Florida Senate - 2021                          SENATOR AMENDMENT
       Bill No. CS for CS for CS for HB 969
                              LEGISLATIVE ACTION                        
                    Senate             .             House              

       Senator Bradley moved the following:
    1         Senate Amendment (with title amendment)
    3         Delete everything after the enacting clause
    4  and insert:
    5         Section 1. Section 501.172, Florida Statutes, is created to
    6  read:
    7         501.172Short title.—This act may be cited as the “Florida
    8  Privacy Protection Act.”
    9         Section 2. Section 501.173, Florida Statutes, is created to
   10  read:
   11         501.173Purpose.—This act recognizes that privacy is an
   12  important right, and consumers in this state should have the
   13  ability to share their personal information as they wish, in a
   14  way that is safe and that they understand and control.
   15         Section 3. Section 501.174, Florida Statutes, is created to
   16  read:
   17         501.174Definitions.—As used in ss. 501.172-501.177, unless
   18  the context otherwise requires, the term:
   19         (1)“Affiliate” means a legal entity that controls, is
   20  controlled by, or is under common control with another legal
   21  entity or shares common branding with another legal entity. For
   22  the purposes of this subsection, the term “control” or
   23  “controlled” means the ownership of, or the power to vote, more
   24  than 50 percent of the outstanding shares of any class of voting
   25  security of a company; control in any manner over the election
   26  of a majority of the directors or of individuals exercising
   27  similar functions; or the power to exercise controlling
   28  influence over the management of a company.
   29         (2)“Aggregate consumer information” means information that
   30  relates to a group or category of consumers from which
   31  individual consumer identities have been removed and which is
   32  not linked or reasonably linkable to any consumer, including
   33  through a device. The term does not include one or more
   34  individual consumer records that have been de-identified.
   35         (3)“Authenticate” means verifying through reasonable means
   36  that the consumer entitled to exercise his or her consumer
   37  rights under this act is the same consumer exercising such
   38  consumer rights with respect to the personal information at
   39  issue.
   40         (4)“Biometric information” means personal information
   41  generated by automatic measurements of characteristics of an
   42  individual’s physiological, behavioral, or biological
   43  characteristics, including an individual’s DNA, which identifies
   44  an individual. The term does not include a physical or digital
   45  photograph; a video or audio recording or data generated
   46  therefrom; or information collected, used, or stored for health
   47  care treatment, payment, or operations under the Health
   48  Insurance Portability and Accountability Act of 1996.
   49         (5)“Business purpose” means the use of personal
   50  information for the controller’s operational, administrative,
   51  security, or other purposes allowed for under this act, or for
   52  any notice-given and consumer-approved purposes or for the
   53  processor’s operational purposes, provided that the use of the
   54  personal information is consistent with the requirements of this
   55  act.
   56         (6)“Child” means a natural person younger than 13 years of
   57  age.
   58         (7)“Collects,” “collected,” or “collection” means buying,
   59  renting, gathering, obtaining, receiving, or accessing by any
   60  means any personal information pertaining to a consumer, either
   61  actively or passively or by observing the consumer’s behavior.
   62         (8)“Consumer” means a natural person who resides in this
   63  state to the extent he or she is acting in an individual or
   64  household context. The term does not include any other natural
   65  person who is a nonresident or a natural person acting in a
   66  commercial or employment context.
   67         (9)“Controller” means a sole proprietorship, a
   68  partnership, a limited liability company, a corporation, or an
   69  association or any other legal entity that meets the following
   70  requirements:
   71         (a)Is organized or operated for the profit or financial
   72  benefit of its shareholders or owners;
   73         (b)Does business in this state or provides products or
   74  services targeted to the residents of this state;
   75         (c)Determines the purposes and means of processing
   76  personal information about consumers, alone or jointly with
   77  others; and
   78         (d)Satisfies either of the following thresholds:
   79         1.During a calendar year, controls the processing of the
   80  personal information of 100,000 or more consumers who are not
   81  covered by an exception under this act; or
   82         2.Controls or processes the personal information of at
   83  least 25,000 consumers who are not covered by an exception under
   84  this act and derives over 50 percent or more of its global
   85  annual revenues from selling personal information about
   86  consumers.
   87         (10)“De-identified” means information that cannot
   88  reasonably identify or be linked directly to a particular
   89  consumer, or a device that is linked to such consumer, if the
   90  controller or a processor that possesses such information on
   91  behalf of the controller:
   92         (a)Has taken reasonable measures to ensure the information
   93  could not be associated with an individual consumer;
   94         (b)Commits to maintain and use the information in a de
   95  identified fashion without attempting to reidentify the
   96  information; and
   97         (c)Contractually prohibits downstream recipients from
   98  attempting to reidentify the information.
   99         (11)“Designated request address” means an e-mail address,
  100  a toll-free telephone number, or a website established by a
  101  controller through which a consumer may submit a verified
  102  request to the controller.
  103         (12)“Intentional interaction” or “intentionally
  104  interacting” means the consumer intends to interact with or
  105  disclose personal information to a person through one or more
  106  deliberate interactions, including visiting the person’s website
  107  or purchasing a good or service from the person. The term does
  108  not include hovering over, muting, pausing, or closing a given
  109  piece of content.
