CS/HB 9 2022
CODING: Words stricken are deletions; words underlined are additions.
hb0009-01-c1 Page 1 of 33
FLORIDA HOUSE OF REPRESENTATIVES

A bill to be entitled

An act relating to consumer data privacy; creating s. 501.173, F.S.; providing applicability; providing definitions; requiring controllers that collect a consumer's personal data to disclose certain information regarding data collection and selling practices to the consumer at or before the point of collection; specifying that such information may be provided through a general privacy policy or through a notice informing the consumer that additional specific information will be provided upon a certain request; prohibiting controllers from collecting additional categories of personal information or using personal information for additional purposes without notifying the consumer; requiring controllers that collect personal information to implement reasonable security procedures and practices to protect the information; authorizing consumers to request controllers to disclose the specific personal information the controller has collected about the consumer; requiring controllers to make available two or more methods for consumers to request their personal information; requiring controllers to provide such information free of charge within a certain timeframe and in a certain format upon receiving a verifiable consumer request; specifying requirements for third parties with respect to consumer information acquired or used; providing construction; authorizing consumers to request controllers to delete or correct personal information the controllers have collected about the consumers; providing exceptions; specifying requirements for controllers to comply with deletion or correction requests; authorizing consumers to opt out of third-party disclosure of personal information collected by a controller; prohibiting controllers from selling or disclosing the personal information of consumers younger than a certain age, except under certain circumstances; prohibiting controllers from selling or sharing a consumer's information if the consumer has opted out of such disclosure; prohibiting controllers from taking certain actions to retaliate against consumers who exercise certain rights; providing applicability; providing that a contract or agreement that waives or limits certain consumer rights is void and unenforceable; providing for civil actions and a private right of action for consumers under certain circumstances; providing civil remedies; authorizing the Department of Legal Affairs to bring an action under the Florida Unfair or Deceptive Trade Practices Act and to adopt rules; requiring the department to submit an annual report to the Legislature; providing report requirements; providing that controllers must have a specified timeframe to cure any violations; providing jurisdiction; declaring that the act is a matter of statewide concern; preempting the collection, processing, sharing, and sale of consumer personal information to the state; amending s. 501.171, F.S.; revising the definition of "personal information"; providing an effective date.

Be It Enacted by the Legislature of the State of Florida:

Section 1. Section 501.173, Florida Statutes, is created to read:

501.173 Consumer data privacy.—
(1) APPLICABILITY.—This section does not apply to:
(a) Personal information collected and transmitted that is necessary for the sole purpose of sharing such personal information with a financial service provider solely to facilitate short term, transactional payment processing for the purchase of products or services.
(b) Personal information collected, used, retained, sold, shared, or disclosed as deidentified personal information or aggregate consumer information.
(c) Compliance with federal, state, or local laws.
(d) Compliance with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, or local authorities.
(e) Cooperation with law enforcement agencies concerning conduct or activity that the controller, processor, or third party reasonably and in good faith believes may violate federal, state, or local law.
(f) Exercising or defending legal claims.
(g) Personal information obtained through the controller's direct interactions with the consumer, if collected in accordance with the provisions of this section, that is used by the controller or the processor that the controller directly contracts with for advertising or marketing services to advertise or market products or services that are produced or offered directly by the controller. Such information may not be sold, shared, or disclosed unless otherwise authorized under this section.
(h) Personal information of a person acting in the role of a job applicant, employee, owner, director, officer, contractor, volunteer, or intern of a controller, that is collected by a controller, to the extent the personal information is collected and used solely within the context of the person's role or former role with the controller.
(i) Protected health information for purposes of the federal Health Insurance Portability and Accountability Act of 1996 and related regulations, and patient identifying information for purposes of 42 C.F.R. part 2, established pursuant to 42 U.S.C. s. 290dd-2.
(j) A covered entity or business associate governed by the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services in 45 C.F.R. parts 160 and 164, or a program or a qualified service program as defined in 42 C.F.R. part 2, to the extent the covered entity, business associate, or program maintains personal information in the same manner as medical information or protected health information as described in paragraph (i), and as long as the covered entity, business associate, or program does not use personal information for targeted advertising with third parties and does not sell or share personal information to a third party unless such sale or sharing is covered by an exception under this section.
(k) Identifiable private information collected for purposes of research as defined in 45 C.F.R. s. 164.501 conducted in accordance with the Federal Policy for the Protection of Human Subjects for purposes of 45 C.F.R. part 46, the good clinical practice guidelines issued by the International Council for Harmonisation of Technical Requirements for Pharmaceuticals for Human Use, or the Protection for Human Subjects for purposes of 21 C.F.R. parts 50 and 56, or personal information that is used or shared in research conducted in accordance with one or more of these standards.
(l) Information and documents created for purposes of the federal Health Care Quality Improvement Act of 1986 and related regulations, or patient safety work product for purposes of 42 C.F.R. part 3, established pursuant to 42 U.S.C. s. 299b-21 through 299b-26.
(m) Information that is deidentified in accordance with 45 C.F.R. part 164 and derived from individually identifiable health information as described in the Health Insurance Portability and Accountability Act of 1996, or identifiable personal information, consistent with the Federal Policy for the Protection of Human Subjects or the human subject protection requirements of the United States Food and Drug Administration.
(n) Information used only for public health activities and purposes as described in 45 C.F.R. s. 164.512.
(o) Personal information collected, processed, sold, or disclosed pursuant to the federal Fair Credit Reporting Act, 15 U.S.C. s. 1681 and implementing regulations.
(p) Nonpublic personal information collected, processed, sold, or disclosed pursuant to the Gramm-Leach-Bliley Act, 15 U.S.C. s. 6801 et seq., and implementing regulations.
(q) A financial institution as defined in the Gramm-Leach-Bliley Act, 15 U.S.C. s. 6801 et seq., to the extent the financial institution maintains personal information in the same manner as nonpublic personal information as described in paragraph (p), and as long as such financial institution does not use personal information for targeted advertising with third parties and does not sell or share personal information to a third party unless such sale or sharing is covered by an exception under this section.
(r) Personal information collected, processed, sold, or disclosed pursuant to the federal Driver's Privacy Protection Act of 1994, 18 U.S.C. s. 2721 et seq.
(s) Education information covered by the Family Educational Rights and Privacy Act, 20 U.S.C. s. 1232(g) and 34 C.F.R. part 99.
(t) Information collected as part of public or peer-reviewed scientific or statistical research in the public interest and that adheres to all other applicable ethics and privacy laws, if the consumer has provided informed consent. Research with personal information must be subjected by the controller conducting the research to additional security controls that limit access to the research data to only those individuals necessary to carry out the research purpose and subsequently deidentified.
(u) Personal information disclosed for the purpose of responding to an alert of a present risk of harm to a person or property or prosecuting those responsible for that activity.
(v) Personal information that is disclosed when a consumer uses or directs a controller to intentionally disclose information to a third party or uses the controller to intentionally interact with a third party. An intentional interaction occurs when the consumer intends to interact with the third party, by one or more deliberate interactions. Hovering over, muting, pausing, or closing a given piece of content does not constitute a consumer's intent to interact with a third party.
(w) An identifier used for a consumer who has opted out of the sale or sharing of the consumer's personal information for the sole purpose of alerting processors and third parties that the consumer has opted out of the sale or sharing of the consumer's personal information.
(x) Personal information transferred by a controller to a third party as an asset that is part of a merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the controller, provided that information is used or shared consistently with this section. If a third party materially alters how it uses or shares the personal information of a consumer in a manner that is materially inconsistent with the commitments or promises made at the time of collection, it shall provide prior notice of the new or changed practice to the consumer. The notice must be sufficiently prominent and robust to ensure that consumers can easily exercise choices consistent with this section.

