Bill Text: FL S1864 | 2022 | Regular Session | Introduced
Bill Title: Consumer Data Privacy
Spectrum: Partisan Bill (Republican 2-0)
Status: (Failed) 2022-03-14 - Died in Commerce and Tourism [S1864 Detail]
Download: Florida-2022-S1864-Introduced.html
Florida Senate - 2022 SB 1864 By Senator Bradley 5-01351-22 20221864__ 1 A bill to be entitled 2 An act relating to consumer data privacy; creating s. 3 501.172, F.S.; providing a short title; creating s. 4 501.173, F.S.; providing a purpose; creating s. 5 501.174, F.S.; defining terms; creating s. 501.1745, 6 F.S.; requiring controllers that collect consumer 7 personal information to provide certain information to 8 the consumer; requiring such collection, use, and 9 retention of such information to meet certain 10 requirements; requiring controllers to implement 11 reasonable security procedures and practices; 12 prohibiting controllers from processing certain 13 sensitive consumer data under certain circumstances; 14 creating s. 501.175, F.S.; providing that consumers 15 have the right to opt out of the sale and processing 16 of their personal information by controllers; 17 providing requirements for a controller to comply with 18 such a request under certain circumstances; 19 prohibiting controllers from selling the personal 20 information of consumers younger than a specified age 21 without express authorization from the consumer or the 22 consumer’s parent or guardian under certain 23 circumstances; providing that businesses that 24 willfully disregard a consumer’s age are deemed to 25 have actual knowledge of the consumer’s age; providing 26 requirements for controllers to comply with a 27 consumer’s right to opt out; providing exceptions; 28 providing that consumers have the right to submit a 29 verified request for the deletion or correction of 30 their personal information; providing construction; 31 providing that consumers may authorize other persons 32 to opt out of the sale of the consumer’s personal 33 information on the consumer’s behalf; requiring 34 controllers to establish designated request addresses; 35 providing requirements for controllers to comply with 36 verified consumer requests; providing notice 37 requirements; authorizing businesses to charge 38 consumers a reasonable fee for manifestly unfounded or 39 excessive requests, or to refuse to complete a request 40 under certain circumstances; providing that 41 controllers and processors are not liable for certain 42 actions; providing that third-party controllers or 43 processors are liable for violating the act or the 44 terms of certain contractual agreements, thereby 45 resulting in a violation; providing that a consumer’s 46 rights and the obligations of a controller may not 47 adversely affect the rights and freedoms of other 48 consumers; creating s. 501.176, F.S.; providing 49 applicability; providing exceptions; defining the 50 terms “vehicle information” and “ownership 51 information”; creating s. 501.177, F.S.; providing 52 applicability; specifying violations that are 53 enforceable by the Department of Legal Affairs under 54 the Florida Deceptive and Unfair Trade Practices Act; 55 authorizing the department to grant controllers and 56 processors an opportunity to cure violations when 57 given notice by the department; providing civil 58 remedies and penalties for violations; authorizing 59 increased civil penalties for certain violations; 60 requiring the department, in conjunction and 61 consultation with the director of the Consumer Data 62 Privacy Unit, to submit a report to the Legislature by 63 a specified date; providing requirements for the 64 report; authorizing the department to adopt rules; 65 providing for jurisdiction; preempting the regulation 66 of the collection, processing, or sale of consumers’ 67 personal information by a controller or processor to 68 the state; amending s. 16.53, F.S.; revising the 69 purposes for which the Legal Affairs Revolving Trust 70 Fund may be used to include enforcement of the Florida 71 Privacy Protection Act by the Attorney General; 72 requiring that attorney fees and costs recovered by 73 the Attorney General for certain actions be deposited 74 in the fund; creating s. 16.581, F.S.; creating the 75 Consumer Data Privacy Unit within the department; 76 providing for a director of the unit; providing the 77 duties of the unit; authorizing the unit to take 78 certain actions; authorizing the unit to recover 79 reasonable attorney fees and costs and penalties in 80 accordance with certain provisions; requiring such 81 moneys to be deposited in the Legal Affairs Revolving 82 Trust Fund; requiring other moneys recovered by the 83 Attorney General for penalties to be deposited into 84 the General Revenue Fund; providing an effective date. 85 86 Be It Enacted by the Legislature of the State of Florida: 87 88 Section 1. Section 501.172, Florida Statutes, is created to 89 read: 90 501.172 Short title.—This act, consisting of ss. 501.172 91 501.177, may be cited as the “Florida Privacy Protection Act.” 92 Section 2. Section 501.173, Florida Statutes, is created to 93 read: 94 501.173 Purpose.—This act recognizes that privacy is an 95 important right, and consumers in this state should have the 96 ability to share their personal information as they wish, in a 97 way that is safe and that they understand and control. 98 Section 3. Section 501.174, Florida Statutes, is created to 99 read: 100 501.174 Definitions.—As used in ss. 501.172-501.177, unless 101 the context otherwise requires, the term: 102 (1) “Affiliate” means a legal entity that controls, is 103 controlled by, or is under common control with another legal 104 entity or shares common branding with another legal entity. For 105 the purposes of this subsection, the term “control” or 106 “controlled” means the ownership of, or the power to vote, more 107 than 50 percent of the outstanding shares of any class of voting 108 security of a company; control in any manner over the election 109 of a majority of the directors or of individuals exercising 110 similar functions; or the power to exercise controlling 111 influence over the management of a company. 112 (2) “Aggregate consumer information” means information that 113 relates to a group or category of consumers from which 114 individual consumer identities have been removed and which is 115 not linked or reasonably linkable to any consumer, including 116 through a device. The term does not include one or more 117 individual consumer records that have been de-identified. 118 (3) “Authenticate” means verifying through reasonable means 119 that the consumer entitled to exercise his or her consumer 120 rights under this act is the same consumer exercising such 121 consumer rights with respect to the personal information at 122 issue. 123 (4) “Biometric information” means personal information 124 generated by automatic measurements of an individual’s 125 physiological, behavioral, or biological characteristics, 126 including an individual’s DNA, which identifies an individual. 