  110         (13)“Non-targeted advertising” means:
  111         (a)Advertising based solely on a consumer’s activities
  112  within a controller’s own, or its affiliate’s, websites or
  113  online applications;
  114         (b)Advertisements based on the context of a consumer’s
  115  current search query, visit to a website, or online application;
  116         (c)Advertisements directed to a consumer in response to
  117  the consumer’s request for information or feedback; or
  118         (d)Processing personal information solely for measuring or
  119  reporting advertising performance, reach, or frequency.
  120         (14)“Personal information” means:
  121         (a)Information that identifies or is linked or reasonably
  122  linkable to an identified or identifiable consumer.
  123         (b)The term does not include:
  124         1.Information about a consumer that is lawfully made
  125  available through federal, state, or local governmental records;
  126         2.Information that a controller has a reasonable basis to
  127  believe is lawfully made available to the general public by the
  128  consumer or from widely distributed media unless the consumer
  129  has restricted the information to a specific audience; or
  130         3.Consumer information that is de-identified or aggregate
  131  consumer information.
  132         (15)“Precise geolocation data” means information from
  133  technology, such as global positioning system level latitude and
  134  longitude coordinates or other mechanisms, that directly
  135  identifies the specific location of a natural person with
  136  precision and accuracy within a radius of 1,750 feet. The term
  137  does not include the information generated by the transmission
  138  of communications or any information generated by or connected
  139  to advanced utility metering infrastructure systems or equipment
  140  for use by a utility.
  141         (16)“Process” or “processing” means any operation or set
  142  of operations performed on personal information or on sets of
  143  personal information, whether or not by automated means.
  144         (17)“Processor” means a natural or legal entity that
  145  processes personal data on behalf of, and at the direction of, a
  146  controller.
  147         (18)“Profiling” means any form of automated processing
  148  performed on personal data to evaluate, analyze, or predict
  149  personal aspects related to an identified or identifiable
  150  natural person’s economic situation, health, personal
  151  preferences, interests, reliability, behavior, location, or
  152  movements. The term does not include processing personal
  153  information solely for the purpose of measuring or reporting
  154  advertising performance, reach, or frequency.
  155         (19)“Pseudonymous information” means personal information
  156  that cannot be attributed to a specific natural person without
  157  the use of additional information, provided that such additional
  158  information is kept separate at all times and is subject to
  159  appropriate technical and organizational measures to ensure that
  160  the personal data is not attributed to or combined with other
  161  personal data that may enable attribution to an identified or
  162  identifiable natural person.
  163         (20)“Security and integrity” means the ability of a:
  164         (a)Network or information system, device, website, or
  165  online application to detect security incidents that compromise
  166  the availability, authenticity, integrity, and confidentiality
  167  of stored or transmitted personal information;
  168         (b)Controller to detect security incidents; resist
  169  malicious, deceptive, fraudulent, or illegal actions; and help
  170  prosecute those responsible for such actions; and
  171         (c)Controller to ensure the physical safety of natural
  172  persons.
  173         (21)“Sell” means to transfer or make available a
  174  consumer’s personal information by a controller to a third party
  175  in exchange for monetary or other valuable consideration,
  176  including nonmonetary transactions and agreements for other
  177  valuable consideration between a controller and a third party
  178  for the benefit of a controller. The term does not include any
  179  of the following:
  180         (a)The disclosure, for a business purpose, of a consumer’s
  181  personal information to a processor that processes the
  182  information for the controller.
  183         (b)The disclosure by a controller for the purpose of
  184  providing a product or service requested or approved by a
  185  consumer, or the parent of a child, of the consumer’s personal
  186  information to a third-party entity.
  187         (c)The disclosure or transfer of personal information to
  188  an affiliate of the controller.
  189         (d)The disclosure of personal information for purposes of
  190  nontargeted advertising.
  191         (e)The disclosure or transfer of personal information to a
  192  third party as an asset that is part of a proposed or actual
  193  merger, acquisition, bankruptcy, or other transaction in which
  194  the third party assumes control of all or part of the
  195  controller’s assets.
  196         (f)The controller disclosing personal information to a law
  197  enforcement or other emergency processor for the purposes of
  198  providing emergency assistance to the consumer.
  199         (22)“Sensitive data” means a category of personal
  200  information that includes any of the following:
  201         (a)Racial or ethnic origin, religious beliefs, mental or
  202  physical health diagnosis, sexual orientation, or citizenship or
  203  immigration status.
  204         (b)Biometric information, including genetic information,
  205  processed for the purpose of uniquely identifying a natural
  206  person.
  207         (c)Personal information collected from a known child.
  208         (d)Precise geolocation data.
  209         (23)“Targeted advertising” means displaying an
  210  advertisement to a consumer when the advertisement is selected
  211  based on personal information obtained from the consumer’s
  212  activities over time and across nonaffiliated websites or online
  213  applications to predict such consumer’s preferences or
  214  interests. The term does not include any of the following:
  215         (a)Non-targeted advertising.
  216         (b)Advertisements based on the context of a consumer’s
  217  current search query or visit to a website.
  218         (c)Advertising directed to a consumer in response to the
  219  consumer’s request for information or feedback.
  220         (d)Processing personal data solely for measuring or
  221  reporting advertising performance, reach, or frequency.
