Florida Senate - 2022                                    SB 1864
       By Senator Bradley
       5-01351-22                                            20221864__
    1                        A bill to be entitled                      
    2         An act relating to consumer data privacy; creating s.
    3         501.172, F.S.; providing a short title; creating s.
    4         501.173, F.S.; providing a purpose; creating s.
    5         501.174, F.S.; defining terms; creating s. 501.1745,
    6         F.S.; requiring controllers that collect consumer
    7         personal information to provide certain information to
    8         the consumer; requiring such collection, use, and
    9         retention of such information to meet certain
   10         requirements; requiring controllers to implement
   11         reasonable security procedures and practices;
   12         prohibiting controllers from processing certain
   13         sensitive consumer data under certain circumstances;
   14         creating s. 501.175, F.S.; providing that consumers
   15         have the right to opt out of the sale and processing
   16         of their personal information by controllers;
   17         providing requirements for a controller to comply with
   18         such a request under certain circumstances;
   19         prohibiting controllers from selling the personal
   20         information of consumers younger than a specified age
   21         without express authorization from the consumer or the
   22         consumer’s parent or guardian under certain
   23         circumstances; providing that businesses that
   24         willfully disregard a consumer’s age are deemed to
   25         have actual knowledge of the consumer’s age; providing
   26         requirements for controllers to comply with a
   27         consumer’s right to opt out; providing exceptions;
   28         providing that consumers have the right to submit a
   29         verified request for the deletion or correction of
   30         their personal information; providing construction;
   31         providing that consumers may authorize other persons
   32         to opt out of the sale of the consumer’s personal
   33         information on the consumer’s behalf; requiring
   34         controllers to establish designated request addresses;
   35         providing requirements for controllers to comply with
   36         verified consumer requests; providing notice
   37         requirements; authorizing businesses to charge
   38         consumers a reasonable fee for manifestly unfounded or
   39         excessive requests, or to refuse to complete a request
   40         under certain circumstances; providing that
   41         controllers and processors are not liable for certain
   42         actions; providing that third-party controllers or
   43         processors are liable for violating the act or the
   44         terms of certain contractual agreements, thereby
   45         resulting in a violation; providing that a consumer’s
   46         rights and the obligations of a controller may not
   47         adversely affect the rights and freedoms of other
   48         consumers; creating s. 501.176, F.S.; providing
   49         applicability; providing exceptions; defining the
   50         terms “vehicle information” and “ownership
   51         information”; creating s. 501.177, F.S.; providing
   52         applicability; specifying violations that are
   53         enforceable by the Department of Legal Affairs under
   54         the Florida Deceptive and Unfair Trade Practices Act;
   55         authorizing the department to grant controllers and
   56         processors an opportunity to cure violations when
   57         given notice by the department; providing civil
   58         remedies and penalties for violations; authorizing
   59         increased civil penalties for certain violations;
   60         requiring the department, in conjunction and
   61         consultation with the director of the Consumer Data
   62         Privacy Unit, to submit a report to the Legislature by
   63         a specified date; providing requirements for the
   64         report; authorizing the department to adopt rules;
   65         providing for jurisdiction; preempting the regulation
   66         of the collection, processing, or sale of consumers’
   67         personal information by a controller or processor to
   68         the state; amending s. 16.53, F.S.; revising the
   69         purposes for which the Legal Affairs Revolving Trust
   70         Fund may be used to include enforcement of the Florida
   71         Privacy Protection Act by the Attorney General;
   72         requiring that attorney fees and costs recovered by
   73         the Attorney General for certain actions be deposited
   74         in the fund; creating s. 16.581, F.S.; creating the
   75         Consumer Data Privacy Unit within the department;
   76         providing for a director of the unit; providing the
   77         duties of the unit; authorizing the unit to take
   78         certain actions; authorizing the unit to recover
   79         reasonable attorney fees and costs and penalties in
   80         accordance with certain provisions; requiring such
   81         moneys to be deposited in the Legal Affairs Revolving
   82         Trust Fund; requiring other moneys recovered by the
   83         Attorney General for penalties to be deposited into
   84         the General Revenue Fund; providing an effective date.
   85          
   86  Be It Enacted by the Legislature of the State of Florida:
   87  
   88         Section 1. Section 501.172, Florida Statutes, is created to
   89  read:
    90         501.172 Short title.—This act, consisting of ss. 501.172-
    91  501.177, may be cited as the “Florida Privacy Protection Act.”
   92         Section 2. Section 501.173, Florida Statutes, is created to
   93  read:
    94         501.173 Purpose.—This act recognizes that privacy is an
   95  important right, and consumers in this state should have the
   96  ability to share their personal information as they wish, in a
   97  way that is safe and that they understand and control.
   98         Section 3. Section 501.174, Florida Statutes, is created to
   99  read:
   100         501.174 Definitions.—As used in ss. 501.172-501.177, unless
  101  the context otherwise requires, the term:
   102         (1) “Affiliate” means a legal entity that controls, is
  103  controlled by, or is under common control with another legal
  104  entity or shares common branding with another legal entity. For
  105  the purposes of this subsection, the term “control” or
  106  “controlled” means the ownership of, or the power to vote, more
  107  than 50 percent of the outstanding shares of any class of voting
  108  security of a company; control in any manner over the election
  109  of a majority of the directors or of individuals exercising
  110  similar functions; or the power to exercise controlling
  111  influence over the management of a company.
   112         (2) “Aggregate consumer information” means information that
  113  relates to a group or category of consumers from which
  114  individual consumer identities have been removed and which is
  115  not linked or reasonably linkable to any consumer, including
  116  through a device. The term does not include one or more
  117  individual consumer records that have been de-identified.
   118         (3) “Authenticate” means verifying through reasonable means
  119  that the consumer entitled to exercise his or her consumer
  120  rights under this act is the same consumer exercising such
  121  consumer rights with respect to the personal information at
  122  issue.
