F.R. parts 50 and 56; or
699 (c) That is personal data used or shared in research
700 conducted in accordance with this part or other research
701 conducted in accordance with applicable law.
702 (5) Information and documents created for purposes of the
703 Health Care Quality Improvement Act of 1986, 42 U.S.C. ss. 11101
704 et seq.
705 (6) Patient safety work product for purposes of the Patient
706 Safety and Quality Improvement Act of 2005, 42 U.S.C. ss. 299b-
707 21 et seq.
708 (7) Information derived from any of the health-care-related
709 information listed in this section which is deidentified in
710 accordance with the requirements for deidentification under the
711 Health Insurance Portability and Accountability Act of 1996, 42
712 U.S.C. ss. 1320d et seq.
713 (8) Information originating from, and intermingled to be
714 indistinguishable with, or information treated in the same
715 manner as, information exempt under this section which is
716 maintained by a covered entity or business associate as defined
717 by the Health Insurance Portability and Accountability Act of
718 1996, 42 U.S.C. ss. 1320d et seq. or by a program or a qualified
719 service organization as defined by 42 U.S.C. s. 290dd-2.
720 (9) Information included in a limited data set as described
721 by 45 C.F.R. s. 164.514(e), to the extent that the information
722 is used, disclosed, and maintained in the manner specified by 45
723 C.F.R. s. 164.514(e).
724 (10) Information used only for public health activities and
725 purposes as described in 45 C.F.R. s. 164.512.
726 (11) Information collected or used only for public health
727 activities and purposes as authorized by the Health Insurance
728 Portability and Accountability Act of 1996, 42 U.S.C. ss. 1320d
729 et seq.
730 (12) The collection, maintenance, disclosure, sale,
731 communication, or use of any personal data bearing on a
732 consumer’s creditworthiness, credit standing, credit capacity,
733 character, general reputation, personal characteristics, or mode
734 of living by a consumer reporting agency or furnisher that
735 provides information for use in a consumer report, or by a user
736 of a consumer report, but only to the extent that the activity
737 is regulated by and authorized under the Fair Credit Reporting
738 Act, 15 U.S.C. ss. 1681 et seq.
739 (13) Personal data collected, processed, sold, or disclosed
740 in compliance with the Driver’s Privacy Protection Act of 1994,
741 18 U.S.C. ss. 2721 et seq.
742 (14) Personal data regulated by the Family Educational
743 Rights and Privacy Act of 1974, 20 U.S.C. s. 1232g.
744 (15) Personal data collected, processed, sold, or disclosed
745 in compliance with the Farm Credit Act of 1971, 12 U.S.C. ss.
746 2001 et seq.
747 (16) Data processed or maintained in the course of an
748 individual applying to, being employed by, or acting as an agent
749 or independent contractor of a controller, processor, or third
750 party, to the extent that the data is collected and used within
751 the context of that role.
752 (17) Data processed or maintained as the emergency contact
753 information of an individual under this part which is used for
754 emergency contact purposes.
755 (18) Data that is processed or maintained and that is
756 necessary to retain to administer benefits for another
757 individual which relates to an individual described in
758 subsection (16) and which is used for the purposes of
759 administering those benefits.
760 (19) Personal data collected and transmitted which is
761 necessary for the sole purpose of sharing such personal data
762 with a financial service provider solely to facilitate short-
763 term, transactional payment processing for the purchase of
764 products or services.
765 (20) Personal data collected, processed, sold, or disclosed
766 in relation to price, route, or service as those terms are used
767 in the Airline Deregulation Act, 49 U.S.C. ss. 40101 et seq., by
768 entities subject to that act, to the extent the provisions of
769 this act are preempted by 49 U.S.C. s. 41713.
770 (21) Personal data shared between a manufacturer of a
771 tangible product and authorized third-party distributors or
772 vendors of the product, as long as such personal data is used
773 solely for advertising, marketing, or servicing the product that
774 is acquired directly through such manufacturer and such
775 authorized third-party distributors or vendors. Such personal
776 data may not be sold or shared unless otherwise authorized under
777 this part.
778 Section 8. Section 501.705, Florida Statutes, is created to
779 read:
780 501.705 Consumer rights.—
781 (1) A consumer is entitled to exercise the consumer rights
782 authorized by this section at any time by submitting a request
783 to a controller which specifies the consumer rights that the
784 consumer wishes to exercise. With respect to the processing of
785 personal data belonging to a known child, a parent or legal
786 guardian of the child may exercise these rights on behalf of the
787 child.
788 (2) A controller shall comply with an authenticated
789 consumer request to exercise any of the following rights:
790 (a) To confirm whether a controller is processing the
791 consumer’s personal data and to access the personal data.
792 (b) To correct inaccuracies in the consumer’s personal
793 data, taking into account the nature of the personal data and
794 the purposes of the processing of the consumer’s personal data.
795 (c) To delete any or all personal data provided by or
796 obtained about the consumer.
