2023 Legislature             CS for CS for SB 262, 2nd Engrossed
    2         An act relating to technology transparency; creating
    3         s. 112.23, F.S.; defining terms; prohibiting officers
    4         or salaried employees of governmental entities from
    5         using their positions or state resources to make
    6         certain requests of social media platforms;
    7         prohibiting governmental entities from initiating or
    8         maintaining agreements or working relationships with
    9         social media platforms under a specified circumstance;
   10         providing exceptions; creating s. 501.1735, F.S.;
   11         providing definitions; prohibiting certain conduct by
   12         an online platform that provides online services,
   13         products, games, or features likely to be
   14         predominantly accessed by children; providing
   15         exceptions; providing for enforcement; providing
   16         construction; authorizing the department to bring an
   17         action under the Florida Deceptive and Unfair Trade
   18         Practices Act; providing for civil penalties;
   19         providing that the department may grant an online
   20         platform a timeframe to cure any violations; providing
   21         jurisdiction; providing directives to the Division of
   22         Law Revision; creating s. 501.701, F.S.; providing a
   23         short title; creating s. 501.702, F.S.; defining
   24         terms; creating s. 501.703, F.S.; providing
   25         applicability; creating s. 501.704, F.S.; providing
   26         exemptions; creating s. 501.705, F.S.; providing that
   27         a consumer may submit requests to controllers to
   28         exercise specified rights; requiring controllers to
   29         comply with certain authenticated consumer requests;
   30         prohibiting certain devices from being used for
   31         surveillance purposes without the express
   32         authorization of the consumer under certain
   33         circumstances; creating s. 501.706, F.S.; providing
   34         timeframes within which controllers must respond to
   35         consumer requests; providing notice requirements for
   36         controllers that cannot take action regarding a
   37         consumer’s request; providing that controllers are not
   38         required to comply with certain consumer requests;
   39         providing notice requirements for controllers’
   40         compliance with consumer requests; requiring responses
   41         to consumer requests to be made free of charge;
   42         providing exceptions; specifying the methods by which
   43         controllers may be considered to be in compliance with
   44         consumer requests for the controller to delete their
   45         personal data; creating s. 501.707, F.S.; requiring
   46         controllers to establish a process for consumers to
   47         appeal the controller’s refusal to take action on the
   48         consumer’s request within a specified timeframe;
   49         providing requirements for such process; creating s.
   50         501.708, F.S.; providing that contracts or agreements
   51         that waive or limit specified consumer rights are void
   52         and unenforceable; creating s. 501.709, F.S.;
   53         requiring controllers to establish methods for
   54         submitting consumer requests; prohibiting controllers
   55         from requiring consumers to create new accounts to
   56         exercise their consumer rights; requiring controllers
   57         to provide a certain mechanism on their websites for
   58         consumers to submit certain requests; creating s.
   59         501.71, F.S.; requiring controllers to limit the
   60         collection of personal data according to certain
   61         parameters; requiring controllers to establish,
   62         implement, and maintain specified practices regarding
   63         personal data; prohibiting controllers from taking
   64         certain actions regarding a consumer’s personal data;
   65         prohibiting controllers from discriminating against
   66         consumers exercising their consumer rights; providing
   67         construction; requiring a controller that operates a
   68         search engine to make certain information available on
   69         its webpage; creating s. 501.711, F.S.; requiring
   70         controllers to provide consumers with privacy notices
   71         that meet certain requirements; requiring controllers
   72         that engage in the sale of sensitive or biometric
   73         personal data to provide notices that meet certain
   74         requirements; requiring controllers that sell personal
   75         data or process personal data for targeted advertising
   76         to disclose certain information; prohibiting
   77         controllers from collecting additional categories of
   78         personal information or using such information for
   79         additional purposes without providing specified
   80         notice; creating s. 501.712, F.S.; requiring
   81         processors to adhere to controller instructions and to
   82         assist the controller in meeting or complying with
   83         certain requirements; providing requirements for
   84         contracts between controllers and processors regarding
   85         data processing procedures; providing construction;
   86         providing that the determination of whether a person
   87         is acting as a controller or processor is a fact-based
   88         determination; creating s. 501.713, F.S.; requiring
   89         controllers to conduct and document data protection
   90         assessments of specified processing activities
   91         involving personal data; providing requirements for
   92         such assessments; providing applicability; creating s.
   93         501.714, F.S.; requiring controllers in possession of
   94         deidentified data to take certain actions; providing
   95         construction; providing that specified consumer rights
   96         and controller duties do not apply to pseudonymous
   97         data or aggregate consumer information under certain
   98         circumstances; requiring controllers that disclose
   99         pseudonymous data, deidentified data, or aggregate
  100         consumer information to exercise reasonable oversight
  101         and take appropriate steps to address breaches of
  102         contractual agreements; creating s. 501.715, F.S.;
  103         requiring certain persons to receive consumer consent
  104         before engaging in the sale of sensitive personal
  105         data; requiring a specified notice; providing for
  106         penalties; creating s. 501.716, F.S.; providing
  107         exemptions for specified controller or processor uses
  108         of consumer personal data; providing that controllers
  109         or processors may provide personal data concerning a
  110         consumer to certain covered persons; creating s.
  111         501.717, F.S.; authorizing controllers and processors
  112         to collect, use, or retain data for specified
  113         purposes; providing that certain requirements do not
  114         apply if such compliance would violate certain laws;
  115         creating s. 501.718, F.S.; providing circumstances
  116         under which processors are not in violation of this
  117         act for the disclosure of personal data to a third
  118         party controller or processor; providing that third
  119         party controllers or processors that comply with this
  120         part are not liable for violations committed by
  121         controllers or processors from whom they receive
  122         personal data; creating s. 501.719, F.S.; providing
  123         requirements for the processing of certain personal
  124         data by controllers; requiring controllers and
  125         processors to adopt and implement a retention schedule
  126         that meets certain requirements; requiring controllers
  127         or processors that process certain personal data to
  128         demonstrate that such processing qualifies for a
  129         specified exemption; creating s. 501.72, F.S.;
  130         authorizing the Department of Legal Affairs to bring
  131         an action under the Florida Deceptive and Unfair Trade
  132         Practices Act for violations of the act; providing for
  133         civil penalties; providing for enhanced civil
  134         penalties for certain violations; authorizing the
  135         department to grant a specified timeframe within which
  136         an alleged violation may be cured; providing an
  137         exception; providing certain factors the department
  138         may take into consideration; requiring the department
  139         to make a report regarding certain enforcement actions
  140         publicly available on the department’s website;
  141         providing requirements for the report; requiring the
  142         department to adopt rules; authorizing the department
  143         to collaborate and cooperate with specified
  144         enforcement authorities; specifying that the act does
  145         not create a private cause of action; authorizing the
  146         department to employ or use outside legal counsel for
  147         specified purposes; providing for jurisdiction;
  148         creating s. 501.721, F.S.; declaring that the act is a
  149         matter of statewide concern; preempting the
  150         collection, processing, sharing, and sale of consumer
  151         personal data to the state; amending s. 501.171, F.S.;
  152         revising the definition of the term “personal
  153         information”; amending s. 16.53, F.S.; revising the
  154         purpose of the Legal Affairs Revolving Trust Fund;
  155         requiring that certain attorney fees, costs, and
  156         penalties recovered by the Attorney General be
  157         deposited in the trust fund; providing effective
  158         dates.
  160  Be It Enacted by the Legislature of the State of Florida:
  162         Section 1. Effective July 1, 2023, section 112.23, Florida
  163  Statutes, is created to read:
  164         112.23 Government-directed content moderation of social
  165  media platforms prohibited.—
  166         (1) As used in this section, the term:
  167         (a) “Governmental entity” means any officer or employee of
  168  a state, county, district, authority, municipality, department,
  169  agency, division, board, bureau, commission, or other separate
  170  unit of government created or established by law, and includes
  171  any other public or private entity acting on behalf of such
  172  governmental entity.
  173         (b) “Social media platform” means a form of electronic
  174  communication through which users create online communities or
  175  groups to share information, ideas, personal messages, and other
  176  content.
  177         (2) A governmental entity may not communicate with a social
  178  media platform to request that it remove content or accounts
  179  from the social media platform.
  180         (3) A governmental entity may not initiate or maintain any
  181  agreements or working relationships with a social media platform
  182  for the purpose of content moderation.
  183         (4) Subsections (2) and (3) do not apply if the
  184  governmental entity or an officer or an employee acting on
  185  behalf of a governmental entity is acting as part of any of the
  186  following:
  187         (a) Routine account management of the governmental entity’s
  188  account, including, but not limited to, the removal or revision
  189  of the governmental entity’s content or account or
  190  identification of accounts falsely posing as a governmental
  191  entity, officer, or salaried employee.
  192         (b) An attempt to remove content that pertains to the
  193  commission of a crime or violation of this state’s public
  194  records law.
  195         (c) An attempt to remove an account that pertains to the
  196  commission of a crime or violation of this state’s public
  197  records law.
  198         (d) An investigation or inquiry related to an effort to
  199  prevent imminent bodily harm, loss of life, or property damage.
  200         Section 2. Section 501.1735, Florida Statutes, is created
  201  to read:
  202         501.1735Protection of children in online spaces.—
  203         (1)DEFINITIONS.—As used in this section, the term:
  204         (a)“Child” or “children” means a consumer or consumers who
  205  are under 18 years of age.