(2) DEFINITIONS.—As used in this section, the term:
(a) "Aggregate consumer information" means information that relates to a group or category of consumers, from which the identity of an individual consumer has been removed and is not reasonably capable of being directly or indirectly associated or linked with, any consumer, household, or device. The term does not include personal information that has been deidentified.
(b) "Biometric information" means an individual's physiological, biological, or behavioral characteristics, including an individual's deoxyribonucleic acid (DNA), that can be used, singly or in combination with each other or with other identifying data, to establish individual identity.
The term includes, but is not limited to, imagery of the iris, retina, fingerprint, face, hand, palm, vein patterns, and voice recordings, from which an identifier template, such as a faceprint, a minutiae template, or a voiceprint, can be extracted, and keystroke patterns or rhythms, gait patterns or rhythms, and sleep, health, or exercise data that contain identifying information.
(c) "Collect" means to buy, rent, gather, obtain, receive, or access any personal information pertaining to a consumer by any means. The term includes, but is not limited to, actively or passively receiving information from the consumer or by observing the consumer's behavior or actions.
(d) "Consumer" means a natural person who resides in or is domiciled in this state, however identified, including by any unique identifier, who is acting in a personal capacity or household context. The term does not include a natural person acting on behalf of a legal entity in a commercial or employment context.
(e) "Controller" means:
1. A sole proprietorship, partnership, limited liability company, corporation, association, or legal entity that meets the following requirements:
a. Is organized or operated for the profit or financial benefit of its shareholders or owners;
b. Does business in this state;
c. Collects personal information about consumers, or is the entity on behalf of which such information is collected;
d. Determines the purposes and means of processing personal information about consumers alone or jointly with others; and
e. Satisfies at least two of the following thresholds:
(I) Has global annual gross revenues in excess of $50 million, as adjusted in January of every odd-numbered year to reflect any increase in the Consumer Price Index.
(II) Annually buys, receives, sells, or shares the personal information of 50,000 or more consumers, households, and devices for the purpose of targeted advertising in conjunction with third parties or for a purpose that is not listed under subsection (1).
(III) Derives 50 percent or more of its global annual revenues from selling or sharing personal information about consumers.
2. Any entity that controls or is controlled by a controller. As used in this subparagraph, the term "control" means:
a. Ownership of, or the power to vote, more than 50 percent of the outstanding shares of any class of voting security of a controller;
b. Control in any manner over the election of a majority of the directors, or of individuals exercising similar functions; or
c. The power to exercise a controlling influence over the management of a company.
(f) "Deidentified" means information that cannot reasonably be used to infer information about or otherwise be linked to a particular consumer, provided that the controller that possesses the information:
1. Takes reasonable measures to ensure that the information cannot be associated with a specific consumer;
2. Maintains and uses the information in deidentified form and not to attempt to reidentify the information, except that the controller may attempt to reidentify the information solely for the purpose of determining whether its deidentification processes satisfy the requirements of this paragraph; and
3. Contractually obligates any recipients of the information to comply with all the provisions of this paragraph to avoid reidentifying such information.
(g) "Department" means the Department of Legal Affairs.
(h) "Device" means a physical object associated with a consumer or household capable of directly or indirectly connecting to the Internet.
(i) "Homepage" means the introductory page of an Internet website and any Internet webpage where personal information is collected. In the case of a mobile application, the homepage is the application's platform page or download page, a link within the application, such as the "About" or "Information" application configurations, or settings page, and any other location that allows consumers to review the notice required by subsection (7), including, but not limited to, before downloading the application.
(j) "Household" means a natural person or a group of people in this state who reside at the same address, share a common device or the same service provided by a controller, and are identified by a controller as sharing the same group account or unique identifier.
(k) "Personal information" means information that is linked or reasonably linkable to an identified or identifiable consumer or household, including biometric information and unique identifiers to the consumer. The term does not include consumer information that is:
1. Consumer employment contact information, including a position name or title, employment qualifications, emergency contact information, business telephone number, business electronic mail address, employee benefit information, and similar information used solely in an employment context.
2. Deidentified or aggregate consumer information.
3. Publicly and lawfully available information reasonably believed to be made available to the public in a lawful manner and without legal restrictions:
a. From federal, state, or local government records.
b. By a widely distributed media source.
c. By the consumer or by someone to whom the consumer disclosed the information unless the consumer has purposely and effectively restricted the information to a certain audience on a private account.
(l) "Processing" means any operation or set of operations that are performed on personal information or on sets of personal information, whether or not by automated means.
(m) "Processor" means a sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners, that processes information on behalf of a controller and to which the controller discloses a consumer's personal information pursuant to a written contract, provided that the contract prohibits the entity receiving the information from retaining, using, or disclosing the personal information for any purpose other than for the specific purpose of performing the services specified in the contract for the controller, as permitted by this section.
(n) "Sell" means to sell, rent, release, disclose, disseminate, make available, transfer, or otherwise communicate orally, in writing, or by electronic or other means, a consumer's personal information by a controller to another controller or a third party for monetary or other valuable consideration.
(o) "Share" means to share, rent, release, disclose, disseminate, make available, transfer, or access a consumer's personal information for advertising or marketing. The term includes:
1. Allowing a third party to use or advertise or market to a consumer based on a consumer's personal information without disclosure of the personal information to the third party.
2. Monetary transactions, nonmonetary transactions, and transactions for other valuable consideration between a controller and a third party for advertising or marketing for the benefit of a controller.
(p) "Targeted advertising" means marketing to a consumer or displaying an advertisement to a consumer when the advertisement is selected based on personal information used to predict such consumer's preferences or interests.
(q) "Third party" means a person who is not a controller or processor.
(r) "Verifiable consumer request" means a request related to personal information that is made by a consumer, by a parent or guardian on behalf of a consumer who is a minor child, or by a person authorized by the consumer to act on the consumer's behalf, in a form that is reasonably and readily accessible to consumers and that the controller can reasonably verify to be the consumer, pursuant to rules adopted by the department.

