ENROLLED 2023 Legislature CS for CS for SB 262, 2nd Engrossed 2023262er 1 2 An act relating to technology transparency; creating 3 s. 112.23, F.S.; defining terms; prohibiting officers 4 or salaried employees of governmental entities from 5 using their positions or state resources to make 6 certain requests of social media platforms; 7 prohibiting governmental entities from initiating or 8 maintaining agreements or working relationships with 9 social media platforms under a specified circumstance; 10 providing exceptions; creating s. 501.1735, F.S.; 11 providing definitions; prohibiting certain conduct by 12 an online platform that provides online services, 13 products, games, or features likely to be 14 predominantly accessed by children; providing 15 exceptions; providing for enforcement; providing 16 construction; authorizing the department to bring an 17 action under the Florida Deceptive and Unfair Trade 18 Practices Act; providing for civil penalties; 19 providing that the department may grant an online 20 platform a timeframe to cure any violations; providing 21 jurisdiction; providing directives to the Division of 22 Law Revision; creating s. 501.701, F.S.; providing a 23 short title; creating s. 501.702, F.S.; defining 24 terms; creating s. 501.703, F.S.; providing 25 applicability; creating s. 501.704, F.S.; providing 26 exemptions; creating s. 501.705, F.S.; providing that 27 a consumer may submit requests to controllers to 28 exercise specified rights; requiring controllers to 29 comply with certain authenticated consumer requests; 30 prohibiting certain devices from being used for 31 surveillance purposes without the express 32 authorization of the consumer under certain 33 circumstances; creating s. 501.706, F.S.; providing 34 timeframes within which controllers must respond to 35 consumer requests; providing notice requirements for 36 controllers that cannot take action regarding a 37 consumer’s request; providing that controllers are not 38 required to comply with certain consumer requests; 39 providing notice requirements for controllers’ 40 compliance with consumer requests; requiring responses 41 to consumer requests to be made free of charge; 42 providing exceptions; specifying the methods by which 43 controllers may be considered to be in compliance with 44 consumer requests for the controller to delete their 45 personal data; creating s. 501.707, F.S.; requiring 46 controllers to establish a process for consumers to 47 appeal the controller’s refusal to take action on the 48 consumer’s request within a specified timeframe; 49 providing requirements for such process; creating s. 50 501.708, F.S.; providing that contracts or agreements 51 that waive or limit specified consumer rights are void 52 and unenforceable; creating s. 501.709, F.S.; 53 requiring controllers to establish methods for 54 submitting consumer requests; prohibiting controllers 55 from requiring consumers to create new accounts to 56 exercise their consumer rights; requiring controllers 57 to provide a certain mechanism on their websites for 58 consumers to submit certain requests; creating s. 59 501.71, F.S.; requiring controllers to limit the 60 collection of personal data according to certain 61 parameters; requiring controllers to establish, 62 implement, and maintain specified practices regarding 63 personal data; prohibiting controllers from taking 64 certain actions regarding a consumer’s personal data; 65 prohibiting controllers from discriminating against 66 consumers exercising their consumer rights; providing 67 construction; requiring a controller that operates a 68 search engine to make certain information available on 69 its webpage; creating s. 501.711, F.S.; requiring 70 controllers to provide consumers with privacy notices 71 that meet certain requirements; requiring controllers 72 that engage in the sale of sensitive or biometric 73 personal data to provide notices that meet certain 74 requirements; requiring controllers that sell personal 75 data or process personal data for targeted advertising 76 to disclose certain information; prohibiting 77 controllers from collecting additional categories of 78 personal information or using such information for 79 additional purposes without providing specified 80 notice; creating s. 501.712, F.S.; requiring 81 processors to adhere to controller instructions and to 82 assist the controller in meeting or complying with 83 certain requirements; providing requirements for 84 contracts between controllers and processors regarding 85 data processing procedures; providing construction; 86 providing that the determination of whether a person 87 is acting as a controller or processor is a fact-based 88 determination; creating s. 501.713, F.S.; requiring 89 controllers to conduct and document data protection 90 assessments of specified processing activities 91 involving personal data; providing requirements for 92 such assessments; providing applicability; creating s. 93 501.714, F.S.; requiring controllers in possession of 94 deidentified data to take certain actions; providing 95 construction; providing that specified consumer rights 96 and controller duties do not apply to pseudonymous 97 data or aggregate consumer information under certain 98 circumstances; requiring controllers that disclose 99 pseudonymous data, deidentified data, or aggregate 100 consumer information to exercise reasonable oversight 101 and take appropriate steps to address breaches of 102 contractual agreements; creating s. 501.715, F.S.; 103 requiring certain persons to receive consumer consent 104 before engaging in the sale of sensitive personal 105 data; requiring a specified notice; providing for 106 penalties; creating s. 501.716, F.S.; providing 107 exemptions for specified controller or processor uses 108 of consumer personal data; providing that controllers 109 or processors may provide personal data concerning a 110 consumer to certain covered persons; creating s. 111 501.717, F.S.; authorizing controllers and processors 112 to collect, use, or retain data for specified 113 purposes; providing that certain requirements do not 114 apply if such compliance would violate certain laws; 115 creating s. 501.718, F.S.; providing circumstances 116 under which processors are not in violation of this 117 act for the disclosure of personal data to a third 118 party controller or processor; providing that third 119 party controllers or processors that comply with this 120 part are not liable for violations committed by 121 controllers or processors from whom they receive 122 personal data; creating s. 501.719, F.S.; providing 123 requirements for the processing of certain personal 124 data by controllers; requiring controllers and 125 processors to adopt and implement a retention schedule 126 that meets certain requirements; requiring controllers 127 or processors that process certain personal data to 128 demonstrate that such processing qualifies for a 129 specified exemption; creating s. 501.72, F.S.; 130 authorizing the Department of Legal Affairs to bring 131 an action under the Florida Deceptive and Unfair Trade 132 Practices Act for violations of the act; providing for 133 civil penalties; providing for enhanced civil 134 penalties for certain violations; authorizing the 135 department to grant a specified timeframe within which 136 an alleged violation may be cured; providing an 137 exception; providing certain factors the department 138 may take into consideration; requiring the department 139 to make a report regarding certain enforcement actions 140 publicly available on the department’s website; 141 providing requirements for the report; requiring the 142 department to adopt rules; authorizing the department 143 to collaborate and cooperate with specified 144 enforcement authorities; specifying that the act does 145 not create a private cause of action; authorizing the 146 department to employ or use outside legal counsel for 147 specified purposes; providing for jurisdiction; 148 creating s. 501.721, F.S.; declaring that the act is a 149 matter of statewide concern; preempting the 150 collection, processing, sharing, and sale of consumer 151 personal data to the state; amending s. 501.171, F.S.; 152 revising the definition of the term “personal 153 information”; amending s. 16.53, F.S.; revising the 154 purpose of the Legal Affairs Revolving Trust Fund; 155 requiring that certain attorney fees, costs, and 156 penalties recovered by the Attorney General be 157 deposited in the trust fund; providing effective 158 dates. 159 160 Be It Enacted by the Legislature of the State of Florida: 161 162 Section 1. Effective July 1, 2023, section 112.23, Florida 163 Statutes, is created to read: 164 112.23 Government-directed content moderation of social 165 media platforms prohibited.— 166 (1) As used in this section, the term: 167 (a) “Governmental entity” means any officer or employee of 168 a state, county, district, authority, municipality, department, 169 agency, division, board, bureau, commission, or other separate 170 unit of government created or established by law, and includes 171 any other public or private entity acting on behalf of such 172 governmental entity. 173 (b) “Social media platform” means a form of electronic 174 communication through which users create online communities or 175 groups to share information, ideas, personal messages, and other 176 content. 177 (2) A governmental entity may not communicate with a social 178 media platform to request that it remove content or accounts 179 from the social media platform. 180 (3) A governmental entity may not initiate or maintain any 181 agreements or working relationships with a social media platform 182 for the purpose of content moderation. 183 (4) Subsections (2) and (3) do not apply if the 184 governmental entity or an officer or an employee acting on 185 behalf of a governmental entity is acting as part of any of the 186 following: 187 (a) Routine account management of the governmental entity’s 188 account, including, but not limited to, the removal or revision 189 of the governmental entity’s content or account or 190 identification of accounts falsely posing as a governmental 191 entity, officer, or salaried employee. 192 (b) An attempt to remove content that pertains to the 193 commission of a crime or violation of this state’s public 194 records law. 195 (c) An attempt to remove an account that pertains to the 196 commission of a crime or violation of this state’s public 197 records law. 198 (d) An investigation or inquiry related to an effort to 199 prevent imminent bodily harm, loss of life, or property damage. 