127 The term does not include a physical or digital photograph; a 128 video or audio recording or data generated therefrom; or 129 information collected, used, or stored for health care 130 treatment, payment, or operations under the Health Insurance 131 Portability and Accountability Act of 1996. 132 (5) “Business purpose” means the use of personal 133 information for the controller’s operational, administrative, 134 security, or other purposes allowed for under this act, or for 135 any notice-given and consumer-approved purposes or for the 136 processor’s operational purposes, provided that the use of the 137 personal information is consistent with the requirements of this 138 act. 139 (6) “Child” means a natural person younger than 13 years of 140 age. 141 (7) “Collects,” “collected,” or “collection” means buying, 142 renting, gathering, obtaining, receiving, or accessing by any 143 means any personal information pertaining to a consumer, either 144 actively or passively or by observing the consumer’s behavior. 145 (8) “Consumer” means a natural person who resides in this 146 state to the extent he or she is acting in an individual or 147 household context. The term does not include any other natural 148 person who is a nonresident or a natural person acting in a 149 commercial or employment context. 150 (9) “Controller” means a sole proprietorship, a 151 partnership, a limited liability company, a corporation, or an 152 association or any other legal entity that meets the following 153 requirements: 154 (a) Is organized or operated for the profit or financial 155 benefit of its shareholders or owners; 156 (b) Does business in this state or provides products or 157 services targeted to the residents of this state; 158 (c) Determines the purposes and means of processing 159 personal information about consumers, alone or jointly with 160 others; and 161 (d) Satisfies either of the following thresholds: 162 1. During a calendar year, controls the processing of the 163 personal information of 100,000 or more consumers who are not 164 covered by an exception under this act; or 165 2. Controls or processes the personal information of at 166 least 25,000 consumers who are not covered by an exception under 167 this act and derives 50 percent or more of its global annual 168 revenues from selling personal information about consumers. 169 (10) “De-identified” means information that cannot 170 reasonably identify or be linked directly to a particular 171 consumer, or a device linked to such consumer, if the controller 172 or a processor that possesses such information on behalf of the 173 controller: 174 (a) Has taken reasonable measures to ensure that the 175 information cannot be associated with an individual consumer; 176 (b) Commits to maintain and use the information in a de 177 identified fashion without attempting to reidentify the 178 information; and 179 (c) Contractually prohibits downstream recipients from 180 attempting to reidentify the information. 181 (11) “Designated request address” means an e-mail address, 182 a toll-free telephone number, or a website established by a 183 controller through which a consumer may submit a verified 184 request to the controller. 185 (12) “Intentional interaction” or “intentionally 186 interacting” means that the consumer intends to interact with or 187 disclose personal information to a person through one or more 188 deliberate interactions, including visiting the person’s website 189 or purchasing a good or service from the person. The term does 190 not include hovering over, muting, pausing, or closing a given 191 piece of content. 192 (13) “Non-targeted advertising” means: 193 (a) Advertising based solely on a consumer’s activities 194 within a controller’s own, or its affiliates’, websites or 195 online applications; 196 (b) Advertisements based on the context of a consumer’s 197 current search query, visit to a website, or online application; 198 (c) Advertisements directed to a consumer in response to 199 the consumer’s request for information or feedback; or 200 (d) Processing personal information solely for measuring or 201 reporting advertising performance, reach, or frequency. 202 (14) “Personal information” means: 203 (a) Information that identifies or is linked or reasonably 204 linkable to an identified or identifiable consumer. 205 (b) The term does not include: 206 1. Information about a consumer that is lawfully made 207 available through federal, state, or local governmental records; 208 2. Information that a controller has a reasonable basis to 209 believe is lawfully made available to the general public by the 210 consumer or from widely distributed media unless the consumer 211 has restricted the information to a specific audience; or 212 3. Consumer information that is de-identified or aggregate 213 consumer information. 214 (15) “Precise geolocation data” means information from 215 technology, such as global positioning system level latitude and 216 longitude coordinates or other mechanisms, which directly 217 identifies the specific location of a natural person with 218 precision and accuracy within a radius of 1,750 feet. The term 219 does not include the information generated by the transmission 220 of communications or any information generated by or connected 221 to advanced utility metering infrastructure systems or equipment 222 for use by a utility. 223 (16) “Process” or “processing” means any operation or set 224 of operations performed on personal information or on sets of 225 personal information, regardless of whether by automated means. 226 (17) “Processor” means a natural or legal entity that 227 processes personal data on behalf of, and at the direction of, a 228 controller. 229 (18) “Profiling” means any form of automated processing 230 performed on personal data to evaluate, analyze, or predict 231 personal aspects related to an identified or identifiable 232 natural person’s economic situation, health, personal 233 preferences, interests, reliability, behavior, location, or 234 movements. The term does not include processing personal 235 information solely for the purpose of measuring or reporting 236 advertising performance, reach, or frequency. 237 (19) “Pseudonymous information” means personal information 238 that cannot be attributed to a specific natural person without 239 the use of additional information, which must be kept separate 240 at all times and must be subject to appropriate technical and 241 organizational measures to ensure that the personal data is not 242 attributed to or combined with other personal data that may 243 enable attribution to an identified or identifiable natural 244 person. 245 (20) “Security and integrity” means the ability of a: 246 (a) Network or information system, device, website, or 247 online application to detect security incidents that compromise 248 the availability, authenticity, integrity, and confidentiality 249 of stored or transmitted personal information; 250 (b) Controller to detect security incidents; resist 251 malicious, deceptive, fraudulent, or illegal actions; and help 252 prosecute those responsible for such actions; and 253 (c) Controller to ensure the physical safety of natural 254 persons. 