  222         (24)“Third party” means a person who is not any of the
  223  following:
  224         (a)The controller with which the consumer intentionally
  225  interacts and which collects personal information from the
  226  consumer as part of the consumer’s interaction with the
  227  controller.
  228         (b)A processor that processes personal information on
  229  behalf of and at the direction of the controller.
  230         (c)An affiliate of the controller.
  231         (25)“Verified request” means a request submitted by a
  232  consumer or by a consumer on behalf of the consumer’s minor
  233  child for which the controller has reasonably verified the
  234  authenticity of the request. The term includes a request made
  235  through an established account using the controller’s
  236  established security features to access the account through
  237  communication features offered to consumers. The term does not
  238  include a request in which the consumer or a person authorized
  239  to act on the consumer’s behalf does not provide verification of
  240  identify or verification of authorization to act with the
  241  permission of the consumer, and the controller is not required
  242  to provide information for such a request.
  243         Section 4. Section 501.1745, Florida Statutes, is created
  244  to read:
  245         501.1745General duties of controllers that collect
  246  personal information.—
  247         (1)A controller that controls the collection of a
  248  consumer’s personal information that will be used for any
  249  purpose other than a business purpose, at or before the point of
  250  collection, shall inform consumers of the purposes for which
  251  personal information is collected or used and whether that
  252  information is sold. A controller may not collect additional
  253  categories of personal information, or use collected personal
  254  information for additional purposes that are incompatible with
  255  the disclosed purpose for which the personal information was
  256  collected, without providing the consumer with notice consistent
  257  with this section. A controller that collects personal
  258  information about, but not directly from, consumers may provide
  259  the required information on its Internet home page or in its
  260  online privacy policy.
  261         (2)A controller’s collection, use, and retention of a
  262  consumer’s personal information must be reasonably necessary to
  263  achieve the purposes for which the personal information was
  264  collected or processed. Such information may not be further
  265  processed in a manner that is incompatible with those purposes
  266  without notice to the consumer or be transferred or made
  267  available to a third party in a manner inconsistent with the
  268  requirements of this act.
  269         (3)A controller that collects a consumer’s personal
  270  information shall implement reasonable security procedures and
  271  practices appropriate to the nature of the personal information
  272  to protect the personal information from unauthorized or illegal
  273  access, destruction, use, modification, or disclosure.
  274         (4)A controller that collects a consumer’s personal
  275  information and discloses it to a processor shall enter into a
  276  contractual agreement with such processor which obligates the
  277  processor to comply with applicable obligations under this act
  278  and which prohibits downstream recipients from selling personal
  279  information or retaining, using, or disclosing the personal
  280  information. If a processor engages any other person to assist
  281  it in processing personal information for a business purpose on
  282  behalf of the controller, or if any other person engaged by the
  283  processor engages another person to assist in processing
  284  personal information for that business purpose, the processor or
  285  person must notify the controller of that engagement and the
  286  processor must prohibit downstream recipients from selling the
  287  personal information or retaining, using, or disclosing the
  288  personal information.
  289         (5)A controller may not process sensitive data concerning
  290  a consumer without obtaining the consumer’s consent or, in the
  291  case of the processing of sensitive data obtained from a known
  292  child, without processing such data for the purpose of
  293  delivering a product or service requested by the parent of such
  294  child, or in accordance with the federal Children’s Online
  295  Privacy Protection Act, 15 U.S.C. s. 6501 et. seq. and
  296  regulations interpreting this act
  297         (6)Determining whether a person is acting as a controller
  298  or processor with respect to a specific activity is a fact-based
  299  determination that depends upon the context in which personal
  300  information is processed. A processor that continues to adhere
  301  to a controller’s instructions with respect to a specific
  302  processing of personal information remains a processor.
  303         Section 5. Section 501.175, Florida Statutes, is created to
  304  read:
  305         501.175Use of personal information; third parties; other
  306  rights.—
  307         (1)(a)A consumer has the right at any time to direct a
  308  controller that sells personal information about the consumer
  309  not to sell the consumer’s personal information. This right may
  310  be referred to as the right to opt out of the sale.
  311         (b)A consumer has the right at any time to opt out of the
  312  processing of the consumer’s personal information for purposes
  313  of targeted advertising or profiling. A controller shall provide
  314  a clear and conspicuous link on the controller’s Internet home
  315  page, titled “Do Not Advertise To Me,” to a web page that
  316  enables a consumer to opt out of targeted advertising or
  317  profiling. However, this paragraph may not be construed to
  318  prohibit the controller that collected the consumer’s personal
  319  information from:
  320         1.Offering a different price, rate, level, quality, or
  321  selection of goods or services to a consumer, including offering
  322  goods or services for no fee, if the consumer has opted out of
  323  targeted advertising, profiling, or the sale of his or her
  324  personal information; or
  325         2.Offering a loyalty, reward, premium feature, discount,
  326  or club card program.
  327         (c)A controller that charges or offers a different price,
  328  rate, level, quality, or selection of goods or services to a
  329  consumer who has opted out of targeted advertising, profiling,
  330  or the sale of his or her personal information, or that offers
  331  goods or services for no fee, shall ensure that such charge or
  332  offer is not unjust, unreasonable, coercive, or usurious.