200 Section 2. Section 501.1735, Florida Statutes, is created 201 to read: 202 501.1735 Protection of children in online spaces.— 203 (1) DEFINITIONS.—As used in this section, the term: 204 (a) “Child” or “children” means a consumer or consumers who 205 are under 18 years of age. 206 (b) “Collect” means to buy, rent, gather, obtain, receive, 207 save, store, or access any personal information pertaining to a 208 child. 209 (c) “Dark pattern” means a user interface designed or 210 manipulated with the substantial effect of subverting or 211 impairing user autonomy, decision-making, or choice and 212 includes, but is not limited to, any practice the Federal Trade 213 Commission refers to as a dark pattern. 214 (d) “Department” means the Department of Legal Affairs. 215 (e) “Online platform” means a social media platform as 216 defined in s. 112.23(1), online game, or online gaming platform. 217 (f) “Personal information” means information that is linked 218 or reasonably linkable to an identified or identifiable child, 219 including biometric information and unique identifiers to the 220 child. 221 (g) “Precise geolocation data” means information identified 222 through technology which enables the online platform to collect 223 specific location data which directly identifies the specific 224 location of a child with precision and accuracy within a radius 225 of 1,750 feet. 226 (h) “Processing” means any operation or set of operations 227 performed on personal information or on sets of personal 228 information, regardless of whether by automated means. 229 (i) “Profile” or “profiling” means any form of automated 230 processing performed on personal information to evaluate, 231 analyze, or predict personal aspects relating to the economic 232 situation, health, personal preferences, interests, reliability, 233 behavior, location, or movements of a child. 234 (j) “Sell” means to sell, rent, release, disclose, 235 disseminate, make available, transfer, or otherwise communicate 236 orally, in writing, or by electronic or other means, a child’s 237 personal information or information that relates to a group or 238 category of children by an online platform to another online 239 platform or an affiliate or third party for monetary or other 240 valuable consideration. 241 (k) “Share” means to share, rent, release, disclose, 242 disseminate, make available, transfer, or access a child’s 243 personal information for advertising or marketing. The term 244 includes: 245 1. Allowing a third party to advertise or market based on a 246 child’s personal information without disclosure of the personal 247 information to the third party. 248 2. Monetary transactions, nonmonetary transactions, and 249 transactions for other valuable consideration between an online 250 platform and a third party for advertising or marketing. 251 (l) “Substantial harm or privacy risk to children” means 252 the processing of personal information in a manner that may 253 result in any reasonably foreseeable substantial physical 254 injury, economic injury, or offensive intrusion into the privacy 255 expectations of a reasonable child under the circumstances, 256 including: 257 1. Mental health disorders or associated behaviors, 258 including the promotion or exacerbation of self-harm, suicide, 259 eating disorders, and substance abuse disorders; 260 2. Patterns of use that indicate or encourage addictive 261 behaviors; 262 3. Physical violence, online bullying, and harassment; 263 4. Sexual exploitation, including enticement, sex 264 trafficking, and sexual abuse and trafficking of online sexual 265 abuse material; 266 5. Promotion and marketing of tobacco products, gambling, 267 alcohol, or narcotic drugs as defined in s. 102 of the 268 Controlled Substances Act, 21 U.S.C. 802; or 269 6. Predatory, unfair, or deceptive marketing practices or 270 other financial harms. 271 (2) PROHIBITIONS.—An online platform that provides an 272 online service, product, game, or feature likely to be 273 predominantly accessed by children may not: 274 (a) Process the personal information of any child if the 275 online platform has actual knowledge of or willfully disregards 276 that the processing may result in substantial harm or privacy 277 risk to children. 278 (b) Profile a child unless both of the following criteria 279 are met: 280 1. The online platform can demonstrate it has appropriate 281 safeguards in place to protect children. 282 2.a. Profiling is necessary to provide the online service, 283 product, or feature requested for the aspects of the online 284 service, product, or feature with which the child is actively 285 and knowingly engaged; or 286 b. The online platform can demonstrate a compelling reason 287 that profiling does not pose a substantial harm or privacy risk 288 to children. 289 (c) Collect, sell, share, or retain any personal 290 information that is not necessary to provide an online service, 291 product, or feature with which a child is actively and knowingly 292 engaged unless the online platform can demonstrate a compelling 293 reason that collecting, selling, sharing, or retaining the 294 personal information does not pose a substantial harm or privacy 295 risk to children. 296 (d) Use personal information of a child for any reason 297 other than the reason for which the personal information was 298 collected, unless the online platform can demonstrate a 299 compelling reason that the use of the personal information does 300 not pose a substantial harm or privacy risk to children. 301 (e) Collect, sell, or share any precise geolocation data of 302 children unless the collection of the precise geolocation data 303 is strictly necessary for the online platform to provide the 304 service, product, or feature requested and then only for the 305 limited time that the collection of the precise geolocation data 306 is necessary to provide the service, product, or feature. 307 (f) Collect any precise geolocation data of a child without 308 providing an obvious sign to the child for the duration of the 309 collection that the precise geolocation data is being collected. 310 (g) Use dark patterns to lead or encourage children to 311 provide personal information beyond what personal information 312 would otherwise be reasonably expected to be provided for that 313 online service, product, game, or feature; to forego privacy 314 protections; or to take any action that the online platform has 315 actual knowledge of or willfully disregards that may result in 316 substantial harm or privacy risk to children. 317 (h) Use any personal information collected to estimate age 318 or age range for any other purpose or retain that personal 319 information longer than necessary to estimate age. The age 320 estimate must be proportionate to the risks and data practice of 321 an online service, product, or feature. 322 (3) BURDEN OF PROOF.—If an online platform processes 323 personal information pursuant to subsection (2), the online 324 platform bears the burden of demonstrating that such processing 325 does not violate subsection (2). 326 (4) ENFORCEMENT AND IMPLEMENTATION BY THE DEPARTMENT.— 327 (a) Any violation of subsection (2) is an unfair and 328 deceptive trade practice actionable under part II of chapter 501 329 solely by the department against an online platform. If the 330 department has reason to believe that an online platform is in 331 violation of subsection (2), the department, as the enforcing 332 authority, may bring an action against such online platform for 333 an unfair or deceptive act or practice. For the purpose of 334 bringing an action pursuant to this section, ss. 501.211 and 335 501.212 do not apply. In addition to other remedies under part 336 II of chapter 501, the department may collect a civil penalty of 337 up to $50,000 per violation of this section. Civil penalties may 338 be tripled for any violation involving a Florida child who the 339 online platform has actual knowledge is under 18 years of age. 340 (b) After the department has notified an online platform in 341 writing of an alleged violation, the department may in its 342 discretion grant a 45-day period to cure the alleged violation. 343 If the violation is cured to the satisfaction of the department 344 and proof of such cure is provided to the department, the 345 department may not bring an action for the alleged violation but 346 in its discretion may issue a letter of guidance that indicates 347 that the online platform will not be offered a 45-day cure 348 period for any future violations. If the online platform fails 349 to cure the violation within 45 calendar days, the department 350 may bring an action against the online platform for the alleged 351 violation. 352 (c) Any action brought by the department may be brought 353 only on behalf of a Florida child. 354 (d) The department may adopt rules to implement this 355 section. 356 (e) Liability for a tort, contract claim, or consumer 357 protection claim that is unrelated to an action brought under 358 this subsection does not arise solely from the failure of an 359 online platform to comply with this section. 360 (f) This section does not establish a private cause of 361 action. 362 (5) JURISDICTION.—For purposes of bringing an action 363 pursuant to this section, any person who meets the definition of 364 online platform which operates an online service, product, game, 365 or feature likely to be predominantly accessed by children and 366 accessible by Florida children located in this state is 367 considered to be both engaged in substantial and not isolated 368 activities within this state and operating, conducting, engaging 369 in, or carrying on a business, and doing business in this state, 370 and is therefore subject to the jurisdiction of the courts of 371 this state. 372 Section 3. The Division of Law Revision is directed to: 373 (1) Redesignate current parts V, VI, and VII of chapter 374 501, Florida Statutes, as parts VI, VII, and VIII of chapter 375 501, Florida Statutes, respectively; and 376 (2) Create a new part V of chapter 501, Florida Statutes, 377 consisting of ss. 501.701-501.721, Florida Statutes, entitled 378 “Data Privacy and Security.” 379 Section 4. Section 501.701, Florida Statutes, is created to 380 read: 381 501.701 Short title.—This part may be cited as the “Florida 382 Digital Bill of Rights.” 383 Section 5. Section 501.702, Florida Statutes, is created to 384 read: 385 501.702 Definitions.—As used in this part, the term: 386 (1) “Affiliate” means a legal entity that controls, is 387 controlled by, or is under common control with another legal 388 entity or that shares common branding with another legal entity. 