HB 9 2022
CODING: Words stricken are deletions; words underlined are additions.
hb0009-00
FLORIDA HOUSE OF REPRESENTATIVES

A bill to be entitled

An act relating to consumer data privacy; creating s. 501.173, F.S.; providing applicability; providing definitions; requiring controllers that collect a consumer's personal data to disclose certain information regarding data collection and selling practices to the consumer at or before the point of collection; specifying that such information may be provided through a general privacy policy or through a notice informing the consumer that additional specific information will be provided upon a certain request; prohibiting controllers from collecting additional categories of personal information or using personal information for additional purposes without notifying the consumer; requiring controllers that collect personal information to implement reasonable security procedures and practices to protect the information; authorizing consumers to request controllers to disclose the specific personal information the controller has collected about the consumer; requiring controllers to make available two or more methods for consumers to request their personal information; requiring controllers to provide such information free of charge within a certain timeframe and in a certain format upon receiving a verifiable consumer request; specifying requirements for third parties with respect to consumer information acquired or used; providing construction; authorizing consumers to request controllers to delete or correct personal information the controllers have collected about the consumers; providing exceptions; specifying requirements for controllers to comply with deletion or correction requests; authorizing consumers to opt out of third-party disclosure of personal information collected by a controller; prohibiting controllers from selling or disclosing the personal information of consumers younger than a certain age, except under certain circumstances; prohibiting controllers from selling or sharing a consumer's information if the consumer has opted out of such disclosure; prohibiting controllers from taking certain actions to retaliate against consumers who exercise certain rights; providing applicability; providing that a contract or agreement that waives or limits certain consumer rights is void and unenforceable; providing for civil actions and a private right of action for consumers under certain circumstances; providing civil remedies; authorizing the Department of Legal Affairs to bring an action under the Florida Unfair or Deceptive Trade Practices Act and to adopt rules; requiring the department to submit an annual report to the Legislature; providing report requirements; providing that controllers must have a specified timeframe to cure any violations; providing jurisdiction; declaring that the act is matter of statewide concern; preempting the collection, processing, sharing, and sale of consumer personal information to the state; amending s. 501.171, F.S.; revising the definition of "personal information"; providing an effective date.

Be It Enacted by the Legislature of the State of Florida:

Section 1. Section 501.173, Florida Statutes, is created to read:

501.173 Consumer data privacy.—

(1) APPLICABILITY.—This section does not apply to:
(a) Personal information collected and transmitted that is necessary for the sole purpose of sharing such personal information with a financial service provider to facilitate short term, transactional payment processing for the purchase of products or services.
(b) Personal information collected, used, retained, sold, shared, or disclosed as deidentified personal information or aggregate consumer information.
(c) Compliance with federal, state, or local laws.
(d) Compliance with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, or local authorities.
(e) Cooperation with law enforcement agencies concerning conduct or activity that the controller, processor, or third party reasonably and in good faith believes may violate federal, state, or local law.
(f) Exercising legal rights or privileges.
(g) Personal information used or collected by a controller or processor pursuant to a written contract between the controller and processor that complies with the requirements of this section.
(h) Personal information used by a controller or processor to advertise or market products or services that are produced or offered directly by the controller or processor. Such information may not be sold, shared, or disclosed to another person unless otherwise authorized under this section.
(i) Personal information of a person acting in the role of a job applicant, employee, owner, director, officer, contractor, volunteer, or intern of a controller, that is collected by a controller, to the extent the personal information is collected and used solely within the context of the person's role or former role with the controller.
(j) Protected health information for purposes of the federal Health Insurance Portability and Accountability Act of 1996 and related regulations, and patient identifying information for purposes of 42 C.F.R. part 2, established pursuant to 42 U.S.C. s. 290dd-2.
(k) A covered entity or business associate governed by the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services in 45 C.F.R. parts 160 and 164, or a program or a qualified service program as defined in 42 C.F.R. part 2, to the extent the covered entity, business associate, or program maintains personal information in the same manner as medical information or protected health information as described in paragraph (j), and as long as the covered entity, business associate, or program does not use personal information for targeted advertising with third parties and does not sell or share personal information to a third party unless such sale or sharing is covered by an exception under this section.
(l) Identifiable private information collected for purposes of research as defined in 45 C.F.R. s. 164.501 conducted in accordance with the Federal Policy for the Protection of Human Subjects for purposes of 45 C.F.R. part 46, the good clinical practice guidelines issued by the International Council for Harmonisation of Technical Requirements for Pharmaceuticals for Human Use, or the Protection for Human Subjects for purposes of 21 C.F.R. parts 50 and 56, or personal information that is used or shared in research conducted in accordance with one or more of these standards.
(m) Information and documents created for purposes of the federal Health Care Quality Improvement Act of 1986 and related regulations, or patient safety work product for purposes of 42 C.F.R. part 3, established pursuant to 42 U.S.C. s. 299b-21 through 299b-26.
(n) Information that is deidentified in accordance with 45 C.F.R. part 164 and derived from individually identifiable health information as described in the Health Insurance Portability and Accountability Act of 1996, or identifiable personal information, consistent with the Federal Policy for the Protection of Human Subjects or the human subject protection requirements of the United States Food and Drug Administration.
(o) Information used only for public health activities and purposes as described in 45 C.F.R. s. 164.512.
(p) Personal information collected, processed, sold, or disclosed pursuant to the federal Fair Credit Reporting Act, 15 U.S.C. s. 1681 and implementing regulations.
(q) Nonpublic personal information collected, processed, sold, or disclosed pursuant to the Gramm-Leach-Bliley Act, 15 U.S.C. s. 6801 et seq., and implementing regulations.
(r) A financial institution as defined in the Gramm-Leach-Bliley Act, 15 U.S.C. s. 6801 et seq., to the extent the financial institution maintains personal information in the same manner as nonpublic personal information as described in paragraph (q), and as long as such financial institution does not use personal information for targeted advertising with third parties and does not sell or share personal information to a third party unless such sale or sharing is covered by an exception under this section.
(s) Personal information collected, processed, sold, or disclosed pursuant to the federal Driver's Privacy Protection Act of 1994, 18 U.S.C. s. 2721 et seq.
(t) Education information covered by the Family Educational Rights and Privacy Act, 20 U.S.C. s. 1232(g) and 34 C.F.R. part 99.
(u) Information collected as part of public or peer-reviewed scientific or statistical research in the public interest and that adheres to all other applicable ethics and privacy laws, if the consumer has provided informed consent. Research with personal information must be subjected by the controller conducting the research to additional security controls that limit access to the research data to only those individuals necessary to carry out the research purpose and subsequently deidentified.
(v) Personal information disclosed for the purpose of responding to an alert of a present risk of harm to a person or property, detecting security incidents, protecting against malicious, deceptive, fraudulent, or illegal activity, or prosecuting those responsible for that activity.
(w) Personal information that is disclosed when a consumer uses or directs a controller to intentionally disclose information to a third party or uses the controller to intentionally interact with a third party. An intentional interaction occurs when the consumer intends to interact with the third party, by one or more deliberate interactions. Hovering over, muting, pausing, or closing a given piece of content does not constitute a consumer's intent to interact with a third party.
(x) An identifier used for a consumer who has opted out of the sale or sharing of the consumer's personal information for the sole purpose of alerting processors and third parties that the consumer has opted out of the sale or sharing of the consumer's personal information.
(y) Personal information transferred by a controller to a third party as an asset that is part of a merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the controller, provided that information is used or shared consistently with this section. If a third party materially alters how it uses or shares the personal information of a consumer in a manner that is materially inconsistent with the commitments or promises made at the time of collection, it shall provide prior notice of the new or changed practice to the consumer. The notice must be sufficiently prominent and robust to ensure that consumers can easily exercise choices consistent with this section.

