Florida Senate - 2020                                    SB 1670
       By Senator Broxson
       1-01853-20                                            20201670__
    1                        A bill to be entitled                      
    2         An act relating to consumer data privacy; amending s.
    3         119.01, F.S.; prohibiting the use of personal data
    4         contained in public records for certain marketing,
    5         soliciting, and contact without the person’s consent;
    6         creating s. 501.062, F.S.; defining terms; requiring
    7         the operator of a website or online service that
    8         collects certain information from consumers in this
    9         state to establish a designated request address and
   10         provide specified notice regarding the collection and
   11         sale of such information; prohibiting such operator
   12         from making any sale of consumer information upon
   13         request of the consumer; providing applicability;
   14         requiring the Department of Legal Affairs to adopt
   15         rules; providing for injunctions and civil penalties;
   16         providing construction; providing an effective date.
   18  Be It Enacted by the Legislature of the State of Florida:
   20         Section 1. Subsection (4) is added to section 119.01,
   21  Florida Statutes, to read:
   22         119.01 General state policy on public records.—
   23         (4) Any public records requested from state agencies that
   24  include the personal data, including the name, address, and
   25  birthdate, or any portion thereof, of a resident of this state
   26  may not be used to market or solicit the sale of products or
   27  services to the person or to contact the person for the purpose
   28  of marketing or soliciting sales without the consent of the
   29  person. Such marketing, soliciting, and contact is prohibited
   30  unless the person has affirmatively consented by electronic or
   31  paper notification to share the data with a third party before
   32  the data is used for such purpose.
   33         Section 2. Section 501.062, Florida Statutes, is created to
   34  read:
   35         501.062 Notice regarding privacy of information collected
   36  on the Internet from consumers.—
   37         (1) As used in this section, the term:
   38         (a) “Consumer” means a person who seeks or acquires, by
   39  purchase or lease, any good, service, money, or credit for
   40  personal, family, or household purposes from the website or
   41  online service of an operator.
   42         (b) “Covered information” means all of the following items
   43  of personally identifiable information about a consumer
   44  collected by an operator through a website or online service and
   45  maintained by the operator in an accessible format:
   46         1. A first and last name.
   47         2. A home or other physical address which includes the name
   48  of a street and the name of a city or town.
   49         3. An electronic mail address.
   50         4. A telephone number.
   51         5. A social security number.
   52         6. An identifier that allows a consumer to be contacted
   53  either physically or online.
   54         7. Any other information concerning a consumer that is
   55  collected from the consumer through the website or online
   56  service of the operator and maintained by the operator in
   57  combination with an identifier in a form that makes the
   58  information personally identifiable.
   59         (c) “Designated request address” means an electronic mail
   60  address, a toll-free telephone number, or a website established
   61  by an operator through which a consumer may submit a verified
   62  request to an operator.
   63         (d)1. “Operator” means a person who:
   64         a. Owns or operates a website or online service for
   65  commercial purposes.
   66         b. Collects and maintains covered information from
   67  consumers who reside in this state and use or visit the website
   68  or online service.
   69         c. Purposefully directs activities toward this state or
   70  purposefully executes a transaction or engages in any activity
   71  with this state or a resident thereof.
   72         2. The term does not include:
   73         a. A third party that operates, hosts, or manages a website
   74  or online service on behalf of its operator or processes
   75  information on behalf of its operator;
   76         b. A financial institution or an affiliate thereof that is
   77  subject to the Gramm-Leach-Bliley Act, 15 U.S.C. s. 6801 et
   78  seq., and regulations adopted pursuant thereto;
   79         c. An entity that is subject to the Health Insurance
   80  Portability and Accountability Act of 1996 (HIPAA), Pub. L. No.
   81  104-191, and regulations adopted pursuant thereto; or
   82         d. A manufacturer of a motor vehicle or a person who
   83  repairs or services a motor vehicle who collects, generates,
   84  records, or stores covered information that is retrieved from a
   85  motor vehicle in connection with a technology or service related
   86  to the motor vehicle or that is provided by a consumer in
   87  connection with a subscription or registration for a technology
   88  or service related to the motor vehicle.
   89         (e)1. “Sale” means the exchange of covered information for
   90  monetary consideration by the operator to a person for the
   91  person to license or sell the covered information to additional
   92  persons.