389 For purposes of this subsection, the term “control” or 390 “controlled” means any of the following: 391 (a) The ownership of, or power to vote, more than 50 392 percent of the outstanding shares of any class of voting 393 security of a company. 394 (b) The control in any manner over the election of a 395 majority of the directors or of individuals exercising similar 396 functions. 397 (c) The power to exercise controlling influence over the 398 management of a company. 399 (2) “Aggregate consumer information” means information that 400 relates to a group or category of consumers, from which the 401 identity of an individual consumer has been removed and is not 402 reasonably capable of being directly or indirectly associated or 403 linked with any consumer, household, or device. The term does 404 not include information about a group or category of consumers 405 used to facilitate targeted advertising or the display of ads 406 online. The term does not include personal information that has 407 been deidentified. 408 (3) “Authenticate” or “authenticated” means to verify or 409 the state of having been verified, respectively, through 410 reasonable means that the consumer who is entitled to exercise 411 the consumer’s rights under s. 501.705 is the same consumer 412 exercising those consumer rights with respect to the personal 413 data at issue. 414 (4) “Biometric data” means data generated by automatic 415 measurements of an individual’s biological characteristics. The 416 term includes fingerprints, voiceprints, eye retinas or irises, 417 or other unique biological patterns or characteristics used to 418 identify a specific individual. The term does not include 419 physical or digital photographs, video or audio recordings or 420 data generated from video or audio recordings, or information 421 collected, used, or stored for health care treatment, payment, 422 or operations under the Health Insurance Portability and 423 Accountability Act of 1996, 42 U.S.C. ss. 1320d et seq. 424 (5) “Business associate” has the same meaning as in 45 425 C.F.R. s. 160.103 and the Health Insurance Portability and 426 Accountability Act of 1996, 42 U.S.C. ss. 1320d et seq. 427 (6) “Child” means an individual younger than 18 years of 428 age. 429 (7) “Consent,” when referring to a consumer, means a clear 430 affirmative act signifying a consumer’s freely given, specific, 431 informed, and unambiguous agreement to process personal data 432 relating to the consumer. The term includes a written statement, 433 including a statement written by electronic means, or any other 434 unambiguous affirmative act. The term does not include any of 435 the following: 436 (a) Acceptance of a general or broad terms of use or 437 similar document that contains descriptions of personal data 438 processing along with other, unrelated information. 439 (b) Hovering over, muting, pausing, or closing a given 440 piece of content. 441 (c) Agreement obtained through the use of dark patterns. 442 (8) “Consumer” means an individual who is a resident of or 443 is domiciled in this state acting only in an individual or 444 household context. The term does not include an individual 445 acting in a commercial or employment context. 446 (9) “Controller” means: 447 (a) A sole proprietorship, partnership, limited liability 448 company, corporation, association, or legal entity that meets 449 the following requirements: 450 1. Is organized or operated for the profit or financial 451 benefit of its shareholders or owners; 452 2. Conducts business in this state; 453 3. Collects personal data about consumers, or is the entity 454 on behalf of which such information is collected; 455 4. Determines the purposes and means of processing personal 456 data about consumers alone or jointly with others; 457 5. Makes in excess of $1 billion in global gross annual 458 revenues; and 459 6. Satisfies at least one of the following: 460 a. Derives 50 percent or more of its global gross annual 461 revenues from the sale of advertisements online, including 462 providing targeted advertising or the sale of ads online; 463 b. Operates a consumer smart speaker and voice command 464 component service with an integrated virtual assistant connected 465 to a cloud computing service that uses hands-free verbal 466 activation. For purposes of this sub-subparagraph, a consumer 467 smart speaker and voice command component service does not 468 include a motor vehicle or speaker or device associated with or 469 connected to a vehicle which is operated by a motor vehicle 470 manufacturer or a subsidiary or affiliate thereof; or 471 c. Operates an app store or a digital distribution platform 472 that offers at least 250,000 different software applications for 473 consumers to download and install. 474 (b) Any entity that controls or is controlled by a 475 controller. As used in this paragraph, the term “control” means: 476 1. Ownership of, or the power to vote, more than 50 percent 477 of the outstanding shares of any class of voting security of a 478 controller; 479 2. Control in any manner over the election of a majority of 480 the directors, or of individuals exercising similar functions; 481 or 482 3. The power to exercise a controlling influence over the 483 management of a company. 484 (10) “Covered entity” has the same meaning as in 45 C.F.R. 485 s. 160.103 and the Health Insurance Portability and 486 Accountability Act of 1996, 42 U.S.C. ss. 1320d et seq. 487 (11) “Dark pattern” means a user interface designed or 488 manipulated with the effect of substantially subverting or 489 impairing user autonomy, decisionmaking, or choice. The term 490 includes any practice the Federal Trade Commission refers to as 491 a dark pattern. 492 (12) “Decision that produces a legal or similarly 493 significant effect concerning a consumer” means a decision made 494 by a controller which results in the provision or denial by the 495 controller of any of the following: 496 (a) Financial and lending services. 497 (b) Housing, insurance, or health care services. 498 (c) Education enrollment. 499 (d) Employment opportunities. 500 (e) Criminal justice. 501 (f) Access to basic necessities, such as food and water. 502 (13) “Deidentified data” means data that cannot reasonably 503 be linked to an identified or identifiable individual or a 504 device linked to that individual. 505 (14) “Health care provider” has the same meaning as in 45 506 C.F.R. s. 160.103 and the Health Insurance Portability and 507 Accountability Act of 1996, 42 U.S.C. ss. 1320d et seq. 508 (15) “Health record” means any written, printed, or 509 electronically recorded material maintained by a health care 510 provider in the course of providing health care services to an 511 individual which concerns the individual and the services 512 provided. The term includes any of the following: 513 (a) The substance of any communication made by an 514 individual to a health care provider in confidence during or in 515 connection with the provision of health care services. 516 (b) Information otherwise acquired by the health care 517 provider about an individual in confidence and in connection 518 with health care services provided to the individual. 519 (16) “Identified or identifiable individual” means a 520 consumer who can be readily identified, directly or indirectly. 521 (17) “Known child” means a child under circumstances of 522 which a controller has actual knowledge of, or willfully 523 disregards, the child’s age. 524 (18) “Nonprofit organization” means any of the following: 525 (a) An organization exempt from federal taxation under s. 526 501(a) of the Internal Revenue Code of 1986 by virtue of being 527 listed as an exempt organization under s. 501(c)(3), s. 528 501(c)(4), s. 501(c)(6), or s. 501(c)(12) of that code. 529 (b) A political organization. 530 (19) “Personal data” means any information, including 531 sensitive data, which is linked or reasonably linkable to an 532 identified or identifiable individual. The term includes 533 pseudonymous data when the data is used by a controller or 534 processor in conjunction with additional information that 535 reasonably links the data to an identified or identifiable 536 individual. The term does not include deidentified data or 537 publicly available information. 538 (20) “Political organization” means a party, a committee, 539 an association, a fund, or any other organization, regardless of 540 whether incorporated, organized and operated primarily for the 541 purpose of influencing or attempting to influence any of the 542 following: 543 (a) The selection, nomination, election, or appointment of 544 an individual to a federal, state, or local public office or an 545 office in a political organization, regardless of whether the 546 individual is selected, nominated, elected, or appointed. 547 (b) The election of a presidential or vice-presidential 548 elector, regardless of whether the elector is selected, 549 nominated, elected, or appointed. 550 (21) “Postsecondary education institution” means a Florida 551 College System institution, state university, or nonpublic 552 postsecondary education institution that receives state funds. 553 (22) “Precise geolocation data” means information derived 554 from technology, including global positioning system level 555 latitude and longitude coordinates or other mechanisms, which 556 directly identifies the specific location of an individual with 557 precision and accuracy within a radius of 1,750 feet. The term 558 does not include the content of communications or any data 559 generated by or connected to an advanced utility metering 560 infrastructure system or to equipment for use by a utility. 561 (23) “Process” or “processing” means an operation or set of 562 operations performed, whether by manual or automated means, on 563 personal data or on sets of personal data, such as the 564 collection, use, storage, disclosure, analysis, deletion, or 565 modification of personal data. 566 (24) “Processor” means a person who processes personal data 567 on behalf of a controller. 568 (25) “Profiling” means any form of solely automated 569 processing performed on personal data to evaluate, analyze, or 570 predict personal aspects related to an identified or 571 identifiable individual’s economic situation, health, personal 572 preferences, interests, reliability, behavior, location, or 573 movements. 