  333         (2)A controller that sells consumers’ personal information
  334  shall provide notice to consumers that the information may be
  335  sold and that consumers have the right to opt out of the sale of
  336  their personal information.
  337         (3)A controller that sells consumers’ personal information
  338  and that has received direction from a consumer not to sell the
  339  consumer’s personal information or, in the case of a minor
  340  consumer’s personal information, has not received consent to
  341  sell the minor consumer’s personal information, is prohibited
  342  from selling the consumer’s personal information after the
  343  controller receives the consumer’s direction, unless the
  344  consumer subsequently provides express authorization for the
  345  sale of the consumer’s personal information. A controller that
  346  is able to authenticate the consumer, for example, by the
  347  consumer logging in, or that is otherwise reasonably able to
  348  authenticate the consumer’s request must comply with the
  349  consumer’s request to opt out. The controller may not require
  350  the consumer to declare privacy preferences every time the
  351  consumer visits the controller’s website or uses the
  352  controller’s online services.
  353         (4)(a)A controller may not sell the personal information
  354  collected from consumers that the controller has actual
  355  knowledge are younger than 16 years of age, unless:
  356         1.The consumer, in the case of consumers between 13 and 16
  357  years of age, has affirmatively authorized the sale of the
  358  consumer’s personal information; or
  359         2.The consumer’s parent or guardian, in the case of
  360  consumers who are younger than 13 years of age, has
  361  affirmatively authorized such sale.
  362         (b)This right may be referred to as the right to opt in.
  363         (c)A business that willfully disregards the consumer’s age
  364  is deemed to have actual knowledge of the consumer’s age.
  365         (d)A controller that complies with the verifiable parental
  366  consent requirements of the Children’s Online Privacy Protection
  367  Act, 15 U.S.C. s. 6501 et seq., and accompanying regulations, or
  368  is providing a product or service requested by a parent or
  369  guardian, shall be deemed compliant with any obligation to
  370  obtain parental consent.
  371         (5)A controller that is required to comply with this
  372  section shall:
  373         (a)Provide a clear and conspicuous link on the
  374  controller’s Internet home page, titled “Do Not Sell My Personal
  375  Information,” to a web page that enables a consumer to opt out
  376  of the sale of the consumer’s personal information. A business
  377  may not require a consumer to create an account in order to
  378  direct the business not to sell the consumer’s information.
  379         (b)Ensure that all individuals responsible for handling
  380  consumer inquiries about the controller’s privacy practices or
  381  the controller’s compliance with this section are informed of
  382  all requirements of this section and how to direct consumers to
  383  exercise their rights.
  384         (c)For consumers who exercise their right to opt out of
  385  the sale of their personal information, refrain from selling
  386  personal information the controller collected about the consumer
  387  as soon as reasonably possible but no longer than 10 business
  388  days after receiving the request to opt out.
  389         (d)Use any personal information collected from the
  390  consumer in connection with the submission of the consumer’s
  391  opt-out request solely for the purposes of complying with the
  392  opt-out request.
  393         (e)For consumers who have opted out of the sale of their
  394  personal information, respect the consumer’s decision to opt out
  395  for at least 12 months before requesting that the consumer
  396  authorize the sale of the consumer’s personal information.
  397         (f)Ensure that consumers have the right to submit a
  398  verified request for certain information from a controller,
  399  including the categories of sources from which the consumer’s
  400  personal information was collected, the specific items of
  401  personal information it has collected about the consumer, and
  402  the categories of any third parties to whom the personal
  403  information was sold.
  404         (6)A controller, or a processor acting pursuant to its
  405  contract with the controller or another processor, is not
  406  required to comply with a consumer’s verified request to delete
  407  the consumer’s personal information if it is necessary for the
  408  controller or processor to maintain the consumer’s personal
  409  information in order to do any of the following:
  410         (a)Complete the transaction for which the personal
  411  information was collected, fulfill the terms of a written
  412  warranty or product recall conducted in accordance with federal
  413  law, provide a good or service requested by the consumer, or
  414  otherwise perform a contract between the business and the
  415  consumer.
  416         (b)Help to ensure security and integrity to the extent
  417  that the use of the consumer’s personal information is
  418  reasonably necessary and proportionate for those purposes.
  419         (c)Debug to identify and repair errors that impair
  420  existing intended functionality.
  421         (d)Exercise free speech, ensure the right of another
  422  consumer to exercise that consumer’s right of free speech, or
  423  exercise another right provided for by law.
  424         (e)Engage in public or peer-reviewed scientific,
  425  historical, or statistical research that conforms or adheres to
  426  all other applicable ethics and privacy laws, when the business’
  427  deletion of the information is likely to render impossible or
  428  seriously impair the ability to complete such research, if the
  429  consumer has provided informed consent.
  430         (f)Comply with a legal obligation.
  431         (7)Consumers have the right to submit a verified request
  432  that personal information that has been collected from the
  433  consumer be deleted. Consumers have the right to submit a
  434  verified request for correction of their personal information
  435  held by a controller if that information is inaccurate, taking
  436  into account the nature of the personal information and the
  437  purpose for processing the consumer’s personal information.