255 (21) “Sell” means to transfer or make available a 256 consumer’s personal information by a controller to a third party 257 in exchange for monetary or other valuable consideration, 258 including nonmonetary transactions and agreements for other 259 valuable consideration between a controller and a third party 260 for the benefit of a controller. The term does not include any 261 of the following: 262 (a) The disclosure, for a business purpose, of a consumer’s 263 personal information to a processor that processes the 264 information for the controller. 265 (b) The disclosure by a controller for the purpose of 266 providing a product or service requested or approved by a 267 consumer, or the parent of a child, of the consumer’s personal 268 information to a third-party entity. 269 (c) The disclosure or transfer of personal information to 270 an affiliate of the controller. 271 (d) The disclosure of personal information for purposes of 272 nontargeted advertising. 273 (e) The disclosure or transfer of personal information to a 274 third party as an asset that is part of a proposed or actual 275 merger, acquisition, bankruptcy, or other transaction in which 276 the third party assumes control of all or part of the 277 controller’s assets. 278 (f) The controller disclosing personal information to a law 279 enforcement or other emergency processor for the purposes of 280 providing emergency assistance to the consumer. 281 (22) “Sensitive data” means a category of personal 282 information that includes any of the following: 283 (a) Racial or ethnic origin, religious beliefs, mental or 284 physical health diagnosis, sexual orientation, or citizenship or 285 immigration status. 286 (b) Biometric information, including genetic information, 287 processed for the purpose of uniquely identifying a natural 288 person. 289 (c) Personal information collected from a known child. 290 (d) Precise geolocation data. 291 (23) “Targeted advertising” means displaying an 292 advertisement to a consumer when the advertisement is selected 293 based on personal information obtained from the consumer’s 294 activities over time and across nonaffiliated websites or online 295 applications to predict such consumer’s preferences or 296 interests. The term does not include any of the following: 297 (a) Non-targeted advertising. 298 (b) Advertisements based on the context of a consumer’s 299 current search query or visit to a website. 300 (c) Advertising directed to a consumer in response to the 301 consumer’s request for information or feedback. 302 (d) Processing personal data solely for the purpose of 303 measuring or reporting advertising performance, reach, or 304 frequency. 305 (24) “Third party” means a person who is not any of the 306 following: 307 (a) The controller with which the consumer intentionally 308 interacts and which collects personal information from the 309 consumer as part of the consumer’s interaction with the 310 controller. 311 (b) A processor that processes personal information on 312 behalf of and at the direction of the controller. 313 (c) An affiliate of the controller. 314 (25) “Verified request” means a request submitted by a 315 consumer or by a consumer on behalf of the consumer’s minor 316 child for which the controller has reasonably verified the 317 authenticity of the request. The term includes a request made 318 through an established account using the controller’s 319 established security features to access the account through 320 communication features offered to consumers. The term does not 321 include a request in which the consumer or a person authorized 322 to act on the consumer’s behalf does not provide verification of 323 identify or verification of authorization to act with the 324 permission of the consumer, and the controller is not required 325 to provide information for such a request. 326 Section 4. Section 501.1745, Florida Statutes, is created 327 to read: 328 501.1745 General duties of controllers that collect 329 personal information.— 330 (1) A controller that controls the collection of a 331 consumer’s personal information that will be used for any 332 purpose other than a business purpose, at or before the point of 333 collection, shall inform consumers of the purposes for which 334 personal information is collected or used and whether that 335 information is sold. A controller may not collect additional 336 categories of personal information, or use collected personal 337 information for additional purposes that are incompatible with 338 the disclosed purpose for which the personal information was 339 collected, without providing the consumer with notice consistent 340 with this section. A controller that collects personal 341 information about, but not directly from, consumers may provide 342 the required information on its Internet home page or in its 343 online privacy policy. 344 (2) A controller’s collection, use, and retention of a 345 consumer’s personal information must be reasonably necessary to 346 achieve the purposes for which the personal information was 347 collected or processed. Such information may not be further 348 processed in a manner that is incompatible with those purposes 349 without notice to the consumer or be transferred or made 350 available to a third party in a manner inconsistent with the 351 requirements of this act. 352 (3) A controller that collects a consumer’s personal 353 information shall implement reasonable security procedures and 354 practices appropriate to the nature of the personal information 355 to protect the personal information from unauthorized or illegal 356 access, destruction, use, modification, or disclosure. 357 (4) A controller that collects a consumer’s personal 358 information and discloses it to a processor shall enter into a 359 contractual agreement with such processor which obligates the 360 processor to comply with applicable obligations under this act 361 and which prohibits downstream recipients from selling personal 362 information or retaining, using, or disclosing the personal 363 information. If a processor engages any other person to assist 364 it in processing personal information for a business purpose on 365 behalf of the controller, or if any other person engaged by the 366 processor engages another person to assist in processing 367 personal information for that business purpose, the processor or 368 person must notify the controller of that engagement and the 369 processor must prohibit downstream recipients from selling the 370 personal information or retaining, using, or disclosing the 371 personal information. 