(2) DEFINITIONS.—As used in this section, the term:
(a) "Aggregate consumer information" means information that relates to a group or category of consumers, from which the identity of an individual consumer has been removed and is not reasonably capable of being directly or indirectly associated or linked with, any consumer, household, or device. The term does not include personal information that has been deidentified.
(b) "Biometric information" means an individual's physiological, biological, or behavioral characteristics, including an individual's deoxyribonucleic acid (DNA), that can be used, singly or in combination with each other or with other identifying data, to establish individual identity. The term includes, but is not limited to, imagery of the iris, retina, fingerprint, face, hand, palm, vein patterns, and voice recordings, from which an identifier template, such as a faceprint, a minutiae template, or a voiceprint, can be extracted, and keystroke patterns or rhythms, gait patterns or rhythms, and sleep, health, or exercise data that contain identifying information.
(c) "Collect" means to buy, rent, gather, obtain, receive, or access any personal information pertaining to a consumer by any means. The term includes, but is not limited to, actively or passively receiving information from the consumer or by observing the consumer's behavior or actions.
(d) "Consumer" means a natural person who resides in or is domiciled in this state, however identified, including by any unique identifier, who is acting in a personal capacity or household context. The term does not include a natural person acting on behalf of a legal entity in a commercial or employment context.
(e) "Controller" means:
1. A sole proprietorship, partnership, limited liability company, corporation, association, or legal entity that meets the following requirements:
a. Is organized or operated for the profit or financial benefit of its shareholders or owners;
b. Does business in this state;
c. Collects personal information about consumers, or is the entity on behalf of which such information is collected;
d. Determines the purposes and means of processing personal information about consumers alone or jointly with others; and
e. Satisfies at least two of the following thresholds:
(I) Has global annual gross revenues in excess of $50 million, as adjusted in January of every odd-numbered year to reflect any increase in the Consumer Price Index.
(II) Annually buys, receives, sells, or shares the personal information of 50,000 or more consumers, households, or devices for the purpose of targeted advertising in conjunction with third parties or for a purpose that is not listed under subsection (1).
(III) Derives 50 percent or more of its global annual revenues from selling or sharing personal information about consumers.
2. Any entity that controls or is controlled by a controller. As used in this subparagraph, the term "control" means:
a. Ownership of, or the power to vote, more than 50 percent of the outstanding shares of any class of voting security of a controller;
b. Control in any manner over the election of a majority of the directors, or of individuals exercising similar functions; or
c. The power to exercise a controlling influence over the management of a company.
(f) "Deidentified" means information that cannot reasonably be used to infer information about or otherwise be linked to a particular consumer, provided that the controller that possesses the information:
1. Takes reasonable measures to ensure that the information cannot be associated with a specific consumer;
2. Maintains and uses the information in deidentified form and not to attempt to reidentify the information, except that the controller may attempt to reidentify the information solely for the purpose of determining whether its deidentification processes satisfy the requirements of this paragraph; and
3. Contractually obligates any recipients of the information to comply with all the provisions of this paragraph to avoid reidentifying such information.
(g) "Department" means the Department of Legal Affairs.
(h) "Device" means a physical object associated with a consumer or household capable of directly or indirectly connecting to the Internet.
(i) "Homepage" means the introductory page of an Internet website and any Internet webpage where personal information is collected. In the case of a mobile application, the homepage is the application's platform page or download page, a link within the application, such as the "About" or "Information" application configurations, or settings page, and any other location that allows consumers to review the notice required by subsection (7), including, but not limited to, before downloading the application.
(j) "Household" means a natural person or a group of people in this state who reside at the same address, share a common device or the same service provided by a controller, and are identified by a controller as sharing the same group account or unique identifier.
(k) "Personal information" means information that is linked or reasonably linkable to an identified or identifiable consumer or household, including biometric information and unique identifiers to the consumer. The term does not include consumer information that is:
1. Consumer employment contact information, including a position name or title, employment qualifications, emergency contact information, business telephone number, business electronic mail address, employee benefit information, and similar information used solely in an employment context.
2. Deidentified or aggregate consumer information.
3. Publicly and lawfully available information reasonably believed to be made available to the public in a lawful manner and without legal restrictions:
a. From federal, state, or local government records.
b. By a widely distributed media source.
c. By the consumer or by someone to whom the consumer disclosed the information unless the consumer has purposely and effectively restricted the information to a certain audience on a private account.
(l) "Processing" means any operation or set of operations that are performed on personal information or on sets of personal information, whether or not by automated means.
(m) "Processor" means a sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners, that processes information on behalf of a controller and to which the controller discloses a consumer's personal information pursuant to a written contract, provided that the contract prohibits the entity receiving the information from retaining, using, or disclosing the personal information for any purpose other than for the specific purpose of performing the services specified in the contract for the controller, or as otherwise permitted by this section.
(n) "Sell" means to sell, rent, release, disclose, disseminate, make available, transfer, or otherwise communicate orally, in writing, or by electronic or other means, a consumer's personal information by a controller to another controller or a third party for monetary or other valuable consideration.
(o) "Share" means to share, rent, release, disclose, disseminate, make available, transfer, or access a consumer's personal information for advertising or marketing. The term includes:
1. Allowing a third party to use or advertise or market to a consumer based on a consumer's personal information without disclosure of the personal information to the third party.
2. Monetary transactions, nonmonetary transactions, and transactions for other valuable consideration between a controller and a third party for advertising or marketing for the benefit of a controller.
(p) "Targeted advertising" means marketing to a consumer or displaying an advertisement to a consumer when the advertisement is selected based on personal information used to predict such consumer's preferences or interests.
(q) "Third party" means a person who is not a controller or processor.
(r) "Verifiable consumer request" means a request related to personal information that is made by a consumer, by a parent or guardian on behalf of a consumer who is a minor child, or by a person authorized by the consumer to act on the consumer's behalf in a form that is reasonably and readily accessible to consumers and that the controller can reasonably verify to be the consumer pursuant to rules adopted by the department.