  438         (8)This section may not be construed to require a
  439  controller to comply by reidentifying or otherwise linking
  440  information that is not maintained in a manner that would be
  441  considered personal information; retaining any personal
  442  information about a consumer if, in the ordinary course of
  443  business, that information would not be retained; maintaining
  444  information in identifiable, linkable, or associable form; or
  445  collecting, obtaining, retaining, or accessing any data or
  446  technology in order to be capable of linking or associating a
  447  verifiable consumer request with personal information.
  448         (9)A consumer may authorize another person to opt out of
  449  the sale of the consumer’s personal information. A controller
  450  shall comply with an opt-out request received from a person
  451  authorized by the consumer to act on the consumer’s behalf,
  452  including a request received through a user-enabled global
  453  privacy control, such as a browser plug-in or privacy setting,
  454  device setting, or other mechanism, which communicates or
  455  signals the consumer’s choice to opt out, and may not require a
  456  consumer to make a verified request to opt out of the sale of
  457  his or her information.
  458         (10)Each controller shall establish a designated request
  459  address through which a consumer may submit a request to
  460  exercise his or her rights under this act.
  461         (11)(a)A controller that receives a verified request:
  462         1.For a consumer’s personal information shall disclose to
  463  the consumer any personal information about the consumer which
  464  it has collected since January 1, 2023, directly or indirectly,
  465  including through or by a processor.
  466         2.To correct a consumer’s inaccurate personal information
  467  shall correct the inaccurate personal information, taking into
  468  account the nature of the personal information and the purpose
  469  for processing the consumer’s personal information.
  470         3.To delete a consumer’s personal information shall delete
  471  such personal information collected from the consumer.
  472         (b)A processor is not required to personally comply with a
  473  verified request received directly from a consumer, but the
  474  processor must notify a controller of such a request within 10
  475  days after receiving the request. The time period required for a
  476  controller to comply with a verified request as provided in
  477  paragraph (d) commences beginning from the time the processor
  478  notifies the controller of the verified request. A processor
  479  shall provide reasonable assistance to a controller with which
  480  it has a contractual relationship with respect to the
  481  controller’s response to a verifiable consumer request,
  482  including, but not limited to, by providing to the controller
  483  the consumer’s personal information in the processor’s
  484  possession which the processor obtained as a result of providing
  485  services to the controller.
  486         (c)At the direction of the controller, a processor shall
  487  correct inaccurate personal information or delete personal
  488  information, or enable the controller to do the same.
  489         (d)A controller shall comply with a verified request
  490  submitted by a consumer to access, correct, or delete personal
  491  information within 45 days after the date the request is
  492  submitted. A controller may extend such period by up to 45 days
  493  if the controller, in good faith, determines that such an
  494  extension is reasonably necessary. A controller that extends the
  495  period shall notify the consumer of the necessity of an
  496  extension.
  497         (e)A consumer’s rights under this subsection do not apply
  498  to pseudonymous information in cases where the controller is
  499  able to demonstrate that all information necessary to identify
  500  the consumer is kept separate at all times and is subject to
  501  effective technical and organizational controls that prevent the
  502  controller from accessing or combining such information.
  503         (12)A controller shall comply with a consumer’s previous
  504  expressed decision to opt out of the sale of his or her personal
  505  information without requiring the consumer to take any
  506  additional action if the controller is able to identify the
  507  consumer through a login protocol or any other process the
  508  controller uses to identify consumers and the consumer has
  509  previously exercised his or her right to opt out of the sale of
  510  his or her personal information.
  511         (13)A controller shall make available, in a manner
  512  reasonably accessible to consumers whose personal information
  513  the controller collects through its website or online service, a
  514  notice that does all of the following:
  515         (a)Identifies the categories of personal information that
  516  the controller collects through its website or online service
  517  about consumers who use or visit the website or online service
  518  and the categories of third parties to whom the controller may
  519  disclose such personal information.
  520         (b)Provides a description of the process, if applicable,
  521  for a consumer who uses or visits the website or online service
  522  to review and request changes to any of his or her personal
  523  information that is collected from the consumer through the
  524  website or online service.
  525         (c)Describes the process by which the controller notifies
  526  consumers who use or visit the website or online service of
  527  material changes to the notice.
  528         (d)Discloses whether a third party may collect personal
  529  information about a consumer’s online activities over time and
  530  across different websites or online services when the consumer
  531  uses the controller’s website or online service.
  532         (e)States the effective date of the notice.
  533         (14)If a request from a consumer is manifestly unfounded
  534  or excessive, in particular because of the request’s repetitive
  535  character, a controller may either charge a reasonable fee,
  536  taking into account the administrative costs of providing the
  537  information or communication or taking the action requested, or
  538  refuse to act on the request and notify the consumer of the
  539  reason for refusing the request. The controller bears the burden
  540  of demonstrating that any verified consumer request is
  541  manifestly unfounded or excessive.
  542         (15)A controller that discloses personal information to a
  543  processor is not liable under this act if the processor
  544  receiving the personal information uses it in violation of the
  545  restrictions set forth in the act, provided that, at the time of
  546  disclosing the personal information, the controller does not
  547  have actual knowledge or reason to believe that the processor
  548  intends to commit such a violation. A processor is likewise not
  549  liable under this act for the obligations of a controller for
  550  which it processes personal information as set forth in this
  551  act.