372 (5) A controller may not process sensitive data concerning 373 a consumer without obtaining the consumer’s consent or, in the 374 case of the processing of sensitive data obtained from a known 375 child, without processing such data for the purpose of 376 delivering a product or service requested by the parent of such 377 child, or in accordance with the federal Children’s Online 378 Privacy Protection Act, 15 U.S.C. s. 6501 et seq. and 379 regulations interpreting this act. 380 (6) The determination as to whether a person is acting as a 381 controller or processor with respect to a specific activity is a 382 fact-based determination that depends upon the context in which 383 personal information is processed. A processor that continues to 384 adhere to a controller’s instructions with respect to a specific 385 processing of personal information remains a processor. 386 Section 5. Section 501.175, Florida Statutes, is created to 387 read: 388 501.175 Use of personal information; third parties; other 389 rights.— 390 (1)(a) A consumer has the right at any time to direct a 391 controller that sells personal information about the consumer 392 not to sell the consumer’s personal information. This right may 393 be referred to as the right to opt out of the sale. 394 (b) A consumer has the right at any time to opt out of the 395 processing of the consumer’s personal information for purposes 396 of targeted advertising or profiling. A controller shall provide 397 a clear and conspicuous link on the controller’s Internet home 398 page, titled “Do Not Advertise To Me,” to a web page that 399 enables a consumer to opt out of targeted advertising or 400 profiling. However, this paragraph may not be construed to 401 prohibit the controller that collected the consumer’s personal 402 information from: 403 1. Offering a different price, rate, level, quality, or 404 selection of goods or services to a consumer, including offering 405 goods or services for no fee, if the consumer has opted out of 406 targeted advertising, profiling, or the sale of his or her 407 personal information; or 408 2. Offering a loyalty, reward, premium feature, discount, 409 or club card program. 410 (c) A controller that charges or offers a different price, 411 rate, level, quality, or selection of goods or services to a 412 consumer who has opted out of targeted advertising, profiling, 413 or the sale of his or her personal information, or that offers 414 goods or services for no fee, shall ensure that such charge or 415 offer is not unjust, unreasonable, coercive, or usurious. 416 (2) A controller that sells consumers’ personal information 417 shall provide notice to consumers that the information may be 418 sold and that consumers have the right to opt out of the sale of 419 their personal information. 420 (3) A controller that sells consumers’ personal information 421 and that has received direction from a consumer not to sell the 422 consumer’s personal information or, in the case of a minor 423 consumer’s personal information, has not received consent to 424 sell the minor consumer’s personal information, is prohibited 425 from selling the consumer’s personal information after the 426 controller receives the consumer’s direction, unless the 427 consumer subsequently provides express authorization for the 428 sale of the consumer’s personal information. A controller that 429 is able to authenticate the consumer by the consumer logging in 430 or any other means, or that is otherwise reasonably able to 431 authenticate the consumer’s request must comply with the 432 consumer’s request to opt out. The controller may not require 433 the consumer to declare privacy preferences every time the 434 consumer visits the controller’s website or uses the 435 controller’s online services. 436 (4)(a) A controller may not sell the personal information 437 collected from consumers that the controller has actual 438 knowledge are 16 years of age or younger, unless: 439 1. The consumer, in the case of consumers who are 13 years 440 of age up to 16 years of age, has affirmatively authorized the 441 sale of the consumer’s personal information; or 442 2. The consumer’s parent or guardian, in the case of 443 consumers who are younger than 13 years of age, has 444 affirmatively authorized such sale. 445 (b) This right may be referred to as the right to opt in. 446 (c) A business that willfully disregards the consumer’s age 447 is deemed to have actual knowledge of the consumer’s age. 448 (d) A controller that complies with the verifiable parental 449 consent requirements of the Children’s Online Privacy Protection 450 Act, 15 U.S.C. s. 6501 et seq., and accompanying regulations, or 451 is providing a product or service requested by a parent or 452 guardian, is deemed compliant with any obligation to obtain 453 parental consent. 454 (5) A controller required to comply with this section 455 shall: 456 (a) Provide a clear and conspicuous link on the 457 controller’s Internet home page, titled “Do Not Sell My Personal 458 Information,” to a web page that enables a consumer to opt out 459 of the sale of the consumer’s personal information. A business 460 may not require a consumer to create an account in order to 461 direct the business not to sell the consumer’s information. 462 (b) Ensure that all individuals responsible for handling 463 consumer inquiries about the controller’s privacy practices or 464 the controller’s compliance with this section are informed of 465 all requirements of this section and how to direct consumers to 466 exercise their rights. 467 (c) For consumers who exercise their right to opt out of 468 the sale of their personal information, refrain from selling 469 personal information the controller collected about the consumer 470 as soon as reasonably possible but no longer than 10 business 471 days after receiving the request to opt out. 472 (d) Use any personal information collected from the 473 consumer in connection with the submission of the consumer’s 474 opt-out request solely for the purposes of complying with the 475 opt-out request. 476 (e) For consumers who have opted out of the sale of their 477 personal information, respect the consumer’s decision to opt out 478 for at least 12 months before requesting that the consumer 479 authorize the sale of the consumer’s personal information. 480 (f) Ensure that consumers have the right to submit a 481 verified request for certain information from a controller, 482 including the categories of sources from which the consumer’s 483 personal information was collected, the specific items of 484 personal information it has collected about the consumer, and 485 the categories of any third parties to whom the personal 486 information was sold. 487 (6) Consumers have the right to submit a verified request 488 that personal information that has been collected from the 489 consumer be deleted. Consumers have the right to submit a 490 verified request for correction of their personal information 491 held by a controller if that information is inaccurate, taking 492 into account the nature of the personal information and the 493 purpose for processing the consumer’s personal information. 