(3) CONSUMER DATA COLLECTION REQUIREMENTS AND RESPONSIBILITIES.—
(a) A controller that collects personal information about consumers shall maintain an up-to-date online privacy policy and make such policy available from its homepage. The online privacy policy must include the following information:
1. Any Florida-specific consumer privacy rights.
2. A list of the types and categories of personal information the controller collects, sells, or shares, or has collected, sold, or shared, about consumers.
3. The consumer's right to request deletion or correction of certain personal information.
4. The consumer's right to opt-out of the sale or sharing to third parties.
(b) A controller that collects personal information shall, at or before the point of collection, inform, or direct the processor to inform, consumers of the categories of personal information to be collected and the purposes for which the categories of personal information will be used.
(c) A controller may not collect additional categories of personal information or use personal information collected for additional purposes without providing the consumer with notice consistent with this section.
(d) A controller that collects a consumer's personal information shall implement and maintain reasonable security procedures and practices appropriate to the nature of the personal information to protect the personal information from unauthorized or illegal access, destruction, use, modification, or disclosure. A controller must require any processors and third parties to implement and maintain the same or similar security procedures and practices for personal information.
(e) A controller shall adopt and implement a retention schedule that prohibits the use or retention of personal information not subject to an exemption by the controller or processor after the satisfaction of the initial purpose for which such information was collected or obtained, after the expiration or termination of the contract pursuant to which the information was collected or obtained, or 3 years after the consumer's last interaction with the controller. This paragraph does not apply to personal information used or retained for the following purposes:
1. Detection of security threats or incidents; protection against malicious, deceptive, fraudulent, unauthorized, or illegal activity or access; or prosecution of those responsible for such activity or access.
2. Compliance with a legal obligation, including any federal retention laws.
3. As reasonably needed for the protection of the controller's interests related to existing disputes, legal action, or governmental investigations.
4. Assuring the physical security of persons or property.

(4) CONSUMER RIGHT TO REQUEST COPY OF PERSONAL DATA COLLECTED, SOLD, OR SHARED.—
(a) A consumer has the right to request that a controller that collects, sells, or shares personal information about the consumer to disclose the following to the consumer:
1. The specific pieces of personal information that have been collected about the consumer.
2. The sources from which the consumer's personal information was collected.
3. The specific pieces of personal information about the consumer that were sold or shared.
4. The third parties to which the personal information about the consumer was sold or shared.
5. The categories of personal information about the consumer that were disclosed to a processor.
(b) A controller that collects, sells, or shares personal information about a consumer shall disclose the information specified in paragraph (a) to the consumer upon receipt of a verifiable consumer request.
(c) This subsection does not require a controller to retain, reidentify, or otherwise link any data that, in the ordinary course of business is not maintained in a manner that would be considered personal information.
(d) The controller shall deliver the information required or act on the request in this subsection to a consumer free of charge within 45 days after receiving a verifiable consumer request. The response period may be extended once by 45 additional days when reasonably necessary, provided the controller informs the consumer of any such extension within the initial 45-day response period and the reason for the extension. The information must be delivered in a readily usable format. A controller is not obligated to provide information to the consumer if the consumer or a person authorized to act on the consumer's behalf does not provide verification of identity or verification of authorization to act with the permission of the consumer.
(e) A controller may provide personal information to a consumer at any time, but is not required to provide personal information to a consumer more than twice in a 12-month period.
(f) This subsection does not apply to personal information relating solely to households.