797 (d) To obtain a copy of the consumer’s personal data in a
798 portable and, to the extent technically feasible, readily usable
799 format if the data is available in a digital format.
800 (e) To opt out of the processing of the personal data for
801 purposes of:
802 1. Targeted advertising;
803 2. The sale of personal data; or
804 3. Profiling in furtherance of a decision that produces a
805 legal or similarly significant effect concerning a consumer.
806 (f) To opt out of the collection of sensitive data,
807 including precise geolocation data, or the processing of
808 sensitive data.
809 (g) To opt out of the collection of personal data collected
810 through the operation of a voice recognition or facial
811 recognition feature.
812 (3) A device that has a voice recognition feature, a facial
813 recognition feature, a video recording feature, an audio
814 recording feature, or any other electronic, visual, thermal, or
815 olfactory feature that collects data may not use those features
816 for the purpose of surveillance by the controller, processor, or
817 affiliate of a controller or processor when such features are
818 not in active use by the consumer, unless otherwise expressly
819 authorized by the consumer.
820 Section 9. Section 501.706, Florida Statutes, is created to
821 read:
822 501.706 Controller response to consumer requests.—
823 (1) Except as otherwise provided by this part, a controller
824 shall comply with a request submitted by a consumer to exercise
825 the consumer’s rights pursuant to s. 501.705, as provided in
826 this section.
827 (2) A controller shall respond to the consumer request
828 without undue delay, which may not be later than 45 days after
829 the date of receipt of the request. The controller may extend
830 the response period once by an additional 15 days when
831 reasonably necessary, taking into account the complexity and
832 number of the consumer’s requests, so long as the controller
833 informs the consumer of the extension within the initial 45-day
834 response period, together with the reason for the extension.
835 (3) If a controller cannot take action regarding the
836 consumer’s request, the controller must inform the consumer
837 without undue delay, which may not be later than 45 days after
838 the date of receipt of the request, of the justification for the
839 inability to take action on the request and provide instructions
840 on how to appeal the decision in accordance with s. 501.707. A
841 controller is not required to comply with a consumer request
842 submitted under s. 501.705 if the controller cannot authenticate
843 the request. However, the controller must make a reasonable
844 effort to request that the consumer provide additional
845 information reasonably necessary to authenticate the consumer
846 and the consumer’s request. If a controller maintains a self-
847 service mechanism to allow a consumer to correct certain
848 personal data, the controller may deny the consumer’s request
849 and require the consumer to correct his or her own personal data
850 through such mechanism.
851 (4) A controller must provide the consumer with notice
852 within 60 days after the request is received that the controller
853 has complied with the consumer’s request as required in this
854 section.
855 (5) A controller shall provide information or take action
856 in response to a consumer request free of charge, at least twice
857 annually per consumer. If a request from a consumer is
858 manifestly unfounded, excessive, or repetitive, the controller
859 may charge the consumer a reasonable fee to cover the
860 administrative costs of complying with the request or may
861 decline to act on the request. The controller bears the burden
862 of demonstrating for purposes of this subsection that a request
863 is manifestly unfounded, excessive, or repetitive.
864 (6) A controller who has obtained personal data about a
865 consumer from a source other than the consumer is considered in
866 compliance with a consumer’s request to delete that personal
867 data pursuant to s. 501.705(2)(c), by doing any of the
868 following:
869 (a) Deleting the personal data, retaining a record of the
870 deletion request and the minimum data necessary for the purpose
871 of ensuring that the consumer’s personal data remains deleted
872 from the business’s records, and not using the retained data for
873 any other purpose under this part.
874 (b) Opting the consumer out of the processing of that
875 personal data for any purpose other than a purpose exempt under
876 this part.
877 Section 10. Section 501.707, Florida Statutes, is created
878 to read:
879 501.707 Appeal.—
880 (1) A controller shall establish a process for a consumer
881 to appeal the controller’s refusal to take action on a request
882 within a reasonable period of time after the consumer’s receipt
883 of the decision under s. 501.706(3).
884 (2) The appeal process must be conspicuously available and
885 similar to the process for initiating action to exercise
886 consumer rights by submitting a request under s. 501.705.
887 (3) A controller shall inform the consumer in writing of
888 any action taken or not taken in response to an appeal under
889 this section within 60 days after the date of receipt of the
890 appeal, including a written explanation of the reason or reasons
891 for the decision.
892 Section 11. Section 501.708, Florida Statutes, is created
893 to read:
894 501.708 Waiver or limitation of consumer rights
895 prohibited.—Any provision of a contract or agreement which
896 waives or limits in any way a consumer right described by s.
897 501.705, s. 501.706, or s. 501.707 is contrary to public policy
898 and is void and unenforceable.
899 Section 12. Section 501.709, Florida Statutes, is created
900 to read:
901 501.709 Submitting consumer requests.—
902 (1) A controller shall establish two or more methods to
903 enable consumers to submit a request to exercise their consumer
904 rights under this part. The methods must be secure, reliable,
905 and clearly and conspicuously accessible. The methods must take
906 all of the following into account:
907 (a) The ways in which consumers normally interact with the
908 controller.