  552         (16)A controller or processor that discloses personal
  553  information to a third-party controller or processor in
  554  compliance with the requirements of this act is not in violation
  555  of this chapter if the third-party controller or processor that
  556  receives and processes such personal information is in violation
  557  of this act, provided that, at the time of disclosing the
  558  personal information, the disclosing controller or processor did
  559  not have actual knowledge that the recipient intended to commit
  560  a violation. A third-party controller or processor that violates
  561  this act, or violates the terms of a contractual agreement with
  562  a controller or processor which results in a violation of this
  563  act, is deemed to have violated the requirements of this act and
  564  is subject to the enforcement actions otherwise provided against
  565  a controller pursuant to s. 501.177. A third-party controller or
  566  processor receiving personal information from a controller or
  567  processor in compliance with the requirements of this act is not
  568  in violation of this act for noncompliance of the controller or
  569  processor from which it receives such personal data.
  570         (17)The rights afforded to consumers and the obligations
  571  imposed on a controller in this act may not adversely affect the
  572  rights and freedoms of other consumers. Notwithstanding
  573  subsection (6), a verified request for specific items of
  574  personal information, to delete a consumer’s personal
  575  information, or to correct inaccurate personal information does
  576  not extend to personal information about the consumer which
  577  belongs to, or which the controller maintains on behalf of,
  578  another natural person.
  579         Section 6. Section 501.176, Florida Statutes, is created to
  580  read:
  581         501.176Applicability; exclusions.—
  582         (1)The obligations imposed on a controller or processor by
  583  this act do not restrict a controller’s or processor’s ability
  584  to do any of the following:
  585         (a)Comply with federal, state, or local laws, rules, or
  586  regulations.
  587         (b)Comply with a civil, criminal, or regulatory inquiry or
  588  an investigation, a subpoena, or a summons by federal, state,
  589  local, or other governmental authorities.
  590         (c)Cooperate with law enforcement agencies concerning
  591  conduct or activity that the controller or processor reasonably
  592  and in good faith believes may violate federal, state, or local
  593  laws, rules, or regulations.
  594         (d)Exercise, investigate, establish, prepare for, or
  595  defend legal claims.
  596         (e)Collect, use, retain, sell, or disclose consumer
  597  personal information to:
  598         1.Conduct internal research to develop, improve, or repair
  599  products, services, or technology;
  600         2.Effectuate a product recall or provide a warranty for
  601  products or services;
  602         3.Identify or repair technical errors that impair existing
  603  or intended functionality;
  604         4.Perform internal operations that are reasonably aligned
  605  with the expectations of the consumer or reasonably anticipated
  606  based on the consumer’s existing relationship with the
  607  controller or are otherwise compatible with processing data in
  608  furtherance of the provision of a product or service
  609  specifically requested by a consumer or a parent of a child, or
  610  the performance of a contract to which the consumer is a party;
  611         5.Provide a product or service specifically requested by a
  612  consumer or a parent of a child; perform a contract to which the
  613  consumer or parent is a party, including fulfilling the terms of
  614  a written warranty; or take steps at the request of the consumer
  615  before entering into a contract;
  616         6.Take steps to protect an interest that is essential for
  617  the life or physical safety of the consumer or of another
  618  natural person, and where the processing cannot be manifestly
  619  based on another legal basis;
  620         7.Prevent, detect, protect against, or respond to security
  621  incidents, identity theft, fraud, harassment, malicious or
  622  deceptive activities, or any illegal activity, and prosecute
  623  those responsible for that activity;
  624         8.Preserve the integrity or security of information
  625  technology systems;
  626         9.Investigate, report, or prosecute those responsible for
  627  any illegal, malicious, harmful, deceptive, or otherwise harmful
  628  activities;
  629         10.Engage in public or peer-reviewed scientific or
  630  statistical research in the public interest that adheres to all
  631  other applicable ethics and privacy laws and, if applicable, is
  632  approved, monitored, and governed by an institutional review
  633  board, or similar independent oversight entity that determines
  634  if the information is likely to provide substantial benefits
  635  that do not exclusively accrue to the controller, if the
  636  expected benefits of the research outweigh the privacy risks,
  637  and if the controller has implemented reasonable safeguards to
  638  mitigate privacy risks associated with research, including any
  639  risks associated with reidentification; or
  640         11.Assist another controller, processor, or third party
  641  with any of the obligations under this subsection.
  642         (2)This act does not apply to any of the following:
  643         (a)A controller that collects, processes, or discloses the
  644  personal information of its employees, owners, directors,
  645  officers, beneficiaries, job applicants, interns, or volunteers,
  646  so long as the controller is collecting or disclosing such
  647  information only to the extent reasonable and necessary within
  648  the scope of the role the controller has in relation to each
  649  class of listed individuals. For purposes of this section the
  650  term “personal information” includes employment benefit
  651  information.
  652         (b)Personal information that is part of a written or
  653  verbal communication or a transaction between the controller or
  654  processor and the consumer, where the consumer is a natural
  655  person who is acting as an employee, owner, director, officer,
  656  or contractor of a company, partnership, sole proprietorship,
  657  non-profit, or government agency and whose communications or
  658  transaction with the business occur solely within the context of
  659  the business conducting due diligence regarding, or providing or
  660  receiving a product or service to or from such company,
  661  partnership, sole proprietorship, non-profit, or government
  662  agency.