  206         (b)“Collect” means to buy, rent, gather, obtain, receive,
  207  save, store, or access any personal information pertaining to a
  208  child.
  209         (c) “Dark pattern” means a user interface designed or
  210  manipulated with the substantial effect of subverting or
  211  impairing user autonomy, decision-making, or choice and
  212  includes, but is not limited to, any practice the Federal Trade
  213  Commission refers to as a dark pattern.
  214         (d) “Department” means the Department of Legal Affairs.
  215         (e) “Online platform” means a social media platform as
  216  defined in s. 112.23(1), online game, or online gaming platform.
  217         (f) “Personal information” means information that is linked
  218  or reasonably linkable to an identified or identifiable child,
  219  including biometric information and unique identifiers to the
  220  child.
  221         (g) “Precise geolocation data” means information identified
  222  through technology which enables the online platform to collect
  223  specific location data which directly identifies the specific
  224  location of a child with precision and accuracy within a radius
  225  of 1,750 feet.
  226         (h) “Processing” means any operation or set of operations
  227  performed on personal information or on sets of personal
  228  information, regardless of whether by automated means.
  229         (i) “Profile” or “profiling” means any form of automated
  230  processing performed on personal information to evaluate,
  231  analyze, or predict personal aspects relating to the economic
  232  situation, health, personal preferences, interests, reliability,
  233  behavior, location, or movements of a child.
  234         (j) “Sell” means to sell, rent, release, disclose,
  235  disseminate, make available, transfer, or otherwise communicate
  236  orally, in writing, or by electronic or other means, a child’s
  237  personal information or information that relates to a group or
  238  category of children by an online platform to another online
  239  platform or an affiliate or third party for monetary or other
  240  valuable consideration.
  241         (k) “Share” means to share, rent, release, disclose,
  242  disseminate, make available, transfer, or access a child’s
  243  personal information for advertising or marketing. The term
  244  includes:
  245         1. Allowing a third party to advertise or market based on a
  246  child’s personal information without disclosure of the personal
  247  information to the third party.
  248         2. Monetary transactions, nonmonetary transactions, and
  249  transactions for other valuable consideration between an online
  250  platform and a third party for advertising or marketing.
  251         (l) “Substantial harm or privacy risk to children” means
  252  the processing of personal information in a manner that may
  253  result in any reasonably foreseeable substantial physical
  254  injury, economic injury, or offensive intrusion into the privacy
  255  expectations of a reasonable child under the circumstances,
  256  including:
  257         1. Mental health disorders or associated behaviors,
  258  including the promotion or exacerbation of self-harm, suicide,
  259  eating disorders, and substance abuse disorders;
  260         2. Patterns of use that indicate or encourage addictive
  261  behaviors;
  262         3. Physical violence, online bullying, and harassment;
  263         4. Sexual exploitation, including enticement, sex
  264  trafficking, and sexual abuse and trafficking of online sexual
  265  abuse material;
  266         5. Promotion and marketing of tobacco products, gambling,
  267  alcohol, or narcotic drugs as defined in s. 102 of the
  268  Controlled Substances Act, 21 U.S.C. 802; or
  269         6. Predatory, unfair, or deceptive marketing practices or
  270  other financial harms.
  271         (2) PROHIBITIONS.—An online platform that provides an
  272  online service, product, game, or feature likely to be
  273  predominantly accessed by children may not:
  274         (a) Process the personal information of any child if the
  275  online platform has actual knowledge of or willfully disregards
  276  that the processing may result in substantial harm or privacy
  277  risk to children.
  278         (b) Profile a child unless both of the following criteria
  279  are met:
  280         1. The online platform can demonstrate it has appropriate
  281  safeguards in place to protect children.
  282         2.a. Profiling is necessary to provide the online service,
  283  product, or feature requested for the aspects of the online
  284  service, product, or feature with which the child is actively
  285  and knowingly engaged; or
  286         b. The online platform can demonstrate a compelling reason
  287  that profiling does not pose a substantial harm or privacy risk
  288  to children.
  289         (c) Collect, sell, share, or retain any personal
  290  information that is not necessary to provide an online service,
  291  product, or feature with which a child is actively and knowingly
  292  engaged unless the online platform can demonstrate a compelling
  293  reason that collecting, selling, sharing, or retaining the
  294  personal information does not pose a substantial harm or privacy
  295  risk to children.
  296         (d) Use personal information of a child for any reason
  297  other than the reason for which the personal information was
  298  collected, unless the online platform can demonstrate a
  299  compelling reason that the use of the personal information does
  300  not pose a substantial harm or privacy risk to children.
  301         (e) Collect, sell, or share any precise geolocation data of
  302  children unless the collection of the precise geolocation data
  303  is strictly necessary for the online platform to provide the
  304  service, product, or feature requested and then only for the
  305  limited time that the collection of the precise geolocation data
  306  is necessary to provide the service, product, or feature.
  307         (f) Collect any precise geolocation data of a child without
  308  providing an obvious sign to the child for the duration of the
  309  collection that the precise geolocation data is being collected.
  310         (g) Use dark patterns to lead or encourage children to
  311  provide personal information beyond what personal information
  312  would otherwise be reasonably expected to be provided for that
  313  online service, product, game, or feature; to forego privacy
  314  protections; or to take any action that the online platform has
  315  actual knowledge of or willfully disregards that may result in
  316  substantial harm or privacy risk to children.
  317         (h) Use any personal information collected to estimate age
  318  or age range for any other purpose or retain that personal
  319  information longer than necessary to estimate age. The age
  320  estimate must be proportionate to the risks and data practice of
  321  an online service, product, or feature.
  322         (3) BURDEN OF PROOF.—If an online platform processes
  323  personal information pursuant to subsection (2), the online
  324  platform bears the burden of demonstrating that such processing
  325  does not violate subsection (2).
  327         (a) Any violation of subsection (2) is an unfair and
  328  deceptive trade practice actionable under part II of chapter 501
  329  solely by the department against an online platform. If the
  330  department has reason to believe that an online platform is in
  331  violation of subsection (2), the department, as the enforcing
  332  authority, may bring an action against such online platform for
  333  an unfair or deceptive act or practice. For the purpose of
  334  bringing an action pursuant to this section, ss. 501.211 and
  335  501.212 do not apply. In addition to other remedies under part
  336  II of chapter 501, the department may collect a civil penalty of
  337  up to $50,000 per violation of this section. Civil penalties may
  338  be tripled for any violation involving a Florida child who the
  339  online platform has actual knowledge is under 18 years of age.
  340         (b) After the department has notified an online platform in
  341  writing of an alleged violation, the department may in its
  342  discretion grant a 45-day period to cure the alleged violation.
  343  If the violation is cured to the satisfaction of the department
  344  and proof of such cure is provided to the department, the
  345  department may not bring an action for the alleged violation but
  346  in its discretion may issue a letter of guidance that indicates
  347  that the online platform will not be offered a 45-day cure
  348  period for any future violations. If the online platform fails
  349  to cure the violation within 45 calendar days, the department
  350  may bring an action against the online platform for the alleged
  351  violation.
  352         (c) Any action brought by the department may be brought
  353  only on behalf of a Florida child.
  354         (d) The department may adopt rules to implement this
  355  section.
  356         (e) Liability for a tort, contract claim, or consumer
  357  protection claim that is unrelated to an action brought under
  358  this subsection does not arise solely from the failure of an
  359  online platform to comply with this section.
  360         (f) This section does not establish a private cause of
  361  action.
  362         (5) JURISDICTION.—For purposes of bringing an action
  363  pursuant to this section, any person who meets the definition of
  364  online platform which operates an online service, product, game,
  365  or feature likely to be predominantly accessed by children and
  366  accessible by Florida children located in this state is
  367  considered to be both engaged in substantial and not isolated
  368  activities within this state and operating, conducting, engaging
  369  in, or carrying on a business, and doing business in this state,
  370  and is therefore subject to the jurisdiction of the courts of
  371  this state.
  372         Section 3. The Division of Law Revision is directed to:
  373         (1)Redesignate current parts V, VI, and VII of chapter
  374  501, Florida Statutes, as parts VI, VII, and VIII of chapter
  375  501, Florida Statutes, respectively; and
  376         (2)Create a new part V of chapter 501, Florida Statutes,
  377  consisting of ss. 501.701-501.721, Florida Statutes, entitled
  378  “Data Privacy and Security.”
  379         Section 4. Section 501.701, Florida Statutes, is created to
  380  read:
  381         501.701 Short title.—This part may be cited as the “Florida
  382  Digital Bill of Rights.”
  383         Section 5. Section 501.702, Florida Statutes, is created to
  384  read:
  385         501.702 Definitions.—As used in this part, the term:
  386         (1)“Affiliate” means a legal entity that controls, is
  387  controlled by, or is under common control with another legal
  388  entity or that shares common branding with another legal entity.
  389  For purposes of this subsection, the term “control” or
  390  “controlled” means any of the following:
  391         (a)The ownership of, or power to vote, more than 50
  392  percent of the outstanding shares of any class of voting
  393  security of a company.
  394         (b)The control in any manner over the election of a
  395  majority of the directors or of individuals exercising similar
  396  functions.