909 (b) The necessity for secure and reliable communications of
910 these requests.
911 (c) The ability of the controller to authenticate the
912 identity of the consumer making the request.
913 (2) A controller may not require a consumer to create a new
914 account to exercise the consumer’s rights under this part but
915 may require a consumer to use an existing account.
916 (3) A controller shall provide a mechanism on its website
917 for a consumer to submit a request for information required to
918 be disclosed under this part. A controller that operates
919 exclusively online and has a direct relationship with a consumer
920 from whom the controller collects personal data may also provide
921 an e-mail address for the submission of requests.
922 Section 13. Section 501.71, Florida Statutes, is created to
923 read:
924 501.71 Controller duties.—
925 (1) A controller shall:
926 (a) Limit the collection of personal data to data that is
927 adequate, relevant, and reasonably necessary in relation to the
928 purposes for which it is processed, as disclosed to the
929 consumer; and
930 (b) For purposes of protecting the confidentiality,
931 integrity, and accessibility of personal data, establish,
932 implement, and maintain reasonable administrative, technical,
933 and physical data security practices appropriate to the volume
934 and nature of the personal data at issue.
935 (2) A controller may not do any of the following:
936 (a) Except as otherwise provided by this part, process
937 personal data for a purpose that is neither reasonably necessary
938 nor compatible with the purpose for which the personal data is
939 processed, as disclosed to the consumer, unless the controller
940 obtains the consumer’s consent.
941 (b) Process personal data in violation of state or federal
942 laws that prohibit unlawful discrimination against consumers.
943 (c) Discriminate against a consumer for exercising any of
944 the consumer rights contained in this part, including by denying
945 goods or services, charging different prices or rates for goods
946 or services, or providing a different level of quality of goods
947 or services to the consumer. A controller may offer financial
948 incentives, including payments to consumers as compensation, for
949 processing of personal data if the consumer gives the controller
950 prior consent that clearly describes the material terms of the
951 financial incentive program and provided that such incentive
952 practices are not unjust, unreasonable, coercive, or usurious in
953 nature. The consent may be revoked by the consumer at any time.
954 (d) Process the sensitive data of a consumer without
955 obtaining the consumer’s consent, or, in the case of processing
956 the sensitive data of a known child, without processing that
957 data with the affirmative authorization for such processing by a
958 known child who is between 13 and 18 years of age or in
959 accordance with the Children’s Online Privacy Protection Act, 15
960 U.S.C. ss. 6501 et seq. for a known child under the age of 13.
961 (3) Paragraph (2)(c) may not be construed to require a
962 controller to provide a product or service that requires the
963 personal data of a consumer which the controller does not
964 collect or maintain or to prohibit a controller from offering a
965 different price, rate, level, quality, or selection of goods or
966 services to a consumer, including offering goods or services for
967 no fee, if the consumer has exercised the consumer’s right to
968 opt out under s. 501.705(2) or the offer is related to a
969 consumer’s voluntary participation in a bona fide loyalty,
970 rewards, premium features, discounts, or club card program.
971 (4) A controller that operates a search engine shall make
972 available, in an easily accessible location on the webpage which
973 does not require a consumer to log in or register to read, an
974 up-to-date plain language description of the main parameters
975 that are individually or collectively the most significant in
976 determining ranking and the relative importance of those main
977 parameters, including the prioritization or deprioritization of
978 political partisanship or political ideology in search results.
979 Algorithms are not required to be disclosed nor is any other
980 information that, with reasonable certainty, would enable
981 deception of or harm to consumers through the manipulation of
982 search results.
983 Section 14. Section 501.711, Florida Statutes, is created
984 to read:
985 501.711 Privacy notices.—
986 (1) A controller shall provide consumers with a reasonably
987 accessible and clear privacy notice, updated at least annually,
988 that includes all of the following information:
989 (a) The categories of personal data processed by the
990 controller, including, if applicable, any sensitive data
991 processed by the controller.
992 (b) The purpose of processing personal data.
993 (c) How consumers may exercise their rights under s.
994 501.705(2), including the process by which a consumer may appeal
995 a controller’s decision with regard to the consumer’s request.
996 (d) If applicable, the categories of personal data that the
997 controller shares with third parties.
998 (e) If applicable, the categories of third parties with
999 whom the controller shares personal data.
1000 (f) A description of the methods specified in s. 501.709,
1001 by which consumers can submit requests to exercise their
1002 consumer rights under this part.
1003 (2) If a controller engages in the sale of personal data
1004 that is sensitive data, the controller must provide the
1005 following notice: “NOTICE: This website may sell your sensitive
1006 personal data.” The notice must be posted in accordance with
1007 subsection (1).