   93         2. The term does not include:
   94         a. The disclosure of covered information by an operator to
   95  a person who processes the covered information on behalf of the
   96  operator;
   97         b. The disclosure of covered information by an operator to
   98  a person with whom the consumer has a direct relationship for
   99  the purposes of providing a product or service requested by the
  100  consumer;
  101         c. The disclosure of covered information by an operator to
  102  a person for purposes that are consistent with the reasonable
  103  expectations of a consumer considering the context in which the
  104  consumer provided the covered information to the operator;
  105         d. The disclosure of covered information to a person who is
  106  an affiliate of the operator; or
  107         e. The disclosure or transfer of covered information to a
  108  person as an asset that is part of a merger, acquisition,
  109  bankruptcy, or other transaction in which the person assumes
  110  control of all or part of the assets of the operator.
  111         (f) “Verified request” means a request submitted by a
  112  consumer to an operator for the purposes provided in subsection
  113  (2) for which an operator can reasonably verify the authenticity
  114  of the request.
  115         (2)(a) Each operator shall establish a designated request
  116  address through which a consumer may submit a verified request.
  117         (b) A consumer may, at any time, submit a verified request
  118  through a designated request address to an operator directing
  119  the operator not to make any sale of any covered information the
  120  operator has collected or will collect about the consumer.
  121         (c) An operator who has received a verified request
  122  submitted by a consumer may not make any sale of any covered
  123  information the operator has collected or will collect about the
  124  consumer.
  125         (d) An operator shall respond to a verified request
  126  submitted by a consumer within 60 days after the date the
  127  request is submitted. An operator may extend such period by up
  128  to 30 days if the operator determines that such an extension is
  129  reasonably necessary. An operator who extends the period shall
  130  notify the consumer of such an extension.
  131         (3) An operator shall make available, in a manner
  132  reasonably accessible to consumers whose covered information the
  133  operator collects through its website or online service, a
  134  notice that:
  135         (a) Identifies the categories of covered information that
  136  the operator collects through its website or online service
  137  about consumers who use or visit the website or online service
  138  and the categories of third parties with whom the operator may
  139  share such covered information.
  140         (b) Provides a description of the process, if applicable,
  141  for a consumer who uses or visits the website or online service
  142  to review and request changes to any of his or her covered
  143  information that is collected through the website or online
  144  service.
  145         (c) Describes the process by which the operator notifies
  146  consumers who use or visit the website or online service of
  147  material changes to the notice.
  148         (d) Discloses whether a third party may collect covered
  149  information about a consumer’s online activities over time and
  150  across different websites or online services when the consumer
  151  uses the operator’s website or online service.
  152         (e) States the effective date of the notice.
  153         (4) This section does not apply to an operator:
  154         (a) Who is located in this state.
  155         (b) Whose revenue is derived primarily from a source other
  156  than the sale or lease of goods, services, or credit on websites
  157  or online services.
  158         (c) Whose website or online service has fewer than 20,000
  159  unique visitors per year.
  160         (5)(a) An operator may remedy any failure to comply with
  161  this section within 30 days after being informed of such a
  162  failure.
  163         (b) An operator violates this section if the operator:
  164         1. Knowingly and willfully fails to remedy a failure to
  165  comply within 30 days after being informed of such a failure; or
  166         2. Makes available a notice which constitutes a knowing and
  167  material misrepresentation or omission that is likely to mislead
  168  a consumer acting reasonably under the circumstances to the
  169  detriment of the consumer.
  170         (6)(a) The Department of Legal Affairs shall adopt rules to
  171  enforce this section. If the department has reason to believe
  172  that an operator, directly or indirectly, has violated or is
  173  violating this section, the department may institute an
  174  appropriate legal proceeding against the operator.
  175         (b) The district court, upon a showing that the operator,
  176  directly or indirectly, has violated or is violating this
  177  section, may:
  178         1. Issue a temporary or permanent injunction; or
  179         2. Impose a civil penalty not to exceed $5,000 for each
  180  violation.
  181         (7) This section does not establish a private right of
  182  action against an operator. This section is not exclusive and is
  183  in addition to any other remedies provided by law.
  184         Section 3. This act shall take effect July 1, 2020.