   123         (4) “Biometric information” means personal information
  124  generated by automatic measurements of an individual’s
  125  physiological, behavioral, or biological characteristics,
  126  including an individual’s DNA, which identifies an individual.
  127  The term does not include a physical or digital photograph; a
  128  video or audio recording or data generated therefrom; or
  129  information collected, used, or stored for health care
  130  treatment, payment, or operations under the Health Insurance
  131  Portability and Accountability Act of 1996.
   132         (5) “Business purpose” means the use of personal
  133  information for the controller’s operational, administrative,
  134  security, or other purposes allowed for under this act, or for
  135  any notice-given and consumer-approved purposes or for the
  136  processor’s operational purposes, provided that the use of the
  137  personal information is consistent with the requirements of this
  138  act.
   139         (6) “Child” means a natural person younger than 13 years of
  140  age.
   141         (7) “Collects,” “collected,” or “collection” means buying,
  142  renting, gathering, obtaining, receiving, or accessing by any
  143  means any personal information pertaining to a consumer, either
  144  actively or passively or by observing the consumer’s behavior.
   145         (8) “Consumer” means a natural person who resides in this
  146  state to the extent he or she is acting in an individual or
  147  household context. The term does not include any other natural
  148  person who is a nonresident or a natural person acting in a
  149  commercial or employment context.
   150         (9) “Controller” means a sole proprietorship, a
  151  partnership, a limited liability company, a corporation, or an
  152  association or any other legal entity that meets the following
  153  requirements:
   154         (a) Is organized or operated for the profit or financial
  155  benefit of its shareholders or owners;
   156         (b) Does business in this state or provides products or
  157  services targeted to the residents of this state;
   158         (c) Determines the purposes and means of processing
  159  personal information about consumers, alone or jointly with
  160  others; and
   161         (d) Satisfies either of the following thresholds:
   162         1. During a calendar year, controls the processing of the
  163  personal information of 100,000 or more consumers who are not
  164  covered by an exception under this act; or
   165         2. Controls or processes the personal information of at
  166  least 25,000 consumers who are not covered by an exception under
  167  this act and derives 50 percent or more of its global annual
  168  revenues from selling personal information about consumers.
   169         (10) “De-identified” means information that cannot
  170  reasonably identify or be linked directly to a particular
  171  consumer, or a device linked to such consumer, if the controller
  172  or a processor that possesses such information on behalf of the
  173  controller:
   174         (a) Has taken reasonable measures to ensure that the
  175  information cannot be associated with an individual consumer;
   176         (b) Commits to maintain and use the information in a
   177  de-identified fashion without attempting to reidentify the
  178  information; and
   179         (c) Contractually prohibits downstream recipients from
  180  attempting to reidentify the information.
   181         (11) “Designated request address” means an e-mail address,
  182  a toll-free telephone number, or a website established by a
  183  controller through which a consumer may submit a verified
  184  request to the controller.
   185         (12) “Intentional interaction” or “intentionally
  186  interacting” means that the consumer intends to interact with or
  187  disclose personal information to a person through one or more
  188  deliberate interactions, including visiting the person’s website
  189  or purchasing a good or service from the person. The term does
  190  not include hovering over, muting, pausing, or closing a given
  191  piece of content.
   192         (13) “Non-targeted advertising” means:
   193         (a) Advertising based solely on a consumer’s activities
  194  within a controller’s own, or its affiliates’, websites or
  195  online applications;
   196         (b) Advertisements based on the context of a consumer’s
  197  current search query, visit to a website, or online application;
   198         (c) Advertisements directed to a consumer in response to
  199  the consumer’s request for information or feedback; or
   200         (d) Processing personal information solely for measuring or
  201  reporting advertising performance, reach, or frequency.
   202         (14) “Personal information” means:
   203         (a) Information that identifies or is linked or reasonably
  204  linkable to an identified or identifiable consumer.
   205         (b) The term does not include:
   206         1. Information about a consumer that is lawfully made
  207  available through federal, state, or local governmental records;
   208         2. Information that a controller has a reasonable basis to
  209  believe is lawfully made available to the general public by the
  210  consumer or from widely distributed media unless the consumer
  211  has restricted the information to a specific audience; or
   212         3. Consumer information that is de-identified or aggregate
  213  consumer information.
   214         (15) “Precise geolocation data” means information from
  215  technology, such as global positioning system level latitude and
  216  longitude coordinates or other mechanisms, which directly
  217  identifies the specific location of a natural person with
  218  precision and accuracy within a radius of 1,750 feet. The term
  219  does not include the information generated by the transmission
  220  of communications or any information generated by or connected
  221  to advanced utility metering infrastructure systems or equipment
  222  for use by a utility.
   223         (16) “Process” or “processing” means any operation or set
  224  of operations performed on personal information or on sets of
  225  personal information, regardless of whether by automated means.
   226         (17) “Processor” means a natural or legal entity that
  227  processes personal data on behalf of, and at the direction of, a
  228  controller.
   229         (18) “Profiling” means any form of automated processing
  230  performed on personal data to evaluate, analyze, or predict
  231  personal aspects related to an identified or identifiable
  232  natural person’s economic situation, health, personal
  233  preferences, interests, reliability, behavior, location, or
  234  movements. The term does not include processing personal
  235  information solely for the purpose of measuring or reporting
  236  advertising performance, reach, or frequency.
   237         (19) “Pseudonymous information” means personal information
  238  that cannot be attributed to a specific natural person without
  239  the use of additional information, which must be kept separate
  240  at all times and must be subject to appropriate technical and
  241  organizational measures to ensure that the personal data is not
  242  attributed to or combined with other personal data that may
  243  enable attribution to an identified or identifiable natural
  244  person.
   245         (20) “Security and integrity” means the ability of a:
   246         (a) Network or information system, device, website, or
  247  online application to detect security incidents that compromise
  248  the availability, authenticity, integrity, and confidentiality
  249  of stored or transmitted personal information;
   250         (b) Controller to detect security incidents; resist
  251  malicious, deceptive, fraudulent, or illegal actions; and help
  252  prosecute those responsible for such actions; and
   253         (c) Controller to ensure the physical safety of natural
  254  persons.