1008 (3) If a controller engages in the sale of personal data
1009 that is biometric data, the controller must provide the
1010 following notice: “NOTICE: This website may sell your biometric
1011 personal data.” The notice must be posted in accordance with
1012 subsection (1).
1013 (4) If a controller sells personal data to third parties or
1014 processes personal data for targeted advertising, the controller
1015 must clearly and conspicuously disclose that process and the
1016 manner in which a consumer may exercise the right to opt out of
1017 that process.
1018 (5) A controller may not collect additional categories of
1019 personal information or use personal information collected for
1020 additional purposes without providing the consumer with notice
1021 consistent with this section.
1022 Section 15. Section 501.712, Florida Statutes, is created
1023 to read:
1024 501.712 Duties of processor.—
1025 (1) A processor shall adhere to the instructions of a
1026 controller and shall assist the controller in meeting or
1027 complying with the controller’s duties under this section and
1028 the requirements of this part, including the following:
1029 (a) Assisting the controller in responding to consumer
1030 rights requests submitted pursuant to ss. 501.705 and 501.709,
1031 by using appropriate technical and organizational measures, as
1032 reasonably practicable, taking into account the nature of
1033 processing and the information available to the processor.
1034 (b) Assisting the controller with regard to complying with
1035 the requirement relating to the security of processing personal
1036 data and to the notification of a breach of security of the
1037 processor’s system under s. 501.171, taking into account the
1038 nature of processing and the information available to the
1039 processor.
1040 (c) Providing necessary information to enable the
1041 controller to conduct and document data protection assessments
1042 under s. 501.713.
1043 (2) A contract between a controller and a processor governs
1044 the processor’s data processing procedures with respect to
1045 processing performed on behalf of the controller. The contract
1046 must include all of the following information:
1047 (a) Clear instructions for processing data.
1048 (b) The nature and purpose of processing.
1049 (c) The type of data subject to processing.
1050 (d) The duration of processing.
1051 (e) The rights and obligations of both parties.
1052 (f) A requirement that the processor:
1053 1. Ensure that each person processing personal data is
1054 subject to a duty of confidentiality with respect to the data;
1055 2. At the controller’s direction, delete or return all
1056 personal data to the controller as requested after the provision
1057 of the service is completed, unless retention of the personal
1058 data is required by law;
1059 3. Make available to the controller, upon reasonable
1060 request, all information in the processor’s possession necessary
1061 to demonstrate the processor’s compliance with this part;
1062 4. Allow, and cooperate with, reasonable assessments by the
1063 controller or the controller’s designated assessor; and
1064 5. Engage any subcontractor pursuant to a written contract
1065 that requires the subcontractor to meet the requirements of the
1066 processor with respect to the personal data.
1067 (3) Notwithstanding subparagraph (2)(f)4., a processor may
1068 arrange for a qualified and independent assessor to conduct an
1069 assessment of the processor’s policies and technical and
1070 organizational measures in support of the requirements under
1071 this part using an appropriate and accepted control standard or
1072 framework and assessment procedure. The processor shall provide
1073 a report of the assessment to the controller upon request.
1074 (4) This section may not be construed to relieve a
1075 controller or a processor from the liabilities imposed on the
1076 controller or processor by virtue of its role in the processing
1077 relationship as described by this part.
1078 (5) A determination as to whether a person is acting as a
1079 controller or processor with respect to a specific processing of
1080 data is a fact-based determination that depends on the context
1081 in which personal data is to be processed. A processor that
1082 continues to adhere to a controller’s instructions with respect
1083 to a specific processing of personal data remains in the role of
1084 a processor.
1085 Section 16. Section 501.713, Florida Statutes, is created
1086 to read:
1087 501.713 Data protection assessments.—
1088 (1) A controller shall conduct and document a data
1089 protection assessment of each of the following processing
1090 activities involving personal data:
1091 (a) The processing of personal data for purposes of
1092 targeted advertising.
1093 (b) The sale of personal data.
1094 (c) The processing of personal data for purposes of
1095 profiling if the profiling presents a reasonably foreseeable
1096 risk of:
1097 1. Unfair or deceptive treatment of or unlawful disparate
1098 impact on consumers;
1099 2. Financial, physical, or reputational injury to
1100 consumers;
1101 3. A physical or other intrusion on the solitude or
1102 seclusion, or the private affairs or concerns, of consumers, if
1103 the intrusion would be offensive to a reasonable person; or
1104 4. Other substantial injury to consumers.
1105 (d) The processing of sensitive data.
1106 (e) Any processing activities involving personal data which
1107 present a heightened risk of harm to consumers.
1108 (2) A data protection assessment conducted under subsection
1109 (1) must do all of the following:
1110 (a) Identify and weigh the direct or indirect benefits that
1111 may flow from the processing to the controller, the consumer,
1112 other stakeholders, and the public against the potential risks
1113 to the rights of the consumer associated with that processing,
1114 as mitigated by safeguards that can be employed by the
1115 controller to reduce such risks.