(5) RIGHT TO HAVE PERSONAL INFORMATION DELETED OR CORRECTED.—
(a) A consumer has the right to request that a controller delete any personal information about the consumer which the controller has collected from the consumer.
(b) A controller that receives a verifiable consumer request to delete the consumer's personal information shall delete the consumer's personal information from its records and direct any processors to delete such information within 90 days of receipt of the verifiable consumer request.
466 (c) A controller or a processor acting pursuant to its 467 contract with the controller may not be required to comply with 468 a consumer's request to delete the consumer's personal 469 information if it is reasonably necessary for the controller or 470 processor to maintain the consumer's personal information to do 471 any of the following: 472 1. Complete the transaction for which the personal 473 information was collected. 474 2. Fulfill the terms of a writt en warranty or product 475 HB 9 2022 CODING: Words stricken are deletions; words underlined are additions. hb0009-00 Page 20 of 31 F L O R I D A H O U S E O F R E P R E S E N T A T I V E S recall conducted in accordance with federal law. 476 3. Provide a good or service requested by the consumer, or 477 reasonably anticipated to be requested within the context of a 478 controller's ongoing business relationship with the consumer , or 479 otherwise perform a contract between the controller and the 480 consumer. 481 4. Detect security incidents, protect against malicious, 482 deceptive, fraudulent, or illegal activity; or prosecute those 483 responsible for that activity. 484 5. Debug to identify and r epair errors that impair 485 existing intended functionality. 486 6. Engage in public or peer -reviewed scientific, 487 historical, or statistical research in the public interest that 488 adheres to all other applicable ethics and privacy laws when the 489 controller's deletion of the information is likely to render 490 impossible or seriously impair the achievement of such research, 491 if the consumer has provided informed consent. 492 7. Enable solely internal uses that are reasonably aligned 493 with the expectations of the consumer ba sed on the consumer's 494 relationship with the controller or that are compatible with the 495 context in which the consumer provided the information. 496 8. Comply with a legal obligation, including any state or 497 federal retention laws. 498 9. 
Reasonably protect the c ontroller's interests against 499 existing disputes, legal action, or governmental investigations. 500 HB 9 2022 CODING: Words stricken are deletions; words underlined are additions. hb0009-00 Page 21 of 31 F L O R I D A H O U S E O F R E P R E S E N T A T I V E S 10. Internally use the consumer's personal information in 501 a lawful manner. 502 (d) A consumer has the right to make a request to correct 503 inaccurate personal info rmation to a controller that maintains 504 inaccurate personal information about the consumer. A controller 505 that receives a verifiable consumer request to correct 506 inaccurate personal information shall use commercially 507 reasonable efforts to correct the inaccura te personal 508 information as directed by the consumer and direct any 509 processors to correct such information within 90 days after 510 receipt of the verifiable consumer request. If a controller 511 maintains a self-service mechanism to allow a consumer to 512 correct certain personal information, the controller may require 513 the consumer to correct their own personal information through 514 such mechanism. 515 (6) RIGHT TO OPT-OUT OF THE SALE OR SHARING OF PERSONAL 516 INFORMATION.— 517 (a) A consumer has the right at any time to direc t a 518 controller not to sell or share the consumer's personal 519 information to a third party. This right may be referred to as 520 the right to opt-out. 521 (b) Notwithstanding paragraph (a), a controller may not 522 sell or share the personal information of a minor con sumer if 523 the controller has actual knowledge that the consumer is not 16 524 years of age or older. However, if a consumer who is between 13 525 HB 9 2022 CODING: Words stricken are deletions; words underlined are additions. 
and 16 years of age, or if the parent or guardian of a consumer who is 12 years of age or younger, has affirmatively authorized the sale or sharing of such consumer's personal information, then a controller may sell or share such information in accordance with this section. A controller that willfully disregards the consumer's age is deemed to have actual knowledge of the consumer's age. A controller that complies with the verifiable parental consent requirements of the Children's Online Privacy Protection Act, 15 U.S.C. s. 6501 et seq., shall be deemed compliant with any obligation to obtain parental consent.

(c) A controller that has received direction prohibiting the sale or sharing of the consumer's personal information is prohibited from selling or sharing the consumer's personal information beginning 48 hours after receipt of such direction, unless the consumer subsequently provides express authorization for the sale or sharing of the consumer's personal information.

