Florida Senate - 2020 SB 1670 By Senator Broxson 1-01853-20 20201670__ 1 A bill to be entitled 2 An act relating to consumer data privacy; amending s. 3 119.01, F.S.; prohibiting the use of personal data 4 contained in public records for certain marketing, 5 soliciting, and contact without the person’s consent; 6 creating s. 501.062, F.S.; defining terms; requiring 7 the operator of a website or online service that 8 collects certain information from consumers in this 9 state to establish a designated request address and 10 provide specified notice regarding the collection and 11 sale of such information; prohibiting such operator 12 from making any sale of consumer information upon 13 request of the consumer; providing applicability; 14 requiring the Department of Legal Affairs to adopt 15 rules; providing for injunctions and civil penalties; 16 providing construction; providing an effective date. 17 18 Be It Enacted by the Legislature of the State of Florida: 19 20 Section 1. Subsection (4) is added to section 119.01, 21 Florida Statutes, to read: 22 119.01 General state policy on public records.— 23 (4) Any public records requested from state agencies that 24 include the personal data, including the name, address, and 25 birthdate, or any portion thereof, of a resident of this state 26 may not be used to market or solicit the sale of products or 27 services to the person or to contact the person for the purpose 28 of marketing or soliciting sales without the consent of the 29 person. Such marketing, soliciting, and contact is prohibited 30 unless the person has affirmatively consented by electronic or 31 paper notification to share the data with a third party before 32 the data is used for such purpose. 33 Section 2. Section 501.062, Florida Statutes, is created to 34 read: 35 501.062 Notice regarding privacy of information collected 36 on the Internet from consumers.- 37 (1) As used in this section, the term: 38 (a) “Consumer” means a person who seeks or acquires, by 39 purchase or lease, any good, service, money, or credit for 40 personal, family, or household purposes from the website or 41 online service of an operator. 42 (b) “Covered information” means all of the following items 43 of personally identifiable information about a consumer 44 collected by an operator through a website or online service and 45 maintained by the operator in an accessible format: 46 1. A first and last name. 47 2. A home or other physical address which includes the name 48 of a street and the name of a city or town. 49 3. An electronic mail address. 50 4. A telephone number. 51 5. A social security number. 52 6. An identifier that allows a consumer to be contacted 53 either physically or online. 54 7. Any other information concerning a consumer that is 55 collected from the consumer through the website or online 56 service of the operator and maintained by the operator in 57 combination with an identifier in a form that makes the 58 information personally identifiable. 59 (c) “Designated request address” means an electronic mail 60 address, a toll-free telephone number, or a website established 61 by an operator through which a consumer may submit a verified 62 request to an operator. 63 (d)1. “Operator” means a person who: 64 a. Owns or operates a website or online service for 65 commercial purposes. 66 b. Collects and maintains covered information from 67 consumers who reside in this state and use or visit the website 68 or online service. 69 c. Purposefully directs activities toward this state or 70 purposefully executes a transaction or engages in any activity 71 with this state or a resident thereof. 72 2. The term does not include: 73 a. A third party that operates, hosts, or manages a website 74 or online service on behalf of its operator or processes 75 information on behalf of its operator; 76 b. A financial institution or an affiliate thereof that is 77 subject to the Gramm-Leach-Bliley Act, 15 U.S.C. s. 6801 et 78 seq., and regulations adopted pursuant thereto; 79 c. An entity that is subject to the Health Insurance 80 Portability and Accountability Act of 1996 (HIPAA), Pub. L. No. 81 104-191, and regulations adopted pursuant thereto; or 82 d. A manufacturer of a motor vehicle or a person who 83 repairs or services a motor vehicle who collects, generates, 84 records, or stores covered information that is retrieved from a 85 motor vehicle in connection with a technology or service related 86 to the motor vehicle or that is provided by a consumer in 87 connection with a subscription or registration for a technology 88 or service related to the motor vehicle. 89 (e)1. “Sale” means the exchange of covered information for 90 monetary consideration by the operator to a person for the 91 person to license or sell the covered information to additional 92 persons. 