  397         (c)The power to exercise controlling influence over the
  398  management of a company.
  399         (2)“Aggregate consumer information” means information that
  400  relates to a group or category of consumers, from which the
  401  identity of an individual consumer has been removed and is not
  402  reasonably capable of being directly or indirectly associated or
  403  linked with any consumer, household, or device. The term does
  404  not include information about a group or category of consumers
  405  used to facilitate targeted advertising or the display of ads
  406  online. The term does not include personal information that has
  407  been deidentified.
  408         (3)“Authenticate” or “authenticated” means to verify or
  409  the state of having been verified, respectively, through
  410  reasonable means that the consumer who is entitled to exercise
  411  the consumer’s rights under s. 501.705 is the same consumer
  412  exercising those consumer rights with respect to the personal
  413  data at issue.
  414         (4)“Biometric data” means data generated by automatic
  415  measurements of an individual’s biological characteristics. The
  416  term includes fingerprints, voiceprints, eye retinas or irises,
  417  or other unique biological patterns or characteristics used to
  418  identify a specific individual. The term does not include
  419  physical or digital photographs, video or audio recordings or
  420  data generated from video or audio recordings, or information
  421  collected, used, or stored for health care treatment, payment,
  422  or operations under the Health Insurance Portability and
  423  Accountability Act of 1996, 42 U.S.C. ss. 1320d et seq.
  424         (5)“Business associate” has the same meaning as in 45
  425  C.F.R. s. 160.103 and the Health Insurance Portability and
  426  Accountability Act of 1996, 42 U.S.C. ss. 1320d et seq.
  427         (6)“Child” means an individual younger than 18 years of
  428  age.
  429         (7)“Consent,” when referring to a consumer, means a clear
  430  affirmative act signifying a consumer’s freely given, specific,
  431  informed, and unambiguous agreement to process personal data
  432  relating to the consumer. The term includes a written statement,
  433  including a statement written by electronic means, or any other
  434  unambiguous affirmative act. The term does not include any of
  435  the following:
  436         (a)Acceptance of a general or broad terms of use or
  437  similar document that contains descriptions of personal data
  438  processing along with other, unrelated information.
  439         (b)Hovering over, muting, pausing, or closing a given
  440  piece of content.
  441         (c)Agreement obtained through the use of dark patterns.
  442         (8)“Consumer” means an individual who is a resident of or
  443  is domiciled in this state acting only in an individual or
  444  household context. The term does not include an individual
  445  acting in a commercial or employment context.
  446         (9)“Controller” means:
  447         (a)A sole proprietorship, partnership, limited liability
  448  company, corporation, association, or legal entity that meets
  449  the following requirements:
  450         1.Is organized or operated for the profit or financial
  451  benefit of its shareholders or owners;
  452         2.Conducts business in this state;
  453         3.Collects personal data about consumers, or is the entity
  454  on behalf of which such information is collected;
  455         4.Determines the purposes and means of processing personal
  456  data about consumers alone or jointly with others;
  457         5.Makes in excess of $1 billion in global gross annual
  458  revenues; and
  459         6.Satisfies at least one of the following:
  460         a.Derives 50 percent or more of its global gross annual
  461  revenues from the sale of advertisements online, including
  462  providing targeted advertising or the sale of ads online;
  463         b.Operates a consumer smart speaker and voice command
  464  component service with an integrated virtual assistant connected
  465  to a cloud computing service that uses hands-free verbal
  466  activation. For purposes of this sub-subparagraph, a consumer
  467  smart speaker and voice command component service does not
  468  include a motor vehicle or speaker or device associated with or
  469  connected to a vehicle which is operated by a motor vehicle
  470  manufacturer or a subsidiary or affiliate thereof; or
  471         c. Operates an app store or a digital distribution platform
  472  that offers at least 250,000 different software applications for
  473  consumers to download and install.
  474         (b)Any entity that controls or is controlled by a
  475  controller. As used in this paragraph, the term “control” means:
  476         1.Ownership of, or the power to vote, more than 50 percent
  477  of the outstanding shares of any class of voting security of a
  478  controller;
  479         2.Control in any manner over the election of a majority of
  480  the directors, or of individuals exercising similar functions;
  481  or
  482         3.The power to exercise a controlling influence over the
  483  management of a company.
  484         (10)“Covered entity” has the same meaning as in 45 C.F.R.
  485  s. 160.103 and the Health Insurance Portability and
  486  Accountability Act of 1996, 42 U.S.C. ss. 1320d et seq.
  487         (11)“Dark pattern” means a user interface designed or
  488  manipulated with the effect of substantially subverting or
  489  impairing user autonomy, decisionmaking, or choice. The term
  490  includes any practice the Federal Trade Commission refers to as
  491  a dark pattern.
  492         (12)“Decision that produces a legal or similarly
  493  significant effect concerning a consumer” means a decision made
  494  by a controller which results in the provision or denial by the
  495  controller of any of the following:
  496         (a)Financial and lending services.
  497         (b)Housing, insurance, or health care services.
  498         (c)Education enrollment.
  499         (d)Employment opportunities.
  500         (e)Criminal justice.
  501         (f)Access to basic necessities, such as food and water.
  502         (13)“Deidentified data” means data that cannot reasonably
  503  be linked to an identified or identifiable individual or a
  504  device linked to that individual.
  505         (14)“Health care provider” has the same meaning as in 45
  506  C.F.R. s. 160.103 and the Health Insurance Portability and
  507  Accountability Act of 1996, 42 U.S.C. ss. 1320d et seq.
  508         (15)“Health record” means any written, printed, or
  509  electronically recorded material maintained by a health care
  510  provider in the course of providing health care services to an
  511  individual which concerns the individual and the services
  512  provided. The term includes any of the following:
  513         (a)The substance of any communication made by an
  514  individual to a health care provider in confidence during or in
  515  connection with the provision of health care services.
  516         (b)Information otherwise acquired by the health care
  517  provider about an individual in confidence and in connection
  518  with health care services provided to the individual.
  519         (16)“Identified or identifiable individual” means a
  520  consumer who can be readily identified, directly or indirectly.
  521         (17)“Known child” means a child under circumstances of
  522  which a controller has actual knowledge of, or willfully
  523  disregards, the child’s age.
  524         (18)“Nonprofit organization” means any of the following:
  525         (a)An organization exempt from federal taxation under s.
  526  501(a) of the Internal Revenue Code of 1986 by virtue of being
  527  listed as an exempt organization under s. 501(c)(3), s.
  528  501(c)(4), s. 501(c)(6), or s. 501(c)(12) of that code.
  529         (b)A political organization.
  530         (19)“Personal data” means any information, including
  531  sensitive data, which is linked or reasonably linkable to an
  532  identified or identifiable individual. The term includes
  533  pseudonymous data when the data is used by a controller or
  534  processor in conjunction with additional information that
  535  reasonably links the data to an identified or identifiable
  536  individual. The term does not include deidentified data or
  537  publicly available information.
  538         (20)“Political organization” means a party, a committee,
  539  an association, a fund, or any other organization, regardless of
  540  whether incorporated, organized and operated primarily for the
  541  purpose of influencing or attempting to influence any of the
  542  following:
  543         (a)The selection, nomination, election, or appointment of
  544  an individual to a federal, state, or local public office or an
  545  office in a political organization, regardless of whether the
  546  individual is selected, nominated, elected, or appointed.
  547         (b)The election of a presidential or vice-presidential
  548  elector, regardless of whether the elector is selected,
  549  nominated, elected, or appointed.
  550         (21)“Postsecondary education institution means a Florida
  551  College System institution, state university, or nonpublic
  552  postsecondary education institution that receives state funds.
  553         (22)“Precise geolocation data” means information derived
  554  from technology, including global positioning system level
  555  latitude and longitude coordinates or other mechanisms, which
  556  directly identifies the specific location of an individual with
  557  precision and accuracy within a radius of 1,750 feet. The term
  558  does not include the content of communications or any data
  559  generated by or connected to an advanced utility metering
  560  infrastructure system or to equipment for use by a utility.
  561         (23)“Process” or “processing” means an operation or set of
  562  operations performed, whether by manual or automated means, on
  563  personal data or on sets of personal data, such as the
  564  collection, use, storage, disclosure, analysis, deletion, or
  565  modification of personal data.
  566         (24)“Processor” means a person who processes personal data
  567  on behalf of a controller.
  568         (25)“Profiling” means any form of solely automated
  569  processing performed on personal data to evaluate, analyze, or
  570  predict personal aspects related to an identified or
  571  identifiable individual’s economic situation, health, personal
  572  preferences, interests, reliability, behavior, location, or
  573  movements.
  574         (26)“Protected health information” has the same meaning as
  575  in 45 C.F.R. s. 160.103 and the Health Insurance Portability and
  576  Accountability Act of 1996, 42 U.S.C. ss. 1320d et seq.
  577         (27)“Pseudonymous data” means any information that cannot
  578  be attributed to a specific individual without the use of
  579  additional information, provided that the additional information
  580  is kept separately and is subject to appropriate technical and
  581  organizational measures to ensure that the personal data is not
  582  attributed to an identified or identifiable individual.