(3) CONSUMER DATA COLLECTION REQUIREMENTS AND RESPONSIBILITIES.—
(a) A controller that collects personal information about consumers shall maintain an up-to-date online privacy policy and make such policy available from its homepage. The online privacy policy must include the following information:
1. Any Florida-specific consumer privacy rights.
2. A list of the types and categories of personal information the controller collects, sells, or shares, or has collected, sold, or shared, about consumers.
3. The consumer's right to request deletion or correction of certain personal information.
4. The consumer's right to opt-out of the sale or sharing to third parties.
(b) A controller that collects personal information shall, at or before the point of collection, inform, or direct the processor to inform, consumers of the categories of personal information to be collected and the purposes for which the categories of personal information will be used.
(c) A controller may not collect additional categories of personal information or use personal information collected for additional purposes without providing the consumer with notice consistent with this section.
(d) A controller that collects a consumer's personal information shall implement and maintain reasonable security procedures and practices appropriate to the nature of the personal information to protect the personal information from unauthorized or illegal access, destruction, use, modification, or disclosure.
(e) A controller shall adopt and implement a retention schedule that prohibits the use or retention of personal information not subject to an exemption by the controller or processor after the satisfaction of the initial purpose for which such information was collected or obtained, after the expiration or termination of the contract pursuant to which the information was collected or obtained, or 3 years after the consumer's last interaction with the controller. This paragraph does not apply to personal information reasonably used or retained to do any of the following:
1. Fulfill the terms of a written warranty or product recall conducted in accordance with federal law.
2. Provide a good or service requested by the consumer, or reasonably anticipate the request of such good or service within the context of a controller's ongoing business relationship with the consumer.
3. Detect security threats or incidents; protect against malicious, deceptive, fraudulent, unauthorized, or illegal activity or access; or prosecute those responsible for such activity or access.
4. Debug to identify and repair errors that impair existing intended functionality.
5. Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws when the controller's deletion of the information is likely to render impossible or seriously impair the achievement of such research, if the consumer has provided informed consent.
6. Enable solely internal uses that are reasonably aligned with the expectations of the consumer based on the consumer's relationship with the controller or that are compatible with the context in which the consumer provided the information.
7. Comply with a legal obligation, including any state or federal retention laws.
8. As reasonably needed to protect the controller's interests against existing disputes, legal action, or governmental investigations.
9. Assure the physical security of persons or property.