1116 (b) Factor into the assessment:
1117 1. The use of deidentified data;
1118 2. The reasonable expectations of consumers;
1119 3. The context of the processing; and
1120 4. The relationship between the controller and the consumer
1121 whose personal data will be processed.
1122 (3) The disclosure of a data protection assessment in
1123 compliance with a request from the Attorney General pursuant to
1124 s. 501.72 does not constitute a waiver of attorney-client
1125 privilege or work product protection with respect to the
1126 assessment and any information contained in the assessment.
1127 (4) A single data protection assessment may address a
1128 comparable set of processing operations which include similar
1129 activities.
1130 (5) A data protection assessment conducted by a controller
1131 for the purpose of compliance with any other law or regulation
1132 may constitute compliance with the requirements of this section
1133 if the assessment has a reasonably comparable scope and effect.
1134 (6) This section applies only to processing activities
1135 generated on or after July 1, 2023.
1136 Section 17. Section 501.714, Florida Statutes, is created
1137 to read:
1138 501.714 Deidentified data, pseudonymous data, and aggregate
1139 consumer information.—
1140 (1) A controller in possession of deidentified data shall
1141 do all of the following:
1142 (a) Take reasonable measures to ensure that the data cannot
1143 be associated with an individual.
1144 (b) Maintain and use the data in deidentified form. A
1145 controller may not attempt to reidentify the data, except that
1146 the controller may attempt to reidentify the data solely for the
1147 purpose of determining whether its deidentification processes
1148 satisfy the requirements of this section.
1149 (c) Contractually obligate any recipient of the
1150 deidentified data to comply with this part.
1151 (d) Implement business processes to prevent the inadvertent
1152 release of deidentified data.
1153 (2) This part may not be construed to require a controller
1154 or processor to do any of the following:
1155 (a) Reidentify deidentified data or pseudonymous data.
1156 (b) Maintain data in an identifiable form or obtain,
1157 retain, or access any data or technology for the purpose of
1158 allowing the controller or processor to associate a consumer
1159 request with personal data.
1160 (c) Comply with an authenticated consumer rights request
1161 under s. 501.705 if the controller:
1162 1. Is not reasonably capable of associating the request
1163 with the personal data or it would be unreasonably burdensome
1164 for the controller to associate the request with the personal
1165 data;
1166 2. Does not use the personal data to recognize or respond
1167 to the specific consumer who is the subject of the personal data
1168 or associate the personal data with other personal data about
1169 the same specific consumer; and
1170 3. Does not sell the personal data to a third party or
1171 otherwise voluntarily disclose the personal data to a third
1172 party other than a processor, except as otherwise authorized by
1173 this section.
1174 (3) The consumer rights enumerated under s. 501.705(2), and
1175 controller duties imposed under s. 501.71, do not apply to
1176 pseudonymous data or aggregate consumer information in cases in
1177 which the controller is able to demonstrate that any information
1178 necessary to identify the consumer is kept separate and is
1179 subject to effective technical and organizational controls that
1180 prevent the controller from accessing the information.
1181 (4) A controller that discloses pseudonymous data,
1182 deidentified data, or aggregate consumer information shall
1183 exercise reasonable oversight to monitor compliance with any
1184 contractual commitments to which the data or information is
1185 subject and shall take appropriate steps to address any breach
1186 of the contractual commitments.
1187 Section 18. Section 501.715, Florida Statutes, is created
1188 to read:
1189 501.715 Requirements for sensitive data.—
1190 (1) A person who meets the requirements of s.
1191 501.702(9)(a)1., (a)2., and (a)3. for the definition of a
1192 controller may not engage in the sale of personal data that is
1193 sensitive data without receiving prior consent from the consumer
1194 or, if the sensitive data is of a known child, without
1195 processing that data with the affirmative authorization for such
1196 processing by a known child who is between 13 and 18 years of
1197 age or in accordance with the Children’s Online Privacy
1198 Protection Act, 15 U.S.C. ss. 6501 et seq. for a known child
1199 under the age of 13.
1200 (2) A person in subsection (1) who engages in the sale of
1201 personal data that is sensitive data must provide the following
1202 notice: “NOTICE: This website may sell your sensitive personal
1203 data.”
1204 (3) A person who violates this section is subject to the
1205 penalty imposed under s. 501.72.
1206 Section 19. Section 501.716, Florida Statutes, is created
1207 to read:
1208 501.716 Exemptions for certain uses of consumer personal
1209 data.—
1210 (1) This part may not be construed to restrict a
1211 controller’s or processor’s ability to do any of the following:
1212 (a) Comply with federal or state laws, rules, or
1213 regulations.
1214 (b) Comply with a civil, criminal, or regulatory inquiry,
1215 investigation, subpoena, or summons by federal, state, local, or
1216 other governmental authorities.
1217 (c) Investigate, establish, exercise, prepare for, or
1218 defend legal claims.
1219 (d) Provide a product or service specifically requested by
1220 a consumer or the parent or guardian of a child, perform a
1221 contract to which the consumer is a party, including fulfilling
1222 the terms of a written warranty, or take steps at the request of
1223 the consumer before entering into a contract.