494 (7) A controller, or a processor acting pursuant to its 495 contract with the controller or another processor, is not 496 required to comply with a consumer’s verified request to delete 497 the consumer’s personal information if it is necessary for the 498 controller or processor to maintain the consumer’s personal 499 information in order to do any of the following: 500 (a) Complete the transaction for which the personal 501 information was collected, fulfill the terms of a written 502 warranty or product recall conducted in accordance with federal 503 law, provide a good or service requested by the consumer, or 504 otherwise perform a contract between the business and the 505 consumer. 506 (b) Help to ensure security and integrity to the extent 507 that the use of the consumer’s personal information is 508 reasonably necessary and proportionate for those purposes. 509 (c) Debug to identify and repair errors that impair 510 existing intended functionality. 511 (d) Exercise free speech, ensure the right of another 512 consumer to exercise that consumer’s right of free speech, or 513 exercise another right provided for by law. 514 (e) Engage in public or peer-reviewed scientific, 515 historical, or statistical research that conforms or adheres to 516 all other applicable ethics and privacy laws, when the business’ 517 deletion of the information is likely to render impossible or 518 seriously impair the ability to complete such research, if the 519 consumer has provided informed consent. 520 (f) Comply with a legal obligation. 521 (8) This section may not be construed to require a 522 controller to comply by reidentifying or otherwise linking 523 information that is not maintained in a manner that would be 524 considered personal information; retaining any personal 525 information about a consumer if, in the ordinary course of 526 business, that information would not be retained; maintaining 527 information in identifiable, linkable, or associable form; or 528 collecting, obtaining, retaining, or accessing any data or 529 technology in order to be capable of linking or associating a 530 verifiable consumer request with personal information. 531 (9) A consumer may authorize another person to opt out of 532 the sale of the consumer’s personal information. A controller 533 shall comply with an opt-out request received from a person 534 authorized by the consumer to act on the consumer’s behalf, 535 including a request received through a user-enabled global 536 privacy control, such as a browser plug-in or privacy setting, 537 device setting, or other mechanism, which communicates or 538 signals the consumer’s choice to opt out, and may not require a 539 consumer to make a verified request to opt out of the sale of 540 his or her information. 541 (10) Each controller shall establish a designated request 542 address through which a consumer may submit a request to 543 exercise his or her rights under this act. 544 (11)(a) A controller that receives a verified request: 545 1. For a consumer’s personal information shall disclose to 546 the consumer any personal information about the consumer which 547 it has collected since January 1, 2023, directly or indirectly, 548 including such information obtained through or by a processor. 549 2. To correct a consumer’s inaccurate personal information 550 shall correct the inaccurate personal information, taking into 551 account the nature of the personal information and the purpose 552 for processing the consumer’s personal information. 553 3. To delete a consumer’s personal information shall delete 554 such personal information collected from the consumer. 555 (b) A processor is not required to personally comply with a 556 verified request received directly from a consumer, but the 557 processor must notify a controller of such a request within 10 558 days after receiving the request. The time period required for a 559 controller to comply with a verified request as provided in 560 paragraph (d) commences beginning from the time the processor 561 notifies the controller of the verified request. A processor 562 shall provide reasonable assistance to a controller with which 563 it has a contractual relationship with respect to the 564 controller’s response to a verifiable consumer request, 565 including, but not limited to, by providing to the controller 566 the consumer’s personal information in the processor’s 567 possession which the processor obtained as a result of providing 568 services to the controller. 569 (c) At the direction of the controller, a processor shall 570 correct inaccurate personal information or delete personal 571 information, or enable the controller to do the same. 572 (d) A controller shall comply with a verified request 573 submitted by a consumer to access, correct, or delete personal 574 information within 45 days after the date the request is 575 submitted. A controller may extend such period by up to 45 days 576 if the controller, in good faith, determines that such an 577 extension is reasonably necessary. A controller that extends the 578 period shall notify the consumer of the necessity of an 579 extension. 580 (e) A consumer’s rights under this subsection do not apply 581 to pseudonymous information in cases in which the controller is 582 able to demonstrate that all information necessary to identify 583 the consumer is kept separate at all times and is subject to 584 effective technical and organizational controls that prevent the 585 controller from accessing or combining such information. 586 (12) A controller shall comply with a consumer’s previous 587 expressed decision to opt out of the sale of his or her personal 588 information without requiring the consumer to take any 589 additional action if the controller is able to identify the 590 consumer through a login protocol or any other process the 591 controller uses to identify consumers and the consumer has 592 previously exercised his or her right to opt out of the sale of 593 his or her personal information. 594 (13) A controller shall make available, in a manner 595 reasonably accessible to consumers whose personal information 596 the controller collects through its website or online service, a 597 notice that does all of the following: 598 (a) Identifies the categories of personal information that 599 the controller collects through its website or online service 600 about consumers who use or visit the website or online service 601 and the categories of third parties to whom the controller may 602 disclose such personal information. 603 (b) Provides a description of the process, if applicable, 604 for a consumer who uses or visits the website or online service 605 to review and request changes to any of his or her personal 606 information collected from the consumer through the website or 607 online service. 608 (c) Describes the process by which the controller notifies 609 consumers who use or visit the website or online service of 610 material changes to the notice. 