(7) FORM TO OPT-OUT OF SALE OR SHARING OF PERSONAL INFORMATION.—

(a) A controller shall:

1. In a form that is reasonably accessible to consumers, provide a clear and conspicuous link on the controller's Internet homepage, entitled "Do Not Sell or Share My Personal Information," to an Internet webpage that enables a consumer, or a person authorized by the consumer, to opt-out of the sale or sharing of the consumer's personal information. A controller may not require a consumer to create an account in order to direct the controller not to sell the consumer's personal information.
A controller may accept a request to opt-out received through a user-enabled global privacy control, such as a browser plug-in or privacy setting, device setting, or other mechanism, which communicates or signals the consumer's choice to opt out.

2. For consumers who opted-out of the sale or sharing of their personal information, respect the consumer's decision to opt-out for at least 12 months before requesting that the consumer authorize the sale or sharing of the consumer's personal information.

3. Use any personal information collected from the consumer in connection with the submission of the consumer's opt-out request solely for the purposes of complying with the opt-out request.

(b) A consumer may authorize another person to opt-out of the sale or sharing of the consumer's personal information on the consumer's behalf pursuant to rules adopted by the department.

(8) ACTIONS RELATED TO CONSUMERS WHO EXERCISE PRIVACY RIGHTS.—

(a) A controller may charge a consumer who exercised any of the consumer's rights under this section a different price or rate, or provide a different level or quality of goods or services to the consumer, only if that difference is reasonably related to the value provided to the controller by the consumer's data or is related to a consumer's voluntary participation in a financial incentive program, including a bona fide loyalty, rewards, premium features, discounts, or club card program offered by the controller.
(b) A controller may offer financial incentives, including payments to consumers as compensation, for the collection, sharing, sale, or deletion of personal information if the consumer gives the controller prior consent that clearly describes the material terms of the financial incentive program. The consent may be revoked by the consumer at any time.

(c) A controller may not use financial incentive practices that are unjust, unreasonable, coercive, or usurious in nature.

(9) CONTRACTS AND ROLES.—

(a) Any contract or agreement between a controller and a processor must:

1. Prohibit the processor from selling, sharing, retaining, using, or disclosing the personal information other than for the purposes specified in the contract or agreement with the controller;

2. Govern the processor's personal information processing procedures with respect to processing performed on behalf of the controller, including processing instructions, the nature and purpose of processing, the type of information subject to processing, the duration of processing, and the rights and obligations of both the controller and processor;

3. Require the processor to return or delete all personal information under the contract to the controller as requested by the controller at the end of the provision of services, unless retention of the information is required by law; and

4. Upon request of the controller, require the processor to make available to the controller all information in its possession under the contract or agreement.
(b) Determining whether a person is acting as a controller or processor with respect to a specific processing of data is a fact-based determination that depends upon the context in which personal information is to be processed. The contract between a controller and processor must reflect their respective roles and relationships related to handling personal information. A processor that continues to adhere to a controller's instructions with respect to a specific processing of personal information remains a processor.

(c) A third party may not sell or share personal information about a consumer that has been sold or shared to the third party by a controller unless the consumer has received explicit notice from the third party and is provided an opportunity to opt-out by the third party.

(d) A processor or third party must require any subcontractor to meet the same obligations of such processor or third party with respect to personal information.

(e) A processor or third party or any subcontractor thereof who violates any of the restrictions imposed upon it under this section is liable or responsible for any failure to comply with this section.

(f) Any provision of a contract or agreement of any kind that waives or limits in any way a consumer's rights under this section, including, but not limited to, any right to a remedy or means of enforcement, is deemed contrary to public policy and is void and unenforceable.
This section does not prevent a consumer from declining to request information from a controller, declining to opt-out of a controller's sale or sharing of the consumer's personal information, or authorizing a controller to sell or share the consumer's personal information after previously opting out.

(10) CIVIL ACTIONS; PRIVATE RIGHT OF ACTION.—

(a) A Florida consumer may only bring a civil action against a controller, processor, or person pursuant to this section for the following:

1. Failure to delete or correct a consumer's personal information pursuant to this section after receiving a verifiable consumer request or directions to delete or correct from a controller unless the controller, processor, or person qualifies for an exception to the requirements to delete or correct under this section.

2. Continuing to sell or share a consumer's personal information after the consumer chooses to opt-out pursuant to this section.

3. Selling or sharing the personal information of a consumer age 16 or younger without obtaining consent as required by this section.

(b) A court may grant the following relief to a consumer:

1. Damages in an amount not less than $100 and not greater than $750 per consumer per incident or actual damages, whichever is greater.