(4) CONSUMER RIGHT TO REQUEST COPY OF PERSONAL DATA COLLECTED, SOLD, OR SHARED.—
(a) A consumer has the right to request that a controller that collects, sells, or shares personal information about the consumer to disclose the following to the consumer:
1. The specific pieces of personal information that have been collected about the consumer.
2. The categories of sources from which the consumer's personal information was collected.
3. The specific pieces of personal information about the consumer that were sold or shared.
4. The third parties to which the personal information about the consumer was sold or shared.
5. The categories of personal information about the consumer that were disclosed to a processor.
(b) A controller that collects, sells, or shares personal information about a consumer shall disclose the information specified in paragraph (a) to the consumer upon receipt of a verifiable consumer request.
(c) This subsection does not require a controller to retain, reidentify, or otherwise link any data that, in the ordinary course of business is not maintained in a manner that would be considered personal information.
(d) The controller shall deliver the information required or act on the request in this subsection to a consumer free of charge within 45 calendar days after receiving a verifiable consumer request. The response period may be extended once by 45 additional calendar days when reasonably necessary, provided the controller informs the consumer of any such extension within the initial 45-day response period and the reason for the extension. The information must be delivered in a readily usable format. A controller is not obligated to provide information to the consumer if the consumer or a person authorized to act on the consumer's behalf does not provide verification of identity or verification of authorization to act with the permission of the consumer.
(e) A controller may provide personal information to a consumer at any time, but is not required to provide personal information to a consumer more than twice in a 12-month period.
(f) This subsection does not apply to personal information relating solely to households.

(5) RIGHT TO HAVE PERSONAL INFORMATION DELETED OR CORRECTED.—
(a) A consumer has the right to request that a controller delete any personal information about the consumer which the controller has collected from the consumer.
1. A controller that receives a verifiable consumer request to delete the consumer's personal information shall delete the consumer's personal information from its records and direct any processors to delete such information within 90 calendar days of receipt of the verifiable consumer request.
2. A controller or a processor acting pursuant to its contract with the controller may not be required to comply with a consumer's request to delete the consumer's personal information if it is reasonably necessary for the controller or processor to maintain the consumer's personal information to do any of the following:
a. Complete the transaction for which the personal information was collected.
b. Fulfill the terms of a written warranty or product recall conducted in accordance with federal law.
c. Provide a good or service requested by the consumer, or reasonably anticipate the request of such good or service within the context of a controller's ongoing business relationship with the consumer, or otherwise perform a contract between the controller and the consumer.
d. Detect security threats or incidents; protect against malicious, deceptive, fraudulent, unauthorized, or illegal activity or access; or prosecute those responsible for such activity or access.
e. Debug to identify and repair errors that impair existing intended functionality.
f. Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws when the controller's deletion of the information is likely to render impossible or seriously impair the achievement of such research, if the consumer has provided informed consent.
g. Enable solely internal uses that are reasonably aligned with the expectations of the consumer based on the consumer's relationship with the controller or that are compatible with the context in which the consumer provided the information.
h. Comply with a legal obligation, including any state or federal retention laws.
i. As reasonably needed to protect the controller's interests against existing disputes, legal action, or governmental investigations.
j. Assure the physical security of persons or property.
(b) A consumer has the right to make a request to correct inaccurate personal information to a controller that maintains inaccurate personal information about the consumer. A controller that receives a verifiable consumer request to correct inaccurate personal information shall use commercially reasonable efforts to correct the inaccurate personal information as directed by the consumer and direct any processors to correct such information within 90 calendar days after receipt of the verifiable consumer request. If a controller maintains a self-service mechanism to allow a consumer to correct certain personal information, the controller may require the consumer to correct their own personal information through such mechanism.
A controller or a processor acting pursuant to its contract with the controller may not be required to comply with a consumer's request to correct the consumer's personal information if it is reasonably necessary for the controller or processor to maintain the consumer's personal information to do any of the following:

1. Complete the transaction for which the personal information was collected.

2. Fulfill the terms of a written warranty or product recall conducted in accordance with federal law.

3. Detect security threats or incidents; protect against malicious, deceptive, fraudulent, unauthorized, or illegal activity or access; or prosecute those responsible for such activity or access.

4. Debug to identify and repair errors that impair existing intended functionality.

5. Enable solely internal uses that are reasonably aligned with the expectations of the consumer based on the consumer's relationship with the controller or that are compatible with the context in which the consumer provided the information.

6. Comply with a legal obligation, including any state or federal retention laws.

7. As reasonably needed to protect the controller's interests against existing disputes, legal action, or governmental investigations.

8. Assure the physical security of persons or property.

(6) RIGHT TO OPT-OUT OF THE SALE OR SHARING OF PERSONAL INFORMATION.—

(a) A consumer has the right at any time to direct a controller not to sell or share the consumer's personal information to a third party. This right may be referred to as the right to opt-out.
(b) Notwithstanding paragraph (a), a controller may not sell or share the personal information of a minor consumer if the controller has actual knowledge that the consumer is not 18 years of age or older. However, if a consumer who is between 13 and 18 years of age, or if the parent or guardian of a consumer who is 12 years of age or younger, has affirmatively authorized the sale or sharing of such consumer's personal information, then a controller may sell or share such information in accordance with this section. A controller that willfully disregards the consumer's age is deemed to have actual knowledge of the consumer's age. A controller that complies with the verifiable parental consent requirements of the Children's Online Privacy Protection Act, 15 U.S.C. s. 6501 et seq., shall be deemed compliant with any obligation to obtain parental consent.

(c) A controller that has received direction prohibiting the sale or sharing of the consumer's personal information is prohibited from selling or sharing the consumer's personal information beginning 48 hours after receipt of such direction, unless the consumer subsequently provides express authorization for the sale or sharing of the consumer's personal information.

(7) FORM TO OPT-OUT OF SALE OR SHARING OF PERSONAL INFORMATION.—

(a) A controller shall:

1. In a form that is reasonably accessible to consumers, provide a clear and conspicuous link on the controller's Internet homepage, entitled "Do Not Sell or Share My Personal Information," to an Internet webpage that enables a consumer, or a person authorized by the consumer, to opt-out of the sale or sharing of the consumer's personal information.
A controller may not require a consumer to create an account in order to direct the controller not to sell the consumer's personal information. A controller may accept a request to opt-out received through a user-enabled global privacy control, such as a browser plug-in or privacy setting, device setting, or other mechanism, which communicates or signals the consumer's choice to opt out.

2. For consumers who opted-out of the sale or sharing of their personal information, respect the consumer's decision to opt-out for at least 12 months before requesting that the consumer authorize the sale or sharing of the consumer's personal information.

3. Use any personal information collected from the consumer in connection with the submission of the consumer's opt-out request solely for the purposes of complying with the opt-out request.

(b) A consumer may authorize another person to opt-out of the sale or sharing of the consumer's personal information on the consumer's behalf pursuant to rules adopted by the department.