574 (26) “Protected health information” has the same meaning as 575 in 45 C.F.R. s. 160.103 and the Health Insurance Portability and 576 Accountability Act of 1996, 42 U.S.C. ss. 1320d et seq. 577 (27) “Pseudonymous data” means any information that cannot 578 be attributed to a specific individual without the use of 579 additional information, provided that the additional information 580 is kept separately and is subject to appropriate technical and 581 organizational measures to ensure that the personal data is not 582 attributed to an identified or identifiable individual. 583 (28) “Publicly available information” means information 584 lawfully made available through government records, or 585 information that a business has a reasonable basis for believing 586 is lawfully made available to the general public through widely 587 distributed media, by a consumer, or by a person to whom a 588 consumer has disclosed the information, unless the consumer has 589 restricted the information to a specific audience. 590 (29) “Sale of personal data” means the sharing, disclosing, 591 or transferring of personal data for monetary or other valuable 592 consideration by the controller to a third party. The term does 593 not include any of the following: 594 (a) The disclosure of personal data to a processor who 595 processes the personal data on the controller’s behalf. 596 (b) The disclosure of personal data to a third party for 597 purposes of providing a product or service requested by the 598 consumer. 599 (c) The disclosure of information that the consumer: 600 1. Intentionally made available to the general public 601 through a mass media channel; and 602 2. Did not restrict to a specific audience. 603 (d) The disclosure or transfer of personal data to a third 604 party as an asset that is part of a merger or an acquisition. 605 (30) “Search engine” means technology and systems that use 606 algorithms to sift through and index vast third-party websites 607 and content on the Internet in response to search queries 608 entered by a user. The term does not include the license of 609 search functionality for the purpose of enabling the licensee to 610 operate a third-party search engine service in circumstances 611 where the licensee does not have legal or operational control of 612 the search algorithm, the index from which results are 613 generated, or the ranking order in which the results are 614 provided. 615 (31) “Sensitive data” means a category of personal data 616 which includes any of the following: 617 (a) Personal data revealing an individual’s racial or 618 ethnic origin, religious beliefs, mental or physical health 619 diagnosis, sexual orientation, or citizenship or immigration 620 status. 621 (b) Genetic or biometric data processed for the purpose of 622 uniquely identifying an individual. 623 (c) Personal data collected from a known child. 624 (d) Precise geolocation data. 625 (32) “State agency” means any department, commission, 626 board, office, council, authority, or other agency in the 627 executive branch of state government created by the State 628 Constitution or state law. The term includes a postsecondary 629 education institution. 630 (33) “Targeted advertising” means displaying to a consumer 631 an advertisement selected based on personal data obtained from 632 that consumer’s activities over time across affiliated or 633 unaffiliated websites and online applications used to predict 634 the consumer’s preferences or interests. The term does not 635 include an advertisement that is: 636 (a) Based on the context of a consumer’s current search 637 query on the controller’s own website or online application; or 638 (b) Directed to a consumer search query on the controller’s 639 own website or online application in response to the consumer’s 640 request for information or feedback. 641 (34) “Third party” means a person, other than the consumer, 642 the controller, the processor, or an affiliate of the controller 643 or processor. 644 (35) “Trade secret” has the same meaning as in s. 812.081. 645 (36) “Voice recognition feature” means the function of a 646 device which enables the collection, recording, storage, 647 analysis, transmission, interpretation, or other use of spoken 648 words or other sounds. 649 Section 6. Section 501.703, Florida Statutes, is created to 650 read: 651 501.703 Applicability.— 652 (1) This part applies only to a person who: 653 (a) Conducts business in this state or produces a product 654 or service used by residents of this state; and 655 (b) Processes or engages in the sale of personal data. 656 (2) This part does not apply to any of the following: 657 (a) A state agency or a political subdivision of the state. 658 (b) A financial institution or data subject to Title V, 659 Gramm-Leach-Bliley Act, 15 U.S.C. ss. 6801 et seq. 660 (c) A covered entity or business associate governed by the 661 privacy, security, and breach notification regulations issued by 662 the United States Department of Health and Human Services, 45 663 C.F.R. parts 160 and 164, established under the Health Insurance 664 Portability and Accountability Act of 1996, 42 U.S.C. ss. 1320d 665 et seq., and the Health Information Technology for Economic and 666 Clinical Health Act, Division A, Title XIII and Division B, 667 Title IV, Pub. L. No. 111-5. 668 (d) A nonprofit organization. 669 (e) A postsecondary education institution. 670 (f) The processing of personal data: 671 1. By a person in the course of a purely personal or 672 household activity. 673 2. Solely for measuring or reporting advertising 674 performance, reach, or frequency. 675 (3) A controller or processor that complies with the 676 authenticated parental consent requirements of the Children’s 677 Online Privacy Protection Act, 15 U.S.C. ss. 6501 et seq., with 678 respect to data collected online, is considered to be in 679 compliance with any requirement to obtain parental consent under 680 this part. 681 Section 7. Section 501.704, Florida Statutes, is created to 682 read: 683 501.704 Exemptions.—All of the following information is 684 exempt from this part: 685 (1) Protected health information under the Health Insurance 686 Portability and Accountability Act of 1996, 42 U.S.C. ss. 1320d 687 et seq. 688 (2) Health records. 689 (3) Patient identifying information for purposes of 42 690 U.S.C. s. 290dd-2. 691 (4) Identifiable private information: 692 (a) For purposes of the federal policy for the protection 693 of human subjects under 45 C.F.R. part 46; 694 (b) Collected as part of human subjects research under the 695 good clinical practice guidelines issued by the International 696 Council for Harmonisation of Technical Requirements for 697 Pharmaceuticals for Human Use or the protection of human 698 subjects under 21 C.F.R. parts 50 and 56; or 699 (c) That is personal data used or shared in research 700 conducted in accordance with this part or other research 701 conducted in accordance with applicable law. 702 (5) Information and documents created for purposes of the 703 Health Care Quality Improvement Act of 1986, 42 U.S.C. ss. 11101 704 et seq. 705 (6) Patient safety work product for purposes of the Patient 706 Safety and Quality Improvement Act of 2005, 42 U.S.C. ss. 299b 707 21 et seq. 708 (7) Information derived from any of the health-care-related 709 information listed in this section which is deidentified in 710 accordance with the requirements for deidentification under the 711 Health Insurance Portability and Accountability Act of 1996, 42 712 U.S.C. ss. 1320d et seq. 713 (8) Information originating from, and intermingled to be 714 indistinguishable with, or information treated in the same 715 manner as, information exempt under this section which is 716 maintained by a covered entity or business associate as defined 717 by the Health Insurance Portability and Accountability Act of 718 1996, 42 U.S.C. ss. 1320d et seq. or by a program or a qualified 719 service organization as defined by 42 U.S.C. s. 290dd-2. 720 (9) Information included in a limited data set as described 721 by 45 C.F.R. s. 164.514(e), to the extent that the information 722 is used, disclosed, and maintained in the manner specified by 45 723 C.F.R. s. 164.514(e). 724 (10) Information used only for public health activities and 725 purposes as described in 45 C.F.R. s. 164.512. 726 (11) Information collected or used only for public health 727 activities and purposes as authorized by the Health Insurance 728 Portability and Accountability Act of 1996, 42 U.S.C. ss. 1320d 729 et seq. 730 (12) The collection, maintenance, disclosure, sale, 731 communication, or use of any personal data bearing on a 732 consumer’s creditworthiness, credit standing, credit capacity, 733 character, general reputation, personal characteristics, or mode 734 of living by a consumer reporting agency or furnisher that 735 provides information for use in a consumer report, or by a user 736 of a consumer report, but only to the extent that the activity 737 is regulated by and authorized under the Fair Credit Reporting 738 Act, 15 U.S.C. ss. 1681 et seq. 739 (13) Personal data collected, processed, sold, or disclosed 740 in compliance with the Driver’s Privacy Protection Act of 1994, 741 18 U.S.C. ss. 2721 et seq. 742 (14) Personal data regulated by the Family Educational 743 Rights and Privacy Act of 1974, 20 U.S.C. s. 1232g. 744 (15) Personal data collected, processed, sold, or disclosed 745 in compliance with the Farm Credit Act of 1971, 12 U.S.C. ss. 746 2001 et seq. 747 (16) Data processed or maintained in the course of an 748 individual applying to, being employed by, or acting as an agent 749 or independent contractor of a controller, processor, or third 750 party, to the extent that the data is collected and used within 751 the context of that role. 752 (17) Data processed or maintained as the emergency contact 753 information of an individual under this part which is used for 754 emergency contact purposes. 755 (18) Data that is processed or maintained and that is 756 necessary to retain to administer benefits for another 757 individual which relates to an individual described in 758 subsection (16) and which is used for the purposes of 759 administering those benefits. 760 (19) Personal data collected and transmitted which is 761 necessary for the sole purpose of sharing such personal data 762 with a financial service provider solely to facilitate short 763 term, transactional payment processing for the purchase of 764 products or services. 765 (20) Personal data collected, processed, sold, or disclosed 766 in relation to price, route, or service as those terms are used 767 in the Airline Deregulation Act, 49 U.S.C. ss. 40101 et seq., by 768 entities subject to that act, to the extent the provisions of 769 this act are preempted by 49 U.S.C. s. 41713. 