Florida Senate - 2021 SENATOR AMENDMENT
Bill No. CS for CS for CS for HB 969
Ì2856167Î285616
LEGISLATIVE ACTION
Senate . House
.
.
.
.
.
—————————————————————————————————————————————————————————————————
—————————————————————————————————————————————————————————————————
Senator Bradley moved the following:
1 Senate Amendment to Amendment (891990)
2
3 Delete lines 404 - 573
4 and insert:
5 (6) Consumers have the right to submit a verified request
6 that personal information that has been collected from the
7 consumer be deleted. Consumers have the right to submit a
8 verified request for correction of their personal information
9 held by a controller if that information is inaccurate, taking
10 into account the nature of the personal information and the
11 purpose for processing the consumer’s personal information.
12 (7) A controller, or a processor acting pursuant to its
13 contract with the controller or another processor, is not
14 required to comply with a consumer’s verified request to delete
15 the consumer’s personal information if it is necessary for the
16 controller or processor to maintain the consumer’s personal
17 information in order to do any of the following:
18 (a) Complete the transaction for which the personal
19 information was collected, fulfill the terms of a written
20 warranty or product recall conducted in accordance with federal
21 law, provide a good or service requested by the consumer, or
22 otherwise perform a contract between the business and the
23 consumer.
24 (b) Help to ensure security and integrity to the extent
25 that the use of the consumer’s personal information is
26 reasonably necessary and proportionate for those purposes.
27 (c) Debug to identify and repair errors that impair
28 existing intended functionality.
29 (d) Exercise free speech, ensure the right of another
30 consumer to exercise that consumer’s right of free speech, or
31 exercise another right provided for by law.
32 (e) Engage in public or peer-reviewed scientific,
33 historical, or statistical research that conforms or adheres to
34 all other applicable ethics and privacy laws, when the business’
35 deletion of the information is likely to render impossible or
36 seriously impair the ability to complete such research, if the
37 consumer has provided informed consent.
38 (f) Comply with a legal obligation.
39 (8) This section may not be construed to require a
40 controller to comply by reidentifying or otherwise linking
41 information that is not maintained in a manner that would be
42 considered personal information; retaining any personal
43 information about a consumer if, in the ordinary course of
44 business, that information would not be retained; maintaining
45 information in identifiable, linkable, or associable form; or
46 collecting, obtaining, retaining, or accessing any data or
47 technology in order to be capable of linking or associating a
48 verifiable consumer request with personal information.
49 (9) A consumer may authorize another person to opt out of
50 the sale of the consumer’s personal information. A controller
51 shall comply with an opt-out request received from a person
52 authorized by the consumer to act on the consumer’s behalf,
53 including a request received through a user-enabled global
54 privacy control, such as a browser plug-in or privacy setting,
55 device setting, or other mechanism, which communicates or
56 signals the consumer’s choice to opt out, and may not require a
57 consumer to make a verified request to opt out of the sale of
58 his or her information.
59 (10) Each controller shall establish a designated request
60 address through which a consumer may submit a request to
61 exercise his or her rights under this act.
62 (11)(a) A controller that receives a verified request:
63 1. For a consumer’s personal information shall disclose to
64 the consumer any personal information about the consumer which
65 it has collected since January 1, 2023, directly or indirectly,
66 including through or by a processor.
67 2. To correct a consumer’s inaccurate personal information
68 shall correct the inaccurate personal information, taking into
69 account the nature of the personal information and the purpose
70 for processing the consumer’s personal information.
71 3. To delete a consumer’s personal information shall delete
72 such personal information collected from the consumer.
73 (b) A processor is not required to personally comply with a
74 verified request received directly from a consumer, but the
75 processor must notify a controller of such a request within 10
76 days after receiving the request. The time period required for a
77 controller to comply with a verified request as provided in
78 paragraph (d) commences beginning from the time the processor
79 notifies the controller of the verified request. A processor
80 shall provide reasonable assistance to a controller with which
81 it has a contractual relationship with respect to the
82 controller’s response to a verifiable consumer request,
83 including, but not limited to, by providing to the controller
84 the consumer’s personal information in the processor’s
85 possession which the processor obtained as a result of providing
86 services to the controller.