   255         (21) “Sell” means to transfer or make available a
  256  consumer’s personal information by a controller to a third party
  257  in exchange for monetary or other valuable consideration,
  258  including nonmonetary transactions and agreements for other
  259  valuable consideration between a controller and a third party
  260  for the benefit of a controller. The term does not include any
  261  of the following:
   262         (a) The disclosure, for a business purpose, of a consumer’s
  263  personal information to a processor that processes the
  264  information for the controller.
   265         (b) The disclosure by a controller for the purpose of
  266  providing a product or service requested or approved by a
  267  consumer, or the parent of a child, of the consumer’s personal
  268  information to a third-party entity.
   269         (c) The disclosure or transfer of personal information to
  270  an affiliate of the controller.
   271         (d) The disclosure of personal information for purposes of
  272  nontargeted advertising.
   273         (e) The disclosure or transfer of personal information to a
  274  third party as an asset that is part of a proposed or actual
  275  merger, acquisition, bankruptcy, or other transaction in which
  276  the third party assumes control of all or part of the
  277  controller’s assets.
   278         (f) The controller disclosing personal information to a law
  279  enforcement or other emergency processor for the purposes of
  280  providing emergency assistance to the consumer.
   281         (22) “Sensitive data” means a category of personal
  282  information that includes any of the following:
   283         (a) Racial or ethnic origin, religious beliefs, mental or
  284  physical health diagnosis, sexual orientation, or citizenship or
  285  immigration status.
   286         (b) Biometric information, including genetic information,
  287  processed for the purpose of uniquely identifying a natural
  288  person.
   289         (c) Personal information collected from a known child.
   290         (d) Precise geolocation data.
   291         (23) “Targeted advertising” means displaying an
  292  advertisement to a consumer when the advertisement is selected
  293  based on personal information obtained from the consumer’s
  294  activities over time and across nonaffiliated websites or online
  295  applications to predict such consumer’s preferences or
  296  interests. The term does not include any of the following:
   297         (a) Non-targeted advertising.
   298         (b) Advertisements based on the context of a consumer’s
  299  current search query or visit to a website.
   300         (c) Advertising directed to a consumer in response to the
  301  consumer’s request for information or feedback.
   302         (d) Processing personal data solely for the purpose of
  303  measuring or reporting advertising performance, reach, or
  304  frequency.
   305         (24) “Third party” means a person who is not any of the
  306  following:
   307         (a) The controller with which the consumer intentionally
  308  interacts and which collects personal information from the
  309  consumer as part of the consumer’s interaction with the
  310  controller.
   311         (b) A processor that processes personal information on
  312  behalf of and at the direction of the controller.
   313         (c) An affiliate of the controller.
   314         (25) “Verified request” means a request submitted by a
  315  consumer or by a consumer on behalf of the consumer’s minor
  316  child for which the controller has reasonably verified the
  317  authenticity of the request. The term includes a request made
  318  through an established account using the controller’s
  319  established security features to access the account through
  320  communication features offered to consumers. The term does not
  321  include a request in which the consumer or a person authorized
  322  to act on the consumer’s behalf does not provide verification of
   323  identity or verification of authorization to act with the
  324  permission of the consumer, and the controller is not required
  325  to provide information for such a request.
  326         Section 4. Section 501.1745, Florida Statutes, is created
  327  to read:
   328         501.1745 General duties of controllers that collect
  329  personal information.—
   330         (1) A controller that controls the collection of a
  331  consumer’s personal information that will be used for any
  332  purpose other than a business purpose, at or before the point of
  333  collection, shall inform consumers of the purposes for which
  334  personal information is collected or used and whether that
  335  information is sold. A controller may not collect additional
  336  categories of personal information, or use collected personal
  337  information for additional purposes that are incompatible with
  338  the disclosed purpose for which the personal information was
  339  collected, without providing the consumer with notice consistent
  340  with this section. A controller that collects personal
  341  information about, but not directly from, consumers may provide
  342  the required information on its Internet home page or in its
  343  online privacy policy.
   344         (2) A controller’s collection, use, and retention of a
  345  consumer’s personal information must be reasonably necessary to
  346  achieve the purposes for which the personal information was
  347  collected or processed. Such information may not be further
  348  processed in a manner that is incompatible with those purposes
  349  without notice to the consumer or be transferred or made
  350  available to a third party in a manner inconsistent with the
  351  requirements of this act.
   352         (3) A controller that collects a consumer’s personal
  353  information shall implement reasonable security procedures and
  354  practices appropriate to the nature of the personal information
  355  to protect the personal information from unauthorized or illegal
  356  access, destruction, use, modification, or disclosure.
   357         (4) A controller that collects a consumer’s personal
  358  information and discloses it to a processor shall enter into a
  359  contractual agreement with such processor which obligates the
  360  processor to comply with applicable obligations under this act
  361  and which prohibits downstream recipients from selling personal
  362  information or retaining, using, or disclosing the personal
  363  information. If a processor engages any other person to assist
  364  it in processing personal information for a business purpose on
  365  behalf of the controller, or if any other person engaged by the
  366  processor engages another person to assist in processing
  367  personal information for that business purpose, the processor or
  368  person must notify the controller of that engagement and the
  369  processor must prohibit downstream recipients from selling the
  370  personal information or retaining, using, or disclosing the
  371  personal information.
   372         (5) A controller may not process sensitive data concerning
  373  a consumer without obtaining the consumer’s consent or, in the
  374  case of the processing of sensitive data obtained from a known
  375  child, without processing such data for the purpose of
  376  delivering a product or service requested by the parent of such
  377  child, or in accordance with the federal Children’s Online
  378  Privacy Protection Act, 15 U.S.C. s. 6501 et seq. and
  379  regulations interpreting this act.