611 (d) Discloses whether a third party may collect personal 612 information about a consumer’s online activities over time and 613 across different websites or online services when the consumer 614 uses the controller’s website or online service. 615 (e) States the effective date of the notice. 616 (14) If a request from a consumer is manifestly unfounded 617 or excessive, in particular because of the request’s repetitive 618 character, a controller may either charge a reasonable fee, 619 taking into account the administrative costs of providing the 620 information or communication or taking the action requested, or 621 refuse to act on the request and notify the consumer of the 622 reason for refusing the request. The controller bears the burden 623 of demonstrating that any verified consumer request is 624 manifestly unfounded or excessive. 625 (15) A controller that discloses personal information to a 626 processor is not liable under this act if the processor 627 receiving the personal information uses it in violation of the 628 restrictions set forth in the act, provided that, at the time of 629 disclosing the personal information, the controller does not 630 have actual knowledge or reason to believe that the processor 631 intends to commit such a violation. A processor is likewise not 632 liable under this act for the obligations of a controller for 633 which it processes personal information as set forth in this 634 act. 635 (16) A controller or processor that discloses personal 636 information to a third-party controller or processor in 637 compliance with the requirements of this act is not in violation 638 of this chapter if the third-party controller or processor that 639 receives and processes such personal information is in violation 640 of this act, provided that, at the time of disclosing the 641 personal information, the disclosing controller or processor did 642 not have actual knowledge that the recipient intended to commit 643 a violation. A third-party controller or processor that violates 644 this act, or violates the terms of a contractual agreement with 645 a controller or processor which results in a violation of this 646 act, is deemed to have violated the requirements of this act and 647 is subject to the enforcement actions otherwise provided against 648 a controller pursuant to s. 501.177. A third-party controller or 649 processor receiving personal information from a controller or 650 processor in compliance with the requirements of this act is not 651 in violation of this act for noncompliance of the controller or 652 processor from which it receives such personal data. 653 (17) The rights afforded to consumers and the obligations 654 imposed on a controller in this act may not adversely affect the 655 rights and freedoms of other consumers. Notwithstanding 656 subsection (7), a verified request for specific items of 657 personal information, to delete a consumer’s personal 658 information, or to correct inaccurate personal information does 659 not extend to personal information about the consumer which 660 belongs to, or which the controller maintains on behalf of, 661 another natural person. 662 Section 6. Section 501.176, Florida Statutes, is created to 663 read: 664 501.176 Applicability; exclusions.— 665 (1) The obligations imposed on a controller or processor by 666 this act do not restrict a controller’s or processor’s ability 667 to do any of the following: 668 (a) Comply with federal, state, or local laws, rules, or 669 regulations. 670 (b) Comply with a civil, criminal, or regulatory inquiry or 671 an investigation, a subpoena, or a summons by federal, state, 672 local, or other governmental authorities. 673 (c) Cooperate with law enforcement agencies concerning 674 conduct or activity that the controller or processor reasonably 675 and in good faith believes may violate federal, state, or local 676 laws, rules, or regulations. 677 (d) Exercise, investigate, establish, prepare for, or 678 defend legal claims. 679 (e) Collect, use, retain, sell, or disclose consumer 680 personal information to: 681 1. Conduct internal research to develop, improve, or repair 682 products, services, or technology; 683 2. Effectuate a product recall or provide a warranty for 684 products or services; 685 3. Identify or repair technical errors that impair existing 686 or intended functionality; 687 4. Perform internal operations that are reasonably aligned 688 with the expectations of the consumer or reasonably anticipated 689 based on the consumer’s existing relationship with the 690 controller or that are otherwise compatible with processing data 691 in furtherance of the provision of a product or service 692 specifically requested by a consumer or a parent of a child, or 693 the performance of a contract to which the consumer is a party; 694 5. Provide a product or service specifically requested by a 695 consumer or a parent of a child; perform a contract to which the 696 consumer or parent is a party, including fulfilling the terms of 697 a written warranty; or take steps at the request of the consumer 698 before entering into a contract; 699 6. Take steps to protect an interest that is essential for 700 the life or physical safety of the consumer or of another 701 natural person, and where the processing cannot be manifestly 702 based on another legal basis; 703 7. Prevent, detect, protect against, or respond to security 704 incidents, identity theft, fraud, harassment, malicious or 705 deceptive activities, or any illegal activity, and prosecute 706 those responsible for that activity; 707 8. Preserve the integrity or security of information 708 technology systems; 709 9. Investigate, report, or prosecute those responsible for 710 any illegal, malicious, harmful, deceptive, or otherwise harmful 711 activities; 712 10. Engage in public or peer-reviewed scientific or 713 statistical research in the public interest that adheres to all 714 other applicable ethics and privacy laws and, if applicable, is 715 approved, monitored, and governed by an institutional review 716 board, or similar independent oversight entity that determines 717 if the information is likely to provide substantial benefits 718 that do not exclusively accrue to the controller, if the 719 expected benefits of the research outweigh the privacy risks, 720 and if the controller has implemented reasonable safeguards to 721 mitigate privacy risks associated with research, including any 722 risks associated with reidentification; or 723 11. Assist another controller, processor, or third party 724 with any of the obligations under this subsection. 725 (2) This act does not apply to any of the following: 726 (a) A controller that collects, processes, or discloses the 727 personal information of its employees, owners, directors, 728 officers, beneficiaries, job applicants, interns, or volunteers, 729 so long as the controller is collecting or disclosing such 730 information only to the extent reasonable and necessary within 731 the scope of the role the controller has in relation to each 732 class of listed individuals. For purposes of this section the 733 term “personal information” includes employment benefit 734 information. 