  663         (c)A business, service provider, or third party that
  664  collects the personal information of an individual:
  665         1.Who applies to, is or was previously employed by, or
  666  acts as an agent of the business, service provider, or third
  667  party, to the extent that the personal information is collected
  668  and used in a manner related to or arising from the individual’s
  669  employment status; or
  670         2.To administer benefits for another individual and the
  671  personal information is used to administer those benefits.
  672         (d)A business that enters into a contract with an
  673  independent contractor and collects or discloses personal
  674  information about the contractor reasonably necessary to either
  675  enter into or to fulfill the contract when the contracted
  676  services would not defeat the purposes of this act.
  677         (e)Protected health information for purposes of the
  678  federal Health Insurance Portability and Accountability Act of
  679  1996 and related regulations, and patient identifying
  680  information for purposes of 42 C.F.R. part 2, established
  681  pursuant to 42 U.S.C. s. 290dd-2.
  682         (f)A covered entity or business associate governed by the
  683  privacy, security, and breach notification rules issued by the
  684  United States Department of Health and Human Services in 45
  685  C.F.R. parts 160 and 164, or a program or a qualified service
  686  program defined in 42 C.F.R. part 2, to the extent the covered
  687  entity, business associate, or program maintains personal
  688  information in the same manner as medical information or
  689  protected health information as described in paragraph (e).
  690         (g)Identifiable private information collected for purposes
  691  of research as defined in 45 C.F.R. s. 164.501 which is
  692  conducted in accordance with the Federal Policy for the
  693  Protection of Human Subjects for purposes of 45 C.F.R. part 46,
  694  the good clinical practice guidelines issued by the
  695  International Council for Harmonisation of Technical
  696  Requirements for Pharmaceuticals for Human Use, or the
  697  Protection for Human Subjects for purposes of 21 C.F.R. parts 50
  698  and 56; or personal information used or shared in research
  699  conducted in accordance with one or more of these standards, or
  700  another applicable protocol.
  701         (h)Information and documents created for purposes of the
  702  federal Health Care Quality Improvement Act of 1986 and related
  703  regulations, or patient safety work product for purposes of 42
  704  C.F.R. part 3, established pursuant to 42 U.S.C. s. 299b-21
  705  through 299b-26.
  706         (i)Information that is de-identified in accordance with 45
  707  C.F.R. part 164 and that is derived from individually
  708  identifiable health information, as described in the Health
  709  Insurance Portability and Accountability Act of 1996, or
  710  identifiable personal information, consistent with the Federal
  711  Policy for the Protection of Human Subjects or the human subject
  712  protection requirements of the United States Food and Drug
  713  Administration or the good clinical practice guidelines issued
  714  by the International Council for Harmonisation.
  715         (j)Information collected as part of a clinical trial
  716  subject to the Federal Policy for the Protection of Human
  717  Subjects pursuant to good clinical practice guidelines issued by
  718  the International Council for Harmonisation of Technical
  719  Requirements for Pharmaceuticals for Human Use or pursuant to
  720  human subject protection requirements of the United States Food
  721  and Drug Administration, or another protocol.
  722         (k)Personal information collected, processed, sold, or
  723  disclosed pursuant to the federal Fair Credit Reporting Act, 15
  724  U.S.C. s. 1681 et seq.
  725         (l)Personal information collected, processed, sold, or
  726  disclosed pursuant to, or a financial institution to the extent
  727  regulated by, the federal Gramm-Leach-Bliley Act, 15 U.S.C. s.
  728  6801 et seq. and implementing regulations.
  729         (m)Personal information collected, processed, sold, or
  730  disclosed pursuant to the Farm Credit Act of 1971, as amended in
  731  12 U.S.C. s. 2001-2279cc and implementing regulations.
  732         (n)Personal information collected, processed, sold, or
  733  disclosed pursuant to the federal Driver’s Privacy Protection
  734  Act of 1994, 18 U.S.C. s. 2721 et seq.
  735         (o)Education information covered by the federal Family
  736  Educational Rights and Privacy Act, 20 U.S.C. s. 1232g and 34
  737  C.F.R. part 99.
  738         (p)Personal information collected, processed, sold, or
  739  disclosed in relation to price, route, or service as those terms
  740  are used in the federal Airline Deregulation Act, 49 U.S.C. s.
  741  40101 et seq., by entities subject to the federal Airline
  742  Deregulation Act, to the extent this act is preempted by s.
  743  41713 of the federal Airline Deregulation Act.
  744         (q)Vehicle information or ownership information retained
  745  or shared between a new motor vehicle dealer, distributor, or
  746  the vehicle’s manufacturer if the vehicle or ownership
  747  information is shared for the purpose of effectuating, or in
  748  anticipation of effectuating, a vehicle repair covered by a
  749  vehicle warranty or a recall conducted pursuant to 49 U.S.C. s.
  750  30118-30120, provided that the new motor vehicle dealer,
  751  distributor, or vehicle manufacturer with which that vehicle
  752  information or ownership information is shared does not sell,
  753  share, or use that information for any other purpose. As used in
  754  this paragraph, the term “vehicle information” means the vehicle
  755  identification number, make, model, year, and odometer reading,
  756  and the term “ownership information” means the name or names of
  757  the registered owner or owners and the contact information for
  758  the owner or owners.