   380         (6) The determination as to whether a person is acting as a
  381  controller or processor with respect to a specific activity is a
  382  fact-based determination that depends upon the context in which
  383  personal information is processed. A processor that continues to
  384  adhere to a controller’s instructions with respect to a specific
  385  processing of personal information remains a processor.
  386         Section 5. Section 501.175, Florida Statutes, is created to
  387  read:
   388         501.175 Use of personal information; third parties; other
  389  rights.—
   390         (1)(a) A consumer has the right at any time to direct a
  391  controller that sells personal information about the consumer
  392  not to sell the consumer’s personal information. This right may
  393  be referred to as the right to opt out of the sale.
   394         (b) A consumer has the right at any time to opt out of the
  395  processing of the consumer’s personal information for purposes
  396  of targeted advertising or profiling. A controller shall provide
  397  a clear and conspicuous link on the controller’s Internet home
  398  page, titled “Do Not Advertise To Me,” to a web page that
  399  enables a consumer to opt out of targeted advertising or
  400  profiling. However, this paragraph may not be construed to
  401  prohibit the controller that collected the consumer’s personal
  402  information from:
   403         1. Offering a different price, rate, level, quality, or
  404  selection of goods or services to a consumer, including offering
  405  goods or services for no fee, if the consumer has opted out of
  406  targeted advertising, profiling, or the sale of his or her
  407  personal information; or
   408         2. Offering a loyalty, reward, premium feature, discount,
  409  or club card program.
   410         (c) A controller that charges or offers a different price,
  411  rate, level, quality, or selection of goods or services to a
  412  consumer who has opted out of targeted advertising, profiling,
  413  or the sale of his or her personal information, or that offers
  414  goods or services for no fee, shall ensure that such charge or
  415  offer is not unjust, unreasonable, coercive, or usurious.
   416         (2) A controller that sells consumers’ personal information
  417  shall provide notice to consumers that the information may be
  418  sold and that consumers have the right to opt out of the sale of
  419  their personal information.
   420         (3) A controller that sells consumers’ personal information
  421  and that has received direction from a consumer not to sell the
  422  consumer’s personal information or, in the case of a minor
  423  consumer’s personal information, has not received consent to
  424  sell the minor consumer’s personal information, is prohibited
  425  from selling the consumer’s personal information after the
  426  controller receives the consumer’s direction, unless the
  427  consumer subsequently provides express authorization for the
  428  sale of the consumer’s personal information. A controller that
  429  is able to authenticate the consumer by the consumer logging in
  430  or any other means, or that is otherwise reasonably able to
  431  authenticate the consumer’s request must comply with the
  432  consumer’s request to opt out. The controller may not require
  433  the consumer to declare privacy preferences every time the
  434  consumer visits the controller’s website or uses the
  435  controller’s online services.
   436         (4)(a) A controller may not sell the personal information
  437  collected from consumers that the controller has actual
  438  knowledge are 16 years of age or younger, unless:
   439         1. The consumer, in the case of consumers who are 13 years
  440  of age up to 16 years of age, has affirmatively authorized the
  441  sale of the consumer’s personal information; or
   442         2. The consumer’s parent or guardian, in the case of
  443  consumers who are younger than 13 years of age, has
  444  affirmatively authorized such sale.
   445         (b) This right may be referred to as the right to opt in.
   446         (c) A business that willfully disregards the consumer’s age
  447  is deemed to have actual knowledge of the consumer’s age.
   448         (d) A controller that complies with the verifiable parental
  449  consent requirements of the Children’s Online Privacy Protection
  450  Act, 15 U.S.C. s. 6501 et seq., and accompanying regulations, or
  451  is providing a product or service requested by a parent or
  452  guardian, is deemed compliant with any obligation to obtain
  453  parental consent.
   454         (5) A controller required to comply with this section
  455  shall:
   456         (a) Provide a clear and conspicuous link on the
  457  controller’s Internet home page, titled “Do Not Sell My Personal
  458  Information,” to a web page that enables a consumer to opt out
  459  of the sale of the consumer’s personal information. A business
  460  may not require a consumer to create an account in order to
  461  direct the business not to sell the consumer’s information.
   462         (b) Ensure that all individuals responsible for handling
  463  consumer inquiries about the controller’s privacy practices or
  464  the controller’s compliance with this section are informed of
  465  all requirements of this section and how to direct consumers to
  466  exercise their rights.
   467         (c) For consumers who exercise their right to opt out of
  468  the sale of their personal information, refrain from selling
  469  personal information the controller collected about the consumer
  470  as soon as reasonably possible but no longer than 10 business
  471  days after receiving the request to opt out.
   472         (d) Use any personal information collected from the
  473  consumer in connection with the submission of the consumer’s
  474  opt-out request solely for the purposes of complying with the
  475  opt-out request.
   476         (e) For consumers who have opted out of the sale of their
  477  personal information, respect the consumer’s decision to opt out
  478  for at least 12 months before requesting that the consumer
  479  authorize the sale of the consumer’s personal information.
   480         (f) Ensure that consumers have the right to submit a
  481  verified request for certain information from a controller,
  482  including the categories of sources from which the consumer’s
  483  personal information was collected, the specific items of
  484  personal information it has collected about the consumer, and
  485  the categories of any third parties to whom the personal
  486  information was sold.
   487         (6) Consumers have the right to submit a verified request
  488  that personal information that has been collected from the
  489  consumer be deleted. Consumers have the right to submit a
  490  verified request for correction of their personal information
  491  held by a controller if that information is inaccurate, taking
  492  into account the nature of the personal information and the
  493  purpose for processing the consumer’s personal information.
   494         (7) A controller, or a processor acting pursuant to its
  495  contract with the controller or another processor, is not
  496  required to comply with a consumer’s verified request to delete
  497  the consumer’s personal information if it is necessary for the
  498  controller or processor to maintain the consumer’s personal
  499  information in order to do any of the following:
   500         (a) Complete the transaction for which the personal
  501  information was collected, fulfill the terms of a written
  502  warranty or product recall conducted in accordance with federal
  503  law, provide a good or service requested by the consumer, or
  504  otherwise perform a contract between the business and the
  505  consumer.