  583         (28)“Publicly available information” means information
  584  lawfully made available through government records, or
  585  information that a business has a reasonable basis for believing
  586  is lawfully made available to the general public through widely
  587  distributed media, by a consumer, or by a person to whom a
  588  consumer has disclosed the information, unless the consumer has
  589  restricted the information to a specific audience.
  590         (29)“Sale of personal data” means the sharing, disclosing,
  591  or transferring of personal data for monetary or other valuable
  592  consideration by the controller to a third party. The term does
  593  not include any of the following:
  594         (a)The disclosure of personal data to a processor who
  595  processes the personal data on the controller’s behalf.
  596         (b)The disclosure of personal data to a third party for
  597  purposes of providing a product or service requested by the
  598  consumer.
  599         (c)The disclosure of information that the consumer:
  600         1.Intentionally made available to the general public
  601  through a mass media channel; and
  602         2.Did not restrict to a specific audience.
  603         (d)The disclosure or transfer of personal data to a third
  604  party as an asset that is part of a merger or an acquisition.
  605         (30) “Search engine” means technology and systems that use
  606  algorithms to sift through and index vast third-party websites
  607  and content on the Internet in response to search queries
  608  entered by a user. The term does not include the license of
  609  search functionality for the purpose of enabling the licensee to
  610  operate a third-party search engine service in circumstances
  611  where the licensee does not have legal or operational control of
  612  the search algorithm, the index from which results are
  613  generated, or the ranking order in which the results are
  614  provided.
  615         (31)“Sensitive data” means a category of personal data
  616  which includes any of the following:
  617         (a)Personal data revealing an individual’s racial or
  618  ethnic origin, religious beliefs, mental or physical health
  619  diagnosis, sexual orientation, or citizenship or immigration
  620  status.
  621         (b)Genetic or biometric data processed for the purpose of
  622  uniquely identifying an individual.
  623         (c)Personal data collected from a known child.
  624         (d)Precise geolocation data.
  625         (32)“State agency” means any department, commission,
  626  board, office, council, authority, or other agency in the
  627  executive branch of state government created by the State
  628  Constitution or state law. The term includes a postsecondary
  629  education institution.
  630         (33) “Targeted advertising” means displaying to a consumer
  631  an advertisement selected based on personal data obtained from
  632  that consumer’s activities over time across affiliated or
  633  unaffiliated websites and online applications used to predict
  634  the consumer’s preferences or interests. The term does not
  635  include an advertisement that is:
  636         (a) Based on the context of a consumer’s current search
  637  query on the controller’s own website or online application; or
  638         (b) Directed to a consumer search query on the controller’s
  639  own website or online application in response to the consumer’s
  640  request for information or feedback.
  641         (34) “Third party” means a person, other than the consumer,
  642  the controller, the processor, or an affiliate of the controller
  643  or processor.
  644         (35) “Trade secret” has the same meaning as in s. 812.081.
  645         (36) “Voice recognition feature” means the function of a
  646  device which enables the collection, recording, storage,
  647  analysis, transmission, interpretation, or other use of spoken
  648  words or other sounds.
  649         Section 6. Section 501.703, Florida Statutes, is created to
  650  read:
  651         501.703 Applicability.—
  652         (1) This part applies only to a person who:
  653         (a) Conducts business in this state or produces a product
  654  or service used by residents of this state; and
  655         (b) Processes or engages in the sale of personal data.
  656         (2) This part does not apply to any of the following:
  657         (a) A state agency or a political subdivision of the state.
  658         (b) A financial institution or data subject to Title V,
  659  Gramm-Leach-Bliley Act, 15 U.S.C. ss. 6801 et seq.
  660         (c) A covered entity or business associate governed by the
  661  privacy, security, and breach notification regulations issued by
  662  the United States Department of Health and Human Services, 45
  663  C.F.R. parts 160 and 164, established under the Health Insurance
  664  Portability and Accountability Act of 1996, 42 U.S.C. ss. 1320d
  665  et seq., and the Health Information Technology for Economic and
  666  Clinical Health Act, Division A, Title XIII and Division B,
  667  Title IV, Pub. L. No. 111-5.
  668         (d) A nonprofit organization.
  669         (e) A postsecondary education institution.
  670         (f) The processing of personal data:
  671         1. By a person in the course of a purely personal or
  672  household activity.
  673         2. Solely for measuring or reporting advertising
  674  performance, reach, or frequency.
  675         (3) A controller or processor that complies with the
  676  authenticated parental consent requirements of the Children’s
  677  Online Privacy Protection Act, 15 U.S.C. ss. 6501 et seq., with
  678  respect to data collected online, is considered to be in
  679  compliance with any requirement to obtain parental consent under
  680  this part.
  681         Section 7. Section 501.704, Florida Statutes, is created to
  682  read:
  683         501.704 Exemptions.—All of the following information is
  684  exempt from this part:
  685         (1) Protected health information under the Health Insurance
  686  Portability and Accountability Act of 1996, 42 U.S.C. ss. 1320d
  687  et seq.
  688         (2) Health records.
  689         (3) Patient identifying information for purposes of 42
  690  U.S.C. s. 290dd-2.
  691         (4) Identifiable private information:
  692         (a) For purposes of the federal policy for the protection
  693  of human subjects under 45 C.F.R. part 46;
  694         (b) Collected as part of human subjects research under the
  695  good clinical practice guidelines issued by the International
  696  Council for Harmonisation of Technical Requirements for
  697  Pharmaceuticals for Human Use or the protection of human
  698  subjects under 21 C.F.R. parts 50 and 56; or
  699         (c) That is personal data used or shared in research
  700  conducted in accordance with this part or other research
  701  conducted in accordance with applicable law.
  702         (5) Information and documents created for purposes of the
  703  Health Care Quality Improvement Act of 1986, 42 U.S.C. ss. 11101
  704  et seq.
  705         (6) Patient safety work product for purposes of the Patient
  706  Safety and Quality Improvement Act of 2005, 42 U.S.C. ss. 299b
  707  21 et seq.
  708         (7) Information derived from any of the health-care-related
  709  information listed in this section which is deidentified in
  710  accordance with the requirements for deidentification under the
  711  Health Insurance Portability and Accountability Act of 1996, 42
  712  U.S.C. ss. 1320d et seq.
  713         (8) Information originating from, and intermingled to be
  714  indistinguishable with, or information treated in the same
  715  manner as, information exempt under this section which is
  716  maintained by a covered entity or business associate as defined
  717  by the Health Insurance Portability and Accountability Act of
  718  1996, 42 U.S.C. ss. 1320d et seq. or by a program or a qualified
  719  service organization as defined by 42 U.S.C. s. 290dd-2.
  720         (9) Information included in a limited data set as described
  721  by 45 C.F.R. s. 164.514(e), to the extent that the information
  722  is used, disclosed, and maintained in the manner specified by 45
  723  C.F.R. s. 164.514(e).
  724         (10) Information used only for public health activities and
  725  purposes as described in 45 C.F.R. s. 164.512.
  726         (11) Information collected or used only for public health
  727  activities and purposes as authorized by the Health Insurance
  728  Portability and Accountability Act of 1996, 42 U.S.C. ss. 1320d
  729  et seq.
  730         (12) The collection, maintenance, disclosure, sale,
  731  communication, or use of any personal data bearing on a
  732  consumer’s creditworthiness, credit standing, credit capacity,
  733  character, general reputation, personal characteristics, or mode
  734  of living by a consumer reporting agency or furnisher that
  735  provides information for use in a consumer report, or by a user
  736  of a consumer report, but only to the extent that the activity
  737  is regulated by and authorized under the Fair Credit Reporting
  738  Act, 15 U.S.C. ss. 1681 et seq.
  739         (13) Personal data collected, processed, sold, or disclosed
  740  in compliance with the Driver’s Privacy Protection Act of 1994,
  741  18 U.S.C. ss. 2721 et seq.
  742         (14) Personal data regulated by the Family Educational
  743  Rights and Privacy Act of 1974, 20 U.S.C. s. 1232g.
  744         (15) Personal data collected, processed, sold, or disclosed
  745  in compliance with the Farm Credit Act of 1971, 12 U.S.C. ss.
  746  2001 et seq.
  747         (16) Data processed or maintained in the course of an
  748  individual applying to, being employed by, or acting as an agent
  749  or independent contractor of a controller, processor, or third
  750  party, to the extent that the data is collected and used within
  751  the context of that role.
  752         (17) Data processed or maintained as the emergency contact
  753  information of an individual under this part which is used for
  754  emergency contact purposes.
  755         (18) Data that is processed or maintained and that is
  756  necessary to retain to administer benefits for another
  757  individual which relates to an individual described in
  758  subsection (16) and which is used for the purposes of
  759  administering those benefits.
  760         (19) Personal data collected and transmitted which is
  761  necessary for the sole purpose of sharing such personal data
  762  with a financial service provider solely to facilitate short
  763  term, transactional payment processing for the purchase of
  764  products or services.
  765         (20) Personal data collected, processed, sold, or disclosed
  766  in relation to price, route, or service as those terms are used
  767  in the Airline Deregulation Act, 49 U.S.C. ss. 40101 et seq., by
  768  entities subject to that act, to the extent the provisions of
  769  this act are preempted by 49 U.S.C. s. 41713.