735 (b) Personal information that is part of a written or 736 verbal communication or a transaction between the controller or 737 processor and the consumer, when the consumer is a natural 738 person who is acting as an employee, owner, director, officer, 739 or contractor of a company, partnership, sole proprietorship, 740 nonprofit, or government agency and whose communications or 741 transaction with the business occur solely within the context of 742 the business conducting due diligence regarding, or providing or 743 receiving a product or service to or from such company, 744 partnership, sole proprietorship, nonprofit, or government 745 agency. 746 (c) A business, service provider, or third party that 747 collects the personal information of an individual: 748 1. Who applies to, is or was previously employed by, or 749 acts as an agent of the business, service provider, or third 750 party, to the extent that the personal information is collected 751 and used in a manner related to or arising from the individual’s 752 employment status; or 753 2. To administer benefits for another individual and the 754 personal information is used to administer those benefits. 755 (d) A business that enters into a contract with an 756 independent contractor and collects or discloses personal 757 information about the contractor reasonably necessary to either 758 enter into or to fulfill the contract when the contracted 759 services would not defeat the purposes of this act. 760 (e) Protected health information for purposes of the 761 federal Health Insurance Portability and Accountability Act of 762 1996 and related regulations, and patient identifying 763 information for purposes of 42 C.F.R. part 2, established 764 pursuant to 42 U.S.C. s. 290dd-2. 765 (f) A covered entity or business associate governed by the 766 privacy, security, and breach notification rules issued by the 767 United States Department of Health and Human Services in 45 768 C.F.R. parts 160 and 164, or a program or a qualified service 769 program defined in 42 C.F.R. part 2, to the extent that the 770 covered entity, business associate, or program maintains 771 personal information in the same manner as medical information 772 or protected health information as described in paragraph (e). 773 (g) Identifiable private information collected for purposes 774 of research as defined in 45 C.F.R. s. 164.501 which is 775 conducted in accordance with the Federal Policy for the 776 Protection of Human Subjects for purposes of 45 C.F.R. part 46, 777 the good clinical practice guidelines issued by the 778 International Council for Harmonisation of Technical 779 Requirements for Pharmaceuticals for Human Use, or the 780 Protection for Human Subjects for purposes of 21 C.F.R. parts 50 781 and 56; or personal information used or shared in research 782 conducted in accordance with one or more of these standards, or 783 another applicable protocol. 784 (h) Information and documents created for purposes of the 785 federal Health Care Quality Improvement Act of 1986 and related 786 regulations, or patient safety work product for purposes of 42 787 C.F.R. part 3, established pursuant to 42 U.S.C. s. 299b-21 788 through 299b-26. 789 (i) Information de-identified in accordance with 45 C.F.R. 790 part 164 and derived from individually identifiable health 791 information, as described in the federal Health Insurance 792 Portability and Accountability Act of 1996, or identifiable 793 personal information, consistent with the Federal Policy for the 794 Protection of Human Subjects or the human subject protection 795 requirements of the United States Food and Drug Administration 796 or the good clinical practice guidelines issued by the 797 International Council for Harmonisation of Technical 798 Requirements for Pharmaceuticals for Human Use. 799 (j) Information collected as part of a clinical trial 800 subject to the Federal Policy for the Protection of Human 801 Subjects pursuant to good clinical practice guidelines issued by 802 the International Council for Harmonisation of Technical 803 Requirements for Pharmaceuticals for Human Use or pursuant to 804 human subject protection requirements of the United States Food 805 and Drug Administration, or another protocol. 806 (k) Personal information collected, processed, sold, or 807 disclosed pursuant to the federal Fair Credit Reporting Act, 15 808 U.S.C. s. 1681 et seq. 809 (l) Personal information collected, processed, sold, or 810 disclosed pursuant to, or a financial institution to the extent 811 regulated by, the federal Gramm-Leach-Bliley Act, 15 U.S.C. s. 812 6801 et seq. and implementing regulations. 813 (m) Personal information collected, processed, sold, or 814 disclosed pursuant to the Farm Credit Act of 1971, as amended in 815 12 U.S.C. s. 2001-2279cc and implementing regulations. 816 (n) Personal information collected, processed, sold, or 817 disclosed pursuant to the federal Driver’s Privacy Protection 818 Act of 1994, 18 U.S.C. s. 2721 et seq. 819 (o) Education information covered by the federal Family 820 Educational Rights and Privacy Act, 20 U.S.C. s. 1232g and 34 821 C.F.R. part 99. 822 (p) Personal information collected, processed, sold, or 823 disclosed in relation to price, route, or service as those terms 824 are used in the federal Airline Deregulation Act, 49 U.S.C. s. 825 40101 et seq., by entities subject to the federal Airline 826 Deregulation Act, to the extent this act is preempted by s. 827 41713 of the federal Airline Deregulation Act. 828 (q) Vehicle information or ownership information retained 829 or shared between a new motor vehicle dealer, a distributor, or 830 the vehicle’s manufacturer if the vehicle or ownership 831 information is shared for the purpose of effectuating, or in 832 anticipation of effectuating, a vehicle repair covered by a 833 vehicle warranty or a recall conducted pursuant to 49 U.S.C. s. 834 30118-30120, provided that the new motor vehicle dealer, 835 distributor, or vehicle manufacturer with which that vehicle 836 information or ownership information is shared does not sell, 837 share, or use that information for any other purpose. As used in 838 this paragraph, the term “vehicle information” means the vehicle 839 identification number, make, model, year, and odometer reading, 840 and the term “ownership information” means the name or names of 841 the registered owner or owners and the contact information for 842 the owner or owners. 843 Section 7. Section 501.177, Florida Statutes, is created to 844 read: 845 501.177 Enforcement; preemption.— 846 (1) ENFORCEMENT.— 847 (a) This subsection and subsection (2) apply only to 848 controllers and processors that sell the personal information of 849 consumers to third parties and that are subject to the 850 requirements of this act. 851 (b) This act does not establish a private cause of action. 