   506         (b) Help to ensure security and integrity to the extent
  507  that the use of the consumer’s personal information is
  508  reasonably necessary and proportionate for those purposes.
   509         (c) Debug to identify and repair errors that impair
  510  existing intended functionality.
  511         (d) Exercise free speech, ensure the right of another
  512  consumer to exercise that consumer’s right of free speech, or
  513  exercise another right provided for by law.
  514         (e) Engage in public or peer-reviewed scientific,
  515  historical, or statistical research that conforms or adheres to
  516  all other applicable ethics and privacy laws, when the business’
  517  deletion of the information is likely to render impossible or
  518  seriously impair the ability to complete such research, if the
  519  consumer has provided informed consent.
  520         (f) Comply with a legal obligation.
  521         (8) This section may not be construed to require a
  522  controller to comply by reidentifying or otherwise linking
  523  information that is not maintained in a manner that would be
  524  considered personal information; retaining any personal
  525  information about a consumer if, in the ordinary course of
  526  business, that information would not be retained; maintaining
  527  information in identifiable, linkable, or associable form; or
  528  collecting, obtaining, retaining, or accessing any data or
  529  technology in order to be capable of linking or associating a
  530  verifiable consumer request with personal information.
  531         (9) A consumer may authorize another person to opt out of
  532  the sale of the consumer’s personal information. A controller
  533  shall comply with an opt-out request received from a person
  534  authorized by the consumer to act on the consumer’s behalf,
  535  including a request received through a user-enabled global
  536  privacy control, such as a browser plug-in or privacy setting,
  537  device setting, or other mechanism, which communicates or
  538  signals the consumer’s choice to opt out, and may not require a
  539  consumer to make a verified request to opt out of the sale of
  540  his or her information.
  541         (10) Each controller shall establish a designated request
  542  address through which a consumer may submit a request to
  543  exercise his or her rights under this act.
  544         (11)(a) A controller that receives a verified request:
  545         1. For a consumer’s personal information shall disclose to
  546  the consumer any personal information about the consumer which
  547  it has collected since January 1, 2023, directly or indirectly,
  548  including such information obtained through or by a processor.
  549         2. To correct a consumer’s inaccurate personal information
  550  shall correct the inaccurate personal information, taking into
  551  account the nature of the personal information and the purpose
  552  for processing the consumer’s personal information.
  553         3. To delete a consumer’s personal information shall delete
  554  such personal information collected from the consumer.
  555         (b) A processor is not required to personally comply with a
  556  verified request received directly from a consumer, but the
  557  processor must notify a controller of such a request within 10
  558  days after receiving the request. The time period required for a
  559  controller to comply with a verified request as provided in
  560  paragraph (d) commences beginning from the time the processor
  561  notifies the controller of the verified request. A processor
  562  shall provide reasonable assistance to a controller with which
  563  it has a contractual relationship with respect to the
  564  controller’s response to a verifiable consumer request,
  565  including, but not limited to, by providing to the controller
  566  the consumer’s personal information in the processor’s
  567  possession which the processor obtained as a result of providing
  568  services to the controller.
  569         (c) At the direction of the controller, a processor shall
  570  correct inaccurate personal information or delete personal
  571  information, or enable the controller to do the same.
  572         (d) A controller shall comply with a verified request
  573  submitted by a consumer to access, correct, or delete personal
  574  information within 45 days after the date the request is
  575  submitted. A controller may extend such period by up to 45 days
  576  if the controller, in good faith, determines that such an
  577  extension is reasonably necessary. A controller that extends the
  578  period shall notify the consumer of the necessity of an
  579  extension.
  580         (e) A consumer’s rights under this subsection do not apply
  581  to pseudonymous information in cases in which the controller is
  582  able to demonstrate that all information necessary to identify
  583  the consumer is kept separate at all times and is subject to
  584  effective technical and organizational controls that prevent the
  585  controller from accessing or combining such information.
  586         (12) A controller shall comply with a consumer’s previous
  587  expressed decision to opt out of the sale of his or her personal
  588  information without requiring the consumer to take any
  589  additional action if the controller is able to identify the
  590  consumer through a login protocol or any other process the
  591  controller uses to identify consumers and the consumer has
  592  previously exercised his or her right to opt out of the sale of
  593  his or her personal information.
  594         (13) A controller shall make available, in a manner
  595  reasonably accessible to consumers whose personal information
  596  the controller collects through its website or online service, a
  597  notice that does all of the following:
  598         (a) Identifies the categories of personal information that
  599  the controller collects through its website or online service
  600  about consumers who use or visit the website or online service
  601  and the categories of third parties to whom the controller may
  602  disclose such personal information.
  603         (b) Provides a description of the process, if applicable,
  604  for a consumer who uses or visits the website or online service
  605  to review and request changes to any of his or her personal
  606  information collected from the consumer through the website or
  607  online service.
  608         (c) Describes the process by which the controller notifies
  609  consumers who use or visit the website or online service of
  610  material changes to the notice.
  611         (d) Discloses whether a third party may collect personal
  612  information about a consumer’s online activities over time and
  613  across different websites or online services when the consumer
  614  uses the controller’s website or online service.
  615         (e) States the effective date of the notice.
  616         (14) If a request from a consumer is manifestly unfounded
  617  or excessive, in particular because of the request’s repetitive
  618  character, a controller may either charge a reasonable fee,
  619  taking into account the administrative costs of providing the
  620  information or communication or taking the action requested, or
  621  refuse to act on the request and notify the consumer of the
  622  reason for refusing the request. The controller bears the burden
  623  of demonstrating that any verified consumer request is
  624  manifestly unfounded or excessive.