770 (21) Personal data shared between a manufacturer of a 771 tangible product and authorized third-party distributors or 772 vendors of the product, as long as such personal data is used 773 solely for advertising, marketing, or servicing the product that 774 is acquired directly through such manufacturer and such 775 authorized third-party distributors or vendors. Such personal 776 data may not be sold or shared unless otherwise authorized under 777 this part. 778 Section 8. Section 501.705, Florida Statutes, is created to 779 read: 780 501.705 Consumer rights.— 781 (1) A consumer is entitled to exercise the consumer rights 782 authorized by this section at any time by submitting a request 783 to a controller which specifies the consumer rights that the 784 consumer wishes to exercise. With respect to the processing of 785 personal data belonging to a known child, a parent or legal 786 guardian of the child may exercise these rights on behalf of the 787 child. 788 (2) A controller shall comply with an authenticated 789 consumer request to exercise any of the following rights: 790 (a) To confirm whether a controller is processing the 791 consumer’s personal data and to access the personal data. 792 (b) To correct inaccuracies in the consumer’s personal 793 data, taking into account the nature of the personal data and 794 the purposes of the processing of the consumer’s personal data. 795 (c) To delete any or all personal data provided by or 796 obtained about the consumer. 797 (d) To obtain a copy of the consumer’s personal data in a 798 portable and, to the extent technically feasible, readily usable 799 format if the data is available in a digital format. 800 (e) To opt out of the processing of the personal data for 801 purposes of: 802 1. Targeted advertising; 803 2. The sale of personal data; or 804 3. Profiling in furtherance of a decision that produces a 805 legal or similarly significant effect concerning a consumer. 806 (f) To opt out of the collection of sensitive data, 807 including precise geolocation data, or the processing of 808 sensitive data. 809 (g) To opt out of the collection of personal data collected 810 through the operation of a voice recognition or facial 811 recognition feature. 812 (3) A device that has a voice recognition feature, a facial 813 recognition feature, a video recording feature, an audio 814 recording feature, or any other electronic, visual, thermal, or 815 olfactory feature that collects data may not use those features 816 for the purpose of surveillance by the controller, processor, or 817 affiliate of a controller or processor when such features are 818 not in active use by the consumer, unless otherwise expressly 819 authorized by the consumer. 820 Section 9. Section 501.706, Florida Statutes, is created to 821 read: 822 501.706 Controller response to consumer requests.— 823 (1) Except as otherwise provided by this part, a controller 824 shall comply with a request submitted by a consumer to exercise 825 the consumer’s rights pursuant to s. 501.705, as provided in 826 this section. 827 (2) A controller shall respond to the consumer request 828 without undue delay, which may not be later than 45 days after 829 the date of receipt of the request. The controller may extend 830 the response period once by an additional 15 days when 831 reasonably necessary, taking into account the complexity and 832 number of the consumer’s requests, so long as the controller 833 informs the consumer of the extension within the initial 45-day 834 response period, together with the reason for the extension. 835 (3) If a controller cannot take action regarding the 836 consumer’s request, the controller must inform the consumer 837 without undue delay, which may not be later than 45 days after 838 the date of receipt of the request, of the justification for the 839 inability to take action on the request and provide instructions 840 on how to appeal the decision in accordance with s. 501.707. A 841 controller is not required to comply with a consumer request 842 submitted under s. 501.705 if the controller cannot authenticate 843 the request. However, the controller must make a reasonable 844 effort to request that the consumer provide additional 845 information reasonably necessary to authenticate the consumer 846 and the consumer’s request. If a controller maintains a self 847 service mechanism to allow a consumer to correct certain 848 personal data, the controller may deny the consumer’s request 849 and require the consumer to correct his or her own personal data 850 through such mechanism. 851 (4) A controller must provide the consumer with notice 852 within 60 days after the request is received that the controller 853 has complied with the consumer’s request as required in this 854 section. 855 (5) A controller shall provide information or take action 856 in response to a consumer request free of charge, at least twice 857 annually per consumer. If a request from a consumer is 858 manifestly unfounded, excessive, or repetitive, the controller 859 may charge the consumer a reasonable fee to cover the 860 administrative costs of complying with the request or may 861 decline to act on the request. The controller bears the burden 862 of demonstrating for purposes of this subsection that a request 863 is manifestly unfounded, excessive, or repetitive. 864 (6) A controller who has obtained personal data about a 865 consumer from a source other than the consumer is considered in 866 compliance with a consumer’s request to delete that personal 867 data pursuant to s. 501.705(2)(c), by doing any of the 868 following: 869 (a) Deleting the personal data, retaining a record of the 870 deletion request and the minimum data necessary for the purpose 871 of ensuring that the consumer’s personal data remains deleted 872 from the business’s records, and not using the retained data for 873 any other purpose under this part. 874 (b) Opting the consumer out of the processing of that 875 personal data for any purpose other than a purpose exempt under 876 this part. 877 Section 10. Section 501.707, Florida Statutes, is created 878 to read: 879 501.707 Appeal.— 880 (1) A controller shall establish a process for a consumer 881 to appeal the controller’s refusal to take action on a request 882 within a reasonable period of time after the consumer’s receipt 883 of the decision under s. 501.706(3). 884 (2) The appeal process must be conspicuously available and 885 similar to the process for initiating action to exercise 886 consumer rights by submitting a request under s. 501.705. 887 (3) A controller shall inform the consumer in writing of 888 any action taken or not taken in response to an appeal under 889 this section within 60 days after the date of receipt of the 890 appeal, including a written explanation of the reason or reasons 891 for the decision. 892 Section 11. Section 501.708, Florida Statutes, is created 893 to read: 894 501.708 Waiver or limitation of consumer rights 895 prohibited.—Any provision of a contract or agreement which 896 waives or limits in any way a consumer right described by s. 897 501.705, s. 501.706, or s. 501.707 is contrary to public policy 898 and is void and unenforceable. 899 Section 12. Section 501.709, Florida Statutes, is created 900 to read: 901 501.709 Submitting consumer requests.— 902 (1) A controller shall establish two or more methods to 903 enable consumers to submit a request to exercise their consumer 904 rights under this part. The methods must be secure, reliable, 905 and clearly and conspicuously accessible. The methods must take 906 all of the following into account: 907 (a) The ways in which consumers normally interact with the 908 controller. 909 (b) The necessity for secure and reliable communications of 910 these requests. 911 (c) The ability of the controller to authenticate the 912 identity of the consumer making the request. 913 (2) A controller may not require a consumer to create a new 914 account to exercise the consumer’s rights under this part but 915 may require a consumer to use an existing account. 916 (3) A controller shall provide a mechanism on its website 917 for a consumer to submit a request for information required to 918 be disclosed under this part. A controller that operates 919 exclusively online and has a direct relationship with a consumer 920 from whom the controller collects personal data may also provide 921 an e-mail address for the submission of requests. 922 Section 13. Section 501.71, Florida Statutes, is created to 923 read: 924 501.71 Controller duties.— 925 (1) A controller shall: 926 (a) Limit the collection of personal data to data that is 927 adequate, relevant, and reasonably necessary in relation to the 928 purposes for which it is processed, as disclosed to the 929 consumer; and 930 (b) For purposes of protecting the confidentiality, 931 integrity, and accessibility of personal data, establish, 932 implement, and maintain reasonable administrative, technical, 933 and physical data security practices appropriate to the volume 934 and nature of the personal data at issue. 935 (2) A controller may not do any of the following: 936 (a) Except as otherwise provided by this part, process 937 personal data for a purpose that is neither reasonably necessary 938 nor compatible with the purpose for which the personal data is 939 processed, as disclosed to the consumer, unless the controller 940 obtains the consumer’s consent. 941 (b) Process personal data in violation of state or federal 942 laws that prohibit unlawful discrimination against consumers. 943 (c) Discriminate against a consumer for exercising any of 944 the consumer rights contained in this part, including by denying 945 goods or services, charging different prices or rates for goods 946 or services, or providing a different level of quality of goods 947 or services to the consumer. A controller may offer financial 948 incentives, including payments to consumers as compensation, for 949 processing of personal data if the consumer gives the controller 950 prior consent that clearly describes the material terms of the 951 financial incentive program and provided that such incentive 952 practices are not unjust, unreasonable, coercive, or usurious in 953 nature. The consent may be revoked by the consumer at any time. 954 (d) Process the sensitive data of a consumer without 955 obtaining the consumer’s consent, or, in the case of processing 956 the sensitive data of a known child, without processing that 957 data with the affirmative authorization for such processing by a 958 known child who is between 13 and 18 years of age or in 959 accordance with the Children’s Online Privacy Protection Act, 15 960 U.S.C. ss. 6501 et seq. for a known child under the age of 13. 