1224 (e) Take immediate steps to protect an interest that is
1225 essential for the life or physical safety of the consumer or of
1226 another individual and in which the processing cannot be
1227 manifestly based on another legal basis.
1228 (f) Prevent, detect, protect against, or respond to
1229 security incidents, identity theft, fraud, harassment, malicious
1230 or deceptive activities, or any illegal activity.
1231 (g) Preserve the integrity or security of systems or
1232 investigate, report, or prosecute those responsible for breaches
1233 of system security.
1234 (h) Engage in public or peer-reviewed scientific or
1235 statistical research in the public interest which adheres to all
1236 other applicable ethics and privacy laws and is approved,
1237 monitored, and governed by an institutional review board or
1238 similar independent oversight entity that determines:
1239 1. Whether the deletion of the information is likely to
1240 provide substantial benefits that do not exclusively accrue to
1241 the controller;
1242 2. Whether the expected benefits of the research outweigh
1243 the privacy risks; and
1244 3. Whether the controller has implemented reasonable
1245 safeguards to mitigate privacy risks associated with research,
1246 including any risks associated with reidentification.
1247 (i) Assist another controller, processor, or third party in
1248 complying with the requirements of this part.
1249 (j) Disclose personal data disclosed when a consumer uses
1250 or directs the controller to intentionally disclose information
1251 to a third party or uses the controller to intentionally
1252 interact with a third party. An intentional interaction occurs
1253 when the consumer intends to interact with the third party, by
1254 one or more deliberate interactions. Hovering over, muting,
1255 pausing, or closing a given piece of content does not constitute
1256 a consumer’s intent to interact with a third party.
1257 (k) Transfer personal data to a third party as an asset
1258 that is part of a merger, an acquisition, a bankruptcy, or other
1259 transaction in which the third party assumes control of all or
1260 part of the controller, provided that the information is used or
1261 shared in a manner consistent with this part. If a third party
1262 materially alters how it uses or shares the personal data of a
1263 consumer in a manner that is materially inconsistent with the
1264 commitments or promises made at the time of collection, it must
1265 provide prior notice of the new or changed practice to the
1266 consumer. The notice must be sufficiently prominent and robust
1267 to ensure that consumers can easily exercise choices consistent
1268 with this part.
1269 (2) This part may not be construed to prevent a controller
1270 or processor from providing personal data concerning a consumer
1271 to a person covered by an evidentiary privilege under the laws
1272 of this state as part of a privileged communication.
1273 (3) This part may not be construed as imposing a
1274 requirement on controllers and processors which adversely
1275 affects the rights or freedoms of any person, including the
1276 right of free speech.
1277 (4) This part may not be construed as requiring a
1278 controller, processor, third party, or consumer to disclose a
1279 trade secret.
1280 Section 20. Section 501.717, Florida Statutes, is created
1281 to read:
1282 501.717 Collection, use, or retention of data for certain
1283 purposes.—
1284 (1) The requirements imposed on controllers and processors
1285 under this part may not restrict a controller’s or processor’s
1286 ability to collect, use, or retain data to do any of the
1287 following:
1288 (a) Conduct internal research to develop, improve, or
1289 repair products, services, or technology.
1290 (b) Effect a product recall.
1291 (c) Identify and repair technical errors that impair
1292 existing or intended functionality.
1293 (d) Perform internal operations that are:
1294 1. Reasonably aligned with the expectations of the
1295 consumer;
1296 2. Reasonably anticipated based on the consumer’s existing
1297 relationship with the controller; or
1298 3. Otherwise compatible with processing data in furtherance
1299 of the provision of a product or service specifically requested
1300 by a consumer or the performance of a contract to which the
1301 consumer is a party.
1302 (2) A requirement imposed on a controller or processor
1303 under this part does not apply if compliance with the
1304 requirement by the controller or processor, as applicable, would
1305 violate an evidentiary privilege under the laws of this state.
1306 Section 21. Section 501.718, Florida Statutes, is created
1307 to read:
1308 501.718 Disclosure of personal data to third-party
1309 controller or processor.—
1310 (1) A controller or processor that discloses personal data
1311 to a third-party controller or processor in compliance with the
1312 requirements of this part does not violate this part if the
1313 third-party controller or processor that receives and processes
1314 that personal data violates this part, provided that, at the
1315 time of the data’s disclosure, the disclosing controller or
1316 processor could not have reasonably known that the recipient
1317 intended to commit a violation.
1318 (2) A third-party controller or processor receiving
1319 personal data from a controller or processor in compliance with
1320 the requirements of this part may not be held liable for
1321 violations of this part committed by the controller or processor
1322 from which the third-party controller or processor receives the
1323 personal data.
1324 Section 22. Section 501.719, Florida Statutes, is created
1325 to read:
1326 501.719 Processing of certain personal data by controller
1327 or other person.—
1328 (1) Personal data processed by a controller pursuant to ss.