93 2. The term does not include: 94 a. The disclosure of covered information by an operator to 95 a person who processes the covered information on behalf of the 96 operator; 97 b. The disclosure of covered information by an operator to 98 a person with whom the consumer has a direct relationship for 99 the purposes of providing a product or service requested by the 100 consumer; 101 c. The disclosure of covered information by an operator to 102 a person for purposes that are consistent with the reasonable 103 expectations of a consumer considering the context in which the 104 consumer provided the covered information to the operator; 105 d. The disclosure of covered information to a person who is 106 an affiliate of the operator; or 107 e. The disclosure or transfer of covered information to a 108 person as an asset that is part of a merger, acquisition, 109 bankruptcy, or other transaction in which the person assumes 110 control of all or part of the assets of the operator. 111 (f) “Verified request” means a request submitted by a 112 consumer to an operator for the purposes provided in subsection 113 (2) for which an operator can reasonably verify the authenticity 114 of the request. 115 (2)(a) Each operator shall establish a designated request 116 address through which a consumer may submit a verified request. 117 (b) A consumer may, at any time, submit a verified request 118 through a designated request address to an operator directing 119 the operator not to make any sale of any covered information the 120 operator has collected or will collect about the consumer. 121 (c) An operator who has received a verified request 122 submitted by a consumer may not make any sale of any covered 123 information the operator has collected or will collect about the 124 consumer. 125 (d) An operator shall respond to a verified request 126 submitted by a consumer within 60 days after the date the 127 request is submitted. An operator may extend such period by up 128 to 30 days if the operator determines that such an extension is 129 reasonably necessary. An operator who extends the period shall 130 notify the consumer of such an extension. 131 (3) An operator shall make available, in a manner 132 reasonably accessible to consumers whose covered information the 133 operator collects through its website or online service, a 134 notice that: 135 (a) Identifies the categories of covered information that 136 the operator collects through its website or online service 137 about consumers who use or visit the website or online service 138 and the categories of third parties with whom the operator may 139 share such covered information. 140 (b) Provides a description of the process, if applicable, 141 for a consumer who uses or visits the website or online service 142 to review and request changes to any of his or her covered 143 information that is collected through the website or online 144 service. 145 (c) Describes the process by which the operator notifies 146 consumers who use or visit the website or online service of 147 material changes to the notice. 148 (d) Discloses whether a third party may collect covered 149 information about a consumer’s online activities over time and 150 across different websites or online services when the consumer 151 uses the operator’s website or online service. 152 (e) States the effective date of the notice. 153 (4) This section does not apply to an operator: 154 (a) Who is located in this state. 155 (b) Whose revenue is derived primarily from a source other 156 than the sale or lease of goods, services, or credit on websites 157 or online services. 158 (c) Whose website or online service has fewer than 20,000 159 unique visitors per year. 160 (5)(a) An operator may remedy any failure to comply with 161 this section within 30 days after being informed of such a 162 failure. 163 (b) An operator violates this section if the operator: 164 1. Knowingly and willfully fails to remedy a failure to 165 comply within 30 days after being informed of such a failure; or 166 2. Makes available a notice which constitutes a knowing and 167 material misrepresentation or omission that is likely to mislead 168 a consumer acting reasonably under the circumstances to the 169 detriment of the consumer. 170 (6)(a) The Department of Legal Affairs shall adopt rules to 171 enforce this section. If the department has reason to believe 172 that an operator, directly or indirectly, has violated or is 173 violating this section, the department may institute an 174 appropriate legal proceeding against the operator. 175 (b) The district court, upon a showing that the operator, 176 directly or indirectly, has violated or is violating this 177 section, may: 178 1. Issue a temporary or permanent injunction; or 179 2. Impose a civil penalty not to exceed $5,000 for each 180 violation. 181 (7) This section does not establish a private right of 182 action against an operator. This section is not exclusive and is 183 in addition to any other remedies provided by law. 184 Section 3. This act shall take effect July 1, 2020.