  625         (15) A controller that discloses personal information to a
  626  processor is not liable under this act if the processor
  627  receiving the personal information uses it in violation of the
  628  restrictions set forth in the act, provided that, at the time of
  629  disclosing the personal information, the controller does not
  630  have actual knowledge or reason to believe that the processor
  631  intends to commit such a violation. A processor is likewise not
  632  liable under this act for the obligations of a controller for
  633  which it processes personal information as set forth in this
  634  act.
  635         (16) A controller or processor that discloses personal
  636  information to a third-party controller or processor in
  637  compliance with the requirements of this act is not in violation
  638  of this chapter if the third-party controller or processor that
  639  receives and processes such personal information is in violation
  640  of this act, provided that, at the time of disclosing the
  641  personal information, the disclosing controller or processor did
  642  not have actual knowledge that the recipient intended to commit
  643  a violation. A third-party controller or processor that violates
  644  this act, or violates the terms of a contractual agreement with
  645  a controller or processor which results in a violation of this
  646  act, is deemed to have violated the requirements of this act and
  647  is subject to the enforcement actions otherwise provided against
  648  a controller pursuant to s. 501.177. A third-party controller or
  649  processor receiving personal information from a controller or
  650  processor in compliance with the requirements of this act is not
  651  in violation of this act for noncompliance of the controller or
  652  processor from which it receives such personal data.
  653         (17) The rights afforded to consumers and the obligations
  654  imposed on a controller in this act may not adversely affect the
  655  rights and freedoms of other consumers. Notwithstanding
  656  subsection (7), a verified request for specific items of
  657  personal information, to delete a consumer’s personal
  658  information, or to correct inaccurate personal information does
  659  not extend to personal information about the consumer which
  660  belongs to, or which the controller maintains on behalf of,
  661  another natural person.
  662         Section 6. Section 501.176, Florida Statutes, is created to
  663  read:
  664         501.176 Applicability; exclusions.—
  665         (1) The obligations imposed on a controller or processor by
  666  this act do not restrict a controller’s or processor’s ability
  667  to do any of the following:
  668         (a) Comply with federal, state, or local laws, rules, or
  669  regulations.
  670         (b) Comply with a civil, criminal, or regulatory inquiry or
  671  an investigation, a subpoena, or a summons by federal, state,
  672  local, or other governmental authorities.
  673         (c) Cooperate with law enforcement agencies concerning
  674  conduct or activity that the controller or processor reasonably
  675  and in good faith believes may violate federal, state, or local
  676  laws, rules, or regulations.
  677         (d) Exercise, investigate, establish, prepare for, or
  678  defend legal claims.
  679         (e) Collect, use, retain, sell, or disclose consumer
  680  personal information to:
  681         1. Conduct internal research to develop, improve, or repair
  682  products, services, or technology;
  683         2. Effectuate a product recall or provide a warranty for
  684  products or services;
  685         3. Identify or repair technical errors that impair existing
  686  or intended functionality;
  687         4. Perform internal operations that are reasonably aligned
  688  with the expectations of the consumer or reasonably anticipated
  689  based on the consumer’s existing relationship with the
  690  controller or that are otherwise compatible with processing data
  691  in furtherance of the provision of a product or service
  692  specifically requested by a consumer or a parent of a child, or
  693  the performance of a contract to which the consumer is a party;
  694         5. Provide a product or service specifically requested by a
  695  consumer or a parent of a child; perform a contract to which the
  696  consumer or parent is a party, including fulfilling the terms of
  697  a written warranty; or take steps at the request of the consumer
  698  before entering into a contract;
  699         6. Take steps to protect an interest that is essential for
  700  the life or physical safety of the consumer or of another
  701  natural person, and where the processing cannot be manifestly
  702  based on another legal basis;
  703         7. Prevent, detect, protect against, or respond to security
  704  incidents, identity theft, fraud, harassment, malicious or
  705  deceptive activities, or any illegal activity, and prosecute
  706  those responsible for that activity;
  707         8. Preserve the integrity or security of information
  708  technology systems;
  709         9. Investigate, report, or prosecute those responsible for
  710  any illegal, malicious, harmful, deceptive, or otherwise harmful
  711  activities;
  712         10. Engage in public or peer-reviewed scientific or
  713  statistical research in the public interest that adheres to all
  714  other applicable ethics and privacy laws and, if applicable, is
  715  approved, monitored, and governed by an institutional review
  716  board, or similar independent oversight entity that determines
  717  if the information is likely to provide substantial benefits
  718  that do not exclusively accrue to the controller, if the
  719  expected benefits of the research outweigh the privacy risks,
  720  and if the controller has implemented reasonable safeguards to
  721  mitigate privacy risks associated with research, including any
  722  risks associated with reidentification; or
  723         11. Assist another controller, processor, or third party
  724  with any of the obligations under this subsection.
  725         (2) This act does not apply to any of the following:
  726         (a) A controller that collects, processes, or discloses the
  727  personal information of its employees, owners, directors,
  728  officers, beneficiaries, job applicants, interns, or volunteers,
  729  so long as the controller is collecting or disclosing such
  730  information only to the extent reasonable and necessary within
  731  the scope of the role the controller has in relation to each
  732  class of listed individuals. For purposes of this section the
  733  term “personal information” includes employment benefit
  734  information.
  735         (b) Personal information that is part of a written or
  736  verbal communication or a transaction between the controller or
  737  processor and the consumer, when the consumer is a natural
  738  person who is acting as an employee, owner, director, officer,
  739  or contractor of a company, partnership, sole proprietorship,
  740  nonprofit, or government agency and whose communications or
  741  transaction with the business occur solely within the context of
  742  the business conducting due diligence regarding, or providing or
  743  receiving a product or service to or from such company,
  744  partnership, sole proprietorship, nonprofit, or government
  745  agency.