1329 501.716, 501.717, and 501.718 may not be processed for any
1330 purpose other than those specified in those sections. Personal
1331 data processed by a controller pursuant to ss. 501.716, 501.717,
1332 and 501.718 may be processed to the extent that the processing
1333 of the data is:
1334 (a) Reasonably necessary and proportionate to the purposes
1335 specified in ss. 501.716, 501.717, and 501.718;
1336 (b) Adequate, relevant, and limited to what is necessary in
1337 relation to the purposes specified in ss. 501.716, 501.717, and
1338 501.718; and
1339 (c) Done to assist another controller, processor, or third
1340 party with any of the purposes specified in s. 501.716, s.
1341 501.717, or s. 501.718.
1342 (2) A controller or processor that collects, uses, or
1343 retains personal data for the purposes specified in s.
1344 501.717(1) must take into account the nature and purpose of such
1345 collection, use, or retention. Such personal data is subject to
1346 reasonable administrative, technical, and physical measures to
1347 protect its confidentiality, integrity, and accessibility and to
1348 reduce reasonably foreseeable risks of harm to consumers
1349 relating to the collection, use, or retention of personal data.
1350 (3) A controller or processor shall adopt and implement a
1351 retention schedule that prohibits the use or retention of
1352 personal data not subject to an exemption by the controller or
1353 processor after the satisfaction of the initial purpose for
1354 which such information was collected or obtained, after the
1355 expiration or termination of the contract pursuant to which the
1356 information was collected or obtained, or 2 years after the
1357 consumer’s last interaction with the controller or processor.
1358 This subsection does not apply to personal data reasonably used
1359 or retained to do any of the following:
1360 (a) Provide a good or service requested by the consumer, or
1361 reasonably anticipate the request of such good or service within
1362 the context of a controller’s ongoing business relationship with
1363 the consumer.
1364 (b) Debug to identify and repair errors that impair
1365 existing intended functionality.
1366 (c) Enable solely internal uses that are reasonably aligned
1367 with the expectations of the consumer based on the consumer’s
1368 relationship with the controller or that are compatible with the
1369 context in which the consumer provided the information.
1370 (4) A controller or processor that processes personal data
1371 pursuant to ss. 501.716, 501.717, and 501.718 bears the burden
1372 of demonstrating that the processing of the personal data
1373 qualifies for the exemption and complies with the requirements
1374 of this section.
1375 Section 23. Section 501.72, Florida Statutes, is created to
1376 read:
1377 501.72 Enforcement and implementation by the Department of
1378 Legal Affairs.—
1379 (1) A violation of this part is an unfair and deceptive
1380 trade practice actionable under part II of this chapter solely
1381 by the Department of Legal Affairs. If the department has reason
1382 to believe that a person is in violation of this section, the
1383 department may, as the enforcing authority, bring an action
1384 against such person for an unfair or deceptive act or practice.
1385 For the purpose of bringing an action pursuant to this section,
1386 ss. 501.211 and 501.212 do not apply. In addition to other
1387 remedies under part II of this chapter, the department may
1388 collect a civil penalty of up to $50,000 per violation. Civil
1389 penalties may be tripled for any of the following violations:
1390 (a) A violation involving a Florida consumer who is a known
1391 child. A controller that willfully disregards the consumer’s age
1392 is deemed to have actual knowledge of the consumer’s age.
1393 (b) Failure to delete or correct the consumer’s personal
1394 data pursuant to this section after receiving an authenticated
1395 consumer request or directions from a controller to delete or
1396 correct such personal data, unless an exception to the
1397 requirements to delete or correct such personal data under this
1398 section applies.
1399 (c) Continuing to sell or share the consumer’s personal
1400 data after the consumer chooses to opt out under this part.
1401 (2) After the department has notified a person in writing
1402 of an alleged violation, the department may grant a 45-day
1403 period to cure the alleged violation and issue a letter of
1404 guidance. The 45-day cure period does not apply to an alleged
1405 violation of paragraph (1)(a). The department may consider the
1406 number and frequency of violations, the substantial likelihood
1407 of injury to the public, and the safety of persons or property
1408 in determining whether to grant 45 calendar days to cure and the
1409 issuance of a letter of guidance. If the alleged violation is
1410 cured to the satisfaction of the department and proof of such
1411 cure is provided to the department, the department may not bring
1412 an action for the alleged violation but in its discretion may
1413 issue a letter of guidance that indicates that the person will
1414 not be offered a 45-day cure period for any future violations.
1415 If the person fails to cure the alleged violation within 45
1416 calendar days, the department may bring an action against such
1417 person for the alleged violation.
1418 (3) Any action brought by the department may be brought
1419 only on behalf of a Florida consumer.
1420 (4) By February 1 of each year, the department shall make a
1421 report publicly available on the department’s website describing
1422 any actions taken by the department to enforce this section. The
1423 report must include statistics and relevant information
1424 detailing all of the following:
1425 (a) The number of complaints received and the categories or
1426 types of violations alleged by the complainant.