87 (c) At the direction of the controller, a processor shall
88 correct inaccurate personal information or delete personal
89 information, or enable the controller to do the same.
90 (d) A controller shall comply with a verified request
91 submitted by a consumer to access, correct, or delete personal
92 information within 45 days after the date the request is
93 submitted. A controller may extend such period by up to 45 days
94 if the controller, in good faith, determines that such an
95 extension is reasonably necessary. A controller that extends the
96 period shall notify the consumer of the necessity of an
97 extension.
98 (e) A consumer’s rights under this subsection do not apply
99 to pseudonymous information in cases where the controller is
100 able to demonstrate that all information necessary to identify
101 the consumer is kept separate at all times and is subject to
102 effective technical and organizational controls that prevent the
103 controller from accessing or combining such information.
104 (12) A controller shall comply with a consumer’s previous
105 expressed decision to opt out of the sale of his or her personal
106 information without requiring the consumer to take any
107 additional action if the controller is able to identify the
108 consumer through a login protocol or any other process the
109 controller uses to identify consumers and the consumer has
110 previously exercised his or her right to opt out of the sale of
111 his or her personal information.
112 (13) A controller shall make available, in a manner
113 reasonably accessible to consumers whose personal information
114 the controller collects through its website or online service, a
115 notice that does all of the following:
116 (a) Identifies the categories of personal information that
117 the controller collects through its website or online service
118 about consumers who use or visit the website or online service
119 and the categories of third parties to whom the controller may
120 disclose such personal information.
121 (b) Provides a description of the process, if applicable,
122 for a consumer who uses or visits the website or online service
123 to review and request changes to any of his or her personal
124 information that is collected from the consumer through the
125 website or online service.
126 (c) Describes the process by which the controller notifies
127 consumers who use or visit the website or online service of
128 material changes to the notice.
129 (d) Discloses whether a third party may collect personal
130 information about a consumer’s online activities over time and
131 across different websites or online services when the consumer
132 uses the controller’s website or online service.
133 (e) States the effective date of the notice.
134 (14) If a request from a consumer is manifestly unfounded
135 or excessive, in particular because of the request’s repetitive
136 character, a controller may either charge a reasonable fee,
137 taking into account the administrative costs of providing the
138 information or communication or taking the action requested, or
139 refuse to act on the request and notify the consumer of the
140 reason for refusing the request. The controller bears the burden
141 of demonstrating that any verified consumer request is
142 manifestly unfounded or excessive.
143 (15) A controller that discloses personal information to a
144 processor is not liable under this act if the processor
145 receiving the personal information uses it in violation of the
146 restrictions set forth in the act, provided that, at the time of
147 disclosing the personal information, the controller does not
148 have actual knowledge or reason to believe that the processor
149 intends to commit such a violation. A processor is likewise not
150 liable under this act for the obligations of a controller for
151 which it processes personal information as set forth in this
152 act.
153 (16) A controller or processor that discloses personal
154 information to a third-party controller or processor in
155 compliance with the requirements of this act is not in violation
156 of this chapter if the third-party controller or processor that
157 receives and processes such personal information is in violation
158 of this act, provided that, at the time of disclosing the
159 personal information, the disclosing controller or processor did
160 not have actual knowledge that the recipient intended to commit
161 a violation. A third-party controller or processor that violates
162 this act, or violates the terms of a contractual agreement with
163 a controller or processor which results in a violation of this
164 act, is deemed to have violated the requirements of this act and
165 is subject to the enforcement actions otherwise provided against
166 a controller pursuant to s. 501.177. A third-party controller or
167 processor receiving personal information from a controller or
168 processor in compliance with the requirements of this act is not
169 in violation of this act for noncompliance of the controller or
170 processor from which it receives such personal data.
171 (17) The rights afforded to consumers and the obligations
172 imposed on a controller in this act may not adversely affect the
173 rights and freedoms of other consumers. Notwithstanding
174 subsection (7), a verified request for specific items of