961 (3) Paragraph (2)(c) may not be construed to require a 962 controller to provide a product or service that requires the 963 personal data of a consumer which the controller does not 964 collect or maintain or to prohibit a controller from offering a 965 different price, rate, level, quality, or selection of goods or 966 services to a consumer, including offering goods or services for 967 no fee, if the consumer has exercised the consumer’s right to 968 opt out under s. 501.705(2) or the offer is related to a 969 consumer’s voluntary participation in a bona fide loyalty, 970 rewards, premium features, discounts, or club card program. 971 (4) A controller that operates a search engine shall make 972 available, in an easily accessible location on the webpage which 973 does not require a consumer to log in or register to read, an 974 up-to-date plain language description of the main parameters 975 that are individually or collectively the most significant in 976 determining ranking and the relative importance of those main 977 parameters, including the prioritization or deprioritization of 978 political partisanship or political ideology in search results. 979 Algorithms are not required to be disclosed nor is any other 980 information that, with reasonable certainty, would enable 981 deception of or harm to consumers through the manipulation of 982 search results. 983 Section 14. Section 501.711, Florida Statutes, is created 984 to read: 985 501.711 Privacy notices.— 986 (1) A controller shall provide consumers with a reasonably 987 accessible and clear privacy notice, updated at least annually, 988 that includes all of the following information: 989 (a) The categories of personal data processed by the 990 controller, including, if applicable, any sensitive data 991 processed by the controller. 992 (b) The purpose of processing personal data. 993 (c) How consumers may exercise their rights under s. 994 501.705(2), including the process by which a consumer may appeal 995 a controller’s decision with regard to the consumer’s request. 996 (d) If applicable, the categories of personal data that the 997 controller shares with third parties. 998 (e) If applicable, the categories of third parties with 999 whom the controller shares personal data. 1000 (f) A description of the methods specified in s. 501.709, 1001 by which consumers can submit requests to exercise their 1002 consumer rights under this part. 1003 (2) If a controller engages in the sale of personal data 1004 that is sensitive data, the controller must provide the 1005 following notice: “NOTICE: This website may sell your sensitive 1006 personal data.” The notice must be posted in accordance with 1007 subsection (1). 1008 (3) If a controller engages in the sale of personal data 1009 that is biometric data, the controller must provide the 1010 following notice: “NOTICE: This website may sell your biometric 1011 personal data.” The notice must be posted in accordance with 1012 subsection (1). 1013 (4) If a controller sells personal data to third parties or 1014 processes personal data for targeted advertising, the controller 1015 must clearly and conspicuously disclose that process and the 1016 manner in which a consumer may exercise the right to opt out of 1017 that process. 1018 (5) A controller may not collect additional categories of 1019 personal information or use personal information collected for 1020 additional purposes without providing the consumer with notice 1021 consistent with this section. 1022 Section 15. Section 501.712, Florida Statutes, is created 1023 to read: 1024 501.712 Duties of processor.— 1025 (1) A processor shall adhere to the instructions of a 1026 controller and shall assist the controller in meeting or 1027 complying with the controller’s duties under this section and 1028 the requirements of this part, including the following: 1029 (a) Assisting the controller in responding to consumer 1030 rights requests submitted pursuant to ss. 501.705 and 501.709, 1031 by using appropriate technical and organizational measures, as 1032 reasonably practicable, taking into account the nature of 1033 processing and the information available to the processor. 1034 (b) Assisting the controller with regard to complying with 1035 the requirement relating to the security of processing personal 1036 data and to the notification of a breach of security of the 1037 processor’s system under s. 501.171, taking into account the 1038 nature of processing and the information available to the 1039 processor. 1040 (c) Providing necessary information to enable the 1041 controller to conduct and document data protection assessments 1042 under s. 501.713. 1043 (2) A contract between a controller and a processor governs 1044 the processor’s data processing procedures with respect to 1045 processing performed on behalf of the controller. The contract 1046 must include all of the following information: 1047 (a) Clear instructions for processing data. 1048 (b) The nature and purpose of processing. 1049 (c) The type of data subject to processing. 1050 (d) The duration of processing. 1051 (e) The rights and obligations of both parties. 1052 (f) A requirement that the processor: 1053 1. Ensure that each person processing personal data is 1054 subject to a duty of confidentiality with respect to the data; 1055 2. At the controller’s direction, delete or return all 1056 personal data to the controller as requested after the provision 1057 of the service is completed, unless retention of the personal 1058 data is required by law; 1059 3. Make available to the controller, upon reasonable 1060 request, all information in the processor’s possession necessary 1061 to demonstrate the processor’s compliance with this part; 1062 4. Allow, and cooperate with, reasonable assessments by the 1063 controller or the controller’s designated assessor; and 1064 5. Engage any subcontractor pursuant to a written contract 1065 that requires the subcontractor to meet the requirements of the 1066 processor with respect to the personal data. 1067 (3) Notwithstanding subparagraph (2)(f)4., a processor may 1068 arrange for a qualified and independent assessor to conduct an 1069 assessment of the processor’s policies and technical and 1070 organizational measures in support of the requirements under 1071 this part using an appropriate and accepted control standard or 1072 framework and assessment procedure. The processor shall provide 1073 a report of the assessment to the controller upon request. 1074 (4) This section may not be construed to relieve a 1075 controller or a processor from the liabilities imposed on the 1076 controller or processor by virtue of its role in the processing 1077 relationship as described by this part. 1078 (5) A determination as to whether a person is acting as a 1079 controller or processor with respect to a specific processing of 1080 data is a fact-based determination that depends on the context 1081 in which personal data is to be processed. A processor that 1082 continues to adhere to a controller’s instructions with respect 1083 to a specific processing of personal data remains in the role of 1084 a processor. 1085 Section 16. Section 501.713, Florida Statutes, is created 1086 to read: 1087 501.713 Data protection assessments.— 1088 (1) A controller shall conduct and document a data 1089 protection assessment of each of the following processing 1090 activities involving personal data: 1091 (a) The processing of personal data for purposes of 1092 targeted advertising. 1093 (b) The sale of personal data. 1094 (c) The processing of personal data for purposes of 1095 profiling if the profiling presents a reasonably foreseeable 1096 risk of: 1097 1. Unfair or deceptive treatment of or unlawful disparate 1098 impact on consumers; 1099 2. Financial, physical, or reputational injury to 1100 consumers; 1101 3. A physical or other intrusion on the solitude or 1102 seclusion, or the private affairs or concerns, of consumers, if 1103 the intrusion would be offensive to a reasonable person; or 1104 4. Other substantial injury to consumers. 1105 (d) The processing of sensitive data. 1106 (e) Any processing activities involving personal data which 1107 present a heightened risk of harm to consumers. 1108 (2) A data protection assessment conducted under subsection 1109 (1) must do all of the following: 1110 (a) Identify and weigh the direct or indirect benefits that 1111 may flow from the processing to the controller, the consumer, 1112 other stakeholders, and the public against the potential risks 1113 to the rights of the consumer associated with that processing, 1114 as mitigated by safeguards that can be employed by the 1115 controller to reduce such risks. 1116 (b) Factor into the assessment: 1117 1. The use of deidentified data; 1118 2. The reasonable expectations of consumers; 1119 3. The context of the processing; and 1120 4. The relationship between the controller and the consumer 1121 whose personal data will be processed. 1122 (3) The disclosure of a data protection assessment in 1123 compliance with a request from the Attorney General pursuant to 1124 s. 501.72 does not constitute a waiver of attorney-client 1125 privilege or work product protection with respect to the 1126 assessment and any information contained in the assessment. 1127 (4) A single data protection assessment may address a 1128 comparable set of processing operations which include similar 1129 activities. 1130 (5) A data protection assessment conducted by a controller 1131 for the purpose of compliance with any other law or regulation 1132 may constitute compliance with the requirements of this section 1133 if the assessment has a reasonably comparable scope and effect. 1134 (6) This section applies only to processing activities 1135 generated on or after July 1, 2023. 1136 Section 17. Section 501.714, Florida Statutes, is created 1137 to read: 1138 501.714 Deidentified data, pseudonymous data, and aggregate 1139 consumer information.— 1140 (1) A controller in possession of deidentified data shall 1141 do all of the following: 1142 (a) Take reasonable measures to ensure that the data cannot 1143 be associated with an individual. 1144 (b) Maintain and use the data in deidentified form. A 1145 controller may not attempt to reidentify the data, except that 1146 the controller may attempt to reidentify the data solely for the 1147 purpose of determining whether its deidentification processes 1148 satisfy the requirements of this section. 