  746         (c) A business, service provider, or third party that
  747  collects the personal information of an individual:
  748         1. Who applies to, is or was previously employed by, or
  749  acts as an agent of the business, service provider, or third
  750  party, to the extent that the personal information is collected
  751  and used in a manner related to or arising from the individual’s
  752  employment status; or
  753         2. To administer benefits for another individual and the
  754  personal information is used to administer those benefits.
  755         (d) A business that enters into a contract with an
  756  independent contractor and collects or discloses personal
  757  information about the contractor reasonably necessary to either
  758  enter into or to fulfill the contract when the contracted
  759  services would not defeat the purposes of this act.
  760         (e) Protected health information for purposes of the
  761  federal Health Insurance Portability and Accountability Act of
  762  1996 and related regulations, and patient identifying
  763  information for purposes of 42 C.F.R. part 2, established
  764  pursuant to 42 U.S.C. s. 290dd-2.
  765         (f) A covered entity or business associate governed by the
  766  privacy, security, and breach notification rules issued by the
  767  United States Department of Health and Human Services in 45
  768  C.F.R. parts 160 and 164, or a program or a qualified service
  769  program defined in 42 C.F.R. part 2, to the extent that the
  770  covered entity, business associate, or program maintains
  771  personal information in the same manner as medical information
  772  or protected health information as described in paragraph (e).
  773         (g) Identifiable private information collected for purposes
  774  of research as defined in 45 C.F.R. s. 164.501 which is
  775  conducted in accordance with the Federal Policy for the
  776  Protection of Human Subjects for purposes of 45 C.F.R. part 46,
  777  the good clinical practice guidelines issued by the
  778  International Council for Harmonisation of Technical
  779  Requirements for Pharmaceuticals for Human Use, or the
  780  Protection for Human Subjects for purposes of 21 C.F.R. parts 50
  781  and 56; or personal information used or shared in research
  782  conducted in accordance with one or more of these standards, or
  783  another applicable protocol.
  784         (h) Information and documents created for purposes of the
  785  federal Health Care Quality Improvement Act of 1986 and related
  786  regulations, or patient safety work product for purposes of 42
  787  C.F.R. part 3, established pursuant to 42 U.S.C. s. 299b-21
  788  through 299b-26.
  789         (i) Information de-identified in accordance with 45 C.F.R.
  790  part 164 and derived from individually identifiable health
  791  information, as described in the federal Health Insurance
  792  Portability and Accountability Act of 1996, or identifiable
  793  personal information, consistent with the Federal Policy for the
  794  Protection of Human Subjects or the human subject protection
  795  requirements of the United States Food and Drug Administration
  796  or the good clinical practice guidelines issued by the
  797  International Council for Harmonisation of Technical
  798  Requirements for Pharmaceuticals for Human Use.
  799         (j) Information collected as part of a clinical trial
  800  subject to the Federal Policy for the Protection of Human
  801  Subjects pursuant to good clinical practice guidelines issued by
  802  the International Council for Harmonisation of Technical
  803  Requirements for Pharmaceuticals for Human Use or pursuant to
  804  human subject protection requirements of the United States Food
  805  and Drug Administration, or another protocol.
  806         (k) Personal information collected, processed, sold, or
  807  disclosed pursuant to the federal Fair Credit Reporting Act, 15
  808  U.S.C. s. 1681 et seq.
  809         (l) Personal information collected, processed, sold, or
  810  disclosed pursuant to, or a financial institution to the extent
  811  regulated by, the federal Gramm-Leach-Bliley Act, 15 U.S.C. s.
  812  6801 et seq. and implementing regulations.
  813         (m) Personal information collected, processed, sold, or
  814  disclosed pursuant to the Farm Credit Act of 1971, as amended in
  815  12 U.S.C. s. 2001-2279cc and implementing regulations.
  816         (n) Personal information collected, processed, sold, or
  817  disclosed pursuant to the federal Driver’s Privacy Protection
  818  Act of 1994, 18 U.S.C. s. 2721 et seq.
  819         (o) Education information covered by the federal Family
  820  Educational Rights and Privacy Act, 20 U.S.C. s. 1232g and 34
  821  C.F.R. part 99.
  822         (p) Personal information collected, processed, sold, or
  823  disclosed in relation to price, route, or service as those terms
  824  are used in the federal Airline Deregulation Act, 49 U.S.C. s.
  825  40101 et seq., by entities subject to the federal Airline
  826  Deregulation Act, to the extent this act is preempted by s.
  827  41713 of the federal Airline Deregulation Act.
  828         (q) Vehicle information or ownership information retained
  829  or shared between a new motor vehicle dealer, a distributor, or
  830  the vehicle’s manufacturer if the vehicle or ownership
  831  information is shared for the purpose of effectuating, or in
  832  anticipation of effectuating, a vehicle repair covered by a
  833  vehicle warranty or a recall conducted pursuant to 49 U.S.C. s.
  834  30118-30120, provided that the new motor vehicle dealer,
  835  distributor, or vehicle manufacturer with which that vehicle
  836  information or ownership information is shared does not sell,
  837  share, or use that information for any other purpose. As used in
  838  this paragraph, the term “vehicle information” means the vehicle
  839  identification number, make, model, year, and odometer reading,
  840  and the term “ownership information” means the name or names of
  841  the registered owner or owners and the contact information for
  842  the owner or owners.
  843         Section 7. Section 501.177, Florida Statutes, is created to
  844  read:
  845         501.177 Enforcement; preemption.—
  846         (1) ENFORCEMENT.—
  847         (a) This subsection and subsection (2) apply only to
  848  controllers and processors that sell the personal information of
  849  consumers to third parties and that are subject to the
  850  requirements of this act.
  851         (b) This act does not establish a private cause of action.
  852         (c) The following are unfair and deceptive trade practices
  853  actionable under part II of this chapter solely by the
  854  Department of Legal Affairs against a controller or processor:
  855         1. Failure to delete or correct a consumer’s personal
  856  information pursuant to this act after receiving from a
  857  controller a verifiable consumer request or directions to delete
  858  or correct, unless the controller or processor qualifies for an
  859  exception to the requirements to delete or correct under this
  860  act; and
  861         2. Continuing to sell a consumer’s personal information
  862  after the consumer chooses to opt out or selling the personal
  863  information of a consumer age 16 or younger without obtaining
  864  the consent required by this act.
