Florida Senate - 2021                          SENATOR AMENDMENT
       Bill No. CS for CS for CS for HB 969
                              LEGISLATIVE ACTION                        
                    Senate             .             House              

       Senator Bradley moved the following:
    1         Senate Amendment to Amendment (891990) 
    3         Delete lines 404 - 573
    4  and insert:
    5         (6)Consumers have the right to submit a verified request
    6  that personal information that has been collected from the
    7  consumer be deleted. Consumers have the right to submit a
    8  verified request for correction of their personal information
    9  held by a controller if that information is inaccurate, taking
   10  into account the nature of the personal information and the
   11  purpose for processing the consumer’s personal information.
   12         (7)A controller, or a processor acting pursuant to its
   13  contract with the controller or another processor, is not
   14  required to comply with a consumer’s verified request to delete
   15  the consumer’s personal information if it is necessary for the
   16  controller or processor to maintain the consumer’s personal
   17  information in order to do any of the following:
   18         (a)Complete the transaction for which the personal
   19  information was collected, fulfill the terms of a written
   20  warranty or product recall conducted in accordance with federal
   21  law, provide a good or service requested by the consumer, or
   22  otherwise perform a contract between the business and the
   23  consumer.
   24         (b)Help to ensure security and integrity to the extent
   25  that the use of the consumer’s personal information is
   26  reasonably necessary and proportionate for those purposes.
   27         (c)Debug to identify and repair errors that impair
   28  existing intended functionality.
   29         (d)Exercise free speech, ensure the right of another
   30  consumer to exercise that consumer’s right of free speech, or
   31  exercise another right provided for by law.
   32         (e)Engage in public or peer-reviewed scientific,
   33  historical, or statistical research that conforms or adheres to
   34  all other applicable ethics and privacy laws, when the business’
   35  deletion of the information is likely to render impossible or
   36  seriously impair the ability to complete such research, if the
   37  consumer has provided informed consent.
   38         (f)Comply with a legal obligation.
   39         (8)This section may not be construed to require a
   40  controller to comply by reidentifying or otherwise linking
   41  information that is not maintained in a manner that would be
   42  considered personal information; retaining any personal
   43  information about a consumer if, in the ordinary course of
   44  business, that information would not be retained; maintaining
   45  information in identifiable, linkable, or associable form; or
   46  collecting, obtaining, retaining, or accessing any data or
   47  technology in order to be capable of linking or associating a
   48  verifiable consumer request with personal information.
   49         (9)A consumer may authorize another person to opt out of
   50  the sale of the consumer’s personal information. A controller
   51  shall comply with an opt-out request received from a person
   52  authorized by the consumer to act on the consumer’s behalf,
   53  including a request received through a user-enabled global
   54  privacy control, such as a browser plug-in or privacy setting,
   55  device setting, or other mechanism, which communicates or
   56  signals the consumer’s choice to opt out, and may not require a
   57  consumer to make a verified request to opt out of the sale of
   58  his or her information.
   59         (10)Each controller shall establish a designated request
   60  address through which a consumer may submit a request to
   61  exercise his or her rights under this act.
   62         (11)(a)A controller that receives a verified request:
   63         1.For a consumer’s personal information shall disclose to
   64  the consumer any personal information about the consumer which
   65  it has collected since January 1, 2023, directly or indirectly,
   66  including through or by a processor.
   67         2.To correct a consumer’s inaccurate personal information
   68  shall correct the inaccurate personal information, taking into
   69  account the nature of the personal information and the purpose
   70  for processing the consumer’s personal information.
   71         3.To delete a consumer’s personal information shall delete
   72  such personal information collected from the consumer.
   73         (b)A processor is not required to personally comply with a
   74  verified request received directly from a consumer, but the
   75  processor must notify a controller of such a request within 10
   76  days after receiving the request. The time period required for a
   77  controller to comply with a verified request as provided in
   78  paragraph (d) commences beginning from the time the processor
   79  notifies the controller of the verified request. A processor
   80  shall provide reasonable assistance to a controller with which
   81  it has a contractual relationship with respect to the
   82  controller’s response to a verifiable consumer request,
   83  including, but not limited to, by providing to the controller
   84  the consumer’s personal information in the processor’s
   85  possession which the processor obtained as a result of providing
   86  services to the controller.