1427 (b) The number and type of enforcement actions taken and
1428 the outcomes of such actions, including the amount of penalties
1429 issued and collected.
1430 (c) The number of complaints resolved without the need for
1431 litigation.
1432 (d) For the report due February 1, 2024, the status of the
1433 development and implementation of rules to implement this
1434 section.
1435 (5) The department shall adopt rules to implement this
1436 section, including standards for authenticated consumer
1437 requests, enforcement, data security, and authorized persons who
1438 may act on a consumer’s behalf.
1439 (6) The department may collaborate and cooperate with other
1440 enforcement authorities of the Federal Government or other state
1441 governments concerning consumer data privacy issues and consumer
1442 data privacy investigations if such enforcement authorities have
1443 restrictions governing confidentiality at least as stringent as
1444 the restrictions provided in this section.
1445 (7) Liability for a tort, contract claim, or consumer
1446 protection claim unrelated to an action brought under this
1447 section does not arise solely from the failure of a person to
1448 comply with this part.
1449 (8) This part does not establish a private cause of action.
1450 (9) The department may employ or use the legal services of
1451 outside counsel and the investigative services of outside
1452 personnel to fulfill the obligations of this section.
1453 (10) For purposes of bringing an action pursuant to this
1454 section, any person who meets the definition of controller as
1455 defined in this part who collects, shares, or sells the personal
1456 data of Florida consumers is considered to be engaged in both
1457 substantial and not isolated activities within this state and
1458 operating, conducting, engaging in, or carrying on a business,
1459 and doing business in this state, and is, therefore, subject to
1460 the jurisdiction of the courts of this state.
1461 Section 24. Section 501.721, Florida Statutes, is created
1462 to read:
1463 501.721 Preemption.—This part is a matter of statewide
1464 concern and supersedes all rules, regulations, codes,
1465 ordinances, and other laws adopted by a city, county, city and
1466 county, municipality, or local agency regarding the collection,
1467 processing, sharing, or sale of consumer personal data by a
1468 controller or processor. The regulation of the collection,
1469 processing, sharing, or sale of consumer personal data by a
1470 controller or processor is preempted to the state.
1471 Section 25. Paragraph (g) of subsection (1) of section
1472 501.171, Florida Statutes, is amended to read:
1473 501.171 Security of confidential personal information.—
1474 (1) DEFINITIONS.—As used in this section, the term:
1475 (g)1. “Personal information” means either of the following:
1476 a. An individual’s first name or first initial and last
1477 name in combination with any one or more of the following data
1478 elements for that individual:
1479 (I) A social security number;
1480 (II) A driver license or identification card number,
1481 passport number, military identification number, or other
1482 similar number issued on a government document used to verify
1483 identity;
1484 (III) A financial account number or credit or debit card
1485 number, in combination with any required security code, access
1486 code, or password that is necessary to permit access to an
1487 individual’s financial account;
1488 (IV) Any information regarding an individual’s medical
1489 history, mental or physical condition, or medical treatment or
1490 diagnosis by a health care professional; or
1491 (V) An individual’s health insurance policy number or
1492 subscriber identification number and any unique identifier used
1493 by a health insurer to identify the individual;
1494 (VI) An individual’s biometric data as defined in s.
1495 501.702; or
1496 (VII) Any information regarding an individual’s
1497 geolocation.
1498 b. A user name or e-mail address, in combination with a
1499 password or security question and answer that would permit
1500 access to an online account.
1501 2. The term does not include information about an
1502 individual that has been made publicly available by a federal,
1503 state, or local governmental entity. The term also does not
1504 include information that is encrypted, secured, or modified by
1505 any other method or technology that removes elements that
1506 personally identify an individual or that otherwise renders the
1507 information unusable.
1508 Section 26. Subsection (1) of section 16.53, Florida
1509 Statutes, is amended, and subsection (8) is added to that
1510 section, to read:
1511 16.53 Legal Affairs Revolving Trust Fund.—
1512 (1) There is created in the State Treasury the Legal
1513 Affairs Revolving Trust Fund, from which the Legislature may
1514 appropriate funds for the purpose of funding investigation,
1515 prosecution, and enforcement by the Attorney General of the
1516 provisions of the Racketeer Influenced and Corrupt Organization
1517 Act, the Florida Deceptive and Unfair Trade Practices Act, the
1518 Florida False Claims Act, or state or federal antitrust laws, s.
1519 501.1735, or part V of chapter 501.
1520 (8) All moneys recovered by the Attorney General for
1521 attorney fees, costs, and penalties in an action for a violation
1522 of s. 501.1735 or part V of chapter 501 must be deposited in the
1523 fund.
1524 Section 27. Except as otherwise expressly provided in this
1525 act and except for this section, which shall take effect upon
1526 this act becoming a law, this act shall take effect July 1,
1527 2024.