2. Injunctive or declaratory relief.

(c) Upon prevailing, the consumer shall recover reasonable attorney fees and costs.

(d) Any action under this subsection may only be brought by or on behalf of a Florida consumer.
(e) Liability for a tort, contract claim, or consumer protection claim which is unrelated to an action brought under subsection (10) or subsection (11) does not arise solely from the failure of a controller, processor, or person to comply with this section and evidence of such may only be used as the basis to prove a cause of action under this subsection.

(11) ENFORCEMENT AND IMPLEMENTATION BY THE DEPARTMENT.—

(a) Any violation of this section is an unfair and deceptive trade practice actionable under part II of chapter 501 solely by the department against a controller, processor, or person. If the department has reason to believe that any controller, processor, or person is in violation of this section, the department, as the enforcement authority, may bring an action against such controller, processor, or person for an unfair or deceptive act or practice. For the purpose of bringing an action pursuant to this section, ss. 501.211 and 501.212 do not apply. Civil penalties may be tripled if the violation:

1. Involves a consumer who the controller, processor, or person has actual knowledge is 16 years of age or younger; or

2. Is based on paragraph (10)(a).

(b) After the department has notified a controller, processor, or person in writing of an alleged violation, the department may in its discretion grant a 45-day period to cure the alleged violation. The 45-day cure period does not apply to a violation of subparagraph (10)(a)1. The department may consider the number and frequency of violations, the substantial likelihood of injury to the public, and the safety of persons or property when determining whether to grant 45 days to cure and the issuance of a letter of guidance.
If the violation is cured to the satisfaction of the department and proof of such cure is provided to the department, the department in its discretion may issue a letter of guidance. If the controller, processor, or person fails to cure the violation within 45 days, the department may bring an action against the controller, processor, or person for the alleged violation.

(c) Any action brought by the department may only be brought by or on behalf of a Florida consumer.

(d) By February 1 of each year, the department shall submit a report to the President of the Senate and the Speaker of the House of Representatives describing any actions taken by the department to enforce this section. The report shall include statistics and relevant information detailing:

1. The number of complaints received;

2. The number and type of enforcement actions taken and the outcomes of such actions;

3. The number of complaints resolved without the need for litigation; and

4. The status of the development and implementation of rules to implement this section.

(e) The department may adopt rules to implement this section, including standards for verifiable consumer requests, enforcement, data security, and authorized persons who may act on a consumer's behalf.
(12) JURISDICTION.—For purposes of bringing an action in accordance with subsections (10) and (11), any person who meets the definition of controller as defined in this section that collects, shares, or sells the personal information of Florida consumers, is considered to be both engaged in substantial and not isolated activities within this state and operating, conducting, engaging in, or carrying on a business, and doing business in this state, and is therefore subject to the jurisdiction of the courts of this state.

(13) PREEMPTION.—This section is a matter of statewide concern and supersedes all rules, regulations, codes, ordinances, and other laws adopted by a city, county, city and county, municipality, or local agency regarding the collection, processing, sharing, or sale of consumer personal information by a controller or processor. The regulation of the collection, processing, sharing, or sale of consumer personal information by a controller or processor is preempted to the state.

Section 2. Paragraph (g) of subsection (1) of section 501.171, Florida Statutes, is amended to read:

501.171 Security of confidential personal information.—

(1) DEFINITIONS.—As used in this section, the term:

(g)1. "Personal information" means either of the following:

a.
An individual's first name or first initial and last name in combination with any one or more of the following data elements for that individual:

(I) A social security number;

(II) A driver license or identification card number, passport number, military identification number, or other similar number issued on a government document used to verify identity;

(III) A financial account number or credit or debit card number, in combination with any required security code, access code, or password that is necessary to permit access to an individual's financial account;

(IV) Any information regarding an individual's medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional; or

(V) An individual's health insurance policy number or subscriber identification number and any unique identifier used by a health insurer to identify the individual.

(VI) An individual's biometric information as defined in s. 501.173(2).

b. A user name or e-mail address, in combination with a password or security question and answer that would permit access to an online account.

2. The term does not include information about an individual that has been made publicly available by a federal, state, or local governmental entity. The term also does not include information that is encrypted, secured, or modified by any other method or technology that removes elements that personally identify an individual or that otherwise renders the information unusable.

Section 3. This act shall take effect July 1, 2023.