  759         Section 7. Section 501.177, Florida Statutes, is created to
  760  read:
  761         501.177Enforcement; Attorney General; preemption.—
  762         (1)The Department of Legal Affairs may adopt rules to
  763  implement this section. If the department has reason to believe
  764  that any controller, processor, or other person or entity is in
  765  violation of this act and that proceedings would be in the
  766  public interest, the department may institute an appropriate
  767  legal proceeding against such party.
  768         (2)After the department has notified a controller in
  769  writing of an alleged violation of this act, the Attorney
  770  General may at his her discretion, before initiating a
  771  proceeding under this section, grant the controller a 30-day
  772  period to cure the alleged violation. The Attorney General may
  773  consider the number of violations, the substantial likelihood of
  774  injury to the public, or the safety of persons or property when
  775  determining whether to grant 30 days to cure an alleged
  776  violation. If the controller cures the alleged violation to the
  777  satisfaction of the Attorney General and provides proof of such
  778  cure to the Attorney General, the Attorney General may either
  779  extend the cure period or issue a letter of guidance to the
  780  controller which indicates that the controller will not be
  781  offered a 30-day cure period for any future violations. If the
  782  controller fails to cure the violation within 30 days, the
  783  Attorney General may bring an action against the controller for
  784  the alleged violation.
  785         (3)The trial court, upon a showing that any controller,
  786  processor, or other person or entity is in violation of this
  787  act, may take any of the following actions:
  788         (a)Issue a temporary or permanent injunction.
  789         (b)Impose a civil penalty of not more than $2,500 for each
  790  violation.
  791         (c)Award reasonable costs of enforcement, including
  792  reasonable attorney fees and costs.
  793         (4)This act is a matter of statewide concern and
  794  supersedes and preempts to the state all rules, regulations,
  795  codes, ordinances, and other laws adopted by a city, county,
  796  city and county, municipality, or local agency regarding the
  797  collection, processing, or sale of consumers personal
  798  information by a controller or processor.
  799         (5)Any reference to federal law or statute in this act
  800  shall be deemed to include any accompanying rules or regulations
  801  or exemptions thereto. Further, this enactment is declaratory of
  802  existing law.
  803         Section 8. This act shall take effect July 1, 2023.
  805  ================= T I T L E  A M E N D M E N T ================
  806  And the title is amended as follows:
  807         Delete everything before the enacting clause
  808  and insert:
  809                        A bill to be entitled                      
  810         An act relating to consumer data privacy; creating s.
  811         501.172, F.S.; providing a short title; creating s.
  812         501.173, F.S.; providing a purpose; creating s.
  813         501.174, F.S.; defining terms; creating s. 501.1745,
  814         F.S.; requiring controllers that collect consumer
  815         personal information to provide certain information to
  816         the consumer; requiring such collection, use, and
  817         retention of such information to meet certain
  818         requirements; requiring controllers to implement
  819         reasonable security procedures and practices;
  820         prohibiting controllers from processing certain
  821         sensitive consumer data under certain circumstances;
  822         creating s. 501.175, F.S.; providing that consumers
  823         have the right to opt out of the sale and processing
  824         of their personal information by controllers; proving
  825         requirements for a controller to comply with such a
  826         request under certain circumstances; prohibiting
  827         controllers from selling the personal information of
  828         consumers younger than a specified age without express
  829         authorization from the consumer or the consumer’s
  830         parent or guardian under certain circumstances;
  831         providing that controllers that willfully disregard a
  832         consumer’s age are deemed to have actual knowledge of
  833         the consumer’s age; providing requirements for
  834         controllers to comply with a consumer’s right to opt
  835         out; providing exceptions; providing that consumers
  836         have the right to submit a verified request for the
  837         deletion or correction of their personal information;
  838         providing construction; providing that consumers may
  839         authorize other persons to opt out of the sale of the
  840         consumer’s personal information on the consumer’s
  841         behalf; requiring controllers to establish designated
  842         request addresses; providing requirements for
  843         controllers to comply with verified consumer requests;
  844         authorizing businesses to charge consumers a
  845         reasonable fee for manifestly unfounded or excessive
  846         requests, or to refuse to complete a request under
  847         certain circumstances; providing that controllers and
  848         processors are not liable for certain actions;
  849         providing that third-party controllers or processors
  850         are liable for violating the act or the terms of
  851         certain contractual agreements, thereby resulting in a
  852         violation; providing that a consumer’s rights and the
  853         obligations of a controller may not adversely affect
  854         the rights and freedoms of other consumers; creating
  855         s. 501.176, F.S.; providing applicability; providing
  856         exceptions; creating s. 501.177, F.S.; authorizing the
  857         Department of Legal Affairs to adopt rules and to
  858         bring appropriate legal proceedings for violations
  859         under certain circumstances; authorizing the Attorney
  860         General to grant controllers an opportunity to cure
  861         violations when given notice by the department;
  862         providing civil remedies and penalties for violations;
  863         preempting the regulation of the collection,
  864         processing, or sale of consumers’ personal information
  865         by a controller or processor to the state; providing
  866         applicability; providing an effective date.