   87         (c)At the direction of the controller, a processor shall
   88  correct inaccurate personal information or delete personal
   89  information, or enable the controller to do the same.
   90         (d)A controller shall comply with a verified request
   91  submitted by a consumer to access, correct, or delete personal
   92  information within 45 days after the date the request is
   93  submitted. A controller may extend such period by up to 45 days
   94  if the controller, in good faith, determines that such an
   95  extension is reasonably necessary. A controller that extends the
   96  period shall notify the consumer of the necessity of an
   97  extension.
   98         (e)A consumer’s rights under this subsection do not apply
   99  to pseudonymous information in cases where the controller is
  100  able to demonstrate that all information necessary to identify
  101  the consumer is kept separate at all times and is subject to
  102  effective technical and organizational controls that prevent the
  103  controller from accessing or combining such information.
  104         (12)A controller shall comply with a consumer’s previous
  105  expressed decision to opt out of the sale of his or her personal
  106  information without requiring the consumer to take any
  107  additional action if the controller is able to identify the
  108  consumer through a login protocol or any other process the
  109  controller uses to identify consumers and the consumer has
  110  previously exercised his or her right to opt out of the sale of
  111  his or her personal information.
  112         (13)A controller shall make available, in a manner
  113  reasonably accessible to consumers whose personal information
  114  the controller collects through its website or online service, a
  115  notice that does all of the following:
  116         (a)Identifies the categories of personal information that
  117  the controller collects through its website or online service
  118  about consumers who use or visit the website or online service
  119  and the categories of third parties to whom the controller may
  120  disclose such personal information.
  121         (b)Provides a description of the process, if applicable,
  122  for a consumer who uses or visits the website or online service
  123  to review and request changes to any of his or her personal
  124  information that is collected from the consumer through the
  125  website or online service.
  126         (c)Describes the process by which the controller notifies
  127  consumers who use or visit the website or online service of
  128  material changes to the notice.
  129         (d)Discloses whether a third party may collect personal
  130  information about a consumer’s online activities over time and
  131  across different websites or online services when the consumer
  132  uses the controller’s website or online service.
  133         (e)States the effective date of the notice.
  134         (14)If a request from a consumer is manifestly unfounded
  135  or excessive, in particular because of the request’s repetitive
  136  character, a controller may either charge a reasonable fee,
  137  taking into account the administrative costs of providing the
  138  information or communication or taking the action requested, or
  139  refuse to act on the request and notify the consumer of the
  140  reason for refusing the request. The controller bears the burden
  141  of demonstrating that any verified consumer request is
  142  manifestly unfounded or excessive.
  143         (15)A controller that discloses personal information to a
  144  processor is not liable under this act if the processor
  145  receiving the personal information uses it in violation of the
  146  restrictions set forth in the act, provided that, at the time of
  147  disclosing the personal information, the controller does not
  148  have actual knowledge or reason to believe that the processor
  149  intends to commit such a violation. A processor is likewise not
  150  liable under this act for the obligations of a controller for
  151  which it processes personal information as set forth in this
  152  act.
  153         (16)A controller or processor that discloses personal
  154  information to a third-party controller or processor in
  155  compliance with the requirements of this act is not in violation
  156  of this chapter if the third-party controller or processor that
  157  receives and processes such personal information is in violation
  158  of this act, provided that, at the time of disclosing the
  159  personal information, the disclosing controller or processor did
  160  not have actual knowledge that the recipient intended to commit
  161  a violation. A third-party controller or processor that violates
  162  this act, or violates the terms of a contractual agreement with
  163  a controller or processor which results in a violation of this
  164  act, is deemed to have violated the requirements of this act and
  165  is subject to the enforcement actions otherwise provided against
  166  a controller pursuant to s. 501.177. A third-party controller or
  167  processor receiving personal information from a controller or
  168  processor in compliance with the requirements of this act is not
  169  in violation of this act for noncompliance of the controller or
  170  processor from which it receives such personal data.
  171         (17)The rights afforded to consumers and the obligations
  172  imposed on a controller in this act may not adversely affect the
  173  rights and freedoms of other consumers. Notwithstanding
  174  subsection (7), a verified request for specific items of