852 (c) The following are unfair and deceptive trade practices 853 actionable under part II of this chapter solely by the 854 Department of Legal Affairs against a controller or processor: 855 1. Failure to delete or correct a consumer’s personal 856 information pursuant to this act after receiving from a 857 controller a verifiable consumer request or directions to delete 858 or correct, unless the controller or processor qualifies for an 859 exception to the requirements to delete or correct under this 860 act; and 861 2. Continuing to sell a consumer’s personal information 862 after the consumer chooses to opt out or selling the personal 863 information of a consumer age 16 or younger without obtaining 864 the consent required by this act. 865 (d) If the department has reason to believe that a 866 controller or processor has committed an act described in 867 paragraph (c), the department, as the enforcement authority, may 868 bring an action against such controller or processor. For the 869 purpose of bringing an action pursuant to this act, ss. 501.211 870 and 501.212 do not apply. Civil penalties may be tripled if the 871 violation involves a consumer who the controller or processor 872 has actual knowledge is 16 years of age or younger. 873 (e) After the department has notified a controller or 874 processor in writing of an alleged violation, the department, at 875 its discretion, may grant to the controller or processor a 45 876 day period to cure the alleged violation. The department may 877 consider the number of violations, the substantial likelihood of 878 injury to the public, or the safety of persons or property when 879 determining whether to grant the 45-day cure period. If the 880 controller or processor provides proof to the department that 881 the violation has been cured to the satisfaction of the 882 department, the department may issue a letter of guidance that 883 indicates that the controller or processor will not be offered a 884 45-day cure period for any future violations. If the controller 885 or processor fails to cure the violation within 45 days, the 886 department may bring an action against the controller or 887 processor for the alleged violation. 888 (f) A court may grant the following relief in an action 889 brought pursuant to this act by the department: 890 1. Actual damages to a consumer. 891 2. Injunctive or declaratory relief. 892 (g) Liability for a tort, contract claim, or consumer 893 protection claim which is unrelated to an action by the 894 department does not arise solely from the failure of a 895 controller or processor to comply with this act and evidence of 896 such noncompliance may only be used as the basis to prove a 897 cause of action under this section. 898 (h) By each February 1, the department, in conjunction and 899 consultation with the director of the Consumer Data Privacy 900 Unit, shall submit a report to the President of the Senate and 901 the Speaker of the House of Representatives describing any 902 actions taken by the department to enforce this act. The report 903 must include statistics and relevant information detailing all 904 of the following: 905 1. The number of complaints received. 906 2. The number of complaints investigated. 907 3. The number and type of enforcement actions taken and the 908 outcomes of such actions. 909 4. The number of complaints resolved without the need for 910 litigation. 911 5. The status of the development and implementation of 912 rules to implement this act. 913 (i) The department may adopt rules to implement this act. 914 (2) JURISDICTION.—For purposes of bringing an action in 915 accordance with this section, any person that meets the 916 definition of a controller that collects or sells the personal 917 information of Florida consumers, is considered to be both 918 engaged in substantial and not isolated activities within this 919 state and operating, conducting, engaging in, or carrying on a 920 business, and doing business in this state, and therefore is 921 subject to the jurisdiction of the courts of this state. 922 (3) PREEMPTION.—This section is a matter of statewide 923 concern and supersedes and preempts to the state all rules, 924 regulations, codes, ordinances, and other laws adopted by a 925 city, county, city and county, municipality, or local agency 926 regarding the collection, processing, or sale of consumers’ 927 personal information by a controller or processor. 928 Section 8. Subsection (1) of section 16.53, Florida 929 Statutes, is amended, and subsection (8) is added to that 930 section, to read: 931 16.53 Legal Affairs Revolving Trust Fund.— 932 (1) There is created in the State Treasury the Legal 933 Affairs Revolving Trust Fund, from which the Legislature may 934 appropriate funds for the purpose of funding investigation, 935 prosecution, and enforcement by the Attorney General of the 936 provisions of the Racketeer Influenced and Corrupt Organization 937 Act, the Florida Deceptive and Unfair Trade Practices Act, the 938 Florida False Claims Act,orstate or federal antitrust laws, or 939 the Florida Privacy Protection Act. 940 (8) All moneys recovered by the Attorney General for 941 attorney fees and costs in an action for violation of the 942 Florida Privacy Protection Act must be deposited in the fund. 943 Section 9. Section 16.581, Florida Statutes, is created to 944 read: 945 16.581 Consumer Data Privacy Unit.— 946 (1) There is created in the Department of Legal Affairs the 947 Consumer Data Privacy Unit, which shall be headed by a director 948 who is fully accountable to the Attorney General, who shall 949 assign the director such powers, duties, responsibilities, and 950 functions as are necessary to ensure the greatest possible 951 coordination, efficiency, and effectiveness of the unit in 952 protecting the personal information of residents of this state. 953 (2) The unit shall serve as legal counsel in any suit or 954 other legal action initiated in connection with the Florida 955 Privacy Protection Act. 956 (3) The unit may investigate and initiate actions 957 authorized by the Florida Privacy Protection Act. 958 (4) If, by its own inquiry or as a result of complaints, 959 the unit has reason to believe that there has been a violation 960 of the Florida Privacy Protection Act, the unit may administer 961 oaths and affirmations, subpoena witnesses or matter, and 962 collect evidence. 963 (5) The unit may refer any criminal violations so uncovered 964 to the appropriate prosecuting authority. 965 (6) The unit may recover reasonable attorney fees and costs 966 and penalties in accordance with part II of chapter 501 in any 967 action for violation of consumer data privacy provisions in the 968 Florida Privacy Protection Act. Such attorney fees and costs 969 collected must be deposited in the Legal Affairs Revolving Trust 970 Fund. 971 (7) All moneys recovered by the Attorney General for 972 penalties in an action for violation of the Florida Privacy 973 Protection Act must be deposited in the General Revenue Fund. 974 Section 10. This act shall take effect December 31, 2022.