(8) ACTIONS RELATED TO CONSUMERS WHO EXERCISE PRIVACY RIGHTS.—

(a) A controller may charge a consumer who exercised any of the consumer's rights under this section a different price or rate, or provide a different level or quality of goods or services to the consumer, only if that difference is reasonably related to the value provided to the controller by the consumer's data or is related to a consumer's voluntary participation in a financial incentive program, including a bona fide loyalty, rewards, premium features, discounts, or club card program offered by the controller.
(b) A controller may offer financial incentives, including payments to consumers as compensation, for the collection, sharing, sale, or deletion of personal information if the consumer gives the controller prior consent that clearly describes the material terms of the financial incentive program. The consent may be revoked by the consumer at any time.

(c) A controller may not use financial incentive practices that are unjust, unreasonable, coercive, or usurious in nature.

(9) CONTRACTS AND ROLES.—

(a) Any contract or agreement between a controller and a processor must:

1. Prohibit the processor from selling, sharing, retaining, using, or disclosing the personal information for any purpose that violates this section;

2. Govern the processor's personal information processing procedures with respect to processing performed on behalf of the controller, including processing instructions, the nature and purpose of processing, the type of information subject to processing, the duration of processing, and the rights and obligations of both the controller and processor;

3. Require the processor to return or delete all personal information under the contract to the controller as requested by the controller at the end of the provision of services, unless retention of the information is required by law; and

4. Upon request of the controller, require the processor to make available to the controller all personal information in its possession under the contract or agreement.
(b) Determining whether a person is acting as a controller or processor with respect to a specific processing of data is a fact-based determination that depends upon the context in which personal information is to be processed. The contract between a controller and processor must reflect their respective roles and relationships related to handling personal information. A processor that continues to adhere to a controller's instructions with respect to a specific processing of personal information remains a processor.

(c) A third party may not sell or share personal information about a consumer that has been sold or shared to the third party by a controller unless the consumer has received explicit notice from the third party and is provided an opportunity to opt-out by the third party.

(d) A processor or third party must require any subcontractor to meet the same obligations of such processor or third party with respect to personal information.

(e) A processor or third party or any subcontractor thereof who violates any of the restrictions imposed upon it under this section is liable or responsible for any failure to comply with this section.

(f) Any provision of a contract or agreement of any kind that waives or limits in any way a consumer's rights under this section, including, but not limited to, any right to a remedy or means of enforcement, is deemed contrary to public policy and is void and unenforceable. This section does not prevent a consumer from declining to request information from a controller, declining to opt-out of a controller's sale or sharing of the consumer's personal information, or authorizing a controller to sell or share the consumer's personal information after previously opting out.

(10) CIVIL ACTIONS; PRIVATE RIGHT OF ACTION.—

(a) A Florida consumer may only bring a civil action against a controller, processor, or third party pursuant to this section for the following:

1. Failure to delete or correct the consumer's personal information pursuant to this section after receiving a verifiable consumer request or directions to delete or correct from a controller unless the controller, processor, or third party qualifies for an exception to the requirements to delete or correct under this section.

2. Continuing to sell or share the consumer's personal information after the consumer chooses to opt-out pursuant to this section.

3. Selling or sharing the personal information of the consumer age 18 or younger without obtaining consent as required by this section.

(b) A court may grant the following relief to a Florida consumer:

1. Statutory damages in an amount not less than $100 and not greater than $750 per consumer per incident or actual damages, whichever is greater.

2. Injunctive or declaratory relief.

(c) Upon prevailing, the Florida consumer shall recover reasonable attorney fees and costs.

(d) Any action under this subsection may only be brought by or on behalf of a Florida consumer.
(e) Liability for a tort, contract claim, or consumer protection claim which is unrelated to an action brought under subsection (10) or subsection (11) does not arise solely from the failure of a controller, processor, or third party to comply with this section and evidence of such may only be used as the basis to prove a cause of action under this subsection.

(f) In assessing the amount of statutory damages, the court shall consider any one or more of the relevant circumstances presented by any of the parties to the case, including, but not limited to, the nature and seriousness of the misconduct, the number of violations, the length of time over which the misconduct occurred, and the defendant's assets, liability, and net worth.