  865         (d) If the department has reason to believe that a
  866  controller or processor has committed an act described in
  867  paragraph (c), the department, as the enforcement authority, may
  868  bring an action against such controller or processor. For the
  869  purpose of bringing an action pursuant to this act, ss. 501.211
  870  and 501.212 do not apply. Civil penalties may be tripled if the
  871  violation involves a consumer who the controller or processor
  872  has actual knowledge is 16 years of age or younger.
  873         (e) After the department has notified a controller or
  874  processor in writing of an alleged violation, the department, at
  875  its discretion, may grant to the controller or processor a 45-
  876  day period to cure the alleged violation. The department may
  877  consider the number of violations, the substantial likelihood of
  878  injury to the public, or the safety of persons or property when
  879  determining whether to grant the 45-day cure period. If the
  880  controller or processor provides proof to the department that
  881  the violation has been cured to the satisfaction of the
  882  department, the department may issue a letter of guidance that
  883  indicates that the controller or processor will not be offered a
  884  45-day cure period for any future violations. If the controller
  885  or processor fails to cure the violation within 45 days, the
  886  department may bring an action against the controller or
  887  processor for the alleged violation.
  888         (f) A court may grant the following relief in an action
  889  brought pursuant to this act by the department:
  890         1. Actual damages to a consumer.
  891         2. Injunctive or declaratory relief.
  892         (g) Liability for a tort, contract claim, or consumer
  893  protection claim which is unrelated to an action by the
  894  department does not arise solely from the failure of a
  895  controller or processor to comply with this act and evidence of
  896  such noncompliance may only be used as the basis to prove a
  897  cause of action under this section.
  898         (h) By each February 1, the department, in conjunction and
  899  consultation with the director of the Consumer Data Privacy
  900  Unit, shall submit a report to the President of the Senate and
  901  the Speaker of the House of Representatives describing any
  902  actions taken by the department to enforce this act. The report
  903  must include statistics and relevant information detailing all
  904  of the following:
  905         1. The number of complaints received.
  906         2. The number of complaints investigated.
  907         3. The number and type of enforcement actions taken and the
  908  outcomes of such actions.
  909         4. The number of complaints resolved without the need for
  910  litigation.
  911         5. The status of the development and implementation of
  912  rules to implement this act.
  913         (i) The department may adopt rules to implement this act.
  914         (2) JURISDICTION.—For purposes of bringing an action in
  915  accordance with this section, any person that meets the
  916  definition of a controller that collects or sells the personal
  917  information of Florida consumers, is considered to be both
  918  engaged in substantial and not isolated activities within this
  919  state and operating, conducting, engaging in, or carrying on a
  920  business, and doing business in this state, and therefore is
  921  subject to the jurisdiction of the courts of this state.
  922         (3) PREEMPTION.—This section is a matter of statewide
  923  concern and supersedes and preempts to the state all rules,
  924  regulations, codes, ordinances, and other laws adopted by a
  925  city, county, city and county, municipality, or local agency
  926  regarding the collection, processing, or sale of consumers’
  927  personal information by a controller or processor.
  928         Section 8. Subsection (1) of section 16.53, Florida
  929  Statutes, is amended, and subsection (8) is added to that
  930  section, to read:
  931         16.53 Legal Affairs Revolving Trust Fund.—
  932         (1) There is created in the State Treasury the Legal
  933  Affairs Revolving Trust Fund, from which the Legislature may
  934  appropriate funds for the purpose of funding investigation,
  935  prosecution, and enforcement by the Attorney General of the
  936  provisions of the Racketeer Influenced and Corrupt Organization
  937  Act, the Florida Deceptive and Unfair Trade Practices Act, the
  938  Florida False Claims Act, or state or federal antitrust laws, or
  939  the Florida Privacy Protection Act.
  940         (8) All moneys recovered by the Attorney General for
  941  attorney fees and costs in an action for violation of the
  942  Florida Privacy Protection Act must be deposited in the fund.
  943         Section 9. Section 16.581, Florida Statutes, is created to
  944  read:
  945         16.581 Consumer Data Privacy Unit.—
  946         (1) There is created in the Department of Legal Affairs the
  947  Consumer Data Privacy Unit, which shall be headed by a director
  948  who is fully accountable to the Attorney General, who shall
  949  assign the director such powers, duties, responsibilities, and
  950  functions as are necessary to ensure the greatest possible
  951  coordination, efficiency, and effectiveness of the unit in
  952  protecting the personal information of residents of this state.
  953         (2) The unit shall serve as legal counsel in any suit or
  954  other legal action initiated in connection with the Florida
  955  Privacy Protection Act.
  956         (3) The unit may investigate and initiate actions
  957  authorized by the Florida Privacy Protection Act.
  958         (4) If, by its own inquiry or as a result of complaints,
  959  the unit has reason to believe that there has been a violation
  960  of the Florida Privacy Protection Act, the unit may administer
  961  oaths and affirmations, subpoena witnesses or matter, and
  962  collect evidence.
  963         (5) The unit may refer any criminal violations so uncovered
  964  to the appropriate prosecuting authority.
  965         (6) The unit may recover reasonable attorney fees and costs
  966  and penalties in accordance with part II of chapter 501 in any
  967  action for violation of consumer data privacy provisions in the
  968  Florida Privacy Protection Act. Such attorney fees and costs
  969  collected must be deposited in the Legal Affairs Revolving Trust
  970  Fund.
  971         (7) All moneys recovered by the Attorney General for
  972  penalties in an action for violation of the Florida Privacy
  973  Protection Act must be deposited in the General Revenue Fund.
  974         Section 10. This act shall take effect December 31, 2022.