1149 (c) Contractually obligate any recipient of the 1150 deidentified data to comply with this part. 1151 (d) Implement business processes to prevent the inadvertent 1152 release of deidentified data. 1153 (2) This part may not be construed to require a controller 1154 or processor to do any of the following: 1155 (a) Reidentify deidentified data or pseudonymous data. 1156 (b) Maintain data in an identifiable form or obtain, 1157 retain, or access any data or technology for the purpose of 1158 allowing the controller or processor to associate a consumer 1159 request with personal data. 1160 (c) Comply with an authenticated consumer rights request 1161 under s. 501.705 if the controller: 1162 1. Is not reasonably capable of associating the request 1163 with the personal data or it would be unreasonably burdensome 1164 for the controller to associate the request with the personal 1165 data; 1166 2. Does not use the personal data to recognize or respond 1167 to the specific consumer who is the subject of the personal data 1168 or associate the personal data with other personal data about 1169 the same specific consumer; and 1170 3. Does not sell the personal data to a third party or 1171 otherwise voluntarily disclose the personal data to a third 1172 party other than a processor, except as otherwise authorized by 1173 this section. 1174 (3) The consumer rights enumerated under s. 501.705(2), and 1175 controller duties imposed under s. 501.71, do not apply to 1176 pseudonymous data or aggregate consumer information in cases in 1177 which the controller is able to demonstrate that any information 1178 necessary to identify the consumer is kept separate and is 1179 subject to effective technical and organizational controls that 1180 prevent the controller from accessing the information. 1181 (4) A controller that discloses pseudonymous data, 1182 deidentified data, or aggregate consumer information shall 1183 exercise reasonable oversight to monitor compliance with any 1184 contractual commitments to which the data or information is 1185 subject and shall take appropriate steps to address any breach 1186 of the contractual commitments. 1187 Section 18. Section 501.715, Florida Statutes, is created 1188 to read: 1189 501.715 Requirements for sensitive data.— 1190 (1) A person who meets the requirements of s. 1191 501.702(9)(a)1., (a)2., and (a)3. for the definition of a 1192 controller may not engage in the sale of personal data that is 1193 sensitive data without receiving prior consent from the consumer 1194 or, if the sensitive data is of a known child, without 1195 processing that data with the affirmative authorization for such 1196 processing by a known child who is between 13 and 18 years of 1197 age or in accordance with the Children’s Online Privacy 1198 Protection Act, 15 U.S.C. ss. 6501 et seq. for a known child 1199 under the age of 13. 1200 (2) A person in subsection (1) who engages in the sale of 1201 personal data that is sensitive data must provide the following 1202 notice: “NOTICE: This website may sell your sensitive personal 1203 data.” 1204 (3) A person who violates this section is subject to the 1205 penalty imposed under s. 501.72. 1206 Section 19. Section 501.716, Florida Statutes, is created 1207 to read: 1208 501.716 Exemptions for certain uses of consumer personal 1209 data.— 1210 (1) This part may not be construed to restrict a 1211 controller’s or processor’s ability to do any of the following: 1212 (a) Comply with federal or state laws, rules, or 1213 regulations. 1214 (b) Comply with a civil, criminal, or regulatory inquiry, 1215 investigation, subpoena, or summons by federal, state, local, or 1216 other governmental authorities. 1217 (c) Investigate, establish, exercise, prepare for, or 1218 defend legal claims. 1219 (d) Provide a product or service specifically requested by 1220 a consumer or the parent or guardian of a child, perform a 1221 contract to which the consumer is a party, including fulfilling 1222 the terms of a written warranty, or take steps at the request of 1223 the consumer before entering into a contract. 1224 (e) Take immediate steps to protect an interest that is 1225 essential for the life or physical safety of the consumer or of 1226 another individual and in which the processing cannot be 1227 manifestly based on another legal basis. 1228 (f) Prevent, detect, protect against, or respond to 1229 security incidents, identity theft, fraud, harassment, malicious 1230 or deceptive activities, or any illegal activity. 1231 (g) Preserve the integrity or security of systems or 1232 investigate, report, or prosecute those responsible for breaches 1233 of system security. 1234 (h) Engage in public or peer-reviewed scientific or 1235 statistical research in the public interest which adheres to all 1236 other applicable ethics and privacy laws and is approved, 1237 monitored, and governed by an institutional review board or 1238 similar independent oversight entity that determines: 1239 1. Whether the deletion of the information is likely to 1240 provide substantial benefits that do not exclusively accrue to 1241 the controller; 1242 2. Whether the expected benefits of the research outweigh 1243 the privacy risks; and 1244 3. Whether the controller has implemented reasonable 1245 safeguards to mitigate privacy risks associated with research, 1246 including any risks associated with reidentification. 1247 (i) Assist another controller, processor, or third party in 1248 complying with the requirements of this part. 1249 (j) Disclose personal data disclosed when a consumer uses 1250 or directs the controller to intentionally disclose information 1251 to a third party or uses the controller to intentionally 1252 interact with a third party. An intentional interaction occurs 1253 when the consumer intends to interact with the third party, by 1254 one or more deliberate interactions. Hovering over, muting, 1255 pausing, or closing a given piece of content does not constitute 1256 a consumer’s intent to interact with a third party. 1257 (k) Transfer personal data to a third party as an asset 1258 that is part of a merger, an acquisition, a bankruptcy, or other 1259 transaction in which the third party assumes control of all or 1260 part of the controller, provided that the information is used or 1261 shared in a manner consistent with this part. If a third party 1262 materially alters how it uses or shares the personal data of a 1263 consumer in a manner that is materially inconsistent with the 1264 commitments or promises made at the time of collection, it must 1265 provide prior notice of the new or changed practice to the 1266 consumer. The notice must be sufficiently prominent and robust 1267 to ensure that consumers can easily exercise choices consistent 1268 with this part. 1269 (2) This part may not be construed to prevent a controller 1270 or processor from providing personal data concerning a consumer 1271 to a person covered by an evidentiary privilege under the laws 1272 of this state as part of a privileged communication. 1273 (3) This part may not be construed as imposing a 1274 requirement on controllers and processors which adversely 1275 affects the rights or freedoms of any person, including the 1276 right of free speech. 1277 (4) This part may not be construed as requiring a 1278 controller, processor, third party, or consumer to disclose a 1279 trade secret. 1280 Section 20. Section 501.717, Florida Statutes, is created 1281 to read: 1282 501.717 Collection, use, or retention of data for certain 1283 purposes.— 1284 (1) The requirements imposed on controllers and processors 1285 under this part may not restrict a controller’s or processor’s 1286 ability to collect, use, or retain data to do any of the 1287 following: 1288 (a) Conduct internal research to develop, improve, or 1289 repair products, services, or technology. 1290 (b) Effect a product recall. 1291 (c) Identify and repair technical errors that impair 1292 existing or intended functionality. 1293 (d) Perform internal operations that are: 1294 1. Reasonably aligned with the expectations of the 1295 consumer; 1296 2. Reasonably anticipated based on the consumer’s existing 1297 relationship with the controller; or 1298 3. Otherwise compatible with processing data in furtherance 1299 of the provision of a product or service specifically requested 1300 by a consumer or the performance of a contract to which the 1301 consumer is a party. 1302 (2) A requirement imposed on a controller or processor 1303 under this part does not apply if compliance with the 1304 requirement by the controller or processor, as applicable, would 1305 violate an evidentiary privilege under the laws of this state. 1306 Section 21. Section 501.718, Florida Statutes, is created 1307 to read: 1308 501.718 Disclosure of personal data to third-party 1309 controller or processor.— 1310 (1) A controller or processor that discloses personal data 1311 to a third-party controller or processor in compliance with the 1312 requirements of this part does not violate this part if the 1313 third-party controller or processor that receives and processes 1314 that personal data violates this part, provided that, at the 1315 time of the data’s disclosure, the disclosing controller or 1316 processor could not have reasonably known that the recipient 1317 intended to commit a violation. 1318 (2) A third-party controller or processor receiving 1319 personal data from a controller or processor in compliance with 1320 the requirements of this part may not be held liable for 1321 violations of this part committed by the controller or processor 1322 from which the third-party controller or processor receives the 1323 personal data. 1324 Section 22. Section 501.719, Florida Statutes, is created 1325 to read: 1326 501.719 Processing of certain personal data by controller 1327 or other person.— 1328 (1) Personal data processed by a controller pursuant to ss. 1329 501.716, 501.717, and 501.718 may not be processed for any 1330 purpose other than those specified in those sections. Personal 1331 data processed by a controller pursuant to ss. 501.716, 501.717, 1332 and 501.718 may be processed to the extent that the processing 1333 of the data is: 1334 (a) Reasonably necessary and proportionate to the purposes 1335 specified in ss. 501.716, 501.717, and 501.718; 1336 (b) Adequate, relevant, and limited to what is necessary in 1337 relation to the purposes specified in ss. 501.716, 501.717, and 1338 501.718; and 1339 (c) Done to assist another controller, processor, or third 1340 party with any of the purposes specified in s. 501.716, s. 1341 501.717, or s. 501.718. 