(11) ENFORCEMENT AND IMPLEMENTATION BY THE DEPARTMENT.—

(a) Any violation of this section is an unfair and deceptive trade practice actionable under part II of chapter 501 solely by the department against a controller, processor, or person. If the department has reason to believe that any controller, processor, or third party is in violation of this section, the department, as the enforcement authority, may bring an action against such controller, processor, or third party for an unfair or deceptive act or practice. For the purpose of bringing an action pursuant to this section, ss. 501.211 and 501.212 do not apply. Civil penalties may be tripled if the violation:

1. Involves a Florida consumer who the controller, processor, or third party has actual knowledge is 18 years of age or younger; or

2. Is based on paragraph (10)(a).
(b) After the department has notified a controller, processor, or third party in writing of an alleged violation, the department may in its discretion grant a 45-day period to cure the alleged violation. The 45-day cure period does not apply to a violation of subparagraph (10)(a)1. The department may consider the number and frequency of violations, the substantial likelihood of injury to the public, and the safety of persons or property when determining whether to grant 45 calendar days to cure and the issuance of a letter of guidance. If the violation is cured to the satisfaction of the department and proof of such cure is provided to the department, the department in its discretion may issue a letter of guidance. If the controller, processor, or third party fails to cure the violation within 45 calendar days, the department may bring an action against the controller, processor, or third party for the alleged violation.

(c) Any action brought by the department may only be brought on behalf of a Florida consumer.

(d) By February 1 of each year, the department shall submit a report to the President of the Senate and the Speaker of the House of Representatives describing any actions taken by the department to enforce this section. The report shall include statistics and relevant information detailing:

1. The number of complaints received;

2. The number and type of enforcement actions taken and the outcomes of such actions;

3. The number of complaints resolved without the need for litigation; and

4. The status of the development and implementation of rules to implement this section.
(e) The department may adopt rules to implement this section, including standards for verifiable consumer requests, enforcement, data security, and authorized persons who may act on a consumer's behalf.

(12) JURISDICTION.—For purposes of bringing an action in accordance with subsections (10) and (11), any person who meets the definition of controller as defined in this section that collects, shares, or sells the personal information of Florida consumers, is considered to be both engaged in substantial and not isolated activities within this state and operating, conducting, engaging in, or carrying on a business, and doing business in this state, and is therefore subject to the jurisdiction of the courts of this state.

(13) PREEMPTION.—This section is a matter of statewide concern and supersedes all rules, regulations, codes, ordinances, and other laws adopted by a city, county, city and county, municipality, or local agency regarding the collection, processing, sharing, or sale of consumer personal information by a controller or processor. The regulation of the collection, processing, sharing, or sale of consumer personal information by a controller or processor is preempted to the state.

Section 2. Paragraph (g) of subsection (1) of section 501.171, Florida Statutes, is amended to read:

501.171 Security of confidential personal information.—

(1) DEFINITIONS.—As used in this section, the term:

(g)1. "Personal information" means either of the following:

a. An individual's first name or first initial and last name in combination with any one or more of the following data elements for that individual:

(I) A social security number;

(II) A driver license or identification card number, passport number, military identification number, or other similar number issued on a government document used to verify identity;

(III) A financial account number or credit or debit card number, in combination with any required security code, access code, or password that is necessary to permit access to an individual's financial account;

(IV) Any information regarding an individual's medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional; or

(V) An individual's health insurance policy number or subscriber identification number and any unique identifier used by a health insurer to identify the individual.

(VI) An individual's biometric information as defined in s. 501.173(2).

b. A user name or e-mail address, in combination with a password or security question and answer that would permit access to an online account.

2. The term does not include information about an individual that has been made publicly available by a federal, state, or local governmental entity. The term also does not include information that is encrypted, secured, or modified by any other method or technology that removes elements that personally identify an individual or that otherwise renders the information unusable.

Section 3. This act shall take effect July 1, 2023.