  770         (21) Personal data shared between a manufacturer of a
  771  tangible product and authorized third-party distributors or
  772  vendors of the product, as long as such personal data is used
  773  solely for advertising, marketing, or servicing the product that
  774  is acquired directly through such manufacturer and such
  775  authorized third-party distributors or vendors. Such personal
  776  data may not be sold or shared unless otherwise authorized under
  777  this part.
  778         Section 8. Section 501.705, Florida Statutes, is created to
  779  read:
  780         501.705 Consumer rights.—
  781         (1) A consumer is entitled to exercise the consumer rights
  782  authorized by this section at any time by submitting a request
  783  to a controller which specifies the consumer rights that the
  784  consumer wishes to exercise. With respect to the processing of
  785  personal data belonging to a known child, a parent or legal
  786  guardian of the child may exercise these rights on behalf of the
  787  child.
  788         (2) A controller shall comply with an authenticated
  789  consumer request to exercise any of the following rights:
  790         (a) To confirm whether a controller is processing the
  791  consumer’s personal data and to access the personal data.
  792         (b) To correct inaccuracies in the consumer’s personal
  793  data, taking into account the nature of the personal data and
  794  the purposes of the processing of the consumer’s personal data.
  795         (c) To delete any or all personal data provided by or
  796  obtained about the consumer.
  797         (d) To obtain a copy of the consumer’s personal data in a
  798  portable and, to the extent technically feasible, readily usable
  799  format if the data is available in a digital format.
  800         (e) To opt out of the processing of the personal data for
  801  purposes of:
  802         1. Targeted advertising;
  803         2. The sale of personal data; or
  804         3. Profiling in furtherance of a decision that produces a
  805  legal or similarly significant effect concerning a consumer.
  806         (f) To opt out of the collection of sensitive data,
  807  including precise geolocation data, or the processing of
  808  sensitive data.
  809         (g) To opt out of the collection of personal data collected
  810  through the operation of a voice recognition or facial
  811  recognition feature.
  812         (3) A device that has a voice recognition feature, a facial
  813  recognition feature, a video recording feature, an audio
  814  recording feature, or any other electronic, visual, thermal, or
  815  olfactory feature that collects data may not use those features
  816  for the purpose of surveillance by the controller, processor, or
  817  affiliate of a controller or processor when such features are
  818  not in active use by the consumer, unless otherwise expressly
  819  authorized by the consumer.
  820         Section 9. Section 501.706, Florida Statutes, is created to
  821  read:
  822         501.706 Controller response to consumer requests.—
  823         (1)Except as otherwise provided by this part, a controller
  824  shall comply with a request submitted by a consumer to exercise
  825  the consumer’s rights pursuant to s. 501.705, as provided in
  826  this section.
  827         (2)A controller shall respond to the consumer request
  828  without undue delay, which may not be later than 45 days after
  829  the date of receipt of the request. The controller may extend
  830  the response period once by an additional 15 days when
  831  reasonably necessary, taking into account the complexity and
  832  number of the consumer’s requests, so long as the controller
  833  informs the consumer of the extension within the initial 45-day
  834  response period, together with the reason for the extension.
  835         (3)If a controller cannot take action regarding the
  836  consumer’s request, the controller must inform the consumer
  837  without undue delay, which may not be later than 45 days after
  838  the date of receipt of the request, of the justification for the
  839  inability to take action on the request and provide instructions
  840  on how to appeal the decision in accordance with s. 501.707. A
  841  controller is not required to comply with a consumer request
  842  submitted under s. 501.705 if the controller cannot authenticate
  843  the request. However, the controller must make a reasonable
  844  effort to request that the consumer provide additional
  845  information reasonably necessary to authenticate the consumer
  846  and the consumer’s request. If a controller maintains a self
  847  service mechanism to allow a consumer to correct certain
  848  personal data, the controller may deny the consumer’s request
  849  and require the consumer to correct his or her own personal data
  850  through such mechanism.
  851         (4) A controller must provide the consumer with notice
  852  within 60 days after the request is received that the controller
  853  has complied with the consumer’s request as required in this
  854  section.
  855         (5)A controller shall provide information or take action
  856  in response to a consumer request free of charge, at least twice
  857  annually per consumer. If a request from a consumer is
  858  manifestly unfounded, excessive, or repetitive, the controller
  859  may charge the consumer a reasonable fee to cover the
  860  administrative costs of complying with the request or may
  861  decline to act on the request. The controller bears the burden
  862  of demonstrating for purposes of this subsection that a request
  863  is manifestly unfounded, excessive, or repetitive.
  864         (6)A controller who has obtained personal data about a
  865  consumer from a source other than the consumer is considered in
  866  compliance with a consumer’s request to delete that personal
  867  data pursuant to s. 501.705(2)(c), by doing any of the
  868  following:
  869         (a)Deleting the personal data, retaining a record of the
  870  deletion request and the minimum data necessary for the purpose
  871  of ensuring that the consumer’s personal data remains deleted
  872  from the business’s records, and not using the retained data for
  873  any other purpose under this part.
  874         (b)Opting the consumer out of the processing of that
  875  personal data for any purpose other than a purpose exempt under
  876  this part.
  877         Section 10. Section 501.707, Florida Statutes, is created
  878  to read:
  879         501.707 Appeal.—
  880         (1)A controller shall establish a process for a consumer
  881  to appeal the controller’s refusal to take action on a request
  882  within a reasonable period of time after the consumer’s receipt
  883  of the decision under s. 501.706(3).
  884         (2)The appeal process must be conspicuously available and
  885  similar to the process for initiating action to exercise
  886  consumer rights by submitting a request under s. 501.705.
  887         (3)A controller shall inform the consumer in writing of
  888  any action taken or not taken in response to an appeal under
  889  this section within 60 days after the date of receipt of the
  890  appeal, including a written explanation of the reason or reasons
  891  for the decision.
  892         Section 11. Section 501.708, Florida Statutes, is created
  893  to read:
  894         501.708 Waiver or limitation of consumer rights
  895  prohibited.—Any provision of a contract or agreement which
  896  waives or limits in any way a consumer right described by s.
  897  501.705, s. 501.706, or s. 501.707 is contrary to public policy
  898  and is void and unenforceable.
  899         Section 12. Section 501.709, Florida Statutes, is created
  900  to read:
  901         501.709 Submitting consumer requests.—
  902         (1)A controller shall establish two or more methods to
  903  enable consumers to submit a request to exercise their consumer
  904  rights under this part. The methods must be secure, reliable,
  905  and clearly and conspicuously accessible. The methods must take
  906  all of the following into account:
  907         (a)The ways in which consumers normally interact with the
  908  controller.
  909         (b)The necessity for secure and reliable communications of
  910  these requests.
  911         (c)The ability of the controller to authenticate the
  912  identity of the consumer making the request.
  913         (2)A controller may not require a consumer to create a new
  914  account to exercise the consumer’s rights under this part but
  915  may require a consumer to use an existing account.
  916         (3)A controller shall provide a mechanism on its website
  917  for a consumer to submit a request for information required to
  918  be disclosed under this part. A controller that operates
  919  exclusively online and has a direct relationship with a consumer
  920  from whom the controller collects personal data may also provide
  921  an e-mail address for the submission of requests.
  922         Section 13. Section 501.71, Florida Statutes, is created to
  923  read:
  924         501.71 Controller duties.—
  925         (1)A controller shall:
  926         (a)Limit the collection of personal data to data that is
  927  adequate, relevant, and reasonably necessary in relation to the
  928  purposes for which it is processed, as disclosed to the
  929  consumer; and
  930         (b)For purposes of protecting the confidentiality,
  931  integrity, and accessibility of personal data, establish,
  932  implement, and maintain reasonable administrative, technical,
  933  and physical data security practices appropriate to the volume
  934  and nature of the personal data at issue.
  935         (2)A controller may not do any of the following:
  936         (a)Except as otherwise provided by this part, process
  937  personal data for a purpose that is neither reasonably necessary
  938  nor compatible with the purpose for which the personal data is
  939  processed, as disclosed to the consumer, unless the controller
  940  obtains the consumer’s consent.
  941         (b)Process personal data in violation of state or federal
  942  laws that prohibit unlawful discrimination against consumers.
  943         (c)Discriminate against a consumer for exercising any of
  944  the consumer rights contained in this part, including by denying
  945  goods or services, charging different prices or rates for goods
  946  or services, or providing a different level of quality of goods
  947  or services to the consumer. A controller may offer financial
  948  incentives, including payments to consumers as compensation, for
  949  processing of personal data if the consumer gives the controller
  950  prior consent that clearly describes the material terms of the
  951  financial incentive program and provided that such incentive
  952  practices are not unjust, unreasonable, coercive, or usurious in
  953  nature. The consent may be revoked by the consumer at any time.
  954         (d)Process the sensitive data of a consumer without
  955  obtaining the consumer’s consent, or, in the case of processing
  956  the sensitive data of a known child, without processing that
  957  data with the affirmative authorization for such processing by a
  958  known child who is between 13 and 18 years of age or in
  959  accordance with the Children’s Online Privacy Protection Act, 15
  960  U.S.C. ss. 6501 et seq. for a known child under the age of 13.
  961         (3)Paragraph (2)(c) may not be construed to require a
  962  controller to provide a product or service that requires the
  963  personal data of a consumer which the controller does not
  964  collect or maintain or to prohibit a controller from offering a
  965  different price, rate, level, quality, or selection of goods or
  966  services to a consumer, including offering goods or services for
  967  no fee, if the consumer has exercised the consumer’s right to
  968  opt out under s. 501.705(2) or the offer is related to a
  969  consumer’s voluntary participation in a bona fide loyalty,
  970  rewards, premium features, discounts, or club card program.
  971         (4)A controller that operates a search engine shall make
  972  available, in an easily accessible location on the webpage which
  973  does not require a consumer to log in or register to read, an
  974  up-to-date plain language description of the main parameters
  975  that are individually or collectively the most significant in
  976  determining ranking and the relative importance of those main
  977  parameters, including the prioritization or deprioritization of
  978  political partisanship or political ideology in search results.
  979  Algorithms are not required to be disclosed nor is any other
  980  information that, with reasonable certainty, would enable
  981  deception of or harm to consumers through the manipulation of
  982  search results.
  983         Section 14. Section 501.711, Florida Statutes, is created
  984  to read:
  985         501.711Privacy notices.—
  986         (1)A controller shall provide consumers with a reasonably
  987  accessible and clear privacy notice, updated at least annually,
  988  that includes all of the following information:
  989         (a)The categories of personal data processed by the
  990  controller, including, if applicable, any sensitive data
  991  processed by the controller.
  992         (b)The purpose of processing personal data.
  993         (c)How consumers may exercise their rights under s.
  994  501.705(2), including the process by which a consumer may appeal
  995  a controller’s decision with regard to the consumer’s request.
  996         (d)If applicable, the categories of personal data that the
  997  controller shares with third parties.
  998         (e)If applicable, the categories of third parties with
  999  whom the controller shares personal data.
 1000         (f)A description of the methods specified in s. 501.709,
 1001  by which consumers can submit requests to exercise their
 1002  consumer rights under this part.
 1003         (2)If a controller engages in the sale of personal data
 1004  that is sensitive data, the controller must provide the
 1005  following notice: “NOTICE: This website may sell your sensitive
 1006  personal data.” The notice must be posted in accordance with
 1007  subsection (1).
 1008         (3)If a controller engages in the sale of personal data
 1009  that is biometric data, the controller must provide the
 1010  following notice: “NOTICE: This website may sell your biometric
 1011  personal data.” The notice must be posted in accordance with
 1012  subsection (1).
 1013         (4)If a controller sells personal data to third parties or
 1014  processes personal data for targeted advertising, the controller
 1015  must clearly and conspicuously disclose that process and the
 1016  manner in which a consumer may exercise the right to opt out of
 1017  that process.
 1018         (5)A controller may not collect additional categories of
 1019  personal information or use personal information collected for
 1020  additional purposes without providing the consumer with notice
 1021  consistent with this section.
 1022         Section 15. Section 501.712, Florida Statutes, is created
 1023  to read:
 1024         501.712 Duties of processor.—
 1025         (1)A processor shall adhere to the instructions of a
 1026  controller and shall assist the controller in meeting or
 1027  complying with the controller’s duties under this section and
 1028  the requirements of this part, including the following:
 1029         (a)Assisting the controller in responding to consumer
 1030  rights requests submitted pursuant to ss. 501.705 and 501.709,
 1031  by using appropriate technical and organizational measures, as
 1032  reasonably practicable, taking into account the nature of
 1033  processing and the information available to the processor.
 1034         (b)Assisting the controller with regard to complying with
 1035  the requirement relating to the security of processing personal
 1036  data and to the notification of a breach of security of the
 1037  processor’s system under s. 501.171, taking into account the
 1038  nature of processing and the information available to the
 1039  processor.
 1040         (c)Providing necessary information to enable the
 1041  controller to conduct and document data protection assessments
 1042  under s. 501.713.
 1043         (2)A contract between a controller and a processor governs
 1044  the processor’s data processing procedures with respect to
 1045  processing performed on behalf of the controller. The contract
 1046  must include all of the following information:
 1047         (a)Clear instructions for processing data.
 1048         (b)The nature and purpose of processing.
 1049         (c)The type of data subject to processing.
 1050         (d)The duration of processing.
 1051         (e)The rights and obligations of both parties.
 1052         (f)A requirement that the processor:
 1053         1.Ensure that each person processing personal data is
 1054  subject to a duty of confidentiality with respect to the data;
 1055         2.At the controller’s direction, delete or return all
 1056  personal data to the controller as requested after the provision
 1057  of the service is completed, unless retention of the personal
 1058  data is required by law;
 1059         3.Make available to the controller, upon reasonable
 1060  request, all information in the processor’s possession necessary
 1061  to demonstrate the processor’s compliance with this part;
 1062         4.Allow, and cooperate with, reasonable assessments by the
 1063  controller or the controller’s designated assessor; and
 1064         5.Engage any subcontractor pursuant to a written contract
 1065  that requires the subcontractor to meet the requirements of the
 1066  processor with respect to the personal data.
 1067         (3)Notwithstanding subparagraph (2)(f)4., a processor may
 1068  arrange for a qualified and independent assessor to conduct an
 1069  assessment of the processor’s policies and technical and
 1070  organizational measures in support of the requirements under
 1071  this part using an appropriate and accepted control standard or
 1072  framework and assessment procedure. The processor shall provide
 1073  a report of the assessment to the controller upon request.
 1074         (4)This section may not be construed to relieve a
 1075  controller or a processor from the liabilities imposed on the
 1076  controller or processor by virtue of its role in the processing
 1077  relationship as described by this part.
 1078         (5)A determination as to whether a person is acting as a
 1079  controller or processor with respect to a specific processing of
 1080  data is a fact-based determination that depends on the context
 1081  in which personal data is to be processed. A processor that
 1082  continues to adhere to a controller’s instructions with respect
 1083  to a specific processing of personal data remains in the role of
 1084  a processor.
 1085         Section 16. Section 501.713, Florida Statutes, is created
 1086  to read:
 1087         501.713 Data protection assessments.—
 1088         (1)A controller shall conduct and document a data
 1089  protection assessment of each of the following processing
 1090  activities involving personal data:
 1091         (a)The processing of personal data for purposes of
 1092  targeted advertising.
 1093         (b)The sale of personal data.
 1094         (c)The processing of personal data for purposes of
 1095  profiling if the profiling presents a reasonably foreseeable
 1096  risk of:
 1097         1.Unfair or deceptive treatment of or unlawful disparate
 1098  impact on consumers;
 1099         2.Financial, physical, or reputational injury to
 1100  consumers;
 1101         3.A physical or other intrusion on the solitude or
 1102  seclusion, or the private affairs or concerns, of consumers, if
 1103  the intrusion would be offensive to a reasonable person; or
 1104         4.Other substantial injury to consumers.
 1105         (d)The processing of sensitive data.
 1106         (e)Any processing activities involving personal data which
 1107  present a heightened risk of harm to consumers.
 1108         (2)A data protection assessment conducted under subsection
 1109  (1) must do all of the following:
 1110         (a)Identify and weigh the direct or indirect benefits that
 1111  may flow from the processing to the controller, the consumer,
 1112  other stakeholders, and the public against the potential risks
 1113  to the rights of the consumer associated with that processing,
 1114  as mitigated by safeguards that can be employed by the
 1115  controller to reduce such risks.
 1116         (b)Factor into the assessment:
 1117         1.The use of deidentified data;
 1118         2.The reasonable expectations of consumers;
 1119         3.The context of the processing; and
 1120         4.The relationship between the controller and the consumer
 1121  whose personal data will be processed.
 1122         (3)The disclosure of a data protection assessment in
 1123  compliance with a request from the Attorney General pursuant to
 1124  s. 501.72 does not constitute a waiver of attorney-client
 1125  privilege or work product protection with respect to the
 1126  assessment and any information contained in the assessment.
 1127         (4)A single data protection assessment may address a
 1128  comparable set of processing operations which include similar
 1129  activities.
 1130         (5)A data protection assessment conducted by a controller
 1131  for the purpose of compliance with any other law or regulation
 1132  may constitute compliance with the requirements of this section
 1133  if the assessment has a reasonably comparable scope and effect.
 1134         (6)This section applies only to processing activities
 1135  generated on or after July 1, 2023.
 1136         Section 17. Section 501.714, Florida Statutes, is created
 1137  to read:
 1138         501.714 Deidentified data, pseudonymous data, and aggregate
 1139  consumer information.—
 1140         (1)A controller in possession of deidentified data shall
 1141  do all of the following:
 1142         (a)Take reasonable measures to ensure that the data cannot
 1143  be associated with an individual.
 1144         (b)Maintain and use the data in deidentified form. A
 1145  controller may not attempt to reidentify the data, except that
 1146  the controller may attempt to reidentify the data solely for the
 1147  purpose of determining whether its deidentification processes
 1148  satisfy the requirements of this section.
 1149         (c)Contractually obligate any recipient of the
 1150  deidentified data to comply with this part.
 1151         (d)Implement business processes to prevent the inadvertent
 1152  release of deidentified data.
 1153         (2)This part may not be construed to require a controller
 1154  or processor to do any of the following:
 1155         (a)Reidentify deidentified data or pseudonymous data.
 1156         (b)Maintain data in an identifiable form or obtain,
 1157  retain, or access any data or technology for the purpose of
 1158  allowing the controller or processor to associate a consumer
 1159  request with personal data.
 1160         (c)Comply with an authenticated consumer rights request
 1161  under s. 501.705 if the controller:
 1162         1.Is not reasonably capable of associating the request
 1163  with the personal data or it would be unreasonably burdensome
 1164  for the controller to associate the request with the personal
 1165  data;
 1166         2.Does not use the personal data to recognize or respond
 1167  to the specific consumer who is the subject of the personal data
 1168  or associate the personal data with other personal data about
 1169  the same specific consumer; and
 1170         3.Does not sell the personal data to a third party or
 1171  otherwise voluntarily disclose the personal data to a third
 1172  party other than a processor, except as otherwise authorized by
 1173  this section.
 1174         (3)The consumer rights enumerated under s. 501.705(2), and
 1175  controller duties imposed under s. 501.71, do not apply to
 1176  pseudonymous data or aggregate consumer information in cases in
 1177  which the controller is able to demonstrate that any information
 1178  necessary to identify the consumer is kept separate and is
 1179  subject to effective technical and organizational controls that
 1180  prevent the controller from accessing the information.
 1181         (4)A controller that discloses pseudonymous data,
 1182  deidentified data, or aggregate consumer information shall
 1183  exercise reasonable oversight to monitor compliance with any
 1184  contractual commitments to which the data or information is
 1185  subject and shall take appropriate steps to address any breach
 1186  of the contractual commitments.
 1187         Section 18. Section 501.715, Florida Statutes, is created
 1188  to read:
 1189         501.715 Requirements for sensitive data.—
 1190         (1)A person who meets the requirements of s.
 1191  501.702(9)(a)1., (a)2., and (a)3. for the definition of a
 1192  controller may not engage in the sale of personal data that is
 1193  sensitive data without receiving prior consent from the consumer
 1194  or, if the sensitive data is of a known child, without
 1195  processing that data with the affirmative authorization for such
 1196  processing by a known child who is between 13 and 18 years of
 1197  age or in accordance with the Children’s Online Privacy
 1198  Protection Act, 15 U.S.C. ss. 6501 et seq. for a known child
 1199  under the age of 13.
 1200         (2) A person in subsection (1) who engages in the sale of
 1201  personal data that is sensitive data must provide the following
 1202  notice: “NOTICE: This website may sell your sensitive personal
 1203  data.”
 1204         (3)A person who violates this section is subject to the
 1205  penalty imposed under s. 501.72.
 1206         Section 19. Section 501.716, Florida Statutes, is created
 1207  to read:
 1208         501.716 Exemptions for certain uses of consumer personal
 1209  data.—
 1210         (1)This part may not be construed to restrict a
 1211  controller’s or processor’s ability to do any of the following:
 1212         (a)Comply with federal or state laws, rules, or
 1213  regulations.
 1214         (b)Comply with a civil, criminal, or regulatory inquiry,
 1215  investigation, subpoena, or summons by federal, state, local, or
 1216  other governmental authorities.
 1217         (c)Investigate, establish, exercise, prepare for, or
 1218  defend legal claims.
 1219         (d)Provide a product or service specifically requested by
 1220  a consumer or the parent or guardian of a child, perform a
 1221  contract to which the consumer is a party, including fulfilling
 1222  the terms of a written warranty, or take steps at the request of
 1223  the consumer before entering into a contract.
 1224         (e)Take immediate steps to protect an interest that is
 1225  essential for the life or physical safety of the consumer or of
 1226  another individual and in which the processing cannot be
 1227  manifestly based on another legal basis.
 1228         (f)Prevent, detect, protect against, or respond to
 1229  security incidents, identity theft, fraud, harassment, malicious
 1230  or deceptive activities, or any illegal activity.
 1231         (g)Preserve the integrity or security of systems or
 1232  investigate, report, or prosecute those responsible for breaches
 1233  of system security.
 1234         (h)Engage in public or peer-reviewed scientific or
 1235  statistical research in the public interest which adheres to all
 1236  other applicable ethics and privacy laws and is approved,
 1237  monitored, and governed by an institutional review board or
 1238  similar independent oversight entity that determines:
 1239         1.Whether the deletion of the information is likely to
 1240  provide substantial benefits that do not exclusively accrue to
 1241  the controller;
 1242         2.Whether the expected benefits of the research outweigh
 1243  the privacy risks; and
 1244         3.Whether the controller has implemented reasonable
 1245  safeguards to mitigate privacy risks associated with research,
 1246  including any risks associated with reidentification.
 1247         (i)Assist another controller, processor, or third party in
 1248  complying with the requirements of this part.
 1249         (j)Disclose personal data disclosed when a consumer uses
 1250  or directs the controller to intentionally disclose information
 1251  to a third party or uses the controller to intentionally
 1252  interact with a third party. An intentional interaction occurs
 1253  when the consumer intends to interact with the third party, by
 1254  one or more deliberate interactions. Hovering over, muting,
 1255  pausing, or closing a given piece of content does not constitute
 1256  a consumer’s intent to interact with a third party.
 1257         (k)Transfer personal data to a third party as an asset
 1258  that is part of a merger, an acquisition, a bankruptcy, or other
 1259  transaction in which the third party assumes control of all or
 1260  part of the controller, provided that the information is used or
 1261  shared in a manner consistent with this part. If a third party
 1262  materially alters how it uses or shares the personal data of a
 1263  consumer in a manner that is materially inconsistent with the
 1264  commitments or promises made at the time of collection, it must
 1265  provide prior notice of the new or changed practice to the
 1266  consumer. The notice must be sufficiently prominent and robust
 1267  to ensure that consumers can easily exercise choices consistent
 1268  with this part.
 1269         (2)This part may not be construed to prevent a controller
 1270  or processor from providing personal data concerning a consumer
 1271  to a person covered by an evidentiary privilege under the laws
 1272  of this state as part of a privileged communication.
 1273         (3)This part may not be construed as imposing a
 1274  requirement on controllers and processors which adversely
 1275  affects the rights or freedoms of any person, including the
 1276  right of free speech.
 1277         (4)This part may not be construed as requiring a
 1278  controller, processor, third party, or consumer to disclose a
 1279  trade secret.
 1280         Section 20. Section 501.717, Florida Statutes, is created
 1281  to read:
 1282         501.717 Collection, use, or retention of data for certain
 1283  purposes.—
 1284         (1)The requirements imposed on controllers and processors
 1285  under this part may not restrict a controller’s or processor’s
 1286  ability to collect, use, or retain data to do any of the
 1287  following:
 1288         (a)Conduct internal research to develop, improve, or
 1289  repair products, services, or technology.
 1290         (b)Effect a product recall.
 1291         (c)Identify and repair technical errors that impair
 1292  existing or intended functionality.
 1293         (d)Perform internal operations that are:
 1294         1.Reasonably aligned with the expectations of the
 1295  consumer;
 1296         2.Reasonably anticipated based on the consumer’s existing
 1297  relationship with the controller; or
 1298         3.Otherwise compatible with processing data in furtherance
 1299  of the provision of a product or service specifically requested
 1300  by a consumer or the performance of a contract to which the
 1301  consumer is a party.
 1302         (2)A requirement imposed on a controller or processor
 1303  under this part does not apply if compliance with the
 1304  requirement by the controller or processor, as applicable, would
 1305  violate an evidentiary privilege under the laws of this state.
 1306         Section 21. Section 501.718, Florida Statutes, is created
 1307  to read:
 1308         501.718 Disclosure of personal data to third-party
 1309  controller or processor.—
 1310         (1)A controller or processor that discloses personal data
 1311  to a third-party controller or processor in compliance with the
 1312  requirements of this part does not violate this part if the
 1313  third-party controller or processor that receives and processes
 1314  that personal data violates this part, provided that, at the
 1315  time of the data’s disclosure, the disclosing controller or
 1316  processor could not have reasonably known that the recipient
 1317  intended to commit a violation.
 1318         (2)A third-party controller or processor receiving
 1319  personal data from a controller or processor in compliance with
 1320  the requirements of this part may not be held liable for
 1321  violations of this part committed by the controller or processor
 1322  from which the third-party controller or processor receives the
 1323  personal data.
 1324         Section 22. Section 501.719, Florida Statutes, is created
 1325  to read:
 1326         501.719 Processing of certain personal data by controller
 1327  or other person.—
 1328         (1)Personal data processed by a controller pursuant to ss.
 1329  501.716, 501.717, and 501.718 may not be processed for any
 1330  purpose other than those specified in those sections. Personal
 1331  data processed by a controller pursuant to ss. 501.716, 501.717,
 1332  and 501.718 may be processed to the extent that the processing
 1333  of the data is:
 1334         (a)Reasonably necessary and proportionate to the purposes
 1335  specified in ss. 501.716, 501.717, and 501.718;
 1336         (b)Adequate, relevant, and limited to what is necessary in
 1337  relation to the purposes specified in ss. 501.716, 501.717, and
 1338  501.718; and
 1339         (c) Done to assist another controller, processor, or third
 1340  party with any of the purposes specified in s. 501.716, s.
 1341  501.717, or s. 501.718.
 1342         (2)A controller or processor that collects, uses, or
 1343  retains personal data for the purposes specified in s.
 1344  501.717(1) must take into account the nature and purpose of such
 1345  collection, use, or retention. Such personal data is subject to
 1346  reasonable administrative, technical, and physical measures to
 1347  protect its confidentiality, integrity, and accessibility and to
 1348  reduce reasonably foreseeable risks of harm to consumers
 1349  relating to the collection, use, or retention of personal data.
 1350         (3)A controller or processor shall adopt and implement a
 1351  retention schedule that prohibits the use or retention of
 1352  personal data not subject to an exemption by the controller or
 1353  processor after the satisfaction of the initial purpose for
 1354  which such information was collected or obtained, after the
 1355  expiration or termination of the contract pursuant to which the
 1356  information was collected or obtained, or 2 years after the
 1357  consumer’s last interaction with the controller or processor.
 1358  This subsection does not apply to personal data reasonably used
 1359  or retained to do any of the following:
 1360         (a)Provide a good or service requested by the consumer, or
 1361  reasonably anticipate the request of such good or service within
 1362  the context of a controller’s ongoing business relationship with
 1363  the consumer.
 1364         (b)Debug to identify and repair errors that impair
 1365  existing intended functionality.
 1366         (c)Enable solely internal uses that are reasonably aligned
 1367  with the expectations of the consumer based on the consumer’s
 1368  relationship with the controller or that are compatible with the
 1369  context in which the consumer provided the information.
 1370         (4)A controller or processor that processes personal data
 1371  pursuant to ss. 501.716, 501.717, and 501.718 bears the burden
 1372  of demonstrating that the processing of the personal data
 1373  qualifies for the exemption and complies with the requirements
 1374  of this section.
 1375         Section 23. Section 501.72, Florida Statutes, is created to
 1376  read:
 1377         501.72 Enforcement and implementation by the Department of
 1378  Legal Affairs.—
 1379         (1)A violation of this part is an unfair and deceptive
 1380  trade practice actionable under part II of this chapter solely
 1381  by the Department of Legal Affairs. If the department has reason
 1382  to believe that a person is in violation of this section, the
 1383  department may, as the enforcing authority, bring an action
 1384  against such person for an unfair or deceptive act or practice.
 1385  For the purpose of bringing an action pursuant to this section,
 1386  ss. 501.211 and 501.212 do not apply. In addition to other
 1387  remedies under part II of this chapter, the department may
 1388  collect a civil penalty of up to $50,000 per violation. Civil
 1389  penalties may be tripled for any of the following violations:
 1390         (a)A violation involving a Florida consumer who is a known
 1391  child. A controller that willfully disregards the consumer’s age
 1392  is deemed to have actual knowledge of the consumer’s age.
 1393         (b)Failure to delete or correct the consumer’s personal
 1394  data pursuant to this section after receiving an authenticated
 1395  consumer request or directions from a controller to delete or
 1396  correct such personal data, unless an exception to the
 1397  requirements to delete or correct such personal data under this
 1398  section applies.
 1399         (c)Continuing to sell or share the consumer’s personal
 1400  data after the consumer chooses to opt out under this part.
 1401         (2)After the department has notified a person in writing
 1402  of an alleged violation, the department may grant a 45-day
 1403  period to cure the alleged violation and issue a letter of
 1404  guidance. The 45-day cure period does not apply to an alleged
 1405  violation of paragraph (1)(a). The department may consider the
 1406  number and frequency of violations, the substantial likelihood
 1407  of injury to the public, and the safety of persons or property
 1408  in determining whether to grant 45 calendar days to cure and the
 1409  issuance of a letter of guidance. If the alleged violation is
 1410  cured to the satisfaction of the department and proof of such
 1411  cure is provided to the department, the department may not bring
 1412  an action for the alleged violation but in its discretion may
 1413  issue a letter of guidance that indicates that the person will
 1414  not be offered a 45-day cure period for any future violations.
 1415  If the person fails to cure the alleged violation within 45
 1416  calendar days, the department may bring an action against such
 1417  person for the alleged violation.
 1418         (3)Any action brought by the department may be brought
 1419  only on behalf of a Florida consumer.
 1420         (4)By February 1 of each year, the department shall make a
 1421  report publicly available on the department’s website describing
 1422  any actions taken by the department to enforce this section. The
 1423  report must include statistics and relevant information
 1424  detailing all of the following:
 1425         (a)The number of complaints received and the categories or
 1426  types of violations alleged by the complainant.
 1427         (b)The number and type of enforcement actions taken and
 1428  the outcomes of such actions, including the amount of penalties
 1429  issued and collected.
 1430         (c)The number of complaints resolved without the need for
 1431  litigation.
 1432         (d)For the report due February 1, 2024, the status of the
 1433  development and implementation of rules to implement this
 1434  section.
 1435         (5)The department shall adopt rules to implement this
 1436  section, including standards for authenticated consumer
 1437  requests, enforcement, data security, and authorized persons who
 1438  may act on a consumer’s behalf.
 1439         (6)The department may collaborate and cooperate with other
 1440  enforcement authorities of the Federal Government or other state
 1441  governments concerning consumer data privacy issues and consumer
 1442  data privacy investigations if such enforcement authorities have
 1443  restrictions governing confidentiality at least as stringent as
 1444  the restrictions provided in this section.
 1445         (7)Liability for a tort, contract claim, or consumer
 1446  protection claim unrelated to an action brought under this
 1447  section does not arise solely from the failure of a person to
 1448  comply with this part.
 1449         (8)This part does not establish a private cause of action.
 1450         (9)The department may employ or use the legal services of
 1451  outside counsel and the investigative services of outside
 1452  personnel to fulfill the obligations of this section.
 1453         (10)For purposes of bringing an action pursuant to this
 1454  section, any person who meets the definition of controller as
 1455  defined in this part who collects, shares, or sells the personal
 1456  data of Florida consumers is considered to be engaged in both
 1457  substantial and not isolated activities within this state and
 1458  operating, conducting, engaging in, or carrying on a business,
 1459  and doing business in this state, and is, therefore, subject to
 1460  the jurisdiction of the courts of this state.
 1461         Section 24. Section 501.721, Florida Statutes, is created
 1462  to read:
 1463         501.721 Preemption.—This part is a matter of statewide
 1464  concern and supersedes all rules, regulations, codes,
 1465  ordinances, and other laws adopted by a city, county, city and
 1466  county, municipality, or local agency regarding the collection,
 1467  processing, sharing, or sale of consumer personal data by a
 1468  controller or processor. The regulation of the collection,
 1469  processing, sharing, or sale of consumer personal data by a
 1470  controller or processor is preempted to the state.
 1471         Section 25. Paragraph (g) of subsection (1) of section
 1472  501.171, Florida Statutes, is amended to read:
 1473         501.171 Security of confidential personal information.—
 1474         (1) DEFINITIONS.—As used in this section, the term:
 1475         (g)1. “Personal information” means either of the following:
 1476         a. An individual’s first name or first initial and last
 1477  name in combination with any one or more of the following data
 1478  elements for that individual:
 1479         (I) A social security number;
 1480         (II) A driver license or identification card number,
 1481  passport number, military identification number, or other
 1482  similar number issued on a government document used to verify
 1483  identity;
 1484         (III) A financial account number or credit or debit card
 1485  number, in combination with any required security code, access
 1486  code, or password that is necessary to permit access to an
 1487  individual’s financial account;
 1488         (IV) Any information regarding an individual’s medical
 1489  history, mental or physical condition, or medical treatment or
 1490  diagnosis by a health care professional; or
 1491         (V) An individual’s health insurance policy number or
 1492  subscriber identification number and any unique identifier used
 1493  by a health insurer to identify the individual;
 1494         (VI)An individual’s biometric data as defined in s.
 1495  501.702; or
 1496         (VII)Any information regarding an individual’s
 1497  geolocation.
 1498         b. A user name or e-mail address, in combination with a
 1499  password or security question and answer that would permit
 1500  access to an online account.
 1501         2. The term does not include information about an
 1502  individual that has been made publicly available by a federal,
 1503  state, or local governmental entity. The term also does not
 1504  include information that is encrypted, secured, or modified by
 1505  any other method or technology that removes elements that
 1506  personally identify an individual or that otherwise renders the
 1507  information unusable.
 1508         Section 26. Subsection (1) of section 16.53, Florida
 1509  Statutes, is amended, and subsection (8) is added to that
 1510  section, to read:
 1511         16.53 Legal Affairs Revolving Trust Fund.—
 1512         (1) There is created in the State Treasury the Legal
 1513  Affairs Revolving Trust Fund, from which the Legislature may
 1514  appropriate funds for the purpose of funding investigation,
 1515  prosecution, and enforcement by the Attorney General of the
 1516  provisions of the Racketeer Influenced and Corrupt Organization
 1517  Act, the Florida Deceptive and Unfair Trade Practices Act, the
 1518  Florida False Claims Act, or state or federal antitrust laws, s.
 1519  501.1735, or part V of chapter 501.
 1520         (8) All moneys recovered by the Attorney General for
 1521  attorney fees, costs, and penalties in an action for a violation
 1522  of s. 501.1735 or part V of chapter 501 must be deposited in the
 1523  fund.
 1524         Section 27. Except as otherwise expressly provided in this
 1525  act and except for this section, which shall take effect upon
 1526  this act becoming a law, this act shall take effect July 1,
 1527  2024.