1342 (2) A controller or processor that collects, uses, or 1343 retains personal data for the purposes specified in s. 1344 501.717(1) must take into account the nature and purpose of such 1345 collection, use, or retention. Such personal data is subject to 1346 reasonable administrative, technical, and physical measures to 1347 protect its confidentiality, integrity, and accessibility and to 1348 reduce reasonably foreseeable risks of harm to consumers 1349 relating to the collection, use, or retention of personal data. 1350 (3) A controller or processor shall adopt and implement a 1351 retention schedule that prohibits the use or retention of 1352 personal data not subject to an exemption by the controller or 1353 processor after the satisfaction of the initial purpose for 1354 which such information was collected or obtained, after the 1355 expiration or termination of the contract pursuant to which the 1356 information was collected or obtained, or 2 years after the 1357 consumer’s last interaction with the controller or processor. 1358 This subsection does not apply to personal data reasonably used 1359 or retained to do any of the following: 1360 (a) Provide a good or service requested by the consumer, or 1361 reasonably anticipate the request of such good or service within 1362 the context of a controller’s ongoing business relationship with 1363 the consumer. 1364 (b) Debug to identify and repair errors that impair 1365 existing intended functionality. 1366 (c) Enable solely internal uses that are reasonably aligned 1367 with the expectations of the consumer based on the consumer’s 1368 relationship with the controller or that are compatible with the 1369 context in which the consumer provided the information. 1370 (4) A controller or processor that processes personal data 1371 pursuant to ss. 501.716, 501.717, and 501.718 bears the burden 1372 of demonstrating that the processing of the personal data 1373 qualifies for the exemption and complies with the requirements 1374 of this section. 1375 Section 23. Section 501.72, Florida Statutes, is created to 1376 read: 1377 501.72 Enforcement and implementation by the Department of 1378 Legal Affairs.— 1379 (1) A violation of this part is an unfair and deceptive 1380 trade practice actionable under part II of this chapter solely 1381 by the Department of Legal Affairs. If the department has reason 1382 to believe that a person is in violation of this section, the 1383 department may, as the enforcing authority, bring an action 1384 against such person for an unfair or deceptive act or practice. 1385 For the purpose of bringing an action pursuant to this section, 1386 ss. 501.211 and 501.212 do not apply. In addition to other 1387 remedies under part II of this chapter, the department may 1388 collect a civil penalty of up to $50,000 per violation. Civil 1389 penalties may be tripled for any of the following violations: 1390 (a) A violation involving a Florida consumer who is a known 1391 child. A controller that willfully disregards the consumer’s age 1392 is deemed to have actual knowledge of the consumer’s age. 1393 (b) Failure to delete or correct the consumer’s personal 1394 data pursuant to this section after receiving an authenticated 1395 consumer request or directions from a controller to delete or 1396 correct such personal data, unless an exception to the 1397 requirements to delete or correct such personal data under this 1398 section applies. 1399 (c) Continuing to sell or share the consumer’s personal 1400 data after the consumer chooses to opt out under this part. 1401 (2) After the department has notified a person in writing 1402 of an alleged violation, the department may grant a 45-day 1403 period to cure the alleged violation and issue a letter of 1404 guidance. The 45-day cure period does not apply to an alleged 1405 violation of paragraph (1)(a). The department may consider the 1406 number and frequency of violations, the substantial likelihood 1407 of injury to the public, and the safety of persons or property 1408 in determining whether to grant 45 calendar days to cure and the 1409 issuance of a letter of guidance. If the alleged violation is 1410 cured to the satisfaction of the department and proof of such 1411 cure is provided to the department, the department may not bring 1412 an action for the alleged violation but in its discretion may 1413 issue a letter of guidance that indicates that the person will 1414 not be offered a 45-day cure period for any future violations. 1415 If the person fails to cure the alleged violation within 45 1416 calendar days, the department may bring an action against such 1417 person for the alleged violation. 1418 (3) Any action brought by the department may be brought 1419 only on behalf of a Florida consumer. 1420 (4) By February 1 of each year, the department shall make a 1421 report publicly available on the department’s website describing 1422 any actions taken by the department to enforce this section. The 1423 report must include statistics and relevant information 1424 detailing all of the following: 1425 (a) The number of complaints received and the categories or 1426 types of violations alleged by the complainant. 1427 (b) The number and type of enforcement actions taken and 1428 the outcomes of such actions, including the amount of penalties 1429 issued and collected. 1430 (c) The number of complaints resolved without the need for 1431 litigation. 1432 (d) For the report due February 1, 2024, the status of the 1433 development and implementation of rules to implement this 1434 section. 1435 (5) The department shall adopt rules to implement this 1436 section, including standards for authenticated consumer 1437 requests, enforcement, data security, and authorized persons who 1438 may act on a consumer’s behalf. 1439 (6) The department may collaborate and cooperate with other 1440 enforcement authorities of the Federal Government or other state 1441 governments concerning consumer data privacy issues and consumer 1442 data privacy investigations if such enforcement authorities have 1443 restrictions governing confidentiality at least as stringent as 1444 the restrictions provided in this section. 1445 (7) Liability for a tort, contract claim, or consumer 1446 protection claim unrelated to an action brought under this 1447 section does not arise solely from the failure of a person to 1448 comply with this part. 1449 (8) This part does not establish a private cause of action. 1450 (9) The department may employ or use the legal services of 1451 outside counsel and the investigative services of outside 1452 personnel to fulfill the obligations of this section. 1453 (10) For purposes of bringing an action pursuant to this 1454 section, any person who meets the definition of controller as 1455 defined in this part who collects, shares, or sells the personal 1456 data of Florida consumers is considered to be engaged in both 1457 substantial and not isolated activities within this state and 1458 operating, conducting, engaging in, or carrying on a business, 1459 and doing business in this state, and is, therefore, subject to 1460 the jurisdiction of the courts of this state. 1461 Section 24. Section 501.721, Florida Statutes, is created 1462 to read: 1463 501.721 Preemption.—This part is a matter of statewide 1464 concern and supersedes all rules, regulations, codes, 1465 ordinances, and other laws adopted by a city, county, city and 1466 county, municipality, or local agency regarding the collection, 1467 processing, sharing, or sale of consumer personal data by a 1468 controller or processor. The regulation of the collection, 1469 processing, sharing, or sale of consumer personal data by a 1470 controller or processor is preempted to the state. 1471 Section 25. Paragraph (g) of subsection (1) of section 1472 501.171, Florida Statutes, is amended to read: 1473 501.171 Security of confidential personal information.— 1474 (1) DEFINITIONS.—As used in this section, the term: 1475 (g)1. “Personal information” means either of the following: 1476 a. An individual’s first name or first initial and last 1477 name in combination with any one or more of the following data 1478 elements for that individual: 1479 (I) A social security number; 1480 (II) A driver license or identification card number, 1481 passport number, military identification number, or other 1482 similar number issued on a government document used to verify 1483 identity; 1484 (III) A financial account number or credit or debit card 1485 number, in combination with any required security code, access 1486 code, or password that is necessary to permit access to an 1487 individual’s financial account; 1488 (IV) Any information regarding an individual’s medical 1489 history, mental or physical condition, or medical treatment or 1490 diagnosis by a health care professional;or1491 (V) An individual’s health insurance policy number or 1492 subscriber identification number and any unique identifier used 1493 by a health insurer to identify the individual; 1494 (VI) An individual’s biometric data as defined in s. 1495 501.702; or 1496 (VII) Any information regarding an individual’s 1497 geolocation. 1498 b. A user name or e-mail address, in combination with a 1499 password or security question and answer that would permit 1500 access to an online account. 1501 2. The term does not include information about an 1502 individual that has been made publicly available by a federal, 1503 state, or local governmental entity. The term also does not 1504 include information that is encrypted, secured, or modified by 1505 any other method or technology that removes elements that 1506 personally identify an individual or that otherwise renders the 1507 information unusable. 1508 Section 26. Subsection (1) of section 16.53, Florida 1509 Statutes, is amended, and subsection (8) is added to that 1510 section, to read: 1511 16.53 Legal Affairs Revolving Trust Fund.— 1512 (1) There is created in the State Treasury the Legal 1513 Affairs Revolving Trust Fund, from which the Legislature may 1514 appropriate funds for the purpose of funding investigation, 1515 prosecution, and enforcement by the Attorney General of the 1516 provisions of the Racketeer Influenced and Corrupt Organization 1517 Act, the Florida Deceptive and Unfair Trade Practices Act, the 1518 Florida False Claims Act,orstate or federal antitrust laws, s. 1519 501.1735, or part V of chapter 501. 1520 (8) All moneys recovered by the Attorney General for 1521 attorney fees, costs, and penalties in an action for a violation 1522 of s. 501.1735 or part V of chapter 501 must be deposited in the 1523 fund. 1524 Section 27. Except as otherwise expressly provided in this 1525 act and except for this section, which shall take effect upon 1526 this act